268 lines
7.1 KiB
Go
268 lines
7.1 KiB
Go
package dnsforward
|
|
|
|
import (
|
|
"net"
|
|
"time"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/AdguardTeam/urlfilter/rules"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// makeResponse creates a DNS response by req and sets necessary flags. It also
|
|
// guarantees that req.Question will be not empty.
|
|
func (s *Server) makeResponse(req *dns.Msg) (resp *dns.Msg) {
|
|
resp = &dns.Msg{
|
|
MsgHdr: dns.MsgHdr{
|
|
RecursionAvailable: true,
|
|
},
|
|
Compress: true,
|
|
}
|
|
|
|
resp.SetReply(req)
|
|
|
|
return resp
|
|
}
|
|
|
|
// genDNSFilterMessage generates a DNS message corresponding to the filtering result
|
|
func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Result) *dns.Msg {
|
|
m := d.Req
|
|
|
|
if m.Question[0].Qtype != dns.TypeA && m.Question[0].Qtype != dns.TypeAAAA {
|
|
if s.conf.BlockingMode == "null_ip" {
|
|
return s.makeResponse(m)
|
|
}
|
|
return s.genNXDomain(m)
|
|
}
|
|
|
|
switch result.Reason {
|
|
case dnsfilter.FilteredSafeBrowsing:
|
|
return s.genBlockedHost(m, s.conf.SafeBrowsingBlockHost, d)
|
|
case dnsfilter.FilteredParental:
|
|
return s.genBlockedHost(m, s.conf.ParentalBlockHost, d)
|
|
default:
|
|
// If the query was filtered by "Safe search", dnsfilter also must return
|
|
// the IP address that must be used in response.
|
|
// In this case regardless of the filtering method, we should return it
|
|
if result.Reason == dnsfilter.FilteredSafeSearch &&
|
|
len(result.Rules) > 0 &&
|
|
result.Rules[0].IP != nil {
|
|
return s.genResponseWithIP(m, result.Rules[0].IP)
|
|
}
|
|
|
|
if s.conf.BlockingMode == "null_ip" {
|
|
// it means that we should return 0.0.0.0 or :: for any blocked request
|
|
return s.makeResponseNullIP(m)
|
|
} else if s.conf.BlockingMode == "custom_ip" {
|
|
// means that we should return custom IP for any blocked request
|
|
|
|
switch m.Question[0].Qtype {
|
|
case dns.TypeA:
|
|
return s.genARecord(m, s.conf.BlockingIPAddrv4)
|
|
case dns.TypeAAAA:
|
|
return s.genAAAARecord(m, s.conf.BlockingIPAddrv6)
|
|
}
|
|
} else if s.conf.BlockingMode == "nxdomain" {
|
|
// means that we should return NXDOMAIN for any blocked request
|
|
|
|
return s.genNXDomain(m)
|
|
} else if s.conf.BlockingMode == "refused" {
|
|
// means that we should return NXDOMAIN for any blocked request
|
|
|
|
return s.makeResponseREFUSED(m)
|
|
}
|
|
|
|
// Default blocking mode
|
|
// If there's an IP specified in the rule, return it
|
|
// For host-type rules, return null IP
|
|
if len(result.Rules) > 0 && result.Rules[0].IP != nil {
|
|
return s.genResponseWithIP(m, result.Rules[0].IP)
|
|
}
|
|
|
|
return s.makeResponseNullIP(m)
|
|
}
|
|
}
|
|
|
|
func (s *Server) genServerFailure(request *dns.Msg) *dns.Msg {
|
|
resp := dns.Msg{}
|
|
resp.SetRcode(request, dns.RcodeServerFailure)
|
|
resp.RecursionAvailable = true
|
|
return &resp
|
|
}
|
|
|
|
func (s *Server) genARecord(request *dns.Msg, ip net.IP) *dns.Msg {
|
|
resp := s.makeResponse(request)
|
|
resp.Answer = append(resp.Answer, s.genAnswerA(request, ip))
|
|
return resp
|
|
}
|
|
|
|
func (s *Server) genAAAARecord(request *dns.Msg, ip net.IP) *dns.Msg {
|
|
resp := s.makeResponse(request)
|
|
resp.Answer = append(resp.Answer, s.genAnswerAAAA(request, ip))
|
|
return resp
|
|
}
|
|
|
|
func (s *Server) hdr(req *dns.Msg, rrType rules.RRType) (h dns.RR_Header) {
|
|
return dns.RR_Header{
|
|
Name: req.Question[0].Name,
|
|
Rrtype: rrType,
|
|
Ttl: s.conf.BlockedResponseTTL,
|
|
Class: dns.ClassINET,
|
|
}
|
|
}
|
|
|
|
func (s *Server) genAnswerA(req *dns.Msg, ip net.IP) (ans *dns.A) {
|
|
return &dns.A{
|
|
Hdr: s.hdr(req, dns.TypeA),
|
|
A: ip,
|
|
}
|
|
}
|
|
|
|
func (s *Server) genAnswerAAAA(req *dns.Msg, ip net.IP) (ans *dns.AAAA) {
|
|
return &dns.AAAA{
|
|
Hdr: s.hdr(req, dns.TypeAAAA),
|
|
AAAA: ip,
|
|
}
|
|
}
|
|
|
|
func (s *Server) genAnswerCNAME(req *dns.Msg, cname string) (ans *dns.CNAME) {
|
|
return &dns.CNAME{
|
|
Hdr: s.hdr(req, dns.TypeCNAME),
|
|
Target: dns.Fqdn(cname),
|
|
}
|
|
}
|
|
|
|
func (s *Server) genAnswerMX(req *dns.Msg, mx *rules.DNSMX) (ans *dns.MX) {
|
|
return &dns.MX{
|
|
Hdr: s.hdr(req, dns.TypePTR),
|
|
Preference: mx.Preference,
|
|
Mx: mx.Exchange,
|
|
}
|
|
}
|
|
|
|
func (s *Server) genAnswerPTR(req *dns.Msg, ptr string) (ans *dns.PTR) {
|
|
return &dns.PTR{
|
|
Hdr: s.hdr(req, dns.TypePTR),
|
|
Ptr: ptr,
|
|
}
|
|
}
|
|
|
|
func (s *Server) genAnswerTXT(req *dns.Msg, strs []string) (ans *dns.TXT) {
|
|
return &dns.TXT{
|
|
Hdr: s.hdr(req, dns.TypeTXT),
|
|
Txt: strs,
|
|
}
|
|
}
|
|
|
|
// generate DNS response message with an IP address
|
|
func (s *Server) genResponseWithIP(req *dns.Msg, ip net.IP) *dns.Msg {
|
|
if req.Question[0].Qtype == dns.TypeA && ip.To4() != nil {
|
|
return s.genARecord(req, ip.To4())
|
|
} else if req.Question[0].Qtype == dns.TypeAAAA &&
|
|
len(ip) == net.IPv6len && ip.To4() == nil {
|
|
return s.genAAAARecord(req, ip)
|
|
}
|
|
|
|
// empty response
|
|
resp := s.makeResponse(req)
|
|
return resp
|
|
}
|
|
|
|
// Respond with 0.0.0.0 for A, :: for AAAA, empty response for other types
|
|
func (s *Server) makeResponseNullIP(req *dns.Msg) *dns.Msg {
|
|
if req.Question[0].Qtype == dns.TypeA {
|
|
return s.genARecord(req, []byte{0, 0, 0, 0})
|
|
} else if req.Question[0].Qtype == dns.TypeAAAA {
|
|
return s.genAAAARecord(req, net.IPv6zero)
|
|
}
|
|
|
|
return s.makeResponse(req)
|
|
}
|
|
|
|
func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSContext) *dns.Msg {
|
|
ip := net.ParseIP(newAddr)
|
|
if ip != nil {
|
|
return s.genResponseWithIP(request, ip)
|
|
}
|
|
|
|
// look up the hostname, TODO: cache
|
|
replReq := dns.Msg{}
|
|
replReq.SetQuestion(dns.Fqdn(newAddr), request.Question[0].Qtype)
|
|
replReq.RecursionDesired = true
|
|
|
|
newContext := &proxy.DNSContext{
|
|
Proto: d.Proto,
|
|
Addr: d.Addr,
|
|
StartTime: time.Now(),
|
|
Req: &replReq,
|
|
}
|
|
|
|
err := s.dnsProxy.Resolve(newContext)
|
|
if err != nil {
|
|
log.Printf("Couldn't look up replacement host %q: %s", newAddr, err)
|
|
return s.genServerFailure(request)
|
|
}
|
|
|
|
resp := s.makeResponse(request)
|
|
if newContext.Res != nil {
|
|
for _, answer := range newContext.Res.Answer {
|
|
answer.Header().Name = request.Question[0].Name
|
|
resp.Answer = append(resp.Answer, answer)
|
|
}
|
|
}
|
|
|
|
return resp
|
|
}
|
|
|
|
// Create REFUSED DNS response
|
|
func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
|
|
resp := dns.Msg{}
|
|
resp.SetRcode(request, dns.RcodeRefused)
|
|
resp.RecursionAvailable = true
|
|
return &resp
|
|
}
|
|
|
|
func (s *Server) genNXDomain(request *dns.Msg) *dns.Msg {
|
|
resp := dns.Msg{}
|
|
resp.SetRcode(request, dns.RcodeNameError)
|
|
resp.RecursionAvailable = true
|
|
resp.Ns = s.genSOA(request)
|
|
return &resp
|
|
}
|
|
|
|
func (s *Server) genSOA(request *dns.Msg) []dns.RR {
|
|
zone := ""
|
|
if len(request.Question) > 0 {
|
|
zone = request.Question[0].Name
|
|
}
|
|
|
|
soa := dns.SOA{
|
|
// values copied from verisign's nonexistent .com domain
|
|
// their exact values are not important in our use case because they are used for domain transfers between primary/secondary DNS servers
|
|
Refresh: 1800,
|
|
Retry: 900,
|
|
Expire: 604800,
|
|
Minttl: 86400,
|
|
// copied from AdGuard DNS
|
|
Ns: "fake-for-negative-caching.adguard.com.",
|
|
Serial: 100500,
|
|
// rest is request-specific
|
|
Hdr: dns.RR_Header{
|
|
Name: zone,
|
|
Rrtype: dns.TypeSOA,
|
|
Ttl: s.conf.BlockedResponseTTL,
|
|
Class: dns.ClassINET,
|
|
},
|
|
Mbox: "hostmaster.", // zone will be appended later if it's not empty or "."
|
|
}
|
|
if soa.Hdr.Ttl == 0 {
|
|
soa.Hdr.Ttl = defaultValues.BlockedResponseTTL
|
|
}
|
|
if len(zone) > 0 && zone[0] != '.' {
|
|
soa.Mbox += zone
|
|
}
|
|
return []dns.RR{&soa}
|
|
}
|