Support IP accept list
This commit is contained in:
Nick Peng
@@ -560,16 +560,17 @@ https://github.com/pymumu/smartdns/releases
|
||||
|audit-size|审计大小|128K|数字+K,M,G|audit-size 128K
|
||||
|audit-num|审计归档个数|2|数字|audit-num 2
|
||||
|conf-file|附加配置文件|无|文件路径|conf-file /etc/smartdns/smartdns.more.conf
|
||||
|server|上游UDP DNS|无|可重复<br>`[ip][:port]`:服务器IP,端口可选。<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server 8.8.8.8:53 -blacklist-ip -group g1
|
||||
|server-tcp|上游TCP DNS|无|可重复<br>`[ip][:port]`:服务器IP,端口可选。<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tcp 8.8.8.8:53
|
||||
|server-tls|上游TLS DNS|无|可重复<br>`[ip][:port]`:服务器IP,端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值<br>`[host-name]`:TLS SNI名称<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tls 8.8.8.8:853
|
||||
|server-https|上游HTTPS DNS|无|可重复<br>`https://[host][:port]/path`:服务器IP,端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值<br>`[host-name]`:TLS SNI名称<br>`[http-host]`:http协议头主机名<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query
|
||||
|server|上游UDP DNS|无|可重复<br>`[ip][:port]`:服务器IP,端口可选。<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server 8.8.8.8:53 -blacklist-ip -group g1
|
||||
|server-tcp|上游TCP DNS|无|可重复<br>`[ip][:port]`:服务器IP,端口可选。<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tcp 8.8.8.8:53
|
||||
|server-tls|上游TLS DNS|无|可重复<br>`[ip][:port]`:服务器IP,端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值<br>`[host-name]`:TLS SNI名称。<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tls 8.8.8.8:853
|
||||
|server-https|上游HTTPS DNS|无|可重复<br>`https://[host][:port]/path`:服务器IP,端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值<br>`[host-name]`:TLS SNI名称<br>`[http-host]`:http协议头主机名。<br>`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。<br>`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。<br>`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query
|
||||
|address|指定域名IP地址|无|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6] <br>`-`表示忽略 <br>`#`表示返回SOA <br>`4`表示IPV4 <br>`6`表示IPV6| address /www.example.com/1.2.3.4
|
||||
|nameserver|指定域名使用server组解析|无|nameserver /domain/[group\|-], `group`为组名,`-`表示忽略此规则,配套server中的`-group`参数使用| nameserver /www.example.com/office
|
||||
|ipset|域名IPSET|None|ipset /domain/[ipset\|-], `-`表示忽略|ipset /www.example.com/pass
|
||||
|ipset-timeout|设置IPSET超时功能启用|auto|[yes]|ipset-timeout yes
|
||||
|bogus-nxdomain|假冒IP地址过滤|无|[ip/subnet],可重复| bogus-nxdomain 1.2.3.4/16
|
||||
|ignore-ip|忽略IP地址|无|[ip/subnet],可重复| ignore-ip 1.2.3.4/16
|
||||
|accept-ip|接受IP地址|无|[ip/subnet],可重复| accept-ip 1.2.3.4/16
|
||||
|blacklist-ip|黑名单IP地址|无|[ip/subnet],可重复| blacklist-ip 1.2.3.4/16
|
||||
|force-AAAA-SOA|强制AAAA地址返回SOA|no|[yes\|no]|force-AAAA-SOA yes
|
||||
|prefetch-domain|域名预先获取功能|no|[yes\|no]|prefetch-domain yes
|
||||
|
||||
@@ -555,10 +555,10 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
|
||||
|audit-size|audit log size|128K|number+K,M,G|audit-size 128K
|
||||
|audit-num|archived audit log number|2|Integer|audit-num 2
|
||||
|conf-file|additional conf file|None|File path|conf-file /etc/smartdns/smartdns.more.conf
|
||||
|server|Upstream UDP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip
|
||||
|server-tcp|Upstream TCP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53
|
||||
|server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[host-name]`:TLS Server name<br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
|
||||
|server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[host-name]`:TLS Server name<br>`[http-host]`:http header host<br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
|
||||
|server|Upstream UDP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip
|
||||
|server-tcp|Upstream TCP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53
|
||||
|server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[host-name]`:TLS Server name. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
|
||||
|server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[host-name]`:TLS Server name<br>`[http-host]`:http header host. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
|
||||
|address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4
|
||||
|nameserver|To query domain with specific server group|None|nameserver /domain/[group\|-], `group` is the group name, `-` means ignore this rule, use the `-group` parameter in the related server|nameserver /www.example.com/office
|
||||
|ipset|Domain IPSet|None|ipset /domain/[ipset\|-], `-` for ignore|ipset /www.example.com/pass
|
||||
|
||||
@@ -39,6 +39,9 @@ cache-size 512
|
||||
# List of IPs that will be ignored
|
||||
# ignore-ip [ip/subnet]
|
||||
|
||||
# List of IPs that will be accepted
|
||||
# accept-ip [ip/subnet]
|
||||
|
||||
# force AAAA query return SOA
|
||||
# force-AAAA-SOA [yes|no]
|
||||
|
||||
@@ -80,30 +83,31 @@ log-level info
|
||||
# audit-num 2
|
||||
|
||||
# remote udp dns server list
|
||||
# server [IP]:[PORT] [-blacklist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
|
||||
# server [IP]:[PORT] [-blacklist-ip] [-accept-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
|
||||
# default port is 53
|
||||
# -blacklist-ip: filter result with blacklist ip
|
||||
# -accept-ip: accept ip result with accept-ip list
|
||||
# -check-edns: result must exist edns RR, or discard result.
|
||||
# -group [group]: set server to group, use with nameserver /domain/group.
|
||||
# -exclude-default-group: exclude this server from default group.
|
||||
# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2
|
||||
|
||||
# remote tcp dns server list
|
||||
# server-tcp [IP]:[PORT] [-blacklist-ip] [-group [group] ...] [-exclude-default-group]
|
||||
# server-tcp [IP]:[PORT] [-blacklist-ip] [-accept-ip] [-group [group] ...] [-exclude-default-group]
|
||||
# default port is 53
|
||||
# server-tcp 8.8.8.8
|
||||
|
||||
# remote tls dns server list
|
||||
# server-tls [IP]:[PORT] [-blacklist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
||||
# server-tls [IP]:[PORT] [-blacklist-ip] [-accept-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
||||
# -spki-pin: TLS spki pin to verify.
|
||||
# Get SKPI with this command:
|
||||
# Get SPKI with this command:
|
||||
# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
|
||||
# default port is 853
|
||||
# server-tls 8.8.8.8
|
||||
# server-tls 1.0.0.1
|
||||
|
||||
# remote https dns server list
|
||||
# server-https https://[host]:[port]/path [-blacklist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
||||
# server-https https://[host]:[port]/path [-blacklist-ip] [-accept-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
|
||||
# -spki-pin: TLS spki pin to verify.
|
||||
# default port is 443
|
||||
# server-https https://cloudflare-dns.com/dns-query
|
||||
@@ -126,4 +130,3 @@ log-level info
|
||||
# ipset /domain/[ipset|-]
|
||||
# ipset /www.example.com/block, set ipset with ipset name of block
|
||||
# ipset /www.example.com/-, ignore this domain
|
||||
|
||||
|
||||
@@ -22,6 +22,7 @@ typedef enum dns_result_type {
|
||||
#define DNSSERVER_FLAG_BLACKLIST_IP (0x1 << 0)
|
||||
#define DNSSERVER_FLAG_CHECK_EDNS (0x1 << 1)
|
||||
#define DNSSERVER_FLAG_CHECK_TTL (0x1 << 2)
|
||||
#define DNSSERVER_FLAG_ACCEPT_IP (0x1 << 3)
|
||||
|
||||
int dns_client_init(void);
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <libgen.h>
|
||||
#include <libgen.h>
|
||||
|
||||
#define DEFAULT_DNS_CACHE_SIZE 512
|
||||
|
||||
@@ -168,10 +168,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
|
||||
/* clang-format off */
|
||||
static struct option long_options[] = {
|
||||
{"blacklist-ip", no_argument, NULL, 'b'}, /* filtering with blacklist-ip */
|
||||
#ifdef FEATURE_CHECK_EDNS
|
||||
#ifdef FEATURE_CHECK_EDNS
|
||||
/* experimental feature */
|
||||
{"check-edns", no_argument, NULL, 'e'}, /* check edns */
|
||||
#endif
|
||||
#endif
|
||||
{"spki-pin", required_argument, NULL, 'p'}, /* check SPKI pin */
|
||||
{"host-name", required_argument, NULL, 'h'}, /* host name */
|
||||
{"http-host", required_argument, NULL, 'H'}, /* http host */
|
||||
@@ -236,6 +236,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
|
||||
result_flag |= DNSSERVER_FLAG_CHECK_EDNS;
|
||||
break;
|
||||
}
|
||||
case 'a': {
|
||||
result_flag |= DNSSERVER_FLAG_ACCEPT_IP;
|
||||
break;
|
||||
}
|
||||
case 'h': {
|
||||
strncpy(server->hostname, optarg, DNS_MAX_CNAME_LEN);
|
||||
break;
|
||||
@@ -886,6 +890,12 @@ static int _config_iplist_rule(char *subnet, enum address_rule rule)
|
||||
break;
|
||||
case ADDRESS_RULE_IP_IGNORE:
|
||||
ip_rule->ip_ignore = 1;
|
||||
break;
|
||||
case ADDRESS_RULE_IP_ACCEPT:
|
||||
ip_rule->ip_accept = 1;
|
||||
break;
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -918,6 +928,15 @@ static int _conf_ip_ignore(void *data, int argc, char *argv[])
|
||||
return _config_iplist_rule(argv[1], ADDRESS_RULE_IP_IGNORE);
|
||||
}
|
||||
|
||||
static int _conf_ip_accept(void *data, int argc, char *argv[])
|
||||
{
|
||||
if (argc <= 1) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return _config_iplist_rule(argv[1], ADDRESS_RULE_IP_ACCEPT);
|
||||
}
|
||||
|
||||
static int _conf_edns_client_subnet(void *data, int argc, char *argv[])
|
||||
{
|
||||
char *slash = NULL;
|
||||
@@ -1024,6 +1043,7 @@ static struct config_item _config_item[] = {
|
||||
CONF_CUSTOM("blacklist-ip", _config_blacklist_ip, NULL),
|
||||
CONF_CUSTOM("bogus-nxdomain", _conf_bogus_nxdomain, NULL),
|
||||
CONF_CUSTOM("ignore-ip", _conf_ip_ignore, NULL),
|
||||
CONF_CUSTOM("accept-ip", _conf_ip_accept, NULL),
|
||||
CONF_CUSTOM("edns-client-subnet", _conf_edns_client_subnet, NULL),
|
||||
CONF_CUSTOM("conf-file", config_addtional_file, NULL),
|
||||
CONF_END(),
|
||||
|
||||
@@ -116,12 +116,14 @@ enum address_rule {
|
||||
ADDRESS_RULE_BLACKLIST = 1,
|
||||
ADDRESS_RULE_BOGUS = 2,
|
||||
ADDRESS_RULE_IP_IGNORE = 3,
|
||||
ADDRESS_RULE_IP_ACCEPT = 4,
|
||||
};
|
||||
|
||||
struct dns_ip_address_rule {
|
||||
unsigned int blacklist : 1;
|
||||
unsigned int bogus : 1;
|
||||
unsigned int ip_ignore : 1;
|
||||
unsigned int ip_accept : 1;
|
||||
};
|
||||
|
||||
struct dns_edns_client_subnet {
|
||||
|
||||
@@ -962,11 +962,11 @@ static int _dns_server_ip_rule_check(struct dns_request *request, unsigned char
|
||||
}
|
||||
|
||||
if (node == NULL) {
|
||||
return -1;
|
||||
goto rule_not_found;
|
||||
}
|
||||
|
||||
if (node->data == NULL) {
|
||||
return -1;
|
||||
goto rule_not_found;
|
||||
}
|
||||
|
||||
/* bogux-nxdomain */
|
||||
@@ -986,7 +986,17 @@ static int _dns_server_ip_rule_check(struct dns_request *request, unsigned char
|
||||
if (rule->ip_ignore) {
|
||||
goto skip;
|
||||
}
|
||||
|
||||
rule_not_found:
|
||||
if (result_flag & DNSSERVER_FLAG_ACCEPT_IP) {
|
||||
if (rule == NULL) {
|
||||
goto skip;
|
||||
}
|
||||
|
||||
if (!rule->ip_accept) {
|
||||
goto skip;
|
||||
}
|
||||
}
|
||||
return -1;
|
||||
skip:
|
||||
return -2;
|
||||
|
||||
Reference in New Issue
Block a user