Pull request: all: add $dnsrewrite handling

Merge in DNS/adguard-home from 2102-dnsrewrite to master

Updates #2102.

Squashed commit of the following:

commit 8490fc18179d38c4b162ff9b257fea1f8535afbd
Merge: d9448ddca e7f7799b3
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Mon Dec 21 16:44:00 2020 +0300

    Merge branch 'master' into 2102-dnsrewrite

commit d9448ddca6d4ef3635d767e3e496e44c35d3fc6e
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Mon Dec 21 15:44:54 2020 +0300

    querylog: support dnsrewrite rules

commit 40aa5d30acddf29fb90d249d8806941c6e1915a4
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Dec 18 19:27:40 2020 +0300

    all: improve documentation

commit f776a0cd63b1640ba1e5210d9301e2a2801fd824
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Dec 18 19:09:08 2020 +0300

    dnsfilter: prevent panics, improve docs

commit e14073b7500d9ed827a151c5b8fb863c980c10e8
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Dec 4 15:51:02 2020 +0300

    all: add $dnsrewrite handling

internal/dnsfilter/dnsfilter.go

@@ -1,4 +1,4 @@
-// Package dnsfilter implements a DNS filter.
+// Package dnsfilter implements a DNS request and response filter.
 package dnsfilter
 
 import (
@@ -95,8 +95,8 @@ type filtersInitializerParams struct {
 type DNSFilter struct {
 	rulesStorage         *filterlist.RuleStorage
 	filteringEngine      *urlfilter.DNSEngine
-	rulesStorageWhite    *filterlist.RuleStorage
-	filteringEngineWhite *urlfilter.DNSEngine
+	rulesStorageAllow    *filterlist.RuleStorage
+	filteringEngineAllow *urlfilter.DNSEngine
 	engineLock           sync.RWMutex
 
 	parentalServer       string // access via methods
@@ -127,16 +127,16 @@ const (
 
 	// NotFilteredNotFound - host was not find in any checks, default value for result
 	NotFilteredNotFound Reason = iota
-	// NotFilteredWhiteList - the host is explicitly whitelisted
-	NotFilteredWhiteList
+	// NotFilteredAllowList - the host is explicitly allowed
+	NotFilteredAllowList
 	// NotFilteredError is returned when there was an error during
 	// checking.  Reserved, currently unused.
 	NotFilteredError
 
 	// reasons for filtering
 
-	// FilteredBlackList - the host was matched to be advertising host
-	FilteredBlackList
+	// FilteredBlockList - the host was matched to be advertising host
+	FilteredBlockList
 	// FilteredSafeBrowsing - the host was matched to be malicious/phishing
 	FilteredSafeBrowsing
 	// FilteredParental - the host was matched to be outside of parental control settings
@@ -155,16 +155,20 @@ const (
 	// RewriteAutoHosts is returned when there was a rewrite by
 	// autohosts rules (/etc/hosts and so on).
 	RewriteAutoHosts
+
+	// DNSRewriteRule is returned when a $dnsrewrite filter rule was
+	// applied.
+	DNSRewriteRule
 )
 
 // TODO(a.garipov): Resync with actual code names or replace completely
 // in HTTP API v1.
 var reasonNames = []string{
 	NotFilteredNotFound:  "NotFilteredNotFound",
-	NotFilteredWhiteList: "NotFilteredWhiteList",
+	NotFilteredAllowList: "NotFilteredWhiteList",
 	NotFilteredError:     "NotFilteredError",
 
-	FilteredBlackList:      "FilteredBlackList",
+	FilteredBlockList:      "FilteredBlackList",
 	FilteredSafeBrowsing:   "FilteredSafeBrowsing",
 	FilteredParental:       "FilteredParental",
 	FilteredInvalid:        "FilteredInvalid",
@@ -174,12 +178,15 @@ var reasonNames = []string{
 	ReasonRewrite: "Rewrite",
 
 	RewriteAutoHosts: "RewriteEtcHosts",
+
+	DNSRewriteRule: "DNSRewriteRule",
 }
 
 func (r Reason) String() string {
-	if uint(r) >= uint(len(reasonNames)) {
+	if r < 0 || int(r) >= len(reasonNames) {
 		return ""
 	}
+
 	return reasonNames[r]
 }
 
@@ -278,16 +285,15 @@ func (d *DNSFilter) reset() {
 		}
 	}
 
-	if d.rulesStorageWhite != nil {
-		err = d.rulesStorageWhite.Close()
+	if d.rulesStorageAllow != nil {
+		err = d.rulesStorageAllow.Close()
 		if err != nil {
-			log.Error("dnsfilter: rulesStorageWhite.Close: %s", err)
+			log.Error("dnsfilter: rulesStorageAllow.Close: %s", err)
 		}
 	}
 }
 
 type dnsFilterContext struct {
-	stats             Stats
 	safebrowsingCache cache.Cache
 	parentalCache     cache.Cache
 	safeSearchCache   cache.Cache
@@ -339,6 +345,9 @@ type Result struct {
 	// ServiceName is the name of the blocked service.  It is empty
 	// unless Reason is set to FilteredBlockedService.
 	ServiceName string `json:",omitempty"`
+
+	// DNSRewriteResult is the $dnsrewrite filter rule result.
+	DNSRewriteResult *DNSRewriteResult `json:",omitempty"`
 }
 
 // Matched returns true if any match at all was found regardless of
@@ -383,9 +392,6 @@ func (d *DNSFilter) CheckHost(host string, qtype uint16, setts *RequestFiltering
 		}
 	}
 
-	// Then check the filter lists.
-	// if request is blocked -- it should be blocked.
-	// if it is whitelisted -- we should do nothing with it anymore.
 	if setts.FilteringEnabled {
 		result, err = d.matchHost(host, qtype, *setts)
 		if err != nil {
@@ -476,9 +482,7 @@ func (d *DNSFilter) checkAutoHosts(host string, qtype uint16, result *Result) (m
 //  . repeat for the new domain name (Note: we return only the last CNAME)
 // . Find A or AAAA record for a domain name (exact match or by wildcard)
 //  . if found, set IP addresses (IPv4 or IPv6 depending on qtype) in Result.IPList array
-func (d *DNSFilter) processRewrites(host string, qtype uint16) Result {
-	var res Result
-
+func (d *DNSFilter) processRewrites(host string, qtype uint16) (res Result) {
 	d.confLock.RLock()
 	defer d.confLock.RUnlock()
 
@@ -493,7 +497,8 @@ func (d *DNSFilter) processRewrites(host string, qtype uint16) Result {
 		log.Debug("Rewrite: CNAME for %s is %s", host, rr[0].Answer)
 
 		if host == rr[0].Answer { // "host == CNAME" is an exception
-			res.Reason = 0
+			res.Reason = NotFilteredNotFound
+
 			return res
 		}
 
@@ -616,7 +621,7 @@ func (d *DNSFilter) initFiltering(allowFilters, blockFilters []Filter) error {
 	if err != nil {
 		return err
 	}
-	rulesStorageWhite, filteringEngineWhite, err := createFilteringEngine(allowFilters)
+	rulesStorageAllow, filteringEngineAllow, err := createFilteringEngine(allowFilters)
 	if err != nil {
 		return err
 	}
@@ -625,8 +630,8 @@ func (d *DNSFilter) initFiltering(allowFilters, blockFilters []Filter) error {
 	d.reset()
 	d.rulesStorage = rulesStorage
 	d.filteringEngine = filteringEngine
-	d.rulesStorageWhite = rulesStorageWhite
-	d.filteringEngineWhite = filteringEngineWhite
+	d.rulesStorageAllow = rulesStorageAllow
+	d.filteringEngineAllow = filteringEngineAllow
 	d.engineLock.Unlock()
 
 	// Make sure that the OS reclaims memory as soon as possible
@@ -636,9 +641,31 @@ func (d *DNSFilter) initFiltering(allowFilters, blockFilters []Filter) error {
 	return nil
 }
 
+// matchHostProcessAllowList processes the allowlist logic of host
+// matching.
+func (d *DNSFilter) matchHostProcessAllowList(host string, dnsres urlfilter.DNSResult) (res Result, err error) {
+	var rule rules.Rule
+	if dnsres.NetworkRule != nil {
+		rule = dnsres.NetworkRule
+	} else if len(dnsres.HostRulesV4) > 0 {
+		rule = dnsres.HostRulesV4[0]
+	} else if len(dnsres.HostRulesV6) > 0 {
+		rule = dnsres.HostRulesV6[0]
+	}
+
+	if rule == nil {
+		return Result{}, fmt.Errorf("invalid dns result: rules are empty")
+	}
+
+	log.Debug("Filtering: found allowlist rule for host %q: %q  list_id: %d",
+		host, rule.Text(), rule.GetFilterListID())
+
+	return makeResult(rule, NotFilteredAllowList), nil
+}
+
 // matchHost is a low-level way to check only if hostname is filtered by rules,
 // skipping expensive safebrowsing and parental lookups.
-func (d *DNSFilter) matchHost(host string, qtype uint16, setts RequestFilteringSettings) (Result, error) {
+func (d *DNSFilter) matchHost(host string, qtype uint16, setts RequestFilteringSettings) (res Result, err error) {
 	d.engineLock.RLock()
 	// Keep in mind that this lock must be held no just when calling Match()
 	//  but also while using the rules returned by it.
@@ -652,22 +679,10 @@ func (d *DNSFilter) matchHost(host string, qtype uint16, setts RequestFilteringS
 		DNSType:          qtype,
 	}
 
-	if d.filteringEngineWhite != nil {
-		rr, ok := d.filteringEngineWhite.MatchRequest(ureq)
+	if d.filteringEngineAllow != nil {
+		dnsres, ok := d.filteringEngineAllow.MatchRequest(ureq)
 		if ok {
-			var rule rules.Rule
-			if rr.NetworkRule != nil {
-				rule = rr.NetworkRule
-			} else if rr.HostRulesV4 != nil {
-				rule = rr.HostRulesV4[0]
-			} else if rr.HostRulesV6 != nil {
-				rule = rr.HostRulesV6[0]
-			}
-
-			log.Debug("Filtering: found whitelist rule for host %q: %q  list_id: %d",
-				host, rule.Text(), rule.GetFilterListID())
-			res := makeResult(rule, NotFilteredWhiteList)
-			return res, nil
+			return d.matchHostProcessAllowList(host, dnsres)
 		}
 	}
 
@@ -675,54 +690,65 @@ func (d *DNSFilter) matchHost(host string, qtype uint16, setts RequestFilteringS
 		return Result{}, nil
 	}
 
-	rr, ok := d.filteringEngine.MatchRequest(ureq)
-	if !ok {
+	dnsres, ok := d.filteringEngine.MatchRequest(ureq)
+
+	// Check DNS rewrites first, because the API there is a bit
+	// awkward.
+	if dnsr := dnsres.DNSRewrites(); len(dnsr) > 0 {
+		res = d.processDNSRewrites(dnsr)
+		if res.Reason == DNSRewriteRule && res.CanonName == host {
+			// A rewrite of a host to itself.  Go on and
+			// try matching other things.
+		} else {
+			return res, nil
+		}
+	} else if !ok {
 		return Result{}, nil
 	}
 
-	if rr.NetworkRule != nil {
+	if dnsres.NetworkRule != nil {
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
-			host, rr.NetworkRule.Text(), rr.NetworkRule.GetFilterListID())
-		reason := FilteredBlackList
-		if rr.NetworkRule.Whitelist {
-			reason = NotFilteredWhiteList
+			host, dnsres.NetworkRule.Text(), dnsres.NetworkRule.GetFilterListID())
+		reason := FilteredBlockList
+		if dnsres.NetworkRule.Whitelist {
+			reason = NotFilteredAllowList
 		}
-		res := makeResult(rr.NetworkRule, reason)
-		return res, nil
+
+		return makeResult(dnsres.NetworkRule, reason), nil
 	}
 
-	if qtype == dns.TypeA && rr.HostRulesV4 != nil {
-		rule := rr.HostRulesV4[0] // note that we process only 1 matched rule
+	if qtype == dns.TypeA && dnsres.HostRulesV4 != nil {
+		rule := dnsres.HostRulesV4[0] // note that we process only 1 matched rule
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
 			host, rule.Text(), rule.GetFilterListID())
-		res := makeResult(rule, FilteredBlackList)
+		res = makeResult(rule, FilteredBlockList)
 		res.Rules[0].IP = rule.IP.To4()
 
 		return res, nil
 	}
 
-	if qtype == dns.TypeAAAA && rr.HostRulesV6 != nil {
-		rule := rr.HostRulesV6[0] // note that we process only 1 matched rule
+	if qtype == dns.TypeAAAA && dnsres.HostRulesV6 != nil {
+		rule := dnsres.HostRulesV6[0] // note that we process only 1 matched rule
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
 			host, rule.Text(), rule.GetFilterListID())
-		res := makeResult(rule, FilteredBlackList)
+		res = makeResult(rule, FilteredBlockList)
 		res.Rules[0].IP = rule.IP
 
 		return res, nil
 	}
 
-	if rr.HostRulesV4 != nil || rr.HostRulesV6 != nil {
+	if dnsres.HostRulesV4 != nil || dnsres.HostRulesV6 != nil {
 		// Question Type doesn't match the host rules
 		// Return the first matched host rule, but without an IP address
 		var rule rules.Rule
-		if rr.HostRulesV4 != nil {
-			rule = rr.HostRulesV4[0]
-		} else if rr.HostRulesV6 != nil {
-			rule = rr.HostRulesV6[0]
+		if dnsres.HostRulesV4 != nil {
+			rule = dnsres.HostRulesV4[0]
+		} else if dnsres.HostRulesV6 != nil {
+			rule = dnsres.HostRulesV6[0]
 		}
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
 			host, rule.Text(), rule.GetFilterListID())
-		res := makeResult(rule, FilteredBlackList)
+		res = makeResult(rule, FilteredBlockList)
 		res.Rules[0].IP = net.IP{}
 
 		return res, nil
@@ -741,7 +767,7 @@ func makeResult(rule rules.Rule, reason Reason) Result {
 		}},
 	}
 
-	if reason == FilteredBlackList {
+	if reason == FilteredBlockList {
 		res.IsFiltered = true
 	}
 

internal/dnsfilter/dnsfilter_test.go

@@ -178,7 +178,6 @@ func TestSafeBrowsing(t *testing.T) {
 
 	d := NewForTest(&Config{SafeBrowsingEnabled: true}, nil)
 	defer d.Close()
-	gctx.stats.Safebrowsing.Requests = 0
 	d.checkMatch(t, "wmconvirus.narod.ru")
 
 	assert.True(t, strings.Contains(logOutput.String(), "SafeBrowsing lookup for wmconvirus.narod.ru"))
@@ -366,7 +365,7 @@ const nl = "\n"
 
 const (
 	blockingRules  = `||example.org^` + nl
-	whitelistRules = `||example.org^` + nl + `@@||test.example.org` + nl
+	allowlistRules = `||example.org^` + nl + `@@||test.example.org` + nl
 	importantRules = `@@||example.org^` + nl + `||test.example.org^$important` + nl
 	regexRules     = `/example\.org/` + nl + `@@||test.example.org^` + nl
 	maskRules      = `test*.example.org^` + nl + `exam*.com` + nl
@@ -381,49 +380,49 @@ var tests = []struct {
 	reason     Reason
 	dnsType    uint16
 }{
-	{"sanity", "||doubleclick.net^", "www.doubleclick.net", true, FilteredBlackList, dns.TypeA},
+	{"sanity", "||doubleclick.net^", "www.doubleclick.net", true, FilteredBlockList, dns.TypeA},
 	{"sanity", "||doubleclick.net^", "nodoubleclick.net", false, NotFilteredNotFound, dns.TypeA},
 	{"sanity", "||doubleclick.net^", "doubleclick.net.ru", false, NotFilteredNotFound, dns.TypeA},
 	{"sanity", "||doubleclick.net^", "wmconvirus.narod.ru", false, NotFilteredNotFound, dns.TypeA},
 
-	{"blocking", blockingRules, "example.org", true, FilteredBlackList, dns.TypeA},
-	{"blocking", blockingRules, "test.example.org", true, FilteredBlackList, dns.TypeA},
-	{"blocking", blockingRules, "test.test.example.org", true, FilteredBlackList, dns.TypeA},
+	{"blocking", blockingRules, "example.org", true, FilteredBlockList, dns.TypeA},
+	{"blocking", blockingRules, "test.example.org", true, FilteredBlockList, dns.TypeA},
+	{"blocking", blockingRules, "test.test.example.org", true, FilteredBlockList, dns.TypeA},
 	{"blocking", blockingRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"blocking", blockingRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
 
-	{"whitelist", whitelistRules, "example.org", true, FilteredBlackList, dns.TypeA},
-	{"whitelist", whitelistRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"whitelist", whitelistRules, "test.test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"whitelist", whitelistRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
-	{"whitelist", whitelistRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
+	{"allowlist", allowlistRules, "example.org", true, FilteredBlockList, dns.TypeA},
+	{"allowlist", allowlistRules, "test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"allowlist", allowlistRules, "test.test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"allowlist", allowlistRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
+	{"allowlist", allowlistRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
 
-	{"important", importantRules, "example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"important", importantRules, "test.example.org", true, FilteredBlackList, dns.TypeA},
-	{"important", importantRules, "test.test.example.org", true, FilteredBlackList, dns.TypeA},
+	{"important", importantRules, "example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"important", importantRules, "test.example.org", true, FilteredBlockList, dns.TypeA},
+	{"important", importantRules, "test.test.example.org", true, FilteredBlockList, dns.TypeA},
 	{"important", importantRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"important", importantRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
 
-	{"regex", regexRules, "example.org", true, FilteredBlackList, dns.TypeA},
-	{"regex", regexRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"regex", regexRules, "test.test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"regex", regexRules, "testexample.org", true, FilteredBlackList, dns.TypeA},
-	{"regex", regexRules, "onemoreexample.org", true, FilteredBlackList, dns.TypeA},
+	{"regex", regexRules, "example.org", true, FilteredBlockList, dns.TypeA},
+	{"regex", regexRules, "test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"regex", regexRules, "test.test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"regex", regexRules, "testexample.org", true, FilteredBlockList, dns.TypeA},
+	{"regex", regexRules, "onemoreexample.org", true, FilteredBlockList, dns.TypeA},
 
-	{"mask", maskRules, "test.example.org", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "test2.example.org", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "example.com", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "exampleeee.com", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "onemoreexamsite.com", true, FilteredBlackList, dns.TypeA},
+	{"mask", maskRules, "test.example.org", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "test2.example.org", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "example.com", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "exampleeee.com", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "onemoreexamsite.com", true, FilteredBlockList, dns.TypeA},
 	{"mask", maskRules, "example.org", false, NotFilteredNotFound, dns.TypeA},
 	{"mask", maskRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"mask", maskRules, "example.co.uk", false, NotFilteredNotFound, dns.TypeA},
 
 	{"dnstype", dnstypeRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"dnstype", dnstypeRules, "example.org", false, NotFilteredNotFound, dns.TypeA},
-	{"dnstype", dnstypeRules, "example.org", true, FilteredBlackList, dns.TypeAAAA},
-	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeAAAA},
+	{"dnstype", dnstypeRules, "example.org", true, FilteredBlockList, dns.TypeAAAA},
+	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredAllowList, dns.TypeAAAA},
 }
 
 func TestMatching(t *testing.T) {
@@ -470,7 +469,7 @@ func TestWhitelist(t *testing.T) {
 	// matched by white filter
 	res, err := d.CheckHost("host1", dns.TypeA, &setts)
 	assert.True(t, err == nil)
-	assert.True(t, !res.IsFiltered && res.Reason == NotFilteredWhiteList)
+	assert.True(t, !res.IsFiltered && res.Reason == NotFilteredAllowList)
 	if assert.Len(t, res.Rules, 1) {
 		assert.True(t, res.Rules[0].Text == "||host1^")
 	}
@@ -478,7 +477,7 @@ func TestWhitelist(t *testing.T) {
 	// not matched by white filter, but matched by block filter
 	res, err = d.CheckHost("host2", dns.TypeA, &setts)
 	assert.True(t, err == nil)
-	assert.True(t, res.IsFiltered && res.Reason == FilteredBlackList)
+	assert.True(t, res.IsFiltered && res.Reason == FilteredBlockList)
 	if assert.Len(t, res.Rules, 1) {
 		assert.True(t, res.Rules[0].Text == "||host2^")
 	}
@@ -512,8 +511,8 @@ func TestClientSettings(t *testing.T) {
 
 	// blocked by filters
 	r, _ = d.CheckHost("example.org", dns.TypeA, &setts)
-	if !r.IsFiltered || r.Reason != FilteredBlackList {
-		t.Fatalf("CheckHost FilteredBlackList")
+	if !r.IsFiltered || r.Reason != FilteredBlockList {
+		t.Fatalf("CheckHost FilteredBlockList")
 	}
 
 	// blocked by parental

internal/dnsfilter/dnsrewrite.go

@@ -0,0 +1,80 @@
+package dnsfilter
+
+import (
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+)
+
+// DNSRewriteResult is the result of application of $dnsrewrite rules.
+type DNSRewriteResult struct {
+	RCode    rules.RCode              `json:",omitempty"`
+	Response DNSRewriteResultResponse `json:",omitempty"`
+}
+
+// DNSRewriteResultResponse is the collection of DNS response records
+// the server returns.
+type DNSRewriteResultResponse map[rules.RRType][]rules.RRValue
+
+// processDNSRewrites processes DNS rewrite rules in dnsr.  It returns
+// an empty result if dnsr is empty.  Otherwise, the result will have
+// either CanonName or DNSRewriteResult set.
+func (d *DNSFilter) processDNSRewrites(dnsr []*rules.NetworkRule) (res Result) {
+	if len(dnsr) == 0 {
+		return Result{}
+	}
+
+	var rules []*ResultRule
+	dnsrr := &DNSRewriteResult{
+		Response: DNSRewriteResultResponse{},
+	}
+
+	for _, nr := range dnsr {
+		dr := nr.DNSRewrite
+		if dr.NewCNAME != "" {
+			// NewCNAME rules have a higher priority than
+			// the other rules.
+			rules := []*ResultRule{{
+				FilterListID: int64(nr.GetFilterListID()),
+				Text:         nr.RuleText,
+			}}
+
+			return Result{
+				Reason:    DNSRewriteRule,
+				Rules:     rules,
+				CanonName: dr.NewCNAME,
+			}
+		}
+
+		switch dr.RCode {
+		case dns.RcodeSuccess:
+			dnsrr.RCode = dr.RCode
+			dnsrr.Response[dr.RRType] = append(dnsrr.Response[dr.RRType], dr.Value)
+			rules = append(rules, &ResultRule{
+				FilterListID: int64(nr.GetFilterListID()),
+				Text:         nr.RuleText,
+			})
+		default:
+			// RcodeRefused and other such codes have higher
+			// priority.  Return immediately.
+			rules := []*ResultRule{{
+				FilterListID: int64(nr.GetFilterListID()),
+				Text:         nr.RuleText,
+			}}
+			dnsrr = &DNSRewriteResult{
+				RCode: dr.RCode,
+			}
+
+			return Result{
+				Reason:           DNSRewriteRule,
+				Rules:            rules,
+				DNSRewriteResult: dnsrr,
+			}
+		}
+	}
+
+	return Result{
+		Reason:           DNSRewriteRule,
+		Rules:            rules,
+		DNSRewriteResult: dnsrr,
+	}
+}

internal/dnsfilter/dnsrewrite_test.go

@@ -0,0 +1,202 @@
+package dnsfilter
+
+import (
+	"net"
+	"path"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
+	const text = `
+|cname^$dnsrewrite=new_cname
+
+|a_record^$dnsrewrite=127.0.0.1
+
+|aaaa_record^$dnsrewrite=::1
+
+|txt_record^$dnsrewrite=NOERROR;TXT;hello_world
+
+|refused^$dnsrewrite=REFUSED
+
+|a_records^$dnsrewrite=127.0.0.1
+|a_records^$dnsrewrite=127.0.0.2
+
+|aaaa_records^$dnsrewrite=::1
+|aaaa_records^$dnsrewrite=::2
+
+|disable_one^$dnsrewrite=127.0.0.1
+|disable_one^$dnsrewrite=127.0.0.2
+@@||disable_one^$dnsrewrite=127.0.0.1
+
+|disable_cname^$dnsrewrite=127.0.0.1
+|disable_cname^$dnsrewrite=new_cname
+@@||disable_cname^$dnsrewrite=new_cname
+
+|disable_cname_many^$dnsrewrite=127.0.0.1
+|disable_cname_many^$dnsrewrite=new_cname_1
+|disable_cname_many^$dnsrewrite=new_cname_2
+@@||disable_cname_many^$dnsrewrite=new_cname_1
+
+|disable_all^$dnsrewrite=127.0.0.1
+|disable_all^$dnsrewrite=127.0.0.2
+@@||disable_all^$dnsrewrite
+`
+	f := NewForTest(nil, []Filter{{ID: 0, Data: []byte(text)}})
+	setts := &RequestFilteringSettings{
+		FilteringEnabled: true,
+	}
+
+	ipv4p1 := net.IPv4(127, 0, 0, 1)
+	ipv4p2 := net.IPv4(127, 0, 0, 2)
+	ipv6p1 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+	ipv6p2 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
+
+	t.Run("cname", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "new_cname", res.CanonName)
+	})
+
+	t.Run("a_record", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv4p1, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("aaaa_record", func(t *testing.T) {
+		dtyp := dns.TypeAAAA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv6p1, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("txt_record", func(t *testing.T) {
+		dtyp := dns.TypeTXT
+		host := path.Base(t.Name())
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if strVals := dnsrr.Response[dtyp]; assert.Len(t, strVals, 1) {
+				assert.Equal(t, "hello_world", strVals[0])
+			}
+		}
+	})
+
+	t.Run("refused", func(t *testing.T) {
+		host := path.Base(t.Name())
+		res, err := f.CheckHostRules(host, dns.TypeA, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeRefused, dnsrr.RCode)
+		}
+	})
+
+	t.Run("a_records", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 2) {
+				assert.Equal(t, ipv4p1, ipVals[0])
+				assert.Equal(t, ipv4p2, ipVals[1])
+			}
+		}
+	})
+
+	t.Run("aaaa_records", func(t *testing.T) {
+		dtyp := dns.TypeAAAA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 2) {
+				assert.Equal(t, ipv6p1, ipVals[0])
+				assert.Equal(t, ipv6p2, ipVals[1])
+			}
+		}
+	})
+
+	t.Run("disable_one", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv4p2, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("disable_cname", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "", res.CanonName)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv4p1, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("disable_cname_many", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "new_cname_2", res.CanonName)
+		assert.Nil(t, res.DNSRewriteResult)
+	})
+
+	t.Run("disable_all", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "", res.CanonName)
+		assert.Len(t, res.Rules, 0)
+	})
+}