+ dnsforward: match CNAME with filtering rules

+ GET /control/querylog: add "cname_match" field * querylog: Add() now receives an object with parameters
2019-11-21 16:13:19 +03:00
parent acd8da6f0a
commit e7727e9f63
7 changed files with 297 additions and 33 deletions
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -164,6 +164,15 @@ func (s *Server) Start(config *ServerConfig) error {

 // startInternal starts without locking
 func (s *Server) startInternal(config *ServerConfig) error {
+	err := s.prepare(config)
+	if err != nil {
+		return err
+	}
+	return s.dnsProxy.Start()
+}
+
+// Prepare the object
+func (s *Server) prepare(config *ServerConfig) error {
 	if s.dnsProxy != nil {
 		return errors.New("DNS server is already started")
 	}
@@ -243,7 +252,7 @@ func (s *Server) startInternal(config *ServerConfig) error {

 	// Initialize and start the DNS proxy
 	s.dnsProxy = &proxy.Proxy{Config: proxyConfig}
-	return s.dnsProxy.Start()
+	return nil
 }

 // Stop stops the DNS server
@@ -344,6 +353,7 @@ func (s *Server) beforeRequestHandler(p *proxy.Proxy, d *proxy.DNSContext) (bool
 }

 // handleDNSRequest filters the incoming DNS requests and writes them to the query log
+// nolint (gocyclo)
 func (s *Server) handleDNSRequest(p *proxy.Proxy, d *proxy.DNSContext) error {
 	start := time.Now()

@@ -372,6 +382,7 @@ func (s *Server) handleDNSRequest(p *proxy.Proxy, d *proxy.DNSContext) error {
 		return err
 	}

+	var origResp *dns.Msg
 	if d.Res == nil {
 		answer := []dns.RR{}
 		originalQuestion := d.Req.Question[0]
@@ -396,6 +407,18 @@ func (s *Server) handleDNSRequest(p *proxy.Proxy, d *proxy.DNSContext) error {
 				answer = append(answer, d.Res.Answer...) // host -> IP
 				d.Res.Answer = answer
 			}
+
+		} else if res.Reason != dnsfilter.NotFilteredWhiteList {
+			origResp2 := d.Res
+			res, err = s.filterResponse(d)
+			if err != nil {
+				return err
+			}
+			if res != nil {
+				origResp = origResp2 // matched by response
+			} else {
+				res = &dnsfilter.Result{}
+			}
 		}
 	}

@@ -416,11 +439,18 @@ func (s *Server) handleDNSRequest(p *proxy.Proxy, d *proxy.DNSContext) error {
 	// Synchronize access to s.queryLog and s.stats so they won't be suddenly uninitialized while in use.
 	// This can happen after proxy server has been stopped, but its workers haven't yet exited.
 	if shouldLog && s.queryLog != nil {
-		upstreamAddr := ""
-		if d.Upstream != nil {
-			upstreamAddr = d.Upstream.Address()
+		p := querylog.AddParams{
+			Question:   msg,
+			Answer:     d.Res,
+			OrigAnswer: origResp,
+			Result:     res,
+			Elapsed:    elapsed,
+			ClientIP:   getIP(d.Addr),
 		}
-		s.queryLog.Add(msg, d.Res, res, elapsed, getIP(d.Addr), upstreamAddr)
+		if d.Upstream != nil {
+			p.Upstream = d.Upstream.Address()
+		}
+		s.queryLog.Add(p)
 	}

 	s.updateStats(d, elapsed, *res)
@@ -538,6 +568,54 @@ func (s *Server) filterDNSRequest(d *proxy.DNSContext) (*dnsfilter.Result, error
 	return &res, err
 }

+// If response contains CNAME, A or AAAA records, we apply filtering to each canonical host name or IP address.
+// If this is a match, we set a new response in d.Res and return.
+func (s *Server) filterResponse(d *proxy.DNSContext) (*dnsfilter.Result, error) {
+	for _, a := range d.Res.Answer {
+		host := ""
+
+		switch v := a.(type) {
+		case *dns.CNAME:
+			log.Debug("DNSFwd: Checking CNAME %s for %s", v.Target, v.Hdr.Name)
+			host = strings.TrimSuffix(v.Target, ".")
+
+		case *dns.A:
+			host = v.A.String()
+			log.Debug("DNSFwd: Checking record A (%s) for %s", host, v.Hdr.Name)
+
+		case *dns.AAAA:
+			host = v.AAAA.String()
+			log.Debug("DNSFwd: Checking record AAAA (%s) for %s", host, v.Hdr.Name)
+
+		default:
+			continue
+		}
+
+		s.RLock()
+		// Synchronize access to s.dnsFilter so it won't be suddenly uninitialized while in use.
+		// This could happen after proxy server has been stopped, but its workers are not yet exited.
+		if !s.conf.ProtectionEnabled || s.dnsFilter == nil {
+			s.RUnlock()
+			continue
+		}
+		setts := dnsfilter.RequestFilteringSettings{}
+		setts.FilteringEnabled = true
+		res, err := s.dnsFilter.CheckHost(host, d.Req.Question[0].Qtype, &setts)
+		s.RUnlock()
+
+		if err != nil {
+			return nil, err
+
+		} else if res.IsFiltered {
+			d.Res = s.genDNSFilterMessage(d, &res)
+			log.Debug("DNSFwd: Matched %s by response: %s", d.Req.Question[0].Name, host)
+			return &res, nil
+		}
+	}
+
+	return nil, nil
+}
+
 // genDNSFilterMessage generates a DNS message corresponding to the filtering result
 func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Result) *dns.Msg {
 	m := d.Req
--- a/dnsforward/dnsforward_test.go
+++ b/dnsforward/dnsforward_test.go
@@ -16,6 +16,7 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/dnsfilter"
 	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 )
@@ -246,6 +247,142 @@ func TestBlockedRequest(t *testing.T) {
 	}
 }

+// testUpstream is a mock of real upstream.
+// specify fields with necessary values to simulate real upstream behaviour
+type testUpstream struct {
+	cn   map[string]string   // Map of [name]canonical_name
+	ipv4 map[string][]net.IP // Map of [name]IPv4
+	ipv6 map[string][]net.IP // Map of [name]IPv6
+}
+
+func (u *testUpstream) Exchange(m *dns.Msg) (*dns.Msg, error) {
+	resp := dns.Msg{}
+	resp.SetReply(m)
+	hasARecord := false
+	hasAAAARecord := false
+
+	reqType := m.Question[0].Qtype
+	name := m.Question[0].Name
+
+	// Let's check if we have any CNAME for given name
+	if cname, ok := u.cn[name]; ok {
+		cn := dns.CNAME{}
+		cn.Hdr.Name = name
+		cn.Hdr.Rrtype = dns.TypeCNAME
+		cn.Target = cname
+		resp.Answer = append(resp.Answer, &cn)
+	}
+
+	// Let's check if we can add some A records to the answer
+	if ipv4addr, ok := u.ipv4[name]; ok && reqType == dns.TypeA {
+		hasARecord = true
+		for _, ipv4 := range ipv4addr {
+			respA := dns.A{}
+			respA.Hdr.Rrtype = dns.TypeA
+			respA.Hdr.Name = name
+			respA.A = ipv4
+			resp.Answer = append(resp.Answer, &respA)
+		}
+	}
+
+	// Let's check if we can add some AAAA records to the answer
+	if u.ipv6 != nil {
+		if ipv6addr, ok := u.ipv6[name]; ok && reqType == dns.TypeAAAA {
+			hasAAAARecord = true
+			for _, ipv6 := range ipv6addr {
+				respAAAA := dns.A{}
+				respAAAA.Hdr.Rrtype = dns.TypeAAAA
+				respAAAA.Hdr.Name = name
+				respAAAA.A = ipv6
+				resp.Answer = append(resp.Answer, &respAAAA)
+			}
+		}
+	}
+
+	if len(resp.Answer) == 0 {
+		if hasARecord || hasAAAARecord {
+			// Set No Error RCode if there are some records for given Qname but we didn't apply them
+			resp.SetRcode(m, dns.RcodeSuccess)
+		} else {
+			// Set NXDomain RCode otherwise
+			resp.SetRcode(m, dns.RcodeNameError)
+		}
+	}
+
+	return &resp, nil
+}
+
+func (u *testUpstream) Address() string {
+	return "test"
+}
+
+func (s *Server) startWithUpstream(u upstream.Upstream) error {
+	s.Lock()
+	defer s.Unlock()
+	err := s.prepare(nil)
+	if err != nil {
+		return err
+	}
+	s.dnsProxy.Upstreams = []upstream.Upstream{u}
+	return s.dnsProxy.Start()
+}
+
+// testCNAMEs is a simple map of names and CNAMEs necessary for the testUpstream work
+var testCNAMEs = map[string]string{
+	"badhost.":               "null.example.org.",
+	"whitelist.example.org.": "null.example.org.",
+}
+
+// testIPv4 is a simple map of names and IPv4s necessary for the testUpstream work
+var testIPv4 = map[string][]net.IP{
+	"null.example.org.": {{1, 2, 3, 4}},
+	"example.org.":      {{127, 0, 0, 255}},
+}
+
+func TestBlockCNAME(t *testing.T) {
+	s := createTestServer(t)
+	testUpstm := &testUpstream{testCNAMEs, testIPv4, nil}
+	err := s.startWithUpstream(testUpstm)
+	assert.True(t, err == nil)
+	addr := s.dnsProxy.Addr(proxy.ProtoUDP)
+
+	// 'badhost' has a canonical name 'null.example.org' which is blocked by filters:
+	// response is blocked
+	req := dns.Msg{}
+	req.Id = dns.Id()
+	req.Question = []dns.Question{
+		{Name: "badhost.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+	}
+	reply, err := dns.Exchange(&req, addr.String())
+	assert.True(t, err == nil)
+	assert.True(t, reply.Rcode == dns.RcodeNameError)
+
+	// 'whitelist.example.org' has a canonical name 'null.example.org' which is blocked by filters
+	//   but 'whitelist.example.org' is in a whitelist:
+	// response isn't blocked
+	req = dns.Msg{}
+	req.Id = dns.Id()
+	req.Question = []dns.Question{
+		{Name: "whitelist.example.org.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+	}
+	reply, err = dns.Exchange(&req, addr.String())
+	assert.True(t, err == nil)
+	assert.True(t, reply.Rcode == dns.RcodeSuccess)
+
+	// 'example.org' has a canonical name 'cname1' with IP 127.0.0.255 which is blocked by filters:
+	// response is blocked
+	req = dns.Msg{}
+	req.Id = dns.Id()
+	req.Question = []dns.Question{
+		{Name: "example.org.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+	}
+	reply, err = dns.Exchange(&req, addr.String())
+	assert.True(t, err == nil)
+	assert.True(t, reply.Rcode == dns.RcodeNameError)
+
+	_ = s.Stop()
+}
+
 func TestNullBlockedRequest(t *testing.T) {
 	s := createTestServer(t)
 	s.conf.FilteringConfig.BlockingMode = "null_ip"
@@ -376,7 +513,7 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 }

 func createTestServer(t *testing.T) *Server {
-	rules := "||nxdomain.example.org^\n||null.example.org^\n127.0.0.1	host.example.org\n"
+	rules := "||nxdomain.example.org^\n||null.example.org^\n127.0.0.1	host.example.org\n@@||whitelist.example.org^\n||127.0.0.255\n"
 	filters := map[int]string{}
 	filters[0] = rules
 	c := dnsfilter.Config{}