Pull request: dnsforward: reply with appropriate block resp

Merge in DNS/adguard-home from access-proto-resp to master Squashed commit of the following: commit 9e78c002b31990d695c8dbd4561a3304a1827e3d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jul 20 13:16:44 2021 +0300 dnsforward: reply with appropriate block resp
2021-07-20 14:45:08 +03:00
parent 0217c6ad11
commit 8e8f14aefb
5 changed files with 21 additions and 5 deletions
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -27,7 +27,7 @@ func (s *Server) beforeRequestHandler(

 	blocked, _ := s.IsBlockedClient(ip, clientID)
 	if blocked {
-		return false, nil
+		return s.preBlockedResponse(pctx)
 	}

 	if len(pctx.Req.Question) == 1 {
@@ -35,7 +35,7 @@ func (s *Server) beforeRequestHandler(
 		if s.access.isBlockedHost(host) {
 			log.Debug("host %s is in access blocklist", host)

-			return false, nil
+			return s.preBlockedResponse(pctx)
 		}
 	}

--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
@@ -266,6 +266,20 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
 	return resp
 }

+// preBlockedResponse returns a protocol-appropriate response for a request that
+// was blocked by access settings.
+func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
+	if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
+		// Return nil so that dnsproxy drops the connection and thus
+		// prevent DNS amplification attacks.
+		return false, nil
+	}
+
+	pctx.Res = s.makeResponseREFUSED(pctx.Req)
+
+	return true, nil
+}
+
 // Create REFUSED DNS response
 func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
 	resp := dns.Msg{}