miracle091/dnscrypt-proxy
miracle091
/
dnscrypt-proxy
mirror of https://github.com/DNSCrypt/dnscrypt-proxy.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Pattern matching in blacklists: done

This commit is contained in:
Frank Denis 2018-01-17 08:46:42 +01:00
parent d7e74318d1
commit 404fcea50b
3 changed files with 63 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
README.md
View File

@ -8,39 +8,39 @@ A modern client implementation of the [DNSCrypt](https://github.com/DNSCrypt/dns
## Current status/features
| Features | dnscrypt-proxy 1.x | dnscrypt-proxy 2.x |
| -------------------------------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------- |
| Status | Old PoC, barely maintained any more | Very new, but quickly evolving |
| Code quality | Big ugly mess | Readable, easy to work on |
| Reliability | Poor, due to completely broken handling of edge cases | Excellent |
| Security | Written in C, bundles patched versions from old branches of system libraries | Written in standard and portable Go |
| Dependencies | Specific versions of dnscrypt-proxy, libldns and libtool | None |
| Upstream connections using TCP | Catastrophic, requires client retries | Implemented as anyone would expect, works well with TOR |
| XChaCha20 support | Only if compiled with recent versions of libsodium | Yes, always available |
| Support of links with small MTU | Unreliable due to completely broken padding | Reliable, properly implemented |
| Support for multiple servers | Nonexistent | Yes, with automatic failover and load-balancing |
| Custom additions | C API, requires libldns for sanity | Simple Go structures using miekg/dns |
| AAAA blocking for IPv4-only networks | Yes | Yes |
| DNS caching | Yes, with ugly hacks for DNSSEC support | Yes, without ugly hacks |
| EDNS support | Broken with custom records | Yes |
| Asynchronous filters | Lol, no, filters block everything | Of course, thanks to Go |
| Session-local storage for extensions | Impossible | Yes |
| Multicore support | Nonexistent | Yes, thanks to Go |
| Efficient padding of queries | Couldn't be any worse | Yes |
| Multiple local sockets | Impossible | Of course. IPv4, IPv6, as many as you like |
| Automatically picks the fastest servers | Lol, it supports only one at a time, anyway | Yes, out of the box |
| Official, always up-to-date pre-built libraries | None | Yes, for many platforms. See below. |
| Automatically downloads and verifies servers lists | No. Requires custom scripts, cron jobs and dependencies (minisign) | Yes, built-in, including signature verification |
| Features | dnscrypt-proxy 1.x | dnscrypt-proxy 2.x |
| ---------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------- |
| Status | Old PoC, barely maintained any more | Very new, but quickly evolving |
| Code quality | Big ugly mess | Readable, easy to work on |
| Reliability | Poor, due to completely broken handling of edge cases | Excellent |
| Security | Written in C, bundles patched versions from old branches of system libraries | Written in standard and portable Go |
| Dependencies | Specific versions of dnscrypt-proxy, libldns and libtool | None |
| Upstream connections using TCP | Catastrophic, requires client retries | Implemented as anyone would expect, works well with TOR |
| XChaCha20 support | Only if compiled with recent versions of libsodium | Yes, always available |
| Support of links with small MTU | Unreliable due to completely broken padding | Reliable, properly implemented |
| Support for multiple servers | Nonexistent | Yes, with automatic failover and load-balancing |
| Custom additions | C API, requires libldns for sanity | Simple Go structures using miekg/dns |
| AAAA blocking for IPv4-only networks | Yes | Yes |
| DNS caching | Yes, with ugly hacks for DNSSEC support | Yes, without ugly hacks |
| EDNS support | Broken with custom records | Yes |
| Asynchronous filters | Lol, no, filters block everything | Of course, thanks to Go |
| Session-local storage for extensions | Impossible | Yes |
| Multicore support | Nonexistent | Yes, thanks to Go |
| Efficient padding of queries | Couldn't be any worse | Yes |
| Multiple local sockets | Impossible | Of course. IPv4, IPv6, as many as you like |
| Automatically picks the fastest servers | Lol, it supports only one at a time, anyway | Yes, out of the box |
| Official, always up-to-date pre-built libraries | None | Yes, for many platforms. See below. |
| Automatically downloads and verifies servers lists | No. Requires custom scripts, cron jobs and dependencies (minisign) | Yes, built-in, including signature verification |
| Advanced expresions in blacklists (ads*.example[0-9]*.com) | No | Yes |
## Planned features
* New super simple (to copy&paste), extensible format for servers parameters: "stamps"
* Filtering with regexes
* Offline responses
* Local DNSSEC validation
* Flexible logging
* Windows support that doesn't suck
* DNS-over-HTTP2
* [DNS-over-HTTPS (DoH)](https://datatracker.ietf.org/wg/doh/about/)
* Some real documentation
## Pre-built binaries

12
dnscrypt-proxy/dnscrypt-proxy.toml
View File

@ -54,17 +54,21 @@ block_ipv6 = false
[query_log]
### Full path to the query log file
# file = "/tmp/query.log"
# file = "query.log"
### Query log format (currently supported: tsv and ltsv)
format = "tsv"
############## Pattern-based blocking (fully compatible with dnscrypt-proxy 1.x) ##############
############## Pattern-based blocking (blacklists) ##############
# Blacklists are made of one pattern per line. Example of valid patterns:
# example.com
# *sex*
# ads.*
# ads*.example.*
[block_name]
## Full path to the file of blocking rules
# file = "/tmp/mybase.txt"
file = "blacklist.txt"
############## DNS Cache ##############

31
dnscrypt-proxy/plugin_block_name.go
View File

@ -1,7 +1,9 @@
package main
import (
"fmt"
"io/ioutil"
"path/filepath"
"strings"
"github.com/hashicorp/go-immutable-radix"
@ -50,7 +52,15 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
leadingStar := strings.HasPrefix(line, "*")
trailingStar := strings.HasSuffix(line, "*")
blockType := PluginBlockTypeNone
if leadingStar && trailingStar {
if isGlobCandidate(line) {
blockType = PluginBlockTypePattern
fmt.Println(line)
_, err := filepath.Match(line, "example.com")
if len(line) < 2 || err != nil {
dlog.Errorf("Syntax error in block rules at line %d", lineNo)
continue
}
} else if leadingStar && trailingStar {
blockType = PluginBlockTypeSubstring
if len(line) < 3 {
dlog.Errorf("Syntax error in block rules at line %d", lineNo)
@ -81,6 +91,8 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
switch blockType {
case PluginBlockTypeSubstring:
plugin.blockedSubstrings = append(plugin.blockedSubstrings, line)
case PluginBlockTypePattern:
plugin.blockedPatterns = append(plugin.blockedPatterns, line)
case PluginBlockTypePrefix:
plugin.blockedPrefixes, _, _ = plugin.blockedPrefixes.Insert([]byte(line), 0)
case PluginBlockTypeSuffix:
@ -125,5 +137,22 @@ func (plugin *PluginBlockName) Eval(pluginsState *PluginsState, msg *dns.Msg) er
return nil
}
}
for _, pattern := range plugin.blockedPatterns {
if found, _ := filepath.Match(pattern, question); found {
pluginsState.action = PluginsActionReject
return nil
}
}
return nil
}
func isGlobCandidate(str string) bool {
for i, c := range str {
if c == '?' || c == '[' {
return true
} else if c == '*' && i != 0 && i != len(str)-1 {
return true
}
}
return false
}