diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0903fdbf..8389f5b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,8 @@ and this project adheres to
 ### Changed
+- Clients who are blocked by access settings now receive a `REFUSED` response
+ when a protocol other than DNS-over-UDP and DNSCrypt is used.
 - `querylog_interval` setting is now formatted in hours.
 - Query log search now supports internationalized domains ([#3012]).
 - Internationalized domains are now shown decoded in the query log with the
diff --git a/go.mod b/go.mod
index 2a4b1b46..1165bf79 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.16
 require (
- github.com/AdguardTeam/dnsproxy v0.38.2
+ github.com/AdguardTeam/dnsproxy v0.38.3
 github.com/AdguardTeam/golibs v0.8.0
 github.com/AdguardTeam/urlfilter v0.14.6
 github.com/NYTimes/gziphandler v1.1.1
diff --git a/go.sum b/go.sum
index b4cc787d..4760bc7e 100644
--- a/go.sum
+++ b/go.sum
@@ -9,8 +9,8 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
-github.com/AdguardTeam/dnsproxy v0.38.2 h1:QHxvShAm4GwH0PyRN60xf18+5nAzmbvhPoEvhfVycSA=
-github.com/AdguardTeam/dnsproxy v0.38.2/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
+github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I=
+github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0=
diff --git a/internal/dnsforward/filter.go b/internal/dnsforward/filter.go
index d7510eeb..1f2d5998 100644
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -27,7 +27,7 @@ func (s *Server) beforeRequestHandler(
 blocked, _ := s.IsBlockedClient(ip, clientID)
 if blocked {
- return false, nil
+ return s.preBlockedResponse(pctx)
 }
 if len(pctx.Req.Question) == 1 {
@@ -35,7 +35,7 @@ func (s *Server) beforeRequestHandler(
 if s.access.isBlockedHost(host) {
 log.Debug("host %s is in access blocklist", host)
- return false, nil
+ return s.preBlockedResponse(pctx)
 }
 }
diff --git a/internal/dnsforward/msg.go b/internal/dnsforward/msg.go
index 42307619..3735d71c 100644
--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
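Review bot: The blocked-client branch in the first filter.go hunk returns `s.preBlockedResponse(pctx)` without any trace, while the blocked-host branch in the second hunk logs `host %s is in access blocklist` before doing the same, so an operator can only diagnose one of the two refusals from the debug log; a matching `log.Debug("client %s is in access blocklist", ip)` before the first return would make the two paths consistent (assuming `ip` formats with %s, which the `IsBlockedClient` call does not show). Both hunks now delegate the protocol decision to preBlockedResponse, so the call sites no longer say why a blocked request may get no answer at all; a one-line comment such as `// preBlockedResponse drops the query on UDP and DNSCrypt and answers REFUSED on the other transports.` at the first return site would save the reader a jump to msg.go. beforeRequestHandler begins and ends outside both hunks.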
@@ -266,6 +266,20 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
 return resp
 }
+// preBlockedResponse returns a protocol-appropriate response for a request that
+// was blocked by access settings.
+func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
+ if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
+ // Return nil so that dnsproxy drops the connection and thus
+ // prevent DNS amplification attacks.
+ return false, nil
+ }
+
+ pctx.Res = s.makeResponseREFUSED(pctx.Req)
+
+ return true, nil
+}
+
 // Create REFUSED DNS response
 func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
 resp := dns.Msg{}
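Review bot: The drop decision in preBlockedResponse is a deny-list of the two connectionless transports (`proxy.ProtoUDP`, `proxy.ProtoDNSCrypt`), so any transport dnsproxy adds later falls through to the REFUSED answer by default; an allow-list of the connection-oriented transports (`proxy.ProtoTCP`, `proxy.ProtoTLS`, `proxy.ProtoHTTPS`, plus `proxy.ProtoQUIC` if its address validation is judged sufficient, since QUIC receives REFUSED today) would fail closed instead. The comment on the drop branch says "Return nil" although the function returns `false, nil`; `// Report reply=false so that dnsproxy drops the query unanswered, which keeps this server from amplifying traffic towards spoofed UDP sources.` states the actual contract and fixes the grammar of "thus prevent". The doc comment could also say that on every other transport `pctx.Res` is set to a REFUSED message and `true` is returned, since that is the half of the behaviour the callers in filter.go rely on.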