From b6193c32ceb814ad305017854ad4bb2115f7cfbf Mon Sep 17 00:00:00 2001
From: Simon Zolin <s.zolin@adguard.com>
Date: Wed, 19 Aug 2020 14:13:16 +0300
Subject: [PATCH] + DNS: new blocking mode: "refused"

---
 AGHTechDoc.md                 | 4 ++--
 dnsforward/dnsforward_http.go | 2 +-
 dnsforward/msg.go             | 5 +++++
 openapi/openapi.yaml          | 1 +
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/AGHTechDoc.md b/AGHTechDoc.md
index e5e582ec..49b62d52 100644
--- a/AGHTechDoc.md
+++ b/AGHTechDoc.md
@@ -990,7 +990,7 @@ Response:
 
 		"protection_enabled": true | false,
 		"ratelimit": 1234,
-		"blocking_mode": "default" | "nxdomain" | "null_ip" | "custom_ip",
+		"blocking_mode": "default" | "refused" | "nxdomain" | "null_ip" | "custom_ip",
 		"blocking_ipv4": "1.2.3.4",
 		"blocking_ipv6": "1:2:3::4",
 		"edns_cs_enabled": true | false,
@@ -1015,7 +1015,7 @@ Request:
 
 		"protection_enabled": true | false,
 		"ratelimit": 1234,
-		"blocking_mode": "default" | "nxdomain" | "null_ip" | "custom_ip",
+		"blocking_mode": "default" | "refused" | "nxdomain" | "null_ip" | "custom_ip",
 		"blocking_ipv4": "1.2.3.4",
 		"blocking_ipv6": "1:2:3::4",
 		"edns_cs_enabled": true | false,
diff --git a/dnsforward/dnsforward_http.go b/dnsforward/dnsforward_http.go
index 63e82d95..f3dc35e0 100644
--- a/dnsforward/dnsforward_http.go
+++ b/dnsforward/dnsforward_http.go
@@ -74,7 +74,7 @@ func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) {
 
 func checkBlockingMode(req dnsConfigJSON) bool {
 	bm := req.BlockingMode
-	if !(bm == "default" || bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") {
+	if !(bm == "default" || bm == "refused" || bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") {
 		return false
 	}
 
diff --git a/dnsforward/msg.go b/dnsforward/msg.go
index 0df35bfc..fc4ecb51 100644
--- a/dnsforward/msg.go
+++ b/dnsforward/msg.go
@@ -64,6 +64,11 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
 			// means that we should return NXDOMAIN for any blocked request
 
 			return s.genNXDomain(m)
+
+		} else if s.conf.BlockingMode == "refused" {
+			// means that we should return NXDOMAIN for any blocked request
+
+			return s.makeResponseREFUSED(m)
 		}
 
 		// Default blocking mode
diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml
index 57d63c70..7fd48870 100644
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@@ -1007,6 +1007,7 @@ components:
                     type: string
                     enum:
                         - default
+                        - refused
                         - nxdomain
                         - null_ip
                         - custom_ip