all: sync with master

internal/filtering/filtering.go

@@ -33,6 +33,7 @@ import (
 // The IDs of built-in filter lists.
 //
 // Keep in sync with client/src/helpers/constants.js.
+// TODO(d.kolyshev): Add RewritesListID and don't forget to keep in sync.
 const (
 	CustomListID = -iota
 	SysHostsListID

internal/filtering/rewrite/item.go

@@ -0,0 +1,73 @@
+package rewrite
+
+import (
+	"fmt"
+	"net/netip"
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+// Item is a single DNS rewrite record.
+type Item struct {
+	// Domain is the domain pattern for which this rewrite should work.
+	Domain string `yaml:"domain"`
+
+	// Answer is the IP address, canonical name, or one of the special
+	// values: "A" or "AAAA".
+	Answer string `yaml:"answer"`
+}
+
+// equal returns true if rw is equal to other.
+func (rw *Item) equal(other *Item) (ok bool) {
+	if rw == nil {
+		return other == nil
+	} else if other == nil {
+		return false
+	}
+
+	return *rw == *other
+}
+
+// toRule converts rw to a filter rule.
+func (rw *Item) toRule() (res string) {
+	if rw == nil {
+		return ""
+	}
+
+	domain := strings.ToLower(rw.Domain)
+
+	dType, exception := rw.rewriteParams()
+	dTypeKey := dns.TypeToString[dType]
+	if exception {
+		return fmt.Sprintf("@@||%s^$dnstype=%s,dnsrewrite", domain, dTypeKey)
+	}
+
+	return fmt.Sprintf("|%s^$dnsrewrite=NOERROR;%s;%s", domain, dTypeKey, rw.Answer)
+}
+
+// rewriteParams returns dns request type and exception flag for rw.
+func (rw *Item) rewriteParams() (dType uint16, exception bool) {
+	switch rw.Answer {
+	case "AAAA":
+		return dns.TypeAAAA, true
+	case "A":
+		return dns.TypeA, true
+	default:
+		// Go on.
+	}
+
+	addr, err := netip.ParseAddr(rw.Answer)
+	if err != nil {
+		// TODO(d.kolyshev): Validate rw.Answer as a domain name.
+		return dns.TypeCNAME, false
+	}
+
+	if addr.Is4() {
+		dType = dns.TypeA
+	} else {
+		dType = dns.TypeAAAA
+	}
+
+	return dType, false
+}

internal/filtering/rewrite/item_internal_test.go

@@ -0,0 +1,124 @@
+package rewrite
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestItem_equal(t *testing.T) {
+	const (
+		testDomain = "example.org"
+		testAnswer = "1.1.1.1"
+	)
+
+	testItem := &Item{
+		Domain: testDomain,
+		Answer: testAnswer,
+	}
+
+	testCases := []struct {
+		name  string
+		left  *Item
+		right *Item
+		want  bool
+	}{{
+		name:  "nil_left",
+		left:  nil,
+		right: testItem,
+		want:  false,
+	}, {
+		name:  "nil_right",
+		left:  testItem,
+		right: nil,
+		want:  false,
+	}, {
+		name:  "nils",
+		left:  nil,
+		right: nil,
+		want:  true,
+	}, {
+		name:  "equal",
+		left:  testItem,
+		right: testItem,
+		want:  true,
+	}, {
+		name: "distinct",
+		left: testItem,
+		right: &Item{
+			Domain: "other",
+			Answer: "other",
+		},
+		want: false,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			res := tc.left.equal(tc.right)
+			assert.Equal(t, tc.want, res)
+		})
+	}
+}
+
+func TestItem_toRule(t *testing.T) {
+	const testDomain = "example.org"
+
+	testCases := []struct {
+		name string
+		item *Item
+		want string
+	}{{
+		name: "nil",
+		item: nil,
+		want: "",
+	}, {
+		name: "a_rule",
+		item: &Item{
+			Domain: testDomain,
+			Answer: "1.1.1.1",
+		},
+		want: "|example.org^$dnsrewrite=NOERROR;A;1.1.1.1",
+	}, {
+		name: "aaaa_rule",
+		item: &Item{
+			Domain: testDomain,
+			Answer: "1:2:3::4",
+		},
+		want: "|example.org^$dnsrewrite=NOERROR;AAAA;1:2:3::4",
+	}, {
+		name: "cname_rule",
+		item: &Item{
+			Domain: testDomain,
+			Answer: "other.org",
+		},
+		want: "|example.org^$dnsrewrite=NOERROR;CNAME;other.org",
+	}, {
+		name: "wildcard_rule",
+		item: &Item{
+			Domain: "*.example.org",
+			Answer: "other.org",
+		},
+		want: "|*.example.org^$dnsrewrite=NOERROR;CNAME;other.org",
+	}, {
+		name: "aaaa_exception",
+		item: &Item{
+			Domain: testDomain,
+			Answer: "A",
+		},
+		want: "@@||example.org^$dnstype=A,dnsrewrite",
+	}, {
+		name: "aaaa_exception",
+		item: &Item{
+			Domain: testDomain,
+			Answer: "AAAA",
+		},
+		want: "@@||example.org^$dnstype=AAAA,dnsrewrite",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			res := tc.item.toRule()
+			assert.Equal(t, tc.want, res)
+		})
+	}
+}

internal/filtering/rewrite/storage.go

@@ -0,0 +1,241 @@
+// Package rewrite implements DNS Rewrites storage and request matching.
+package rewrite
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/stringutil"
+	"github.com/AdguardTeam/urlfilter"
+	"github.com/AdguardTeam/urlfilter/filterlist"
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+	"golang.org/x/exp/slices"
+)
+
+// Storage is a storage for rewrite rules.
+type Storage interface {
+	// MatchRequest returns matching dnsrewrites for the specified request.
+	MatchRequest(dReq *urlfilter.DNSRequest) (rws []*rules.DNSRewrite)
+
+	// Add adds item to the storage.
+	Add(item *Item) (err error)
+
+	// Remove deletes item from the storage.
+	Remove(item *Item) (err error)
+
+	// List returns all items from the storage.
+	List() (items []*Item)
+}
+
+// DefaultStorage is the default storage for rewrite rules.
+type DefaultStorage struct {
+	// mu protects items.
+	mu *sync.RWMutex
+
+	// engine is the DNS filtering engine.
+	engine *urlfilter.DNSEngine
+
+	// ruleList is the filtering rule ruleList used by the engine.
+	ruleList filterlist.RuleList
+
+	// rewrites stores the rewrite entries from configuration.
+	rewrites []*Item
+
+	// urlFilterID is the synthetic integer identifier for the urlfilter engine.
+	//
+	// TODO(a.garipov): Change the type to a string in module urlfilter and
+	// remove this crutch.
+	urlFilterID int
+}
+
+// NewDefaultStorage returns new rewrites storage.  listID is used as an
+// identifier of the underlying rules list.  rewrites must not be nil.
+func NewDefaultStorage(listID int, rewrites []*Item) (s *DefaultStorage, err error) {
+	s = &DefaultStorage{
+		mu:          &sync.RWMutex{},
+		urlFilterID: listID,
+		rewrites:    rewrites,
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	err = s.resetRules()
+	if err != nil {
+		return nil, err
+	}
+
+	return s, nil
+}
+
+// type check
+var _ Storage = (*DefaultStorage)(nil)
+
+// MatchRequest implements the [Storage] interface for *DefaultStorage.
+func (s *DefaultStorage) MatchRequest(dReq *urlfilter.DNSRequest) (rws []*rules.DNSRewrite) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	rrules := s.rewriteRulesForReq(dReq)
+	if len(rrules) == 0 {
+		return nil
+	}
+
+	// TODO(a.garipov): Check cnames for cycles on initialisation.
+	cnames := stringutil.NewSet()
+	host := dReq.Hostname
+	for len(rrules) > 0 && rrules[0].DNSRewrite != nil && rrules[0].DNSRewrite.NewCNAME != "" {
+		rule := rrules[0]
+		rwAns := rule.DNSRewrite.NewCNAME
+
+		log.Debug("rewrite: cname for %s is %s", host, rwAns)
+
+		if dReq.Hostname == rwAns {
+			// A request for the hostname itself is an exception rule.
+			// TODO(d.kolyshev): Check rewrite of a pattern onto itself.
+
+			return nil
+		}
+
+		if host == rwAns && isWildcard(rule.RuleText) {
+			// An "*.example.com → sub.example.com" rewrite matching in a loop.
+			//
+			// See https://github.com/AdguardTeam/AdGuardHome/issues/4016.
+
+			return []*rules.DNSRewrite{rule.DNSRewrite}
+		}
+
+		if cnames.Has(rwAns) {
+			log.Info("rewrite: cname loop for %q on %q", dReq.Hostname, rwAns)
+
+			return nil
+		}
+
+		cnames.Add(rwAns)
+
+		drules := s.rewriteRulesForReq(&urlfilter.DNSRequest{
+			Hostname: rwAns,
+			DNSType:  dReq.DNSType,
+		})
+		if drules != nil {
+			rrules = drules
+		}
+
+		host = rwAns
+	}
+
+	return s.collectDNSRewrites(rrules, dReq.DNSType)
+}
+
+// collectDNSRewrites filters DNSRewrite by question type.
+func (s *DefaultStorage) collectDNSRewrites(
+	rewrites []*rules.NetworkRule,
+	qtyp uint16,
+) (rws []*rules.DNSRewrite) {
+	for _, rewrite := range rewrites {
+		dnsRewrite := rewrite.DNSRewrite
+		if matchesQType(dnsRewrite, qtyp) {
+			rws = append(rws, dnsRewrite)
+		}
+	}
+
+	return rws
+}
+
+// rewriteRulesForReq returns matching dnsrewrite rules.
+func (s *DefaultStorage) rewriteRulesForReq(dReq *urlfilter.DNSRequest) (rules []*rules.NetworkRule) {
+	res, _ := s.engine.MatchRequest(dReq)
+
+	return res.DNSRewrites()
+}
+
+// Add implements the [Storage] interface for *DefaultStorage.
+func (s *DefaultStorage) Add(item *Item) (err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// TODO(d.kolyshev): Handle duplicate items.
+	s.rewrites = append(s.rewrites, item)
+
+	return s.resetRules()
+}
+
+// Remove implements the [Storage] interface for *DefaultStorage.
+func (s *DefaultStorage) Remove(item *Item) (err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	arr := []*Item{}
+
+	// TODO(d.kolyshev): Use slices.IndexFunc + slices.Delete?
+	for _, ent := range s.rewrites {
+		if ent.equal(item) {
+			log.Debug("rewrite: removed element: %s -> %s", ent.Domain, ent.Answer)
+
+			continue
+		}
+
+		arr = append(arr, ent)
+	}
+	s.rewrites = arr
+
+	return s.resetRules()
+}
+
+// List implements the [Storage] interface for *DefaultStorage.
+func (s *DefaultStorage) List() (items []*Item) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	return slices.Clone(s.rewrites)
+}
+
+// resetRules resets the filtering rules.
+func (s *DefaultStorage) resetRules() (err error) {
+	// TODO(a.garipov): Use strings.Builder.
+	var rulesText []string
+	for _, rewrite := range s.rewrites {
+		rulesText = append(rulesText, rewrite.toRule())
+	}
+
+	strList := &filterlist.StringRuleList{
+		ID:             s.urlFilterID,
+		RulesText:      strings.Join(rulesText, "\n"),
+		IgnoreCosmetic: true,
+	}
+
+	rs, err := filterlist.NewRuleStorage([]filterlist.RuleList{strList})
+	if err != nil {
+		return fmt.Errorf("creating list storage: %w", err)
+	}
+
+	s.ruleList = strList
+	s.engine = urlfilter.NewDNSEngine(rs)
+
+	log.Info("rewrite: filter %d: reset %d rules", s.urlFilterID, s.engine.RulesCount)
+
+	return nil
+}
+
+// matchesQType returns true if dnsrewrite matches the question type qt.
+func matchesQType(dnsrr *rules.DNSRewrite, qt uint16) (ok bool) {
+	// Add CNAMEs, since they match for all types requests.
+	if dnsrr.RRType == dns.TypeCNAME {
+		return true
+	}
+
+	// Reject types other than A and AAAA.
+	if qt != dns.TypeA && qt != dns.TypeAAAA {
+		return false
+	}
+
+	return dnsrr.RRType == qt
+}
+
+// isWildcard returns true if pat is a wildcard domain pattern.
+func isWildcard(pat string) (res bool) {
+	return strings.HasPrefix(pat, "|*.")
+}

internal/filtering/rewrite/storage_test.go

@@ -0,0 +1,458 @@
+package rewrite
+
+import (
+	"net"
+	"testing"
+
+	"github.com/AdguardTeam/urlfilter"
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewDefaultStorage(t *testing.T) {
+	items := []*Item{{
+		Domain: "example.com",
+		Answer: "answer.com",
+	}}
+
+	s, err := NewDefaultStorage(-1, items)
+	require.NoError(t, err)
+
+	require.Len(t, s.List(), 1)
+}
+
+func TestDefaultStorage_CRUD(t *testing.T) {
+	var items []*Item
+
+	s, err := NewDefaultStorage(-1, items)
+	require.NoError(t, err)
+	require.Len(t, s.List(), 0)
+
+	item := &Item{Domain: "example.com", Answer: "answer.com"}
+
+	err = s.Add(item)
+	require.NoError(t, err)
+
+	list := s.List()
+	require.Len(t, list, 1)
+	require.True(t, item.equal(list[0]))
+
+	err = s.Remove(item)
+	require.NoError(t, err)
+	require.Len(t, s.List(), 0)
+}
+
+func TestDefaultStorage_MatchRequest(t *testing.T) {
+	items := []*Item{{
+		// This one and below are about CNAME, A and AAAA.
+		Domain: "somecname",
+		Answer: "somehost.com",
+	}, {
+		Domain: "somehost.com",
+		Answer: "0.0.0.0",
+	}, {
+		Domain: "host.com",
+		Answer: "1.2.3.4",
+	}, {
+		Domain: "host.com",
+		Answer: "1.2.3.5",
+	}, {
+		Domain: "host.com",
+		Answer: "1:2:3::4",
+	}, {
+		Domain: "www.host.com",
+		Answer: "host.com",
+	}, {
+		// This one is a wildcard.
+		Domain: "*.host.com",
+		Answer: "1.2.3.5",
+	}, {
+		// This one and below are about wildcard overriding.
+		Domain: "a.host.com",
+		Answer: "1.2.3.4",
+	}, {
+		// This one is about CNAME and wildcard interacting.
+		Domain: "*.host2.com",
+		Answer: "host.com",
+	}, {
+		// This one and below are about 2 level CNAME.
+		Domain: "b.host.com",
+		Answer: "somecname",
+	}, {
+		// This one and below are about 2 level CNAME and wildcard.
+		Domain: "b.host3.com",
+		Answer: "a.host3.com",
+	}, {
+		Domain: "a.host3.com",
+		Answer: "x.host.com",
+	}, {
+		Domain: "*.hostboth.com",
+		Answer: "1.2.3.6",
+	}, {
+		Domain: "*.hostboth.com",
+		Answer: "1234::5678",
+	}, {
+		Domain: "BIGHOST.COM",
+		Answer: "1.2.3.7",
+	}, {
+		Domain: "*.issue4016.com",
+		Answer: "sub.issue4016.com",
+	}}
+
+	s, err := NewDefaultStorage(-1, items)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		host            string
+		wantDNSRewrites []*rules.DNSRewrite
+		dtyp            uint16
+	}{{
+		name:            "not_filtered_not_found",
+		host:            "hoost.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeA,
+	}, {
+		name:            "not_filtered_qtype",
+		host:            "www.host.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeMX,
+	}, {
+		name: "rewritten_a",
+		host: "www.host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 2, 3, 4}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}, {
+			Value:    net.IP{1, 2, 3, 5}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name: "rewritten_aaaa",
+		host: "www.host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.ParseIP("1:2:3::4"),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeAAAA,
+		}},
+		dtyp: dns.TypeAAAA,
+	}, {
+		name: "wildcard_match",
+		host: "abc.host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 2, 3, 5}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+		//}, {
+		// TODO(d.kolyshev): This is about matching in urlfilter.
+		//	name: "wildcard_override",
+		//	host: "a.host.com",
+		//	wantDNSRewrites: []*rules.DNSRewrite{{
+		//		Value:    net.IP{1, 2, 3, 4}.To16(),
+		//		NewCNAME: "",
+		//		RCode:    dns.RcodeSuccess,
+		//		RRType:   dns.TypeA,
+		//	}},
+		//	dtyp: dns.TypeA,
+	}, {
+		name: "wildcard_cname_interaction",
+		host: "www.host2.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 2, 3, 4}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}, {
+			Value:    net.IP{1, 2, 3, 5}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name: "two_cnames",
+		host: "b.host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{0, 0, 0, 0}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name: "two_cnames_and_wildcard",
+		host: "b.host3.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 2, 3, 5}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name: "issue3343",
+		host: "www.hostboth.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.ParseIP("1234::5678"),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeAAAA,
+		}},
+		dtyp: dns.TypeAAAA,
+	}, {
+		name: "issue3351",
+		host: "bighost.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 2, 3, 7}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name:            "issue4008",
+		host:            "somehost.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeHTTPS,
+	}, {
+		name: "issue4016",
+		host: "www.issue4016.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    nil,
+			NewCNAME: "sub.issue4016.com",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeNone,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name:            "issue4016_self",
+		host:            "sub.issue4016.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeA,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
+				Hostname: tc.host,
+				DNSType:  tc.dtyp,
+			})
+
+			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
+		})
+	}
+}
+
+func TestDefaultStorage_MatchRequest_Levels(t *testing.T) {
+	// Exact host, wildcard L2, wildcard L3.
+	items := []*Item{{
+		Domain: "host.com",
+		Answer: "1.1.1.1",
+	}, {
+		Domain: "*.host.com",
+		Answer: "2.2.2.2",
+	}, {
+		Domain: "*.sub.host.com",
+		Answer: "3.3.3.3",
+	}}
+
+	s, err := NewDefaultStorage(-1, items)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		host            string
+		wantDNSRewrites []*rules.DNSRewrite
+		dtyp            uint16
+	}{{
+		name: "exact_match",
+		host: "host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 1, 1, 1}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name: "l2_match",
+		host: "sub.host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{2, 2, 2, 2}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+		//}, {
+		// TODO(d.kolyshev): This is about matching in urlfilter.
+		//	name: "l3_match",
+		//	host: "my.sub.host.com",
+		//	wantDNSRewrites: []*rules.DNSRewrite{{
+		//		Value:    net.IP{3, 3, 3, 3}.To16(),
+		//		NewCNAME: "",
+		//		RCode:    dns.RcodeSuccess,
+		//		RRType:   dns.TypeA,
+		//	}},
+		//	dtyp: dns.TypeA,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
+				Hostname: tc.host,
+				DNSType:  tc.dtyp,
+			})
+
+			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
+		})
+	}
+}
+
+func TestDefaultStorage_MatchRequest_ExceptionCNAME(t *testing.T) {
+	// Wildcard and exception for a sub-domain.
+	items := []*Item{{
+		Domain: "*.host.com",
+		Answer: "2.2.2.2",
+	}, {
+		Domain: "sub.host.com",
+		Answer: "sub.host.com",
+	}, {
+		Domain: "*.sub.host.com",
+		Answer: "*.sub.host.com",
+	}}
+
+	s, err := NewDefaultStorage(-1, items)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		host            string
+		wantDNSRewrites []*rules.DNSRewrite
+		dtyp            uint16
+	}{{
+		name: "match_subdomain",
+		host: "my.host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{2, 2, 2, 2}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name:            "exception_cname",
+		host:            "sub.host.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeA,
+		//}, {
+		// TODO(d.kolyshev): This is about matching in urlfilter.
+		//	name:            "exception_wildcard",
+		//	host:            "my.sub.host.com",
+		//	wantDNSRewrites: nil,
+		//	dtyp:            dns.TypeA,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
+				Hostname: tc.host,
+				DNSType:  tc.dtyp,
+			})
+
+			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
+		})
+	}
+}
+
+func TestDefaultStorage_MatchRequest_ExceptionIP(t *testing.T) {
+	// Exception for AAAA record.
+	items := []*Item{{
+		Domain: "host.com",
+		Answer: "1.2.3.4",
+	}, {
+		Domain: "host.com",
+		Answer: "AAAA",
+	}, {
+		Domain: "host2.com",
+		Answer: "::1",
+	}, {
+		Domain: "host2.com",
+		Answer: "A",
+	}, {
+		Domain: "host3.com",
+		Answer: "A",
+	}}
+
+	s, err := NewDefaultStorage(-1, items)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		host            string
+		wantDNSRewrites []*rules.DNSRewrite
+		dtyp            uint16
+	}{{
+		name: "match_A",
+		host: "host.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.IP{1, 2, 3, 4}.To16(),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeA,
+		}},
+		dtyp: dns.TypeA,
+	}, {
+		name:            "exception_AAAA_host.com",
+		host:            "host.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeAAAA,
+	}, {
+		name:            "exception_A_host2.com",
+		host:            "host2.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeA,
+	}, {
+		name: "match_AAAA_host2.com",
+		host: "host2.com",
+		wantDNSRewrites: []*rules.DNSRewrite{{
+			Value:    net.ParseIP("::1"),
+			NewCNAME: "",
+			RCode:    dns.RcodeSuccess,
+			RRType:   dns.TypeAAAA,
+		}},
+		dtyp: dns.TypeAAAA,
+	}, {
+		name:            "exception_A_host3.com",
+		host:            "host3.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeA,
+	}, {
+		name:            "match_AAAA_host3.com",
+		host:            "host3.com",
+		wantDNSRewrites: nil,
+		dtyp:            dns.TypeAAAA,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
+				Hostname: tc.host,
+				DNSType:  tc.dtyp,
+			})
+
+			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
+		})
+	}
+}

internal/filtering/rewritehttp.go

@@ -0,0 +1,93 @@
+package filtering
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/golibs/log"
+)
+
+// TODO(d.kolyshev): Use [rewrite.Item] instead.
+type rewriteEntryJSON struct {
+	Domain string `json:"domain"`
+	Answer string `json:"answer"`
+}
+
+func (d *DNSFilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
+	arr := []*rewriteEntryJSON{}
+
+	d.confLock.Lock()
+	for _, ent := range d.Config.Rewrites {
+		jsent := rewriteEntryJSON{
+			Domain: ent.Domain,
+			Answer: ent.Answer,
+		}
+		arr = append(arr, &jsent)
+	}
+	d.confLock.Unlock()
+
+	_ = aghhttp.WriteJSONResponse(w, r, arr)
+}
+
+func (d *DNSFilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
+	rwJSON := rewriteEntryJSON{}
+	err := json.NewDecoder(r.Body).Decode(&rwJSON)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
+
+		return
+	}
+
+	rw := &LegacyRewrite{
+		Domain: rwJSON.Domain,
+		Answer: rwJSON.Answer,
+	}
+
+	err = rw.normalize()
+	if err != nil {
+		// Shouldn't happen currently, since normalize only returns a non-nil
+		// error when a rewrite is nil, but be change-proof.
+		aghhttp.Error(r, w, http.StatusBadRequest, "normalizing: %s", err)
+
+		return
+	}
+
+	d.confLock.Lock()
+	d.Config.Rewrites = append(d.Config.Rewrites, rw)
+	d.confLock.Unlock()
+	log.Debug("rewrite: added element: %s -> %s [%d]", rw.Domain, rw.Answer, len(d.Config.Rewrites))
+
+	d.Config.ConfigModified()
+}
+
+func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request) {
+	jsent := rewriteEntryJSON{}
+	err := json.NewDecoder(r.Body).Decode(&jsent)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
+
+		return
+	}
+
+	entDel := &LegacyRewrite{
+		Domain: jsent.Domain,
+		Answer: jsent.Answer,
+	}
+	arr := []*LegacyRewrite{}
+
+	d.confLock.Lock()
+	for _, ent := range d.Config.Rewrites {
+		if ent.equal(entDel) {
+			log.Debug("rewrite: removed element: %s -> %s", ent.Domain, ent.Answer)
+
+			continue
+		}
+
+		arr = append(arr, ent)
+	}
+	d.Config.Rewrites = arr
+	d.confLock.Unlock()
+
+	d.Config.ConfigModified()
+}

internal/filtering/rewrites.go

@@ -3,16 +3,12 @@
 package filtering
 
 import (
-	"encoding/json"
 	"fmt"
 	"net"
-	"net/http"
 	"sort"
 	"strings"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
 	"github.com/miekg/dns"
 	"golang.org/x/exp/slices"
 )
@@ -221,86 +217,3 @@ func max(a, b int) int {
 
 	return b
 }
-
-type rewriteEntryJSON struct {
-	Domain string `json:"domain"`
-	Answer string `json:"answer"`
-}
-
-func (d *DNSFilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
-	arr := []*rewriteEntryJSON{}
-
-	d.confLock.Lock()
-	for _, ent := range d.Config.Rewrites {
-		jsent := rewriteEntryJSON{
-			Domain: ent.Domain,
-			Answer: ent.Answer,
-		}
-		arr = append(arr, &jsent)
-	}
-	d.confLock.Unlock()
-
-	_ = aghhttp.WriteJSONResponse(w, r, arr)
-}
-
-func (d *DNSFilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
-	rwJSON := rewriteEntryJSON{}
-	err := json.NewDecoder(r.Body).Decode(&rwJSON)
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
-
-		return
-	}
-
-	rw := &LegacyRewrite{
-		Domain: rwJSON.Domain,
-		Answer: rwJSON.Answer,
-	}
-
-	err = rw.normalize()
-	if err != nil {
-		// Shouldn't happen currently, since normalize only returns a non-nil
-		// error when a rewrite is nil, but be change-proof.
-		aghhttp.Error(r, w, http.StatusBadRequest, "normalizing: %s", err)
-
-		return
-	}
-
-	d.confLock.Lock()
-	d.Config.Rewrites = append(d.Config.Rewrites, rw)
-	d.confLock.Unlock()
-	log.Debug("rewrite: added element: %s -> %s [%d]", rw.Domain, rw.Answer, len(d.Config.Rewrites))
-
-	d.Config.ConfigModified()
-}
-
-func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request) {
-	jsent := rewriteEntryJSON{}
-	err := json.NewDecoder(r.Body).Decode(&jsent)
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
-
-		return
-	}
-
-	entDel := &LegacyRewrite{
-		Domain: jsent.Domain,
-		Answer: jsent.Answer,
-	}
-	arr := []*LegacyRewrite{}
-
-	d.confLock.Lock()
-	for _, ent := range d.Config.Rewrites {
-		if ent.equal(entDel) {
-			log.Debug("rewrite: removed element: %s -> %s", ent.Domain, ent.Answer)
-
-			continue
-		}
-
-		arr = append(arr, ent)
-	}
-	d.Config.Rewrites = arr
-	d.confLock.Unlock()
-
-	d.Config.ConfigModified()
-}

internal/filtering/servicelist.go

@@ -251,14 +251,12 @@ var blockedServices = []blockedService{{
 	Name:    "Mastodon",
 	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 512 512\"><path d=\"M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48 0 0 0-63.72 28.5-63.72 125.7 0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54 0 0 1-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z\"/></svg>"),
 	Rules: []string{
+		"||aus.social^",
 		"||awscommunity.social^",
-		"||colorid.es^",
-		"||dizl.de^",
 		"||dju.social^",
 		"||dresden.network^",
 		"||fedibird.com^",
 		"||fosstodon.org^",
-		"||freiburg.social^",
 		"||glasgow.social^",
 		"||h4.io^",
 		"||hachyderm.io^",
@@ -269,32 +267,30 @@ var blockedServices = []blockedService{{
 		"||ieji.de^",
 		"||indieweb.social^",
 		"||ioc.exchange^",
-		"||kfem.cat^",
 		"||kolektiva.social^",
-		"||kurry.social^",
-		"||libretooth.gr^",
 		"||livellosegreto.it^",
 		"||lor.sh^",
 		"||m.cmx.im^",
-		"||mast.dragon-fly.club^",
+		"||mas.to^",
 		"||masto.ai^",
 		"||masto.es^",
 		"||masto.nobigtech.es^",
 		"||masto.pt^",
-		"||mastodon-belgium.be^",
 		"||mastodon.au^",
 		"||mastodon.bida.im^",
+		"||mastodon.com.tr^",
 		"||mastodon.eus^",
 		"||mastodon.ie^",
 		"||mastodon.iriseden.eu^",
+		"||mastodon.lol^",
 		"||mastodon.nl^",
 		"||mastodon.nu^",
 		"||mastodon.nz^",
 		"||mastodon.online^",
 		"||mastodon.scot^",
 		"||mastodon.sdf.org^",
-		"||mastodon.se^",
 		"||mastodon.social^",
+		"||mastodon.top^",
 		"||mastodon.uno^",
 		"||mastodon.world^",
 		"||mastodon.zaclys.com^",
@@ -304,6 +300,8 @@ var blockedServices = []blockedService{{
 		"||mastodontti.fi^",
 		"||mastouille.fr^",
 		"||mathstodon.xyz^",
+		"||meow.social^",
+		"||metalhead.club^",
 		"||mindly.social^",
 		"||mstdn.ca^",
 		"||mstdn.jp^",
@@ -311,14 +309,13 @@ var blockedServices = []blockedService{{
 		"||mstdn.social^",
 		"||muenchen.social^",
 		"||muenster.im^",
+		"||nerdculture.de^",
 		"||newsie.social^",
 		"||noc.social^",
 		"||norden.social^",
 		"||nrw.social^",
 		"||o3o.ca^",
 		"||ohai.social^",
-		"||oslo.town^",
-		"||pettingzoo.co^",
 		"||pewtix.com^",
 		"||phpc.social^",
 		"||piaille.fr^",
@@ -329,18 +326,20 @@ var blockedServices = []blockedService{{
 		"||ruby.social^",
 		"||ruhr.social^",
 		"||sfba.social^",
-		"||snabelen.no^",
+		"||socel.net^",
 		"||social.anoxinon.de^",
 		"||social.cologne^",
 		"||social.dev-wiki.de^",
+		"||social.linux.pizza^",
 		"||social.politicaconciencia.org^",
 		"||social.vivaldi.net^",
-		"||sociale.network^",
+		"||sself.co^",
 		"||sueden.social^",
 		"||techhub.social^",
 		"||theblower.au^",
 		"||tkz.one^",
 		"||toot.aquilenet.fr^",
+		"||toot.community^",
 		"||toot.funami.tech^",
 		"||toot.wales^",
 		"||troet.cafe^",
@@ -350,6 +349,7 @@ var blockedServices = []blockedService{{
 		"||urbanists.social^",
 		"||vocalodon.net^",
 		"||wxw.moe^",
+		"||xarxa.cloud^",
 	},
 }, {
 	ID:      "minecraft",