Pull request: 6122-dnsforward: ipv6 hints filtering
Merge in DNS/adguard-home from 6122-ipv6hints-filtering to master
Squashed commit of the following:
commit 4c0923de9110ebd5dac28dbfbffeb7f834d7c567
Merge: b1ba1a9a8 4b4036fa6
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date: Tue Aug 22 17:00:46 2023 +0300
Merge remote-tracking branch 'origin/master' into 6122-ipv6hints-filtering
commit b1ba1a9a8641ae846d0360bd50115153ff7c3b19
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date: Tue Aug 22 15:56:45 2023 +0300
client: disable ipv6
commit 34f2a19aaec0928e83469945d807d9339715d671
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date: Tue Aug 22 15:16:27 2023 +0300
client: disable ipv6
commit e0387597f81163c9e76bcf20307099c1ca72ca22
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date: Tue Aug 22 15:11:45 2023 +0300
dnsforward: imp code
commit 22cdac4516759edbc6a81dd7636f0170fa669071
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date: Tue Aug 22 13:59:22 2023 +0300
dnsforward: ipv6 hints filtering
parent
4b4036fa6a
commit
cb6d4620c5
|
@ -25,6 +25,8 @@ NOTE: Add new changes BELOW THIS COMMENT.
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
|
- IPv6 hints are now filtered in case IPv6 addresses resolving is disabled
|
||||||
|
([#6122]).
|
||||||
- The ability to set fallback DNS servers in the configuration file ([#3701]).
|
- The ability to set fallback DNS servers in the configuration file ([#3701]).
|
||||||
- While adding or updating blocklists, the title can now be parsed from
|
- While adding or updating blocklists, the title can now be parsed from
|
||||||
`! Title:` definition of the blocklist's source ([#6020]).
|
`! Title:` definition of the blocklist's source ([#6020]).
|
||||||
|
@ -76,6 +78,7 @@ In this release, the schema version has changed from 24 to 25.
|
||||||
[#6020]: https://github.com/AdguardTeam/AdGuardHome/issues/6020
|
[#6020]: https://github.com/AdguardTeam/AdGuardHome/issues/6020
|
||||||
[#6053]: https://github.com/AdguardTeam/AdGuardHome/issues/6053
|
[#6053]: https://github.com/AdguardTeam/AdGuardHome/issues/6053
|
||||||
[#6093]: https://github.com/AdguardTeam/AdGuardHome/issues/6093
|
[#6093]: https://github.com/AdguardTeam/AdGuardHome/issues/6093
|
||||||
|
[#6122]: https://github.com/AdguardTeam/AdGuardHome/issues/6122
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
NOTE: Add new changes ABOVE THIS COMMENT.
|
NOTE: Add new changes ABOVE THIS COMMENT.
|
||||||
|
|
|
@ -568,7 +568,7 @@
|
||||||
"rewrite_A": "<0>A</0>: special value, keep <0>A</0> records from the upstream",
|
"rewrite_A": "<0>A</0>: special value, keep <0>A</0> records from the upstream",
|
||||||
"rewrite_AAAA": "<0>AAAA</0>: special value, keep <0>AAAA</0> records from the upstream",
|
"rewrite_AAAA": "<0>AAAA</0>: special value, keep <0>AAAA</0> records from the upstream",
|
||||||
"disable_ipv6": "Disable resolving of IPv6 addresses",
|
"disable_ipv6": "Disable resolving of IPv6 addresses",
|
||||||
"disable_ipv6_desc": "Drop all DNS queries for IPv6 addresses (type AAAA).",
|
"disable_ipv6_desc": "Drop all DNS queries for IPv6 addresses (type AAAA) and remove IPv6 hints from HTTPS responses.",
|
||||||
"fastest_addr": "Fastest IP address",
|
"fastest_addr": "Fastest IP address",
|
||||||
"fastest_addr_desc": "Query all DNS servers and return the fastest IP address among all responses. This slows down DNS queries as AdGuard Home has to wait for responses from all DNS servers, but improves the overall connectivity.",
|
"fastest_addr_desc": "Query all DNS servers and return the fastest IP address among all responses. This slows down DNS queries as AdGuard Home has to wait for responses from all DNS servers, but improves the overall connectivity.",
|
||||||
"autofix_warning_text": "If you click \"Fix\", AdGuard Home will configure your system to use AdGuard Home DNS server.",
|
"autofix_warning_text": "If you click \"Fix\", AdGuard Home will configure your system to use AdGuard Home DNS server.",
|
||||||
|
|
|
@ -12,6 +12,7 @@ import (
|
||||||
"github.com/AdguardTeam/golibs/log"
|
"github.com/AdguardTeam/golibs/log"
|
||||||
"github.com/AdguardTeam/golibs/netutil"
|
"github.com/AdguardTeam/golibs/netutil"
|
||||||
"github.com/miekg/dns"
|
"github.com/miekg/dns"
|
||||||
|
"golang.org/x/exp/slices"
|
||||||
)
|
)
|
||||||
|
|
||||||
// beforeRequestHandler is the handler that is called before any other
|
// beforeRequestHandler is the handler that is called before any other
|
||||||
|
@ -208,12 +209,23 @@ func (s *Server) filterDNSResponse(
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// removeIPv6Hints deletes IPv6 hints from RR values.
|
||||||
|
func removeIPv6Hints(rr *dns.HTTPS) {
|
||||||
|
rr.Value = slices.DeleteFunc(rr.Value, func(kv dns.SVCBKeyValue) (del bool) {
|
||||||
|
_, ok := kv.(*dns.SVCBIPv6Hint)
|
||||||
|
|
||||||
|
return ok
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
// filterHTTPSRecords filters HTTPS answers information through all rule list
|
// filterHTTPSRecords filters HTTPS answers information through all rule list
|
||||||
// filters of the server filters.
|
// filters of the server filters. Removes IPv6 hints if IPv6 resolving is
|
||||||
func (s *Server) filterHTTPSRecords(
|
// disabled.
|
||||||
rr *dns.HTTPS,
|
func (s *Server) filterHTTPSRecords(rr *dns.HTTPS, setts *filtering.Settings) (r *filtering.Result, err error) {
|
||||||
setts *filtering.Settings,
|
if s.conf.AAAADisabled {
|
||||||
) (r *filtering.Result, err error) {
|
removeIPv6Hints(rr)
|
||||||
|
}
|
||||||
|
|
||||||
for _, kv := range rr.Value {
|
for _, kv := range rr.Value {
|
||||||
var ips []net.IP
|
var ips []net.IP
|
||||||
switch hint := kv.(type) {
|
switch hint := kv.(type) {
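Review bot: The IPv6-hint removal added at the top of `filterHTTPSRecords` only runs when this rule-list filter runs, so enforcement of `AAAADisabled` on HTTPS answers depends on whatever conditions lead `filterDNSResponse` to call it. That caller is outside the hunk, so this is inferred; but if the call is skipped when protection is off for a client, or when the answer did not come from an upstream, those clients would still receive `ipv6hint` addresses even though their AAAA queries are dropped. Consider applying `if s.conf.AAAADisabled { removeIPv6Hints(rr) }` where HTTPS answers are first seen, ahead of any protection check, and keeping `filterHTTPSRecords` to rule matching only. The body of `filterHTTPSRecords` continues past the end of the hunk.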
|
||||||
|
|
|
@ -113,6 +113,99 @@ func TestServer_ProcessInitial(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestServer_ProcessFilteringAfterResponse(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
var (
|
||||||
|
testIPv4 net.IP = netip.MustParseAddr("1.1.1.1").AsSlice()
|
||||||
|
testIPv6 net.IP = netip.MustParseAddr("1234::cdef").AsSlice()
|
||||||
|
)
|
||||||
|
|
||||||
|
testCases := []struct {
|
||||||
|
name string
|
||||||
|
req *dns.Msg
|
||||||
|
aaaaDisabled bool
|
||||||
|
respAns []dns.RR
|
||||||
|
wantRC resultCode
|
||||||
|
wantRespAns []dns.RR
|
||||||
|
}{{
|
||||||
|
name: "pass",
|
||||||
|
req: createTestMessageWithType(aghtest.ReqFQDN, dns.TypeHTTPS),
|
||||||
|
aaaaDisabled: false,
|
||||||
|
respAns: newSVCBHintsAnswer(
|
||||||
|
aghtest.ReqFQDN,
|
||||||
|
[]dns.SVCBKeyValue{
|
||||||
|
&dns.SVCBIPv4Hint{Hint: []net.IP{testIPv4}},
|
||||||
|
&dns.SVCBIPv6Hint{Hint: []net.IP{testIPv6}},
|
||||||
|
},
|
||||||
|
),
|
||||||
|
wantRespAns: newSVCBHintsAnswer(
|
||||||
|
aghtest.ReqFQDN,
|
||||||
|
[]dns.SVCBKeyValue{
|
||||||
|
&dns.SVCBIPv4Hint{Hint: []net.IP{testIPv4}},
|
||||||
|
&dns.SVCBIPv6Hint{Hint: []net.IP{testIPv6}},
|
||||||
|
},
|
||||||
|
),
|
||||||
|
wantRC: resultCodeSuccess,
|
||||||
|
}, {
|
||||||
|
name: "filter",
|
||||||
|
req: createTestMessageWithType(aghtest.ReqFQDN, dns.TypeHTTPS),
|
||||||
|
aaaaDisabled: true,
|
||||||
|
respAns: newSVCBHintsAnswer(
|
||||||
|
aghtest.ReqFQDN,
|
||||||
|
[]dns.SVCBKeyValue{
|
||||||
|
&dns.SVCBIPv4Hint{Hint: []net.IP{testIPv4}},
|
||||||
|
&dns.SVCBIPv6Hint{Hint: []net.IP{testIPv6}},
|
||||||
|
},
|
||||||
|
),
|
||||||
|
wantRespAns: newSVCBHintsAnswer(
|
||||||
|
aghtest.ReqFQDN,
|
||||||
|
[]dns.SVCBKeyValue{
|
||||||
|
&dns.SVCBIPv4Hint{Hint: []net.IP{testIPv4}},
|
||||||
|
},
|
||||||
|
),
|
||||||
|
wantRC: resultCodeSuccess,
|
||||||
|
}}
|
||||||
|
|
||||||
|
for _, tc := range testCases {
|
||||||
|
tc := tc
|
||||||
|
|
||||||
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
c := ServerConfig{
|
||||||
|
FilteringConfig: FilteringConfig{
|
||||||
|
AAAADisabled: tc.aaaaDisabled,
|
||||||
|
EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
s := createTestServer(t, &filtering.Config{}, c, nil)
|
||||||
|
|
||||||
|
resp := newResp(dns.RcodeSuccess, tc.req, tc.respAns)
|
||||||
|
dctx := &dnsContext{
|
||||||
|
setts: &filtering.Settings{
|
||||||
|
FilteringEnabled: true,
|
||||||
|
ProtectionEnabled: true,
|
||||||
|
},
|
||||||
|
protectionEnabled: true,
|
||||||
|
responseFromUpstream: true,
|
||||||
|
result: &filtering.Result{},
|
||||||
|
proxyCtx: &proxy.DNSContext{
|
||||||
|
Proto: proxy.ProtoUDP,
|
||||||
|
Req: tc.req,
|
||||||
|
Res: resp,
|
||||||
|
Addr: testClientAddr,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
gotRC := s.processFilteringAfterResponse(dctx)
|
||||||
|
assert.Equal(t, tc.wantRC, gotRC)
|
||||||
|
assert.Equal(t, newResp(dns.RcodeSuccess, tc.req, tc.wantRespAns), dctx.proxyCtx.Res)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestServer_ProcessDDRQuery(t *testing.T) {
|
func TestServer_ProcessDDRQuery(t *testing.T) {
|
||||||
dohSVCB := &dns.SVCB{
|
dohSVCB := &dns.SVCB{
|
||||||
Priority: 1,
|
Priority: 1,
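Review bot: Both table cases in `TestServer_ProcessFilteringAfterResponse` build `dctx` with `protectionEnabled: true` and `responseFromUpstream: true`, so nothing pins what happens to IPv6 hints when `aaaaDisabled` is set but filtering is off for the client or the answer is not from an upstream. Adding a table field for those flags and a case such as `name: "filter_protection_disabled"` would make the intended behaviour explicit and guard it against regressions. A case whose HTTPS record carries no `ipv6hint` at all would also confirm that such a record is left untouched.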
|
||||||
|
|