86444eacc2
Merge in DNS/adguard-home from 2704-local-addresses-vol.2 to master Updates #2704. Updates #2829. Squashed commit of the following: commit 507d038c2709de59246fc0b65c3c4ab8e38d1990 Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 31 14:33:05 2021 +0300 aghtest: fix file name commit 8e19f99337bee1d88ad6595adb96f9bb23fa3c41 Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 31 14:06:43 2021 +0300 aghnet: rm redundant mutexes commit 361fa418b33ed160ca20862be1c455ab9378c03f Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 31 13:45:30 2021 +0300 all: fix names, docs commit 14034f4f0230d7aaa3645054946ae5c278089a99 Merge: 35e265cca72ce1cf
Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 31 13:38:15 2021 +0300 Merge branch 'master' into 2704-local-addresses-vol.2 commit 35e265cc8cd308ef1fda414b58c0217cb5f258e4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 31 13:33:35 2021 +0300 aghnet: imp naming commit 7a7edac7208a40697d7bc50682b923a144e28e2b Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Mar 30 20:59:54 2021 +0300 changelog: oops, nope yet commit d26a5d2513daf662ac92053b5e235189a64cc022 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Mar 30 20:55:53 2021 +0300 all: some renaming for the glory of semantics commit 9937fa619452b0742616217b975e3ff048d58acb Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Mar 29 15:34:42 2021 +0300 all: log changes commit d8d9e6dfeea8474466ee25f27021efdd3ddb1592 Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Mar 26 18:32:23 2021 +0300 all: imp localresolver, imp cutting off own addresses commit 344140df449b85925f19b460fd7dc7c08e29c35a Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Mar 26 14:53:33 2021 +0300 all: imp code quality commit 1c5c0babec73b125044e23dd3aa75d8eefc19b28 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Mar 25 20:44:08 2021 +0300 all: fix go.mod commit 0b9fb3c2369a752e893af8ddc45a86bb9fb27ce5 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Mar 25 20:38:51 2021 +0300 all: add error handling commit a7a2e51f57fc6f8f74b95a264ad345cd2a9e026e Merge: c13be63427f4f052
Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Mar 25 19:48:36 2021 +0300 Merge branch 'master' into 2704-local-addresses-vol.2 commit c13be634f47bcaed9320a732a51c0e4752d0dad0 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Mar 25 18:52:28 2021 +0300 all: cover rdns with tests, imp aghnet functionality commit 48bed9025944530c613ee53e7961d6d5fbabf8be Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 24 20:18:07 2021 +0300 home: make rdns great again commit 1dbacfc8d5b6895807797998317fe3cc814617c1 Author: Eugene Burkov <e.burkov@adguard.com> Date: Wed Mar 24 16:07:52 2021 +0300 all: imp external client restriction commit 1208a319a7f4ffe7b7fa8956f245d7a19437c0a4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Mar 22 15:26:45 2021 +0300 all: finish local ptr processor commit c8827fc3db289e1a5d7a11d057743bab39957b02 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Mar 2 13:41:22 2021 +0300 all: imp ipdetector, add local ptr processor
380 lines
9.8 KiB
Go
380 lines
9.8 KiB
Go
// Package dnsforward contains a DNS forwarding server.
|
|
package dnsforward
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"os"
|
|
"runtime"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/querylog"
|
|
"github.com/AdguardTeam/AdGuardHome/internal/stats"
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// DefaultTimeout is the default upstream timeout
|
|
const DefaultTimeout = 10 * time.Second
|
|
|
|
const (
|
|
safeBrowsingBlockHost = "standard-block.dns.adguard.com"
|
|
parentalBlockHost = "family-block.dns.adguard.com"
|
|
)
|
|
|
|
var defaultDNS = []string{
|
|
"https://dns10.quad9.net/dns-query",
|
|
}
|
|
var defaultBootstrap = []string{"9.9.9.10", "149.112.112.10", "2620:fe::10", "2620:fe::fe:10"}
|
|
|
|
// Often requested by all kinds of DNS probes
|
|
var defaultBlockedHosts = []string{"version.bind", "id.server", "hostname.bind"}
|
|
|
|
var webRegistered bool
|
|
|
|
// Server is the main way to start a DNS server.
|
|
//
|
|
// Example:
|
|
// s := dnsforward.Server{}
|
|
// err := s.Start(nil) // will start a DNS server listening on default port 53, in a goroutine
|
|
// err := s.Reconfigure(ServerConfig{UDPListenAddr: &net.UDPAddr{Port: 53535}}) // will reconfigure running DNS server to listen on UDP port 53535
|
|
// err := s.Stop() // will stop listening on port 53535 and cancel all goroutines
|
|
// err := s.Start(nil) // will start listening again, on port 53535, in a goroutine
|
|
//
|
|
// The zero Server is empty and ready for use.
|
|
type Server struct {
|
|
dnsProxy *proxy.Proxy // DNS proxy instance
|
|
dnsFilter *dnsfilter.DNSFilter // DNS filter instance
|
|
dhcpServer dhcpd.ServerInterface // DHCP server instance (optional)
|
|
queryLog querylog.QueryLog // Query log instance
|
|
stats stats.Stats
|
|
access *accessCtx
|
|
|
|
// autohostSuffix is the suffix used to detect internal hosts. It must
|
|
// be a valid top-level domain plus dots on each side.
|
|
autohostSuffix string
|
|
|
|
ipset ipsetCtx
|
|
subnetDetector *aghnet.SubnetDetector
|
|
localResolvers aghnet.Exchanger
|
|
|
|
tableHostToIP map[string]net.IP // "hostname -> IP" table for internal addresses (DHCP)
|
|
tableHostToIPLock sync.Mutex
|
|
|
|
tablePTR map[string]string // "IP -> hostname" table for reverse lookup
|
|
tablePTRLock sync.Mutex
|
|
|
|
// DNS proxy instance for internal usage
|
|
// We don't Start() it and so no listen port is required.
|
|
internalProxy *proxy.Proxy
|
|
|
|
isRunning bool
|
|
|
|
sync.RWMutex
|
|
conf ServerConfig
|
|
}
|
|
|
|
// defaultAutohostSuffix is the default suffix used to detect internal hosts
|
|
// when no suffix is provided. See the documentation for Server.autohostSuffix.
|
|
const defaultAutohostSuffix = ".lan."
|
|
|
|
// DNSCreateParams are parameters to create a new server.
|
|
type DNSCreateParams struct {
|
|
DNSFilter *dnsfilter.DNSFilter
|
|
Stats stats.Stats
|
|
QueryLog querylog.QueryLog
|
|
DHCPServer dhcpd.ServerInterface
|
|
SubnetDetector *aghnet.SubnetDetector
|
|
LocalResolvers aghnet.Exchanger
|
|
AutohostTLD string
|
|
}
|
|
|
|
// tldToSuffix converts a top-level domain into an autohost suffix.
|
|
func tldToSuffix(tld string) (suffix string) {
|
|
l := len(tld) + 2
|
|
b := make([]byte, l)
|
|
b[0] = '.'
|
|
copy(b[1:], tld)
|
|
b[l-1] = '.'
|
|
|
|
return string(b)
|
|
}
|
|
|
|
// NewServer creates a new instance of the dnsforward.Server
|
|
// Note: this function must be called only once
|
|
func NewServer(p DNSCreateParams) (s *Server, err error) {
|
|
var autohostSuffix string
|
|
if p.AutohostTLD == "" {
|
|
autohostSuffix = defaultAutohostSuffix
|
|
} else {
|
|
err = validateDomainNameLabel(p.AutohostTLD)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("autohost tld: %w", err)
|
|
}
|
|
|
|
autohostSuffix = tldToSuffix(p.AutohostTLD)
|
|
}
|
|
|
|
s = &Server{
|
|
dnsFilter: p.DNSFilter,
|
|
stats: p.Stats,
|
|
queryLog: p.QueryLog,
|
|
subnetDetector: p.SubnetDetector,
|
|
localResolvers: p.LocalResolvers,
|
|
autohostSuffix: autohostSuffix,
|
|
}
|
|
|
|
if p.DHCPServer != nil {
|
|
s.dhcpServer = p.DHCPServer
|
|
s.dhcpServer.SetOnLeaseChanged(s.onDHCPLeaseChanged)
|
|
s.onDHCPLeaseChanged(dhcpd.LeaseChangedAdded)
|
|
}
|
|
|
|
if runtime.GOARCH == "mips" || runtime.GOARCH == "mipsle" {
|
|
// Use plain DNS on MIPS, encryption is too slow
|
|
defaultDNS = defaultBootstrap
|
|
}
|
|
|
|
return s, nil
|
|
}
|
|
|
|
// NewCustomServer creates a new instance of *Server with custom internal proxy.
|
|
func NewCustomServer(internalProxy *proxy.Proxy) *Server {
|
|
s := &Server{}
|
|
if internalProxy != nil {
|
|
s.internalProxy = internalProxy
|
|
}
|
|
|
|
return s
|
|
}
|
|
|
|
// Close - close object
|
|
func (s *Server) Close() {
|
|
s.Lock()
|
|
s.dnsFilter = nil
|
|
s.stats = nil
|
|
s.queryLog = nil
|
|
s.dnsProxy = nil
|
|
|
|
err := s.ipset.Close()
|
|
if err != nil {
|
|
log.Error("closing ipset: %s", err)
|
|
}
|
|
|
|
s.Unlock()
|
|
}
|
|
|
|
// WriteDiskConfig - write configuration
|
|
func (s *Server) WriteDiskConfig(c *FilteringConfig) {
|
|
s.RLock()
|
|
sc := s.conf.FilteringConfig
|
|
*c = sc
|
|
c.RatelimitWhitelist = stringArrayDup(sc.RatelimitWhitelist)
|
|
c.BootstrapDNS = stringArrayDup(sc.BootstrapDNS)
|
|
c.AllowedClients = stringArrayDup(sc.AllowedClients)
|
|
c.DisallowedClients = stringArrayDup(sc.DisallowedClients)
|
|
c.BlockedHosts = stringArrayDup(sc.BlockedHosts)
|
|
c.UpstreamDNS = stringArrayDup(sc.UpstreamDNS)
|
|
s.RUnlock()
|
|
}
|
|
|
|
// Resolve - get IP addresses by host name from an upstream server.
|
|
// No request/response filtering is performed.
|
|
// Query log and Stats are not updated.
|
|
// This method may be called before Start().
|
|
func (s *Server) Resolve(host string) ([]net.IPAddr, error) {
|
|
s.RLock()
|
|
defer s.RUnlock()
|
|
return s.internalProxy.LookupIPAddr(host)
|
|
}
|
|
|
|
// Exchange - send DNS request to an upstream server and receive response
|
|
// No request/response filtering is performed.
|
|
// Query log and Stats are not updated.
|
|
// This method may be called before Start().
|
|
func (s *Server) Exchange(req *dns.Msg) (*dns.Msg, error) {
|
|
s.RLock()
|
|
defer s.RUnlock()
|
|
|
|
ctx := &proxy.DNSContext{
|
|
Proto: "udp",
|
|
Req: req,
|
|
StartTime: time.Now(),
|
|
}
|
|
err := s.internalProxy.Resolve(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return ctx.Res, nil
|
|
}
|
|
|
|
// Start starts the DNS server.
|
|
func (s *Server) Start() error {
|
|
s.Lock()
|
|
defer s.Unlock()
|
|
return s.startLocked()
|
|
}
|
|
|
|
// startLocked starts the DNS server without locking. For internal use only.
|
|
func (s *Server) startLocked() error {
|
|
err := s.dnsProxy.Start()
|
|
if err == nil {
|
|
s.isRunning = true
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Prepare the object
|
|
func (s *Server) Prepare(config *ServerConfig) error {
|
|
// Initialize the server configuration
|
|
// --
|
|
if config != nil {
|
|
s.conf = *config
|
|
if s.conf.BlockingMode == "custom_ip" {
|
|
if s.conf.BlockingIPv4 == nil || s.conf.BlockingIPv6 == nil {
|
|
return fmt.Errorf("dns: invalid custom blocking IP address specified")
|
|
}
|
|
}
|
|
}
|
|
|
|
// Set default values in the case if nothing is configured
|
|
// --
|
|
s.initDefaultSettings()
|
|
|
|
// Initialize IPSET configuration
|
|
// --
|
|
err := s.ipset.init(s.conf.IPSETList)
|
|
if err != nil {
|
|
if !errors.Is(err, os.ErrInvalid) && !errors.Is(err, os.ErrPermission) {
|
|
return fmt.Errorf("cannot initialize ipset: %w", err)
|
|
}
|
|
|
|
// ipset cannot currently be initialized if the server was
|
|
// installed from Snap or when the user or the binary doesn't
|
|
// have the required permissions, or when the kernel doesn't
|
|
// support netfilter.
|
|
//
|
|
// Log and go on.
|
|
//
|
|
// TODO(a.garipov): The Snap problem can probably be solved if
|
|
// we add the netlink-connector interface plug.
|
|
log.Error("cannot initialize ipset: %s", err)
|
|
}
|
|
|
|
// Prepare DNS servers settings
|
|
// --
|
|
err = s.prepareUpstreamSettings()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Create DNS proxy configuration
|
|
// --
|
|
var proxyConfig proxy.Config
|
|
proxyConfig, err = s.createProxyConfig()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Prepare a DNS proxy instance that we use for internal DNS queries
|
|
// --
|
|
s.prepareIntlProxy()
|
|
|
|
// Initialize DNS access module
|
|
// --
|
|
s.access = &accessCtx{}
|
|
err = s.access.Init(s.conf.AllowedClients, s.conf.DisallowedClients, s.conf.BlockedHosts)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Register web handlers if necessary
|
|
// --
|
|
if !webRegistered && s.conf.HTTPRegister != nil {
|
|
webRegistered = true
|
|
s.registerHandlers()
|
|
}
|
|
|
|
// Create the main DNS proxy instance
|
|
// --
|
|
s.dnsProxy = &proxy.Proxy{Config: proxyConfig}
|
|
return nil
|
|
}
|
|
|
|
// Stop stops the DNS server.
|
|
func (s *Server) Stop() error {
|
|
s.Lock()
|
|
defer s.Unlock()
|
|
return s.stopLocked()
|
|
}
|
|
|
|
// stopLocked stops the DNS server without locking. For internal use only.
|
|
func (s *Server) stopLocked() error {
|
|
if s.dnsProxy != nil {
|
|
err := s.dnsProxy.Stop()
|
|
if err != nil {
|
|
return fmt.Errorf("could not stop the DNS server properly: %w", err)
|
|
}
|
|
}
|
|
|
|
s.isRunning = false
|
|
return nil
|
|
}
|
|
|
|
// IsRunning returns true if the DNS server is running
|
|
func (s *Server) IsRunning() bool {
|
|
s.RLock()
|
|
defer s.RUnlock()
|
|
return s.isRunning
|
|
}
|
|
|
|
// Reconfigure applies the new configuration to the DNS server
|
|
func (s *Server) Reconfigure(config *ServerConfig) error {
|
|
s.Lock()
|
|
defer s.Unlock()
|
|
|
|
log.Print("Start reconfiguring the server")
|
|
err := s.stopLocked()
|
|
if err != nil {
|
|
return fmt.Errorf("could not reconfigure the server: %w", err)
|
|
}
|
|
|
|
// It seems that net.Listener.Close() doesn't close file descriptors right away.
|
|
// We wait for some time and hope that this fd will be closed.
|
|
time.Sleep(100 * time.Millisecond)
|
|
|
|
err = s.Prepare(config)
|
|
if err != nil {
|
|
return fmt.Errorf("could not reconfigure the server: %w", err)
|
|
}
|
|
|
|
err = s.startLocked()
|
|
if err != nil {
|
|
return fmt.Errorf("could not reconfigure the server: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ServeHTTP is a HTTP handler method we use to provide DNS-over-HTTPS
|
|
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
s.RLock()
|
|
p := s.dnsProxy
|
|
s.RUnlock()
|
|
if p != nil { // an attempt to protect against race in case we're here after Close() was called
|
|
p.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
// IsBlockedIP - return TRUE if this client should be blocked
|
|
func (s *Server) IsBlockedIP(ip net.IP) (bool, string) {
|
|
return s.access.IsBlockedIP(ip)
|
|
}
|