149 lines
4.3 KiB
Go
149 lines
4.3 KiB
Go
package dnsforward
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/dnsfilter"
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/joomcode/errorx"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
func (s *Server) beforeRequestHandler(_ *proxy.Proxy, d *proxy.DNSContext) (bool, error) {
|
|
ip := ipFromAddr(d.Addr)
|
|
disallowed, _ := s.access.IsBlockedIP(ip)
|
|
if disallowed {
|
|
log.Tracef("Client IP %s is blocked by settings", ip)
|
|
return false, nil
|
|
}
|
|
|
|
if len(d.Req.Question) == 1 {
|
|
host := strings.TrimSuffix(d.Req.Question[0].Name, ".")
|
|
if s.access.IsBlockedDomain(host) {
|
|
log.Tracef("Domain %s is blocked by settings", host)
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// getClientRequestFilteringSettings lookups client filtering settings
|
|
// using the client's IP address from the DNSContext
|
|
func (s *Server) getClientRequestFilteringSettings(d *proxy.DNSContext) *dnsfilter.RequestFilteringSettings {
|
|
setts := s.dnsFilter.GetConfig()
|
|
setts.FilteringEnabled = true
|
|
if s.conf.FilterHandler != nil {
|
|
clientAddr := ipFromAddr(d.Addr)
|
|
s.conf.FilterHandler(clientAddr, &setts)
|
|
}
|
|
return &setts
|
|
}
|
|
|
|
// filterDNSRequest applies the dnsFilter and sets d.Res if the request was filtered
|
|
func (s *Server) filterDNSRequest(ctx *dnsContext) (*dnsfilter.Result, error) {
|
|
d := ctx.proxyCtx
|
|
req := d.Req
|
|
host := strings.TrimSuffix(req.Question[0].Name, ".")
|
|
res, err := s.dnsFilter.CheckHost(host, d.Req.Question[0].Qtype, ctx.setts)
|
|
if err != nil {
|
|
// Return immediately if there's an error
|
|
return nil, errorx.Decorate(err, "dnsfilter failed to check host '%s'", host)
|
|
|
|
} else if res.IsFiltered {
|
|
log.Tracef("Host %s is filtered, reason - '%s', matched rule: '%s'", host, res.Reason, res.Rule)
|
|
d.Res = s.genDNSFilterMessage(d, &res)
|
|
|
|
} else if res.Reason == dnsfilter.ReasonRewrite && len(res.CanonName) != 0 && len(res.IPList) == 0 {
|
|
ctx.origQuestion = d.Req.Question[0]
|
|
// resolve canonical name, not the original host name
|
|
d.Req.Question[0].Name = dns.Fqdn(res.CanonName)
|
|
|
|
} else if res.Reason == dnsfilter.RewriteEtcHosts && len(res.ReverseHost) != 0 {
|
|
|
|
resp := s.makeResponse(req)
|
|
ptr := &dns.PTR{}
|
|
ptr.Hdr = dns.RR_Header{
|
|
Name: req.Question[0].Name,
|
|
Rrtype: dns.TypePTR,
|
|
Ttl: s.conf.BlockedResponseTTL,
|
|
Class: dns.ClassINET,
|
|
}
|
|
ptr.Ptr = res.ReverseHost
|
|
resp.Answer = append(resp.Answer, ptr)
|
|
d.Res = resp
|
|
} else if res.Reason == dnsfilter.ReasonRewrite || res.Reason == dnsfilter.RewriteEtcHosts {
|
|
resp := s.makeResponse(req)
|
|
|
|
name := host
|
|
if len(res.CanonName) != 0 {
|
|
resp.Answer = append(resp.Answer, s.genCNAMEAnswer(req, res.CanonName))
|
|
name = res.CanonName
|
|
}
|
|
|
|
for _, ip := range res.IPList {
|
|
if req.Question[0].Qtype == dns.TypeA {
|
|
a := s.genAAnswer(req, ip.To4())
|
|
a.Hdr.Name = dns.Fqdn(name)
|
|
resp.Answer = append(resp.Answer, a)
|
|
} else if req.Question[0].Qtype == dns.TypeAAAA {
|
|
a := s.genAAAAAnswer(req, ip)
|
|
a.Hdr.Name = dns.Fqdn(name)
|
|
resp.Answer = append(resp.Answer, a)
|
|
}
|
|
}
|
|
|
|
d.Res = resp
|
|
}
|
|
|
|
return &res, err
|
|
}
|
|
|
|
// If response contains CNAME, A or AAAA records, we apply filtering to each canonical host name or IP address.
|
|
// If this is a match, we set a new response in d.Res and return.
|
|
func (s *Server) filterDNSResponse(ctx *dnsContext) (*dnsfilter.Result, error) {
|
|
d := ctx.proxyCtx
|
|
for _, a := range d.Res.Answer {
|
|
host := ""
|
|
|
|
switch v := a.(type) {
|
|
case *dns.CNAME:
|
|
log.Debug("DNSFwd: Checking CNAME %s for %s", v.Target, v.Hdr.Name)
|
|
host = strings.TrimSuffix(v.Target, ".")
|
|
|
|
case *dns.A:
|
|
host = v.A.String()
|
|
log.Debug("DNSFwd: Checking record A (%s) for %s", host, v.Hdr.Name)
|
|
|
|
case *dns.AAAA:
|
|
host = v.AAAA.String()
|
|
log.Debug("DNSFwd: Checking record AAAA (%s) for %s", host, v.Hdr.Name)
|
|
|
|
default:
|
|
continue
|
|
}
|
|
|
|
s.RLock()
|
|
// Synchronize access to s.dnsFilter so it won't be suddenly uninitialized while in use.
|
|
// This could happen after proxy server has been stopped, but its workers are not yet exited.
|
|
if !s.conf.ProtectionEnabled || s.dnsFilter == nil {
|
|
s.RUnlock()
|
|
continue
|
|
}
|
|
res, err := s.dnsFilter.CheckHostRules(host, d.Req.Question[0].Qtype, ctx.setts)
|
|
s.RUnlock()
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
|
|
} else if res.IsFiltered {
|
|
d.Res = s.genDNSFilterMessage(d, &res)
|
|
log.Debug("DNSFwd: Matched %s by response: %s", d.Req.Question[0].Name, host)
|
|
return &res, nil
|
|
}
|
|
}
|
|
|
|
return nil, nil
|
|
}
|