Add a new plugin to block unqualified host names

2019-12-09 20:25:38 +01:00 · 2019-12-09 20:25:38 +01:00 · a635e92606
parent 56d02597a6
commit a635e92606
5 changed files with 64 additions and 0 deletions
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@ -46,6 +46,7 @@ type Config struct {
 	LBStrategy               string `toml:"lb_strategy"`
 	LBEstimator              bool   `toml:"lb_estimator"`
 	BlockIPv6                bool   `toml:"block_ipv6"`
+	BlockUnqualified         bool   `toml:"block_unqualified"`
 	Cache                    bool
 	CacheSize                int                         `toml:"cache_size"`
 	CacheNegTTL              uint32                      `toml:"cache_neg_ttl"`
@ -366,6 +367,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 	proxy.localDoHCertKeyFile = config.LocalDoH.CertKeyFile
 	proxy.daemonize = config.Daemonize
 	proxy.pluginBlockIPv6 = config.BlockIPv6
+	proxy.pluginBlockUnqualified = config.BlockUnqualified
 	proxy.cache = config.Cache
 	proxy.cacheSize = config.CacheSize

--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@ -267,6 +267,11 @@ log_files_max_backups = 1
 block_ipv6 = false


+## Immediately respond to A and AAAA queries for host names without a domain name
+
+block_unqualified = true
+
+
 ## TTL for synthetic responses sent when a request has been blocked (due to
 ## IPv6 or blacklists).

--- a/dnscrypt-proxy/plugin_block_unqualified.go
+++ b/dnscrypt-proxy/plugin_block_unqualified.go
@ -0,0 +1,53 @@
+package main
+
+import (
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+type PluginBlockUnqualified struct {
+}
+
+func (plugin *PluginBlockUnqualified) Name() string {
+	return "block_unqualified"
+}
+
+func (plugin *PluginBlockUnqualified) Description() string {
+	return "Block unqualified DNS names"
+}
+
+func (plugin *PluginBlockUnqualified) Init(proxy *Proxy) error {
+	return nil
+}
+
+func (plugin *PluginBlockUnqualified) Drop() error {
+	return nil
+}
+
+func (plugin *PluginBlockUnqualified) Reload() error {
+	return nil
+}
+
+func (plugin *PluginBlockUnqualified) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	questions := msg.Question
+	if len(questions) != 1 {
+		return nil
+	}
+	question := questions[0]
+	if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA) {
+		return nil
+	}
+	qName := questions[0].Name
+	idx := strings.IndexByte(qName, '.')
+	if idx == -1 || idx+1 != len(qName) {
+		return nil
+	}
+	synth := EmptyResponseFromMessage(msg)
+	synth.Rcode = dns.RcodeNameError
+	pluginsState.synthResponse = synth
+	pluginsState.action = PluginsActionSynth
+	pluginsState.returnCode = PluginsReturnCodeSynth
+
+	return nil
+}
--- a/dnscrypt-proxy/plugins.go
+++ b/dnscrypt-proxy/plugins.go
@ -115,6 +115,9 @@ func (proxy *Proxy) InitPluginsGlobals() error {
 	if len(proxy.forwardFile) != 0 {
 		*queryPlugins = append(*queryPlugins, Plugin(new(PluginForward)))
 	}
+	if proxy.pluginBlockUnqualified {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginBlockUnqualified)))
+	}

 	responsePlugins := &[]Plugin{}
 	if len(proxy.nxLogFile) != 0 {
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
@ -39,6 +39,7 @@ type Proxy struct {
 	registeredServers             []RegisteredServer
 	registeredRelays              []RegisteredServer
 	pluginBlockIPv6               bool
+	pluginBlockUnqualified        bool
 	cache                         bool
 	cacheSize                     int
 	cacheNegMinTTL                uint32