Merge: * DNS: use REFUSED DNS error code as the default blocking method
Merge in DNS/adguard-home from 1914-refused-blocking-mode to master Fix #1914 * commit '382cddea47452abd02adeab2a1539dcd3c74c1dd': fix pre-commit hook * (ui): added refused string + client: Add REFUSED DNS error code as the default blocking method + DNS: new blocking mode: "refused" * locales: blocking_mode_default: NXDOMAIN -> REFUSED * DNS: use REFUSED DNS error code as the default blocking method
commit
9a49161f15
|
@ -1,8 +1,10 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -e;
|
set -e;
|
||||||
|
|
||||||
|
found=0
|
||||||
git diff --cached --name-only | grep -q '.js$' && found=1
|
git diff --cached --name-only | grep -q '.js$' && found=1
|
||||||
if [ $found == 1 ]; then
|
if [ $found == 1 ]; then
|
||||||
make lint-js || exit 1
|
npm --prefix client run lint || exit 1
|
||||||
npm run test --prefix client || exit 1
|
npm run test --prefix client || exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -992,7 +992,7 @@ Response:
|
||||||
|
|
||||||
"protection_enabled": true | false,
|
"protection_enabled": true | false,
|
||||||
"ratelimit": 1234,
|
"ratelimit": 1234,
|
||||||
"blocking_mode": "default" | "nxdomain" | "null_ip" | "custom_ip",
|
"blocking_mode": "default" | "refused" | "nxdomain" | "null_ip" | "custom_ip",
|
||||||
"blocking_ipv4": "1.2.3.4",
|
"blocking_ipv4": "1.2.3.4",
|
||||||
"blocking_ipv6": "1:2:3::4",
|
"blocking_ipv6": "1:2:3::4",
|
||||||
"edns_cs_enabled": true | false,
|
"edns_cs_enabled": true | false,
|
||||||
|
@ -1017,7 +1017,7 @@ Request:
|
||||||
|
|
||||||
"protection_enabled": true | false,
|
"protection_enabled": true | false,
|
||||||
"ratelimit": 1234,
|
"ratelimit": 1234,
|
||||||
"blocking_mode": "default" | "nxdomain" | "null_ip" | "custom_ip",
|
"blocking_mode": "default" | "refused" | "nxdomain" | "null_ip" | "custom_ip",
|
||||||
"blocking_ipv4": "1.2.3.4",
|
"blocking_ipv4": "1.2.3.4",
|
||||||
"blocking_ipv6": "1:2:3::4",
|
"blocking_ipv6": "1:2:3::4",
|
||||||
"edns_cs_enabled": true | false,
|
"edns_cs_enabled": true | false,
|
||||||
|
|
|
@ -240,6 +240,7 @@
|
||||||
"blocking_mode": "Blocking mode",
|
"blocking_mode": "Blocking mode",
|
||||||
"default": "Default",
|
"default": "Default",
|
||||||
"nxdomain": "NXDOMAIN",
|
"nxdomain": "NXDOMAIN",
|
||||||
|
"refused": "REFUSED",
|
||||||
"null_ip": "Null IP",
|
"null_ip": "Null IP",
|
||||||
"custom_ip": "Custom IP",
|
"custom_ip": "Custom IP",
|
||||||
"blocking_ipv4": "Blocking IPv4",
|
"blocking_ipv4": "Blocking IPv4",
|
||||||
|
@ -254,7 +255,8 @@
|
||||||
"rate_limit_desc": "The number of requests per second that a single client is allowed to make (0: unlimited)",
|
"rate_limit_desc": "The number of requests per second that a single client is allowed to make (0: unlimited)",
|
||||||
"blocking_ipv4_desc": "IP address to be returned for a blocked A request",
|
"blocking_ipv4_desc": "IP address to be returned for a blocked A request",
|
||||||
"blocking_ipv6_desc": "IP address to be returned for a blocked AAAA request",
|
"blocking_ipv6_desc": "IP address to be returned for a blocked AAAA request",
|
||||||
"blocking_mode_default": "Default: Respond with NXDOMAIN when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule",
|
"blocking_mode_default": "Default: Respond with REFUSED when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule",
|
||||||
|
"blocking_mode_refused": "REFUSED: Respond with REFUSED code",
|
||||||
"blocking_mode_nxdomain": "NXDOMAIN: Respond with NXDOMAIN code",
|
"blocking_mode_nxdomain": "NXDOMAIN: Respond with NXDOMAIN code",
|
||||||
"blocking_mode_null_ip": "Null IP: Respond with zero IP address (0.0.0.0 for A; :: for AAAA)",
|
"blocking_mode_null_ip": "Null IP: Respond with zero IP address (0.0.0.0 for A; :: for AAAA)",
|
||||||
"blocking_mode_custom_ip": "Custom IP: Respond with a manually set IP address",
|
"blocking_mode_custom_ip": "Custom IP: Respond with a manually set IP address",
|
||||||
|
|
|
@ -293,8 +293,11 @@ export const QUERY_LOG_INTERVALS_DAYS = [1, 7, 30, 90];
|
||||||
|
|
||||||
export const FILTERS_INTERVALS_HOURS = [0, 1, 12, 24, 72, 168];
|
export const FILTERS_INTERVALS_HOURS = [0, 1, 12, 24, 72, 168];
|
||||||
|
|
||||||
|
// Note that translation strings contain these modes (blocking_mode_CONSTANT)
|
||||||
|
// i.e. blocking_mode_default, blocking_mode_null_ip
|
||||||
export const BLOCKING_MODES = {
|
export const BLOCKING_MODES = {
|
||||||
default: 'default',
|
default: 'default',
|
||||||
|
refused: 'refused',
|
||||||
nxdomain: 'nxdomain',
|
nxdomain: 'nxdomain',
|
||||||
null_ip: 'null_ip',
|
null_ip: 'null_ip',
|
||||||
custom_ip: 'custom_ip',
|
custom_ip: 'custom_ip',
|
||||||
|
|
|
@ -74,7 +74,7 @@ func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
func checkBlockingMode(req dnsConfigJSON) bool {
|
func checkBlockingMode(req dnsConfigJSON) bool {
|
||||||
bm := req.BlockingMode
|
bm := req.BlockingMode
|
||||||
if !(bm == "default" || bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") {
|
if !(bm == "default" || bm == "refused" || bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
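Review bot: The allow-list in `checkBlockingMode` is now a five-way `||` chain of string literals, and the same set of modes is repeated by hand in the client constants and the OpenAPI enum touched by this commit, so it is easy for the three to drift apart. Since this function validates a value taken from an API request, a form that reads as a list is easier to audit, for example `switch bm { case "default", "refused", "nxdomain", "null_ip", "custom_ip": default: return false }`, ideally with the mode names as package-level constants. The function body continues past the end of the hunk, so the rest of the validation is not visible here.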
@ -263,7 +263,7 @@ func TestBlockedRequest(t *testing.T) {
|
||||||
addr := s.dnsProxy.Addr(proxy.ProtoUDP)
|
addr := s.dnsProxy.Addr(proxy.ProtoUDP)
|
||||||
|
|
||||||
//
|
//
|
||||||
// NXDomain blocking
|
// Default blocking - REFUSED
|
||||||
//
|
//
|
||||||
req := dns.Msg{}
|
req := dns.Msg{}
|
||||||
req.Id = dns.Id()
|
req.Id = dns.Id()
|
||||||
|
@ -276,9 +276,7 @@ func TestBlockedRequest(t *testing.T) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Couldn't talk to server %s: %s", addr, err)
|
t.Fatalf("Couldn't talk to server %s: %s", addr, err)
|
||||||
}
|
}
|
||||||
if reply.Rcode != dns.RcodeNameError {
|
assert.Equal(t, dns.RcodeRefused, reply.Rcode)
|
||||||
t.Fatalf("Wrong response: %s", reply.String())
|
|
||||||
}
|
|
||||||
|
|
||||||
err = s.Stop()
|
err = s.Stop()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -440,7 +438,7 @@ func TestBlockCNAME(t *testing.T) {
|
||||||
req := createTestMessage("badhost.")
|
req := createTestMessage("badhost.")
|
||||||
reply, err := dns.Exchange(req, addr.String())
|
reply, err := dns.Exchange(req, addr.String())
|
||||||
assert.Nil(t, err, nil)
|
assert.Nil(t, err, nil)
|
||||||
assert.Equal(t, dns.RcodeNameError, reply.Rcode)
|
assert.Equal(t, dns.RcodeRefused, reply.Rcode)
|
||||||
|
|
||||||
// 'whitelist.example.org' has a canonical name 'null.example.org' which is blocked by filters
|
// 'whitelist.example.org' has a canonical name 'null.example.org' which is blocked by filters
|
||||||
// but 'whitelist.example.org' is in a whitelist:
|
// but 'whitelist.example.org' is in a whitelist:
|
||||||
|
@ -455,7 +453,7 @@ func TestBlockCNAME(t *testing.T) {
|
||||||
req = createTestMessage("example.org.")
|
req = createTestMessage("example.org.")
|
||||||
reply, err = dns.Exchange(req, addr.String())
|
reply, err = dns.Exchange(req, addr.String())
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
assert.Equal(t, dns.RcodeNameError, reply.Rcode)
|
assert.Equal(t, dns.RcodeRefused, reply.Rcode)
|
||||||
|
|
||||||
_ = s.Stop()
|
_ = s.Stop()
|
||||||
}
|
}
|
||||||
|
|
|
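Review bot: None of the visible test hunks sets the blocking mode to "refused" explicitly, so the new `else if s.conf.BlockingMode == "refused"` branch seems to be untested; the updated assertions only cover the default path, and tests outside these hunks are not visible. A case that configures "refused" and one that configures "nxdomain" would pin that the two modes still differ. In TestBlockCNAME the new `assert.Equal(t, dns.RcodeRefused, reply.Rcode)` lines still run when `dns.Exchange` fails, because `assert.Nil` does not stop the test, so a nil `reply` would panic rather than fail cleanly. Guarding with `if reply == nil { t.FailNow() }`, or testify's `require` if the repository already uses it, avoids that.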
@ -88,7 +88,7 @@ func processInitial(ctx *dnsContext) int {
|
||||||
// disable Mozilla DoH
|
// disable Mozilla DoH
|
||||||
if (d.Req.Question[0].Qtype == dns.TypeA || d.Req.Question[0].Qtype == dns.TypeAAAA) &&
|
if (d.Req.Question[0].Qtype == dns.TypeA || d.Req.Question[0].Qtype == dns.TypeAAAA) &&
|
||||||
d.Req.Question[0].Name == "use-application-dns.net." {
|
d.Req.Question[0].Name == "use-application-dns.net." {
|
||||||
d.Res = s.genNXDomain(d.Req)
|
d.Res = s.makeResponseREFUSED(d.Req)
|
||||||
return resultFinish
|
return resultFinish
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
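Review bot: The canary answer for `use-application-dns.net.` changes from NXDOMAIN to REFUSED here, but the comment `// disable Mozilla DoH` does not record why REFUSED still has that effect. As far as I know Mozilla's canary-domain guidance accepts any rcode other than NOERROR, though it names NXDOMAIN and SERVFAIL as the examples, so this is worth confirming against a current Firefox. Please state the contract next to the call, e.g. `// any non-NOERROR rcode for the canary domain tells Firefox not to enable DoH by default`. This reply is also fixed to REFUSED regardless of the configured blocking mode, which deserves a word in the same comment. processInitial starts and ends outside the hunk.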
@ -24,7 +24,7 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
|
||||||
m := d.Req
|
m := d.Req
|
||||||
|
|
||||||
if m.Question[0].Qtype != dns.TypeA && m.Question[0].Qtype != dns.TypeAAAA {
|
if m.Question[0].Qtype != dns.TypeA && m.Question[0].Qtype != dns.TypeAAAA {
|
||||||
return s.genNXDomain(m)
|
return s.makeResponseREFUSED(m)
|
||||||
}
|
}
|
||||||
|
|
||||||
switch result.Reason {
|
switch result.Reason {
|
||||||
|
@ -64,15 +64,20 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
|
||||||
// means that we should return NXDOMAIN for any blocked request
|
// means that we should return NXDOMAIN for any blocked request
|
||||||
|
|
||||||
return s.genNXDomain(m)
|
return s.genNXDomain(m)
|
||||||
|
|
||||||
|
} else if s.conf.BlockingMode == "refused" {
|
||||||
|
// means that we should return NXDOMAIN for any blocked request
|
||||||
|
|
||||||
|
return s.makeResponseREFUSED(m)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default blocking mode
|
// Default blocking mode
|
||||||
// If there's an IP specified in the rule, return it
|
// If there's an IP specified in the rule, return it
|
||||||
// If there is no IP, return NXDOMAIN
|
// If there is no IP, return REFUSED
|
||||||
if result.IP != nil {
|
if result.IP != nil {
|
||||||
return s.genResponseWithIP(m, result.IP)
|
return s.genResponseWithIP(m, result.IP)
|
||||||
}
|
}
|
||||||
return s.genNXDomain(m)
|
return s.makeResponseREFUSED(m)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -182,6 +187,14 @@ func (s *Server) genCNAMEAnswer(req *dns.Msg, cname string) *dns.CNAME {
|
||||||
return answer
|
return answer
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Create REFUSED DNS response
|
||||||
|
func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
|
||||||
|
resp := dns.Msg{}
|
||||||
|
resp.SetRcode(request, dns.RcodeRefused)
|
||||||
|
resp.RecursionAvailable = true
|
||||||
|
return &resp
|
||||||
|
}
|
||||||
|
|
||||||
func (s *Server) genNXDomain(request *dns.Msg) *dns.Msg {
|
func (s *Server) genNXDomain(request *dns.Msg) *dns.Msg {
|
||||||
resp := dns.Msg{}
|
resp := dns.Msg{}
|
||||||
resp.SetRcode(request, dns.RcodeNameError)
|
resp.SetRcode(request, dns.RcodeNameError)
|
||||||
|
|
|
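Review bot: The comment inside the new `refused` branch still reads `// means that we should return NXDOMAIN for any blocked request`, copied from the branch above it; it should say REFUSED. The doc comment on the new helper would follow Go convention as `// makeResponseREFUSED creates a REFUSED response for request.`. The first hunk also appears to return REFUSED for every blocked query that is not A or AAAA before the mode is consulted, so a server configured with "nxdomain" no longer answers NXDOMAIN for those types; if that is intended, a comment should say so. Note too that many stub resolvers treat REFUSED as a server-side failure and retry the next configured resolver, so with a fallback resolver configured a blocked name may still resolve elsewhere; that trade-off belongs in the mode's description.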
@ -1007,6 +1007,7 @@ components:
|
||||||
type: string
|
type: string
|
||||||
enum:
|
enum:
|
||||||
- default
|
- default
|
||||||
|
- refused
|
||||||
- nxdomain
|
- nxdomain
|
||||||
- null_ip
|
- null_ip
|
||||||
- custom_ip
|
- custom_ip
|
||||||
|
|