Pattern matching in blacklists: done
This commit is contained in:
parent
d7e74318d1
commit
404fcea50b
50
README.md
50
README.md
|
@ -8,39 +8,39 @@ A modern client implementation of the [DNSCrypt](https://github.com/DNSCrypt/dns
|
|||
|
||||
## Current status/features
|
||||
|
||||
| Features | dnscrypt-proxy 1.x | dnscrypt-proxy 2.x |
|
||||
| -------------------------------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------- |
|
||||
| Status | Old PoC, barely maintained any more | Very new, but quickly evolving |
|
||||
| Code quality | Big ugly mess | Readable, easy to work on |
|
||||
| Reliability | Poor, due to completely broken handling of edge cases | Excellent |
|
||||
| Security | Written in C, bundles patched versions from old branches of system libraries | Written in standard and portable Go |
|
||||
| Dependencies | Specific versions of dnscrypt-proxy, libldns and libtool | None |
|
||||
| Upstream connections using TCP | Catastrophic, requires client retries | Implemented as anyone would expect, works well with TOR |
|
||||
| XChaCha20 support | Only if compiled with recent versions of libsodium | Yes, always available |
|
||||
| Support of links with small MTU | Unreliable due to completely broken padding | Reliable, properly implemented |
|
||||
| Support for multiple servers | Nonexistent | Yes, with automatic failover and load-balancing |
|
||||
| Custom additions | C API, requires libldns for sanity | Simple Go structures using miekg/dns |
|
||||
| AAAA blocking for IPv4-only networks | Yes | Yes |
|
||||
| DNS caching | Yes, with ugly hacks for DNSSEC support | Yes, without ugly hacks |
|
||||
| EDNS support | Broken with custom records | Yes |
|
||||
| Asynchronous filters | Lol, no, filters block everything | Of course, thanks to Go |
|
||||
| Session-local storage for extensions | Impossible | Yes |
|
||||
| Multicore support | Nonexistent | Yes, thanks to Go |
|
||||
| Efficient padding of queries | Couldn't be any worse | Yes |
|
||||
| Multiple local sockets | Impossible | Of course. IPv4, IPv6, as many as you like |
|
||||
| Automatically picks the fastest servers | Lol, it supports only one at a time, anyway | Yes, out of the box |
|
||||
| Official, always up-to-date pre-built libraries | None | Yes, for many platforms. See below. |
|
||||
| Automatically downloads and verifies servers lists | No. Requires custom scripts, cron jobs and dependencies (minisign) | Yes, built-in, including signature verification |
|
||||
| Features | dnscrypt-proxy 1.x | dnscrypt-proxy 2.x |
|
||||
| ---------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------- |
|
||||
| Status | Old PoC, barely maintained any more | Very new, but quickly evolving |
|
||||
| Code quality | Big ugly mess | Readable, easy to work on |
|
||||
| Reliability | Poor, due to completely broken handling of edge cases | Excellent |
|
||||
| Security | Written in C, bundles patched versions from old branches of system libraries | Written in standard and portable Go |
|
||||
| Dependencies | Specific versions of dnscrypt-proxy, libldns and libtool | None |
|
||||
| Upstream connections using TCP | Catastrophic, requires client retries | Implemented as anyone would expect, works well with TOR |
|
||||
| XChaCha20 support | Only if compiled with recent versions of libsodium | Yes, always available |
|
||||
| Support of links with small MTU | Unreliable due to completely broken padding | Reliable, properly implemented |
|
||||
| Support for multiple servers | Nonexistent | Yes, with automatic failover and load-balancing |
|
||||
| Custom additions | C API, requires libldns for sanity | Simple Go structures using miekg/dns |
|
||||
| AAAA blocking for IPv4-only networks | Yes | Yes |
|
||||
| DNS caching | Yes, with ugly hacks for DNSSEC support | Yes, without ugly hacks |
|
||||
| EDNS support | Broken with custom records | Yes |
|
||||
| Asynchronous filters | Lol, no, filters block everything | Of course, thanks to Go |
|
||||
| Session-local storage for extensions | Impossible | Yes |
|
||||
| Multicore support | Nonexistent | Yes, thanks to Go |
|
||||
| Efficient padding of queries | Couldn't be any worse | Yes |
|
||||
| Multiple local sockets | Impossible | Of course. IPv4, IPv6, as many as you like |
|
||||
| Automatically picks the fastest servers | Lol, it supports only one at a time, anyway | Yes, out of the box |
|
||||
| Official, always up-to-date pre-built libraries | None | Yes, for many platforms. See below. |
|
||||
| Automatically downloads and verifies servers lists | No. Requires custom scripts, cron jobs and dependencies (minisign) | Yes, built-in, including signature verification |
|
||||
| Advanced expresions in blacklists (ads*.example[0-9]*.com) | No | Yes |
|
||||
|
||||
## Planned features
|
||||
|
||||
* New super simple (to copy&paste), extensible format for servers parameters: "stamps"
|
||||
* Filtering with regexes
|
||||
* Offline responses
|
||||
* Local DNSSEC validation
|
||||
* Flexible logging
|
||||
* Windows support that doesn't suck
|
||||
* DNS-over-HTTP2
|
||||
* [DNS-over-HTTPS (DoH)](https://datatracker.ietf.org/wg/doh/about/)
|
||||
* Some real documentation
|
||||
|
||||
## Pre-built binaries
|
||||
|
|
|
@ -54,17 +54,21 @@ block_ipv6 = false
|
|||
|
||||
[query_log]
|
||||
### Full path to the query log file
|
||||
# file = "/tmp/query.log"
|
||||
# file = "query.log"
|
||||
|
||||
### Query log format (currently supported: tsv and ltsv)
|
||||
format = "tsv"
|
||||
|
||||
|
||||
############## Pattern-based blocking (fully compatible with dnscrypt-proxy 1.x) ##############
|
||||
|
||||
############## Pattern-based blocking (blacklists) ##############
|
||||
# Blacklists are made of one pattern per line. Example of valid patterns:
|
||||
# example.com
|
||||
# *sex*
|
||||
# ads.*
|
||||
# ads*.example.*
|
||||
[block_name]
|
||||
## Full path to the file of blocking rules
|
||||
# file = "/tmp/mybase.txt"
|
||||
file = "blacklist.txt"
|
||||
|
||||
|
||||
############## DNS Cache ##############
|
||||
|
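Review bot: The new comment block lists only `*`-based examples, while the README in the same commit advertises character classes (`ads*.example[0-9]*.com`); adding that form and the single-character wildcard would let users discover them, e.g. `# ads*.example[0-9]*.com` and `# ad?.example.com` (constructed examples). It is also worth stating in the comment that `?` and `[` are interpreted as pattern syntax, since a rule containing them is no longer a plain prefix, suffix or substring match, and a stray bracket will be reported as a syntax error at load time.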
|
|
@ -1,7 +1,9 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/go-immutable-radix"
|
||||
|
@ -50,7 +52,15 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
|
|||
leadingStar := strings.HasPrefix(line, "*")
|
||||
trailingStar := strings.HasSuffix(line, "*")
|
||||
blockType := PluginBlockTypeNone
|
||||
if leadingStar && trailingStar {
|
||||
if isGlobCandidate(line) {
|
||||
blockType = PluginBlockTypePattern
|
||||
fmt.Println(line)
|
||||
_, err := filepath.Match(line, "example.com")
|
||||
if len(line) < 2 || err != nil {
|
||||
dlog.Errorf("Syntax error in block rules at line %d", lineNo)
|
||||
continue
|
||||
}
|
||||
} else if leadingStar && trailingStar {
|
||||
blockType = PluginBlockTypeSubstring
|
||||
if len(line) < 3 {
|
||||
dlog.Errorf("Syntax error in block rules at line %d", lineNo)
|
||||
|
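Review bot: `fmt.Println(line)` inside the new `isGlobCandidate` branch writes every pattern rule to stdout at startup and looks like leftover debugging; it should be removed together with the `fmt` import added in the first hunk, or replaced by a debug-level `dlog.Debugf` call in the style of the `dlog.Errorf` already used here. The validation probe `filepath.Match(line, "example.com")` also ties rule syntax to the host OS: on non-Windows builds `\` is an escape character while on Windows it is the path separator, so the same blacklist can parse and match differently per platform; `path.Match` has fixed, OS-independent semantics and is the better fit for host names, both here and in the `Eval` loop of the last hunk. Depending on the Go release, `Match` may only report `ErrBadPattern` once matching reaches the malformed part of the pattern, so a single probe against `"example.com"` is not a complete syntax check and a rule may be accepted here yet fail on a later query. Init's body starts and ends outside the hunk.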
@ -81,6 +91,8 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
|
|||
switch blockType {
|
||||
case PluginBlockTypeSubstring:
|
||||
plugin.blockedSubstrings = append(plugin.blockedSubstrings, line)
|
||||
case PluginBlockTypePattern:
|
||||
plugin.blockedPatterns = append(plugin.blockedPatterns, line)
|
||||
case PluginBlockTypePrefix:
|
||||
plugin.blockedPrefixes, _, _ = plugin.blockedPrefixes.Insert([]byte(line), 0)
|
||||
case PluginBlockTypeSuffix:
|
||||
|
@ -125,5 +137,22 @@ func (plugin *PluginBlockName) Eval(pluginsState *PluginsState, msg *dns.Msg) er
|
|||
return nil
|
||||
}
|
||||
}
|
||||
for _, pattern := range plugin.blockedPatterns {
|
||||
if found, _ := filepath.Match(pattern, question); found {
|
||||
pluginsState.action = PluginsActionReject
|
||||
return nil
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func isGlobCandidate(str string) bool {
|
||||
for i, c := range str {
|
||||
if c == '?' || c == '[' {
|
||||
return true
|
||||
} else if c == '*' && i != 0 && i != len(str)-1 {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
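Review bot: `isGlobCandidate` has no doc comment and uses `else if` after a terminating `return`; suggest `// isGlobCandidate reports whether str uses glob syntax that a plain prefix, suffix or substring rule cannot express: '?', '[', or a '*' that is neither the first nor the last character.` and splitting the two conditions into separate `if` statements so the happy path stays left-aligned. In the new `Eval` loop the `Match` error is discarded with `_`, which is only safe because `Init` rejects malformed patterns before they reach `blockedPatterns`; a one-line comment such as `// patterns were validated in Init, so Match cannot fail here` would spare the next reader the check. Whether `question` is normalised to lower case before this loop is not visible in the hunk; `Match` is case-sensitive, so if it is not, a rule written with upper-case letters would never fire. Eval's body starts outside the hunk.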
|