all: sync with master; upd chlog

2023-07-12 15:13:31 +03:00
parent 19347d263a
commit ec83d0eb86
55 changed files with 1699 additions and 1006 deletions
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -17,6 +17,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/querylog"
+	"github.com/AdguardTeam/AdGuardHome/internal/rdns"
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
@@ -277,17 +278,6 @@ func (s *Server) Resolve(host string) ([]net.IPAddr, error) {
 	return s.internalProxy.LookupIPAddr(host)
 }

-// RDNSExchanger is a resolver for clients' addresses.
-type RDNSExchanger interface {
-	// Exchange tries to resolve the ip in a suitable way, i.e. either as local
-	// or as external.
-	Exchange(ip net.IP) (host string, err error)
-
-	// ResolvesPrivatePTR returns true if the RDNSExchanger is able to
-	// resolve PTR requests for locally-served addresses.
-	ResolvesPrivatePTR() (ok bool)
-}
-
 const (
 	// ErrRDNSNoData is returned by [RDNSExchanger.Exchange] when the answer
 	// section of response is either NODATA or has no PTR records.
@@ -299,10 +289,10 @@ const (
 )

 // type check
-var _ RDNSExchanger = (*Server)(nil)
+var _ rdns.Exchanger = (*Server)(nil)

-// Exchange implements the RDNSExchanger interface for *Server.
-func (s *Server) Exchange(ip net.IP) (host string, err error) {
+// Exchange implements the [rdns.Exchanger] interface for *Server.
+func (s *Server) Exchange(ip netip.Addr) (host string, err error) {
 	s.serverLock.RLock()
 	defer s.serverLock.RUnlock()

@@ -310,7 +300,7 @@ func (s *Server) Exchange(ip net.IP) (host string, err error) {
 		return "", nil
 	}

-	arpa, err := netutil.IPToReversedAddr(ip)
+	arpa, err := netutil.IPToReversedAddr(ip.AsSlice())
 	if err != nil {
 		return "", fmt.Errorf("reversing ip: %w", err)
 	}
@@ -335,7 +325,7 @@ func (s *Server) Exchange(ip net.IP) (host string, err error) {
 	}

 	var resolver *proxy.Proxy
-	if s.privateNets.Contains(ip) {
+	if s.isPrivateIP(ip) {
 		if !s.conf.UsePrivateRDNS {
 			return "", nil
 		}
@@ -350,8 +340,12 @@ func (s *Server) Exchange(ip net.IP) (host string, err error) {
 		return "", err
 	}

+	return hostFromPTR(ctx.Res)
+}
+
+// hostFromPTR returns domain name from the PTR response or error.
+func hostFromPTR(resp *dns.Msg) (host string, err error) {
 	// Distinguish between NODATA response and a failed request.
-	resp := ctx.Res
 	if resp.Rcode != dns.RcodeSuccess && resp.Rcode != dns.RcodeNameError {
 		return "", fmt.Errorf(
 			"received %s response: %w",
@@ -370,12 +364,25 @@ func (s *Server) Exchange(ip net.IP) (host string, err error) {
 	return "", ErrRDNSNoData
 }

-// ResolvesPrivatePTR implements the RDNSExchanger interface for *Server.
-func (s *Server) ResolvesPrivatePTR() (ok bool) {
+// isPrivateIP returns true if the ip is private.
+func (s *Server) isPrivateIP(ip netip.Addr) (ok bool) {
+	return s.privateNets.Contains(ip.AsSlice())
+}
+
+// ShouldResolveClient returns false if ip is a loopback address, or ip is
+// private and resolving of private addresses is disabled.
+func (s *Server) ShouldResolveClient(ip netip.Addr) (ok bool) {
+	if ip.IsLoopback() {
+		return false
+	}
+
+	isPrivate := s.isPrivateIP(ip)
+
 	s.serverLock.RLock()
 	defer s.serverLock.RUnlock()

-	return s.conf.UsePrivateRDNS
+	return s.conf.ResolveClients &&
+		(s.conf.UsePrivateRDNS || !isPrivate)
 }

 // Start starts the DNS server.
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -1273,11 +1273,11 @@ func TestServer_Exchange(t *testing.T) {
 	)

 	var (
-		onesIP  = net.IP{1, 1, 1, 1}
-		localIP = net.IP{192, 168, 1, 1}
+		onesIP  = netip.MustParseAddr("1.1.1.1")
+		localIP = netip.MustParseAddr("192.168.1.1")
 	)

-	revExtIPv4, err := netutil.IPToReversedAddr(onesIP)
+	revExtIPv4, err := netutil.IPToReversedAddr(onesIP.AsSlice())
 	require.NoError(t, err)

 	extUpstream := &aghtest.UpstreamMock{
@@ -1290,7 +1290,7 @@ func TestServer_Exchange(t *testing.T) {
 		},
 	}

-	revLocIPv4, err := netutil.IPToReversedAddr(localIP)
+	revLocIPv4, err := netutil.IPToReversedAddr(localIP.AsSlice())
 	require.NoError(t, err)

 	locUpstream := &aghtest.UpstreamMock{
@@ -1330,7 +1330,7 @@ func TestServer_Exchange(t *testing.T) {
 		want        string
 		wantErr     error
 		locUpstream upstream.Upstream
-		req         net.IP
+		req         netip.Addr
 	}{{
 		name:        "external_good",
 		want:        onesHost,
@@ -1354,7 +1354,7 @@ func TestServer_Exchange(t *testing.T) {
 		want:        "",
 		wantErr:     ErrRDNSNoData,
 		locUpstream: locUpstream,
-		req:         net.IP{192, 168, 1, 2},
+		req:         netip.MustParseAddr("192.168.1.2"),
 	}, {
 		name:        "invalid_answer",
 		want:        "",
@@ -1396,3 +1396,57 @@ func TestServer_Exchange(t *testing.T) {
 		assert.Empty(t, host)
 	})
 }
+
+func TestServer_ShouldResolveClient(t *testing.T) {
+	srv := &Server{
+		privateNets: netutil.SubnetSetFunc(netutil.IsLocallyServed),
+	}
+
+	testCases := []struct {
+		ip         netip.Addr
+		want       require.BoolAssertionFunc
+		name       string
+		resolve    bool
+		usePrivate bool
+	}{{
+		name:       "default",
+		ip:         netip.MustParseAddr("1.1.1.1"),
+		want:       require.True,
+		resolve:    true,
+		usePrivate: true,
+	}, {
+		name:       "no_rdns",
+		ip:         netip.MustParseAddr("1.1.1.1"),
+		want:       require.False,
+		resolve:    false,
+		usePrivate: true,
+	}, {
+		name:       "loopback",
+		ip:         netip.MustParseAddr("127.0.0.1"),
+		want:       require.False,
+		resolve:    true,
+		usePrivate: true,
+	}, {
+		name:       "private_resolve",
+		ip:         netip.MustParseAddr("192.168.0.1"),
+		want:       require.True,
+		resolve:    true,
+		usePrivate: true,
+	}, {
+		name:       "private_no_resolve",
+		ip:         netip.MustParseAddr("192.168.0.1"),
+		want:       require.False,
+		resolve:    true,
+		usePrivate: false,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			srv.conf.ResolveClients = tc.resolve
+			srv.conf.UsePrivateRDNS = tc.usePrivate
+
+			ok := srv.ShouldResolveClient(tc.ip)
+			tc.want(t, ok)
+		})
+	}
+}
--- a/internal/dnsforward/filter_test.go
+++ b/internal/dnsforward/filter_test.go
@@ -21,6 +21,8 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 ||cname.specific^$dnstype=~CNAME
 ||0.0.0.1^$dnstype=~A
 ||::1^$dnstype=~AAAA
+0.0.0.0 duplicate.domain
+0.0.0.0 duplicate.domain
 `

 	forwardConf := ServerConfig{
@@ -137,6 +139,17 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 			},
 			A: netutil.IPv4Zero(),
 		}},
+	}, {
+		req:  createTestMessage("duplicate.domain."),
+		name: "duplicate_domain",
+		wantAns: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{
+				Name:   "duplicate.domain.",
+				Rrtype: dns.TypeA,
+				Class:  dns.ClassINET,
+			},
+			A: netutil.IPv4Zero(),
+		}},
 	}}

 	for _, tc := range testCases {
--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
@@ -26,11 +26,25 @@ func (s *Server) makeResponse(req *dns.Msg) (resp *dns.Msg) {
 	return resp
 }

-// ipsFromRules extracts non-IP addresses from the filtering result rules.
+// containsIP returns true if the IP is already in the list.
+func containsIP(ips []net.IP, ip net.IP) bool {
+	for _, a := range ips {
+		if a.Equal(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// ipsFromRules extracts unique non-IP addresses from the filtering result
+// rules.
 func ipsFromRules(resRules []*filtering.ResultRule) (ips []net.IP) {
 	for _, r := range resRules {
-		if r.IP != nil {
-			ips = append(ips, r.IP)
+		// len(resRules) and len(ips) are actually small enough for O(n^2) to do
+		// not raise performance questions.
+		if ip := r.IP; ip != nil && !containsIP(ips, ip) {
+			ips = append(ips, ip)
 		}
 	}

--- a/internal/dnsforward/stats.go
+++ b/internal/dnsforward/stats.go
@@ -2,9 +2,9 @@ package dnsforward

 import (
 	"net"
-	"strings"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/querylog"
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
@@ -24,7 +24,7 @@ func (s *Server) processQueryLogsAndStats(dctx *dnsContext) (rc resultCode) {
 	pctx := dctx.proxyCtx

 	q := pctx.Req.Question[0]
-	host := strings.ToLower(strings.TrimSuffix(q.Name, "."))
+	host := aghnet.NormalizeDomain(q.Name)

 	ip, _ := netutil.IPAndPortFromAddr(pctx.Addr)
 	ip = slices.Clone(ip)
@@ -139,11 +139,10 @@ func (s *Server) updateStats(
 	clientIP string,
 ) {
 	pctx := ctx.proxyCtx
-	e := stats.Entry{}
-	e.Domain = strings.ToLower(pctx.Req.Question[0].Name)
-	if e.Domain != "." {
-		// Remove last ".", but save the domain as is for "." queries.
-		e.Domain = e.Domain[:len(e.Domain)-1]
+	e := stats.Entry{
+		Domain: aghnet.NormalizeDomain(pctx.Req.Question[0].Name),
+		Result: stats.RNotFiltered,
+		Time:   uint32(elapsed / 1000),
 	}

 	if clientID := ctx.clientID; clientID != "" {
@@ -152,9 +151,6 @@ func (s *Server) updateStats(
 		e.Client = clientIP
 	}

-	e.Time = uint32(elapsed / 1000)
-	e.Result = stats.RNotFiltered
-
 	switch res.Reason {
 	case filtering.FilteredSafeBrowsing:
 		e.Result = stats.RSafeBrowsing
@@ -162,7 +158,8 @@ func (s *Server) updateStats(
 		e.Result = stats.RParental
 	case filtering.FilteredSafeSearch:
 		e.Result = stats.RSafeSearch
-	case filtering.FilteredBlockList,
+	case
+		filtering.FilteredBlockList,
 		filtering.FilteredInvalid,
 		filtering.FilteredBlockedService:
 		e.Result = stats.RFiltered