block_name plugin: also check names found in CNAME records

This commit is contained in:
Frank Denis 2019-11-24 10:04:16 +01:00
parent 1152491b2d
commit 67c7254dc5
2 changed files with 97 additions and 41 deletions

View File

@ -20,8 +20,57 @@ type BlockedNames struct {
format string format string
} }
const aliasesLimit = 8
var blockedNames *BlockedNames
func (blockedNames *BlockedNames) check(pluginsState *PluginsState, qName string) (bool, error) {
qName = strings.ToLower(StripTrailingDot(qName))
reject, reason, xweeklyRanges := blockedNames.patternMatcher.Eval(qName)
var weeklyRanges *WeeklyRanges
if xweeklyRanges != nil {
weeklyRanges = xweeklyRanges.(*WeeklyRanges)
}
if reject {
if weeklyRanges != nil && !weeklyRanges.Match() {
reject = false
}
}
if !reject {
return false, nil
}
pluginsState.action = PluginsActionReject
pluginsState.returnCode = PluginsReturnCodeReject
if blockedNames.logger != nil {
var clientIPStr string
if pluginsState.clientProto == "udp" {
clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
} else {
clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
}
var line string
if blockedNames.format == "tsv" {
now := time.Now()
year, month, day := now.Date()
hour, minute, second := now.Clock()
tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
line = fmt.Sprintf("%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(reason))
} else if blockedNames.format == "ltsv" {
line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(reason))
} else {
dlog.Fatalf("Unexpected log format: [%s]", blockedNames.format)
}
if blockedNames.logger == nil {
return false, errors.New("Log file not initialized")
}
blockedNames.logger.Write([]byte(line))
}
return true, nil
}
// ---
type PluginBlockName struct { type PluginBlockName struct {
blockedNames *BlockedNames
} }
func (plugin *PluginBlockName) Name() string { func (plugin *PluginBlockName) Name() string {
@ -38,7 +87,7 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
if err != nil { if err != nil {
return err return err
} }
blockedNames := BlockedNames{ xBlockedNames := BlockedNames{
allWeeklyRanges: proxy.allWeeklyRanges, allWeeklyRanges: proxy.allWeeklyRanges,
patternMatcher: NewPatternPatcher(), patternMatcher: NewPatternPatcher(),
} }
@ -65,12 +114,12 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
weeklyRanges = &weeklyRangesX weeklyRanges = &weeklyRangesX
} }
} }
if err := blockedNames.patternMatcher.Add(line, weeklyRanges, lineNo+1); err != nil { if err := xBlockedNames.patternMatcher.Add(line, weeklyRanges, lineNo+1); err != nil {
dlog.Error(err) dlog.Error(err)
continue continue
} }
} }
plugin.blockedNames = &blockedNames blockedNames = &xBlockedNames
if len(proxy.blockNameLogFile) == 0 { if len(proxy.blockNameLogFile) == 0 {
return nil return nil
} }
@ -89,56 +138,60 @@ func (plugin *PluginBlockName) Reload() error {
} }
func (plugin *PluginBlockName) Eval(pluginsState *PluginsState, msg *dns.Msg) error { func (plugin *PluginBlockName) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
if plugin.blockedNames == nil || pluginsState.sessionData["whitelisted"] != nil { if blockedNames == nil || pluginsState.sessionData["whitelisted"] != nil {
return nil return nil
} }
questions := msg.Question questions := msg.Question
if len(questions) != 1 { if len(questions) != 1 {
return nil return nil
} }
return plugin.blockedNames.check(pluginsState, questions[0].Name) _, err := blockedNames.check(pluginsState, questions[0].Name)
return err
} }
func (blockedNames *BlockedNames) check(pluginsState *PluginsState, qName string) error { // ---
qName = strings.ToLower(StripTrailingDot(qName))
reject, reason, xweeklyRanges := blockedNames.patternMatcher.Eval(qName) type PluginBlockNameResponse struct {
var weeklyRanges *WeeklyRanges
if xweeklyRanges != nil {
weeklyRanges = xweeklyRanges.(*WeeklyRanges)
} }
if reject {
if weeklyRanges != nil && !weeklyRanges.Match() { func (plugin *PluginBlockNameResponse) Name() string {
reject = false return "block_name"
} }
func (plugin *PluginBlockNameResponse) Description() string {
return "Block DNS responses matching name patterns"
} }
if !reject {
func (plugin *PluginBlockNameResponse) Init(proxy *Proxy) error {
return nil return nil
} }
pluginsState.action = PluginsActionReject
pluginsState.returnCode = PluginsReturnCodeReject func (plugin *PluginBlockNameResponse) Drop() error {
if blockedNames.logger != nil { return nil
var clientIPStr string
if pluginsState.clientProto == "udp" {
clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
} else {
clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
} }
var line string
if blockedNames.format == "tsv" { func (plugin *PluginBlockNameResponse) Reload() error {
now := time.Now() return nil
year, month, day := now.Date()
hour, minute, second := now.Clock()
tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
line = fmt.Sprintf("%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(reason))
} else if blockedNames.format == "ltsv" {
line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(reason))
} else {
dlog.Fatalf("Unexpected log format: [%s]", blockedNames.format)
} }
if blockedNames.logger == nil {
return errors.New("Log file not initialized") func (plugin *PluginBlockNameResponse) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
if blockedNames == nil || pluginsState.sessionData["whitelisted"] != nil {
return nil
}
aliasesLeft := aliasesLimit
answers := msg.Answer
for _, answer := range answers {
header := answer.Header()
if header.Class != dns.ClassINET || header.Rrtype != dns.TypeCNAME {
continue
}
if blocked, err := blockedNames.check(pluginsState, answer.(*dns.CNAME).Target); blocked || err != nil {
return err
}
aliasesLeft--
if aliasesLeft == 0 {
break
} }
blockedNames.logger.Write([]byte(line))
} }
return nil return nil
} }

View File

@ -120,6 +120,9 @@ func (proxy *Proxy) InitPluginsGlobals() error {
if len(proxy.nxLogFile) != 0 { if len(proxy.nxLogFile) != 0 {
*responsePlugins = append(*responsePlugins, Plugin(new(PluginNxLog))) *responsePlugins = append(*responsePlugins, Plugin(new(PluginNxLog)))
} }
if len(proxy.blockNameFile) != 0 {
*responsePlugins = append(*responsePlugins, Plugin(new(PluginBlockNameResponse)))
}
if len(proxy.blockIPFile) != 0 { if len(proxy.blockIPFile) != 0 {
*responsePlugins = append(*responsePlugins, Plugin(new(PluginBlockIP))) *responsePlugins = append(*responsePlugins, Plugin(new(PluginBlockIP)))
} }