Process DNS rebinding protection after DNSSEC

2020-12-03 01:20:05 +01:00
parent b338bf9b3f
commit 6b60598025
7 changed files with 219 additions and 36 deletions
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -37,6 +37,9 @@ type dnsConfig struct {
 	CacheSize         *uint32 `json:"cache_size"`
 	CacheMinTTL       *uint32 `json:"cache_ttl_min"`
 	CacheMaxTTL       *uint32 `json:"cache_ttl_max"`
+
+	RebindingProtectionEnabled *bool     `json:"rebinding_protection_enabled"`
+	RebindingAllowedHosts      *[]string `json:"rebinding_allowed_hosts"`
 }

 func (s *Server) getDNSConfig() dnsConfig {
@@ -61,23 +64,27 @@ func (s *Server) getDNSConfig() dnsConfig {
 	} else if s.conf.AllServers {
 		upstreamMode = "parallel"
 	}
+	rebindingEnabled := s.conf.RebindingProtectionEnabled
+	rebindingAllowedHosts := stringArrayDup(s.conf.RebindingAllowedHosts)
 	s.RUnlock()
 	return dnsConfig{
-		Upstreams:         &upstreams,
-		UpstreamsFile:     &upstreamFile,
-		Bootstraps:        &bootstraps,
-		ProtectionEnabled: &protectionEnabled,
-		BlockingMode:      &blockingMode,
-		BlockingIPv4:      &BlockingIPv4,
-		BlockingIPv6:      &BlockingIPv6,
-		RateLimit:         &Ratelimit,
-		EDNSCSEnabled:     &EnableEDNSClientSubnet,
-		DNSSECEnabled:     &EnableDNSSEC,
-		DisableIPv6:       &AAAADisabled,
-		CacheSize:         &CacheSize,
-		CacheMinTTL:       &CacheMinTTL,
-		CacheMaxTTL:       &CacheMaxTTL,
-		UpstreamMode:      &upstreamMode,
+		Upstreams:                  &upstreams,
+		UpstreamsFile:              &upstreamFile,
+		Bootstraps:                 &bootstraps,
+		ProtectionEnabled:          &protectionEnabled,
+		BlockingMode:               &blockingMode,
+		BlockingIPv4:               &BlockingIPv4,
+		BlockingIPv6:               &BlockingIPv6,
+		RateLimit:                  &Ratelimit,
+		EDNSCSEnabled:              &EnableEDNSClientSubnet,
+		DNSSECEnabled:              &EnableDNSSEC,
+		DisableIPv6:                &AAAADisabled,
+		CacheSize:                  &CacheSize,
+		CacheMinTTL:                &CacheMinTTL,
+		CacheMaxTTL:                &CacheMaxTTL,
+		UpstreamMode:               &upstreamMode,
+		RebindingProtectionEnabled: &rebindingEnabled,
+		RebindingAllowedHosts:      &rebindingAllowedHosts,
 	}
 }

@@ -301,6 +308,14 @@ func (s *Server) setConfig(dc dnsConfig) (restart bool) {
 			s.conf.FastestAddr = false
 		}
 	}
+
+	if dc.RebindingProtectionEnabled != nil {
+		s.conf.RebindingProtectionEnabled = *dc.RebindingProtectionEnabled
+	}
+
+	if dc.RebindingAllowedHosts != nil {
+		s.conf.RebindingAllowedHosts = *dc.RebindingAllowedHosts
+	}
 	s.Unlock()
 	s.conf.ConfigModified()
 	return restart