Pull request 1944: 6049-block-ns-root

Updates #6049. Squashed commit of the following: commit 288a486b741b4dc57769bd5a0bdd67b4d75cc8c0 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Jul 27 20:59:14 2023 +0300 dnsforward: fix blocking of ns root
2024-12-15 03:02:07 +03:00 · 2023-07-27 21:06:51 +03:00 · 2023-07-27 21:06:51 +03:00 · 79306cb48a
commit 79306cb48a
parent 300821a7fb
4 changed files with 22 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -25,10 +25,15 @@ NOTE: Add new changes BELOW THIS COMMENT.
 ### Fixed
 - Inability to block queries for the root domain, such as `NS .` queries, using
  the *Disallowed domains* feature on the *DNS settings* page ([#6049]).  Users
  who want to block `.` queries should use the `|.^` AdBlock rule or a similar
  regular expression.
 - Client hostnames not resolving when upstream server responds with zero-TTL
  records ([#6046]).
 [#6046]: https://github.com/AdguardTeam/AdGuardHome/issues/6046
 [#6049]: https://github.com/AdguardTeam/AdGuardHome/issues/6049
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
--- a/internal/dnsforward/access.go
+++ b/internal/dnsforward/access.go
@ -90,7 +90,7 @@ func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, er
 	lists := []filterlist.RuleList{
 		&filterlist.StringRuleList{
-			ID:             int(0),
+			ID:             0,
 			RulesText:      b.String(),
 			IgnoreCosmetic: true,
 		},
--- a/internal/dnsforward/access_test.go
+++ b/internal/dnsforward/access_test.go
@ -31,6 +31,7 @@ func TestIsBlockedHost(t *testing.T) {
 		"*.host.com",
 		"||host3.com^",
 		"||*^$dnstype=HTTPS",
 		"|.^",
 	})
 	require.NoError(t, err)
@ -94,6 +95,11 @@ func TestIsBlockedHost(t *testing.T) {
 		name: "by_qtype_other",
 		host: "site-with-https-record.example",
 		qt:   dns.TypeA,
 	}, {
 		want: assert.True,
 		name: "ns_root",
 		host: ".",
 		qt:   dns.TypeNS,
 	}}
 	for _, tc := range testCases {
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/log"
@ -33,9 +34,9 @@ func (s *Server) beforeRequestHandler(
 	if len(pctx.Req.Question) == 1 {
 		q := pctx.Req.Question[0]
 		qt := q.Qtype
-		host := strings.TrimSuffix(q.Name, ".")
+		host := aghnet.NormalizeDomain(q.Name)
 		if s.access.isBlockedHost(host, qt) {
-			log.Debug("request %s %s is in access blocklist", dns.Type(qt), host)
+			log.Debug("access: request %s %s is in access blocklist", dns.Type(qt), host)
 			return s.preBlockedResponse(pctx)
 		}
@ -79,7 +80,12 @@ func (s *Server) filterDNSRequest(dctx *dnsContext) (res *filtering.Result, err
 	res = &resVal
 	switch {
 	case res.IsFiltered:
-		log.Tracef("host %q is filtered, reason %q, rule: %q", host, res.Reason, res.Rules[0].Text)
+		log.Debug(
 			"dnsforward: host %q is filtered, reason: %q; rule: %q",
 			host,
 			res.Reason,
 			res.Rules[0].Text,
 		)
 		pctx.Res = s.genDNSFilterMessage(pctx, res)
 	case res.Reason.In(filtering.Rewritten, filtering.RewrittenRule) &&
 		res.CanonName != "" &&
@ -189,7 +195,7 @@ func (s *Server) filterDNSResponse(
 			continue
 		} else if res.IsFiltered {
 			pctx.Res = s.genDNSFilterMessage(pctx, res)
-			log.Debug("DNSFwd: Matched %s by response: %s", pctx.Req.Question[0].Name, host)
+			log.Debug("dnsforward: matched %q by response: %q", pctx.Req.Question[0].Name, host)
 			return res, nil
 		}