From 4134a8c30e4e3e32eab0dcc595798ffbb907e791 Mon Sep 17 00:00:00 2001
From: Simon Zolin
Date: Mon, 22 Jul 2019 12:16:30 +0300
Subject: [PATCH 1/4] + dnsforward, config: add "parental_block_host" and "safebrowsing_block_host" settings
---
 dnsforward/dnsforward.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index bfbf43c6..eeebb6c8 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -92,6 +92,10 @@ type FilteringConfig struct {
 DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
 BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
+ // IP (or domain name) which is used to respond to DNS requests blocked by parental control or safe-browsing
+ ParentalBlockHost string `yaml:"parental_block_host"`
+ SafeBrowsingBlockHost string `yaml:"safebrowsing_block_host"`
+
 dnsfilter.Config `yaml:",inline"`
 }
@@ -258,6 +262,13 @@ func (s *Server) initDNSFilter() error {
 }
 }
+ if len(s.conf.ParentalBlockHost) == 0 {
+ s.conf.ParentalBlockHost = parentalBlockHost
+ }
+ if len(s.conf.SafeBrowsingBlockHost) == 0 {
+ s.conf.SafeBrowsingBlockHost = safeBrowsingBlockHost
+ }
+
 s.dnsFilter = dnsfilter.New(&s.conf.Config, filters)
 if s.dnsFilter == nil {
 return fmt.Errorf("could not initialize dnsfilter")
@@ -515,9 +526,9 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
 switch result.Reason {
 case dnsfilter.FilteredSafeBrowsing:
- return s.genBlockedHost(m, safeBrowsingBlockHost, d)
+ return s.genBlockedHost(m, s.conf.SafeBrowsingBlockHost, d)
 case dnsfilter.FilteredParental:
- return s.genBlockedHost(m, parentalBlockHost, d)
+ return s.genBlockedHost(m, s.conf.ParentalBlockHost, d)
 default:
 if result.IP != nil {
 if m.Question[0].Qtype == dns.TypeA {
From 4a05ab00577434864a2d87c29f0e7ccf5c7783e9 Mon Sep 17 00:00:00 2001
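Review bot: The comment on the two new FilteringConfig fields says the value may be an IP or a domain name, but it leaves out what an operator actually needs to know about each form: a host name is resolved through a fresh upstream query on every blocked request (genBlockedHost's `// look up the hostname, TODO: cache` path, visible as context in the second patch of this series), an IP literal is answered locally, and an empty value silently selects the built-in default. I would replace the comment with `// ParentalBlockHost/SafeBrowsingBlockHost: IP address (or host name, resolved upstream on each blocked request) that answers requests blocked by parental control / safe browsing; empty selects the built-in default.` Within this first patch alone an IP literal would still go through the host-name lookup, since the IP branch only arrives in the next patch. FilteringConfig starts in the hunk header, so the rest of the struct is outside this hunk.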
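Review bot: The two fall-back checks in initDNSFilter test `len(s.conf.ParentalBlockHost) == 0`; for a string the idiomatic and clearer form is `if s.conf.ParentalBlockHost == "" {` and `if s.conf.SafeBrowsingBlockHost == "" {`. The defaults are also written back into s.conf rather than held in a local, so after this point nothing can tell "unset" from "explicitly configured to the default" — presumably intended, but worth saying: `// fall back to the built-in block hosts; written into s.conf so every later reader sees the effective value`. initDNSFilter begins and ends outside this hunk.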
From: Simon Zolin
Date: Mon, 22 Jul 2019 12:33:45 +0300
Subject: [PATCH 2/4] * dnsforward: parental control server can be an IP address, not just host name
---
 dnsforward/dnsforward.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index eeebb6c8..e7cef514 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -601,7 +601,27 @@ func (s *Server) genAAAAAnswer(req *dns.Msg, ip net.IP) *dns.AAAA {
 return answer
 }
+// generate DNS response message with an IP address
+func (s *Server) genResponseWithIP(req *dns.Msg, ip net.IP) *dns.Msg {
+ if req.Question[0].Qtype == dns.TypeA && ip.To4() != nil {
+ return s.genARecord(req, ip.To4())
+ } else if req.Question[0].Qtype == dns.TypeAAAA && ip.To4() == nil {
+ return s.genAAAARecord(req, ip)
+ }
+
+ // empty response
+ resp := dns.Msg{}
+ resp.SetReply(req)
+ return &resp
+}
+
 func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSContext) *dns.Msg {
+
+ ip := net.ParseIP(newAddr)
+ if ip != nil {
+ return s.genResponseWithIP(request, ip)
+ }
+
 // look up the hostname, TODO: cache
 replReq := dns.Msg{}
 replReq.SetQuestion(dns.Fqdn(newAddr), request.Question[0].Qtype)
From 5a3de2a276c40b795cdc916d4e03c1a458ba313b Mon Sep 17 00:00:00 2001
From: Simon Zolin
Date: Mon, 22 Jul 2019 12:33:58 +0300
Subject: [PATCH 3/4] * refactor
---
 dnsforward/dnsforward.go | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index e7cef514..7cd88eda 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
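Review bot: genResponseWithIP calls `ip.To4()` three times and uses `else if` after a return; computing the IPv4 view and the query type once reads more clearly and makes the family check obvious. The `// empty response` fall-through deserves a sharper comment, because it is the security-relevant part: when the configured block address does not match the query type (IPv4 address on an AAAA query, or the reverse) the client gets NOERROR with no records rather than an error, which is the correct NODATA answer and should be stated. In genBlockedHost, the new `net.ParseIP` branch means an IP-literal setting is answered without any upstream traffic, whereas a host-name setting still pays an uncached upstream lookup per blocked request (the `TODO: cache` line) — worth a note next to the parse, e.g. `// IP literal: answer locally, no upstream lookup`. genBlockedHost's body continues past the end of the hunk.
```go
func (s *Server) genResponseWithIP(req *dns.Msg, ip net.IP) *dns.Msg {
	qtype := req.Question[0].Qtype
	ip4 := ip.To4()
	if qtype == dns.TypeA && ip4 != nil {
		return s.genARecord(req, ip4)
	}
	if qtype == dns.TypeAAAA && ip4 == nil {
		return s.genAAAARecord(req, ip)
	}

	// address family does not match the query type: reply NOERROR with no records (NODATA)
	resp := dns.Msg{}
	resp.SetReply(req)
	return &resp
}
```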
@@ -531,16 +531,7 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
 return s.genBlockedHost(m, s.conf.ParentalBlockHost, d)
 default:
 if result.IP != nil {
- if m.Question[0].Qtype == dns.TypeA {
- return s.genARecord(m, result.IP)
- } else if m.Question[0].Qtype == dns.TypeAAAA {
- return s.genAAAARecord(m, result.IP)
- }
-
- // empty response
- resp := dns.Msg{}
- resp.SetReply(m)
- return &resp
+ return s.genResponseWithIP(m, result.IP)
 }
 if s.conf.BlockingMode == "null_ip" {
From fdf7ee2c08d4177d78fcdc20571bc7d2b61320ae Mon Sep 17 00:00:00 2001
From: Simon Zolin
Date: Mon, 22 Jul 2019 12:52:27 +0300
Subject: [PATCH 4/4] * refactor: don't set new configuration while running DNS server
---
 dnsforward/dnsforward.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index 7cd88eda..ef9fbc20 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -177,15 +177,11 @@ func processIPCIDRArray(dst *map[string]bool, dstIPNet *[]net.IPNet, src []strin
 // startInternal starts without locking
 func (s *Server) startInternal(config *ServerConfig) error {
- if config != nil {
- s.conf = *config
- }
-
 if s.dnsFilter != nil || s.dnsProxy != nil {
 return errors.New("DNS server is already started")
 }
- err := s.initDNSFilter()
+ err := s.initDNSFilter(config)
 if err != nil {
 return err
 }
@@ -246,9 +242,13 @@ func (s *Server) startInternal(config *ServerConfig) error {
 }
 // Initializes the DNS filter
-func (s *Server) initDNSFilter() error {
+func (s *Server) initDNSFilter(config *ServerConfig) error {
 log.Tracef("Creating dnsfilter")
+ if config != nil {
+ s.conf = *config
+ }
+
 var filters map[int]string
 filters = nil
 if s.conf.FilteringEnabled {
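Review bot: With the config copy moved out of startInternal, a call on a server that is already running now returns `errors.New("DNS server is already started")` before `config` is ever looked at, so the caller's new configuration is dropped silently rather than half-applied; that is presumably the point of the commit, but the one-line comment `// startInternal starts without locking` does not say so. I would extend it to `// startInternal starts without locking; config, when non-nil, replaces s.conf via initDNSFilter and is ignored when the server is already running.` The hunk ends inside startInternal, whose body continues below.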
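Review bot: initDNSFilter now replaces the whole `s.conf` when `config` is non-nil, which its leading comment `// Initializes the DNS filter` no longer covers, and the placement of that copy is load-bearing: it has to precede `dnsfilter.New(&s.conf.Config, filters)` further down the function (seen in the first patch of this series), which takes a pointer into `s.conf`, so a later `s.conf = *config` would change the filter's config underneath it. I would change the comment to `// initDNSFilter applies config (nil keeps the current s.conf) and then creates the DNS filter; the copy must run before dnsfilter.New takes &s.conf.Config.` The function body continues past the end of the hunk.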