From 07ebcc2bf3bf4e4d3535f0d1d5191cbc82ba876d Mon Sep 17 00:00:00 2001 From: Simon Zolin Date: Mon, 30 Dec 2019 18:41:51 +0300 Subject: [PATCH] * DNS: nxdomain: don't return IP address for a blocked domain Don't return IP address for a blocked domain when blocking mode is "nxdomain". --- AGHTechDoc.md | 10 ++++++++-- dnsforward/dnsforward.go | 10 ++++++---- dnsforward/dnsforward_http.go | 2 +- openapi/openapi.yaml | 1 + 4 files changed, 16 insertions(+), 7 deletions(-) diff --git a/AGHTechDoc.md b/AGHTechDoc.md index 3045d6f7..e8f98db4 100644 --- a/AGHTechDoc.md +++ b/AGHTechDoc.md @@ -831,7 +831,7 @@ Response: { "protection_enabled": true | false, "ratelimit": 1234, - "blocking_mode": "nxdomain" | "null_ip" | "custom_ip", + "blocking_mode": "default" | "nxdomain" | "null_ip" | "custom_ip", "blocking_ipv4": "1.2.3.4", "blocking_ipv6": "1:2:3::4", "edns_cs_enabled": true | false, @@ -848,7 +848,7 @@ Request: { "protection_enabled": true | false, "ratelimit": 1234, - "blocking_mode": "nxdomain" | "null_ip" | "custom_ip", + "blocking_mode": "default" | "nxdomain" | "null_ip" | "custom_ip", "blocking_ipv4": "1.2.3.4", "blocking_ipv6": "1:2:3::4", "edns_cs_enabled": true | false, @@ -859,6 +859,12 @@ Response: 200 OK +`blocking_mode`: +* default: Respond with NXDOMAIN when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule +* NXDOMAIN: Respond with NXDOMAIN code +* Null IP: Respond with zero IP address (0.0.0.0 for A; :: for AAAA) +* Custom IP: Respond with a manually set IP address + `blocking_ipv4` and `blocking_ipv6` values are active when `blocking_mode` is set to `custom_ip`. diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go index 32875db1..462cf4d3 100644 --- a/dnsforward/dnsforward.go +++ b/dnsforward/dnsforward.go 
@@ -727,10 +727,6 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu case dnsfilter.FilteredParental: return s.genBlockedHost(m, s.conf.ParentalBlockHost, d) default: - if result.IP != nil { - return s.genResponseWithIP(m, result.IP) - } - if s.conf.BlockingMode == "null_ip" { switch m.Question[0].Qtype { case dns.TypeA: @@ -746,8 +742,14 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu case dns.TypeAAAA: return s.genAAAARecord(m, s.conf.BlockingIPAddrv6) } + + } else if s.conf.BlockingMode == "nxdomain" { + return s.genNXDomain(m) } + if result.IP != nil { + return s.genResponseWithIP(m, result.IP) + } return s.genNXDomain(m) } } diff --git a/dnsforward/dnsforward_http.go b/dnsforward/dnsforward_http.go index c20ac7fc..088add56 100644 --- a/dnsforward/dnsforward_http.go +++ b/dnsforward/dnsforward_http.go @@ -54,7 +54,7 @@ func (s *Server) handleGetConfig(w http.ResponseWriter, r *http.Request) { func checkBlockingMode(req dnsConfigJSON) bool { bm := req.BlockingMode - if !(bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") { + if !(bm == "default" || bm == "nxdomain" || bm == "null_ip" || bm == "custom_ip") { return false } diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml index 2400b9b7..2d042c62 100644 --- a/openapi/openapi.yaml +++ b/openapi/openapi.yaml @@ -1075,6 +1075,7 @@ definitions: blocking_mode: type: "string" enum: + - "default" - "nxdomain" - "null_ip" - "custom_ip"
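Review bot: In dnsforward/dnsforward.go (hunk `-746,8 +742,14`), moving the `result.IP` check below the whole blocking-mode chain changes more than the `nxdomain` case named in the commit title. As far as the visible branches show, the `null_ip` branch and the branch returning `BlockingIPAddrv6` now answer A/AAAA questions before a hosts-style rule's IP is considered, and only other question types fall through to `genResponseWithIP`. If that is intended, say so at the fall-through, e.g. `// "default" mode, or a non-A/AAAA question in the IP modes: use the rule's IP if it has one, else NXDOMAIN`. `"default"` has no branch of its own, so an empty or unrecognised `BlockingMode` silently behaves like it; a `switch s.conf.BlockingMode` with an explicit `case "default":` would make that visible. The body of `genDNSFilterMessage` starts before and continues between the two hunks, so the middle of the chain is not visible here.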
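Review bot: In dnsforward/dnsforward_http.go, `checkBlockingMode` now repeats as bare literals the mode strings that `genDNSFilterMessage` compares against and that openapi.yaml enumerates, so the allowlist for this request field can drift from what the resolver actually handles. A `switch` reads better than the negated `||` chain as modes are added: `switch req.BlockingMode { case "default", "nxdomain", "null_ip", "custom_ip": default: return false }`, ideally over named constants shared with dnsforward.go. `checkBlockingMode` continues past the end of the hunk, so any further checks it makes are not visible here.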