From 68f3ab249cd69e93d0a89564eb57e5f20dd542ee Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Tue, 7 Feb 2023 09:56:12 +0100
Subject: [PATCH] Unbreak cloaking plugin

In version 2.1.3, when the cloaking pluging was enabled, a blocked response was returned for records that were not A/AAAA/PTR, even with names that were not in the cloaked list.
---
 .ci/ci-test.sh | 3 +++
 dnscrypt-proxy/plugin_cloak.go | 13 +++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.ci/ci-test.sh b/.ci/ci-test.sh
index 63410f00..495ba74d 100755
--- a/.ci/ci-test.sh
+++ b/.ci/ci-test.sh
@@ -67,6 +67,9 @@ t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' section
 t || dig -p${DNS_PORT} +short cloaked.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short MX cloaked.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} +short MX example.com @127.0.0.1 | grep -Fvq 'locally blocked' || fail
+t || dig -p${DNS_PORT} NS cloaked.com @127.0.0.1 | grep -Fiq 'gtld-servers.net' || fail
 t || dig -p${DNS_PORT} +short www.cloaked2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
 t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail
 t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
diff --git a/dnscrypt-proxy/plugin_cloak.go b/dnscrypt-proxy/plugin_cloak.go
index d7643a55..4148bbfd 100644
--- a/dnscrypt-proxy/plugin_cloak.go
+++ b/dnscrypt-proxy/plugin_cloak.go
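Review bot: The negative check on the new `MX example.com` line passes vacuously whenever dig prints anything other than the blocked marker, including a timeout or a SERVFAIL banner, so a regression that breaks upstream resolution for uncloaked names would still be reported as green. Pair it with a positive assertion on the response status, e.g. `t || dig -p${DNS_PORT} MX example.com @127.0.0.1 | grep -Fq 'status: NOERROR' || fail`, and keep the existing `grep -Fvq 'locally blocked'` line as the second half of the test. The `NS cloaked.com` line asserts on live `.com` delegation data (`gtld-servers.net`) rather than on a local fixture, which matches the rest of this script but ties the test to upstream behaviour outside the repository's control.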
@@ -136,12 +136,7 @@ func (plugin *PluginCloak) Reload() error {
 func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
 question := msg.Question[0]
- if question.Qclass != dns.ClassINET ||
- (question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA && question.Qtype != dns.TypePTR) {
- if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeNS || question.Qtype == dns.TypeSOA) {
- pluginsState.action = PluginsActionReject
- pluginsState.returnCode = PluginsReturnCodeCloak
- }
+ if question.Qclass != dns.ClassINET || question.Qtype == dns.TypeNS || question.Qtype == dns.TypeSOA {
 return nil
 }
 now := time.Now()
@@ -151,6 +146,12 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 plugin.RUnlock()
 return nil
 }
+ if question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA && question.Qtype != dns.TypePTR {
+ plugin.RUnlock()
+ pluginsState.action = PluginsActionReject
+ pluginsState.returnCode = PluginsReturnCodeCloak
+ return nil
+ }
 cloakedName := xcloakedName.(*CloakedName)
 ttl, expired := plugin.ttl, false
 if cloakedName.lastUpdate != nil {
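Review bot: The new early return in the first hunk carries no comment, and the exemption of NS and SOA is the one decision in Eval that a reader cannot infer from the plugin's purpose, so the next edit is likely to fold it back into the record-type check further down. A one-line note above the `if` is enough: `// Non-INET classes and NS/SOA queries are never cloaked or blocked by this plugin.` The `dig NS cloaked.com` line added to ci-test.sh in this commit is the regression test for exactly this exemption and is worth referencing in that comment. Eval's body continues past the end of this hunk.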
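Review bot: The reject branch added in the second hunk is the second early return in a few lines that has to remember `plugin.RUnlock()` by hand, and that duplicated unlock is what makes the next early return here easy to get wrong; a missed RUnlock would leave the read lock held for good and stall any later writer on that lock. If the read lock is taken just before the lookup, which sits outside this hunk, a `defer plugin.RUnlock()` immediately after `plugin.RLock()` lets both manual unlocks visible here go away, provided the remainder of Eval does not depend on releasing the lock before building the response; that part is not visible in the diff. The branch itself is placed correctly: it runs only after the name was found in the cloak table, so uncloaked names of any type no longer get a blocked response, which is the regression the description reports.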