Pull request: 5117-dns64
Merge in DNS/adguard-home from 5117-dns64 to master Updates #5117. Squashed commit of the following: commit 757d689134b85bdac9a6f5e43249866ec09ab7e3 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Jan 23 19:06:18 2023 +0300 all: imp fmt commit b7a73c68c0b40bd3bda520c045c8110975c1827a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Jan 23 17:49:21 2023 +0300 all: rm unused, imp code commit 548feb6bd27b9774a9453d0570d37cdf557d4c3a Merge: de3e84b554a141abAuthor: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Jan 23 14:08:12 2023 +0300 Merge branch 'master' into 5117-dns64 commit de3e84b52b8dbff70df3ca0ac3315c3d33576334 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Jan 23 12:04:48 2023 +0300 dnsforward: imp code commit a580e92119e3dbadc8b1a6572dbecc679f69db40 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Jan 20 18:24:33 2023 +0400 dnsforward: try again commit 67b7a365194939fe15e4907a3dc2fee44b019d08 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Jan 20 18:08:23 2023 +0400 dnsforward: fix test on linux commit ca83e4178a3383e326bf528d209d8766fb3c60d3 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Jan 20 17:37:48 2023 +0400 dnsforward: imp naming commit c4e477c7a12af4966cbcd4e5f003a72966dc5d61 Merge: 42aa42a86e803375Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Jan 20 17:30:03 2023 +0400 Merge branch 'master' into 5117-dns64 commit 42aa42a8149b6bb42eb0da6e88ede4b5065bbf2f Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Jan 20 17:26:54 2023 +0400 dnsforward: imp test commit 4e91c675703f1453456ef9eea08157009ce6237a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Jan 18 12:32:55 2023 +0400 dnsforward: imp code, docs, add test commit 766ef757f61e7a555b8151b4783fa7aba5f566f7 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Jan 17 16:36:35 2023 +0400 dnsforward: imp docs commit 6825f372389988597d1879cf66342c410f3cfd47 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Jan 17 14:33:33 2023 +0400 
internal: imp code, docs commit 1215316a338496b5bea2b20d697c7451bfbcc84b Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Jan 13 21:24:50 2023 +0400 all: add dns64 support
@@ -28,9 +28,10 @@ type dnsContext struct {
|
||||
// response is modified by filters.
|
||||
origResp *dns.Msg
|
||||
|
||||
// unreversedReqIP stores an IP address obtained from PTR request if it
|
||||
// parsed successfully and belongs to one of locally-served IP ranges as per
|
||||
// RFC 6303.
|
||||
// unreversedReqIP stores an IP address obtained from a PTR request if it
|
||||
// was parsed successfully and belongs to one of the locally served IP
|
||||
// ranges. It is also filled with unmapped version of the address if it's
|
||||
// within DNS64 prefixes.
|
||||
unreversedReqIP net.IP
|
||||
|
||||
// err is the error returned from a processing function.
|
||||
@@ -57,7 +58,7 @@ type dnsContext struct {
|
||||
// responseAD shows if the response had the AD bit set.
|
||||
responseAD bool
|
||||
|
||||
// isLocalClient shows if client's IP address is from locally-served
|
||||
// isLocalClient shows if client's IP address is from locally served
|
||||
// network.
|
||||
isLocalClient bool
|
||||
}
|
||||
@@ -133,8 +134,8 @@ func (s *Server) handleDNSRequest(_ *proxy.Proxy, pctx *proxy.DNSContext) error
|
||||
return nil
|
||||
}
|
||||
|
||||
// processRecursion checks the incoming request and halts it's handling if s
|
||||
// have tried to resolve it recently.
|
||||
// processRecursion checks the incoming request and halts its handling by
|
||||
// answering NXDOMAIN if s has tried to resolve it recently.
|
||||
func (s *Server) processRecursion(dctx *dnsContext) (rc resultCode) {
|
||||
pctx := dctx.proxyCtx
|
||||
|
||||
@@ -349,8 +350,8 @@ func (s *Server) makeDDRResponse(req *dns.Msg) (resp *dns.Msg) {
|
||||
return resp
|
||||
}
|
||||
|
||||
// processDetermineLocal determines if the client's IP address is from
|
||||
// locally-served network and saves the result into the context.
|
||||
// processDetermineLocal determines if the client's IP address is from locally
|
||||
// served network and saves the result into the context.
|
||||
func (s *Server) processDetermineLocal(dctx *dnsContext) (rc resultCode) {
|
||||
rc = resultCodeSuccess
|
||||
|
||||
@@ -377,7 +378,8 @@ func (s *Server) dhcpHostToIP(host string) (ip netip.Addr, ok bool) {
|
||||
}
|
||||
|
||||
// processDHCPHosts respond to A requests if the target hostname is known to
|
||||
// the server.
|
||||
// the server. It responds with a mapped IP address if the DNS64 is enabled and
|
||||
// the request is for AAAA.
|
||||
//
|
||||
// TODO(a.garipov): Adapt to AAAA as well.
|
||||
func (s *Server) processDHCPHosts(dctx *dnsContext) (rc resultCode) {
|
||||
@@ -409,20 +411,34 @@ func (s *Server) processDHCPHosts(dctx *dnsContext) (rc resultCode) {
|
||||
log.Debug("dnsforward: dhcp record for %q is %s", reqHost, ip)
|
||||
|
||||
resp := s.makeResponse(req)
|
||||
if q.Qtype == dns.TypeA {
|
||||
switch q.Qtype {
|
||||
case dns.TypeA:
|
||||
a := &dns.A{
|
||||
Hdr: s.hdr(req, dns.TypeA),
|
||||
A: ip.AsSlice(),
|
||||
}
|
||||
resp.Answer = append(resp.Answer, a)
|
||||
case dns.TypeAAAA:
|
||||
if len(s.dns64Prefs) > 0 {
|
||||
// Respond with DNS64-mapped address for IPv4 host if DNS64 is
|
||||
// enabled.
|
||||
aaaa := &dns.AAAA{
|
||||
Hdr: s.hdr(req, dns.TypeAAAA),
|
||||
AAAA: s.mapDNS64(ip),
|
||||
}
|
||||
resp.Answer = append(resp.Answer, aaaa)
|
||||
}
|
||||
default:
|
||||
// Go on.
|
||||
}
|
||||
|
||||
dctx.proxyCtx.Res = resp
|
||||
|
||||
return resultCodeSuccess
|
||||
}
|
||||
|
||||
// processRestrictLocal responds with NXDOMAIN to PTR requests for IP addresses
|
||||
// in locally-served network from external clients.
|
||||
// in locally served network from external clients.
|
||||
func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) {
|
||||
pctx := dctx.proxyCtx
|
||||
req := pctx.Req
|
||||
@@ -452,15 +468,24 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) {
|
||||
return resultCodeSuccess
|
||||
}
|
||||
|
||||
// Restrict an access to local addresses for external clients. We also
|
||||
// assume that all the DHCP leases we give are locally-served or at least
|
||||
// don't need to be accessible externally.
|
||||
if !s.privateNets.Contains(ip) {
|
||||
log.Debug("dnsforward: addr %s is not from locally-served network", ip)
|
||||
if s.shouldStripDNS64(ip) {
|
||||
// Strip the prefix from the address to get the original IPv4.
|
||||
ip = ip[nat64PrefixLen:]
|
||||
|
||||
// Treat a DNS64-prefixed address as a locally served one since those
|
||||
// queries should never be sent to the global DNS.
|
||||
dctx.unreversedReqIP = ip
|
||||
}
|
||||
|
||||
// Restrict an access to local addresses for external clients. We also
|
||||
// assume that all the DHCP leases we give are locally served or at least
|
||||
// shouldn't be accessible externally.
|
||||
if !s.privateNets.Contains(ip) {
|
||||
return resultCodeSuccess
|
||||
}
|
||||
|
||||
log.Debug("dnsforward: addr %s is from locally served network", ip)
|
||||
|
||||
if !dctx.isLocalClient {
|
||||
log.Debug("dnsforward: %q requests an internal ip", pctx.Addr)
|
||||
pctx.Res = s.genNXDomain(req)
|
||||
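Review bot: In the processRestrictLocal hunk (`@@ -452,15 +468,24 @@`) the DNS64 branch assigns `dctx.unreversedReqIP = ip` before the `s.privateNets.Contains(ip)` check, so a mapped address whose embedded IPv4 is public returns resultCodeSuccess with unreversedReqIP populated, whereas a plain public address leaves it unset; the comment above says such queries should never reach the global DNS, but nothing in this hunk shows that the later stages (processLocalPTR's privateNets check is removed in the `@@ -556,10 +581,6 @@` hunk, so those PTRs now appear to be handed to the local resolvers) actually enforce that. A sentence making the intended path explicit would help, e.g. `// A stripped DNS64 address is kept in unreversedReqIP even when it isn't private so that processLocalPTR resolves it via the local resolvers instead of upstream.`, if that is indeed the intent. Separately, `ip = ip[nat64PrefixLen:]` slices with no length check; if shouldStripDNS64, which is outside this hunk, does not guarantee a 16-byte address this would panic, so either a guard or a comment such as `// shouldStripDNS64 guarantees len(ip) == net.IPv6len.` belongs here. The enclosing function starts before and ends after this hunk.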
@@ -473,7 +498,7 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) {
|
||||
dctx.unreversedReqIP = ip
|
||||
|
||||
// There is no need to filter request from external addresses since this
|
||||
// code is only executed when the request is for locally-served ARPA
|
||||
// code is only executed when the request is for locally served ARPA
|
||||
// hostname so disable redundant filters.
|
||||
dctx.setts.ParentalEnabled = false
|
||||
dctx.setts.SafeBrowsingEnabled = false
|
||||
@@ -508,7 +533,7 @@ func (s *Server) processDHCPAddrs(dctx *dnsContext) (rc resultCode) {
|
||||
return resultCodeSuccess
|
||||
}
|
||||
|
||||
// TODO(a.garipov): Remove once we switch to netip.Addr more fully.
|
||||
// TODO(a.garipov): Remove once we switch to [netip.Addr] more fully.
|
||||
ipAddr, err := netutil.IPToAddrNoMapped(ip)
|
||||
if err != nil {
|
||||
log.Debug("dnsforward: bad reverse ip %v from dhcp: %s", ip, err)
|
||||
@@ -556,10 +581,6 @@ func (s *Server) processLocalPTR(dctx *dnsContext) (rc resultCode) {
|
||||
s.serverLock.RLock()
|
||||
defer s.serverLock.RUnlock()
|
||||
|
||||
if !s.privateNets.Contains(ip) {
|
||||
return resultCodeSuccess
|
||||
}
|
||||
|
||||
if s.conf.UsePrivateRDNS {
|
||||
s.recDetector.add(*pctx.Req)
|
||||
if err := s.localResolvers.Resolve(pctx); err != nil {
|
||||
@@ -636,9 +657,8 @@ func (s *Server) processUpstream(dctx *dnsContext) (rc resultCode) {
|
||||
|
||||
origReqAD := false
|
||||
if s.conf.EnableDNSSEC {
|
||||
if req.AuthenticatedData {
|
||||
origReqAD = true
|
||||
} else {
|
||||
origReqAD = req.AuthenticatedData
|
||||
if !req.AuthenticatedData {
|
||||
req.AuthenticatedData = true
|
||||
}
|
||||
}
|
||||
@@ -655,6 +675,10 @@ func (s *Server) processUpstream(dctx *dnsContext) (rc resultCode) {
|
||||
return resultCodeError
|
||||
}
|
||||
|
||||
if s.performDNS64(prx, dctx) == resultCodeError {
|
||||
return resultCodeError
|
||||
}
|
||||
|
||||
dctx.responseFromUpstream = true
|
||||
dctx.responseAD = pctx.Res.AuthenticatedData
|
||||
|
||||
|
||||