Pull request 1944: 6049-block-ns-root
Updates #6049. Squashed commit of the following: commit 288a486b741b4dc57769bd5a0bdd67b4d75cc8c0 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Jul 27 20:59:14 2023 +0300 dnsforward: fix blocking of ns root
This commit is contained in:
parent
300821a7fb
commit
79306cb48a
|
@ -25,10 +25,15 @@ NOTE: Add new changes BELOW THIS COMMENT.
|
|||
|
||||
### Fixed
|
||||
|
||||
- Inability to block queries for the root domain, such as `NS .` queries, using
|
||||
the *Disallowed domains* feature on the *DNS settings* page ([#6049]). Users
|
||||
who want to block `.` queries should use the `|.^` AdBlock rule or a similar
|
||||
regular expression.
|
||||
- Client hostnames not resolving when upstream server responds with zero-TTL
|
||||
records ([#6046]).
|
||||
|
||||
[#6046]: https://github.com/AdguardTeam/AdGuardHome/issues/6046
|
||||
[#6049]: https://github.com/AdguardTeam/AdGuardHome/issues/6049
|
||||
|
||||
<!--
|
||||
NOTE: Add new changes ABOVE THIS COMMENT.
|
||||
|
|
|
@ -90,7 +90,7 @@ func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, er
|
|||
|
||||
lists := []filterlist.RuleList{
|
||||
&filterlist.StringRuleList{
|
||||
ID: int(0),
|
||||
ID: 0,
|
||||
RulesText: b.String(),
|
||||
IgnoreCosmetic: true,
|
||||
},
|
||||
|
|
|
@ -31,6 +31,7 @@ func TestIsBlockedHost(t *testing.T) {
|
|||
"*.host.com",
|
||||
"||host3.com^",
|
||||
"||*^$dnstype=HTTPS",
|
||||
"|.^",
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
|
@ -94,6 +95,11 @@ func TestIsBlockedHost(t *testing.T) {
|
|||
name: "by_qtype_other",
|
||||
host: "site-with-https-record.example",
|
||||
qt: dns.TypeA,
|
||||
}, {
|
||||
want: assert.True,
|
||||
name: "ns_root",
|
||||
host: ".",
|
||||
qt: dns.TypeNS,
|
||||
}}
|
||||
|
||||
for _, tc := range testCases {
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
|
||||
"github.com/AdguardTeam/dnsproxy/proxy"
|
||||
"github.com/AdguardTeam/golibs/log"
|
||||
|
@ -33,9 +34,9 @@ func (s *Server) beforeRequestHandler(
|
|||
if len(pctx.Req.Question) == 1 {
|
||||
q := pctx.Req.Question[0]
|
||||
qt := q.Qtype
|
||||
host := strings.TrimSuffix(q.Name, ".")
|
||||
host := aghnet.NormalizeDomain(q.Name)
|
||||
if s.access.isBlockedHost(host, qt) {
|
||||
log.Debug("request %s %s is in access blocklist", dns.Type(qt), host)
|
||||
log.Debug("access: request %s %s is in access blocklist", dns.Type(qt), host)
|
||||
|
||||
return s.preBlockedResponse(pctx)
|
||||
}
|
||||
|
@ -79,7 +80,12 @@ func (s *Server) filterDNSRequest(dctx *dnsContext) (res *filtering.Result, err
|
|||
res = &resVal
|
||||
switch {
|
||||
case res.IsFiltered:
|
||||
log.Tracef("host %q is filtered, reason %q, rule: %q", host, res.Reason, res.Rules[0].Text)
|
||||
log.Debug(
|
||||
"dnsforward: host %q is filtered, reason: %q; rule: %q",
|
||||
host,
|
||||
res.Reason,
|
||||
res.Rules[0].Text,
|
||||
)
|
||||
pctx.Res = s.genDNSFilterMessage(pctx, res)
|
||||
case res.Reason.In(filtering.Rewritten, filtering.RewrittenRule) &&
|
||||
res.CanonName != "" &&
|
||||
|
@ -189,7 +195,7 @@ func (s *Server) filterDNSResponse(
|
|||
continue
|
||||
} else if res.IsFiltered {
|
||||
pctx.Res = s.genDNSFilterMessage(pctx, res)
|
||||
log.Debug("DNSFwd: Matched %s by response: %s", pctx.Req.Question[0].Name, host)
|
||||
log.Debug("dnsforward: matched %q by response: %q", pctx.Req.Question[0].Name, host)
|
||||
|
||||
return res, nil
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue