mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-12-15 19:31:45 +03:00
ff7c715c5f
Closes #6854.Updates #6875. Squashed commit of the following: commit b98adbc0cc6eeaffb262d57775c487e03b1d5ba5 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 10 19:21:44 2024 +0300 dnsforward: upd proxy, imp code, docs commit 4de1eb2bca1047426e02ba680c212f46782e5616 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 10 16:09:58 2024 +0300 WIP commit afa9d61e8dc129f907dc681cd2f831cb5c3b054a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 19:24:09 2024 +0300 all: log changes commit c8340676a448687a39acd26bc8ce5f94473e441f Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 19:06:10 2024 +0300 dnsforward: move code commit 08bb7d43d2a3f689ef2ef2409935dc3946752e94 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 18:09:46 2024 +0300 dnsforward: imp code commit b27547ec806dd9bce502d3c6a7c28f33693ed575 Merge: b7efca7886f36ebc06Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 17:33:19 2024 +0300 Merge branch 'master' into AGDNS-1982-upd-proxy commit b7efca788b66aa672598b088040d4534ce2e55b0 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 17:27:14 2024 +0300 all: upd proxy finally commit 3e16fa87befe4c0ef3a3e7a638d7add28627f9b6 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Apr 5 18:20:13 2024 +0300 dnsforward: upd proxy commit f3cdfc86334a182effcd0de22fac5e678fa53ea7 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 20:37:32 2024 +0300 all: upd proxy, golibs commit a79298d6d0504521893ee11fdc3a23c098aea911 Merge: 9feeba5c7fd25dcacbAuthor: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 20:34:01 2024 +0300 Merge branch 'master' into AGDNS-1982-upd-proxy commit 9feeba5c7f24ff1d308a216608d985cb2a7b7588 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 20:25:57 2024 +0300 all: imp code, docs commit 6c68d463db64293eb9c5e29ff91879fd68920a77 Merge: d8108e651ee619b2dbAuthor: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 18:46:11 2024 +0300 Merge branch 'master' into AGDNS-1982-upd-proxy commit d8108e65164df8d67aa4e95154a8768a06255b78 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 3 19:25:27 2024 +0300 all: imp code commit 20461565801c9fcd06a652c6066b524b06c80433 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 3 17:10:33 2024 +0300 all: remove private rdns logic
114 lines
3.0 KiB
Go
114 lines
3.0 KiB
Go
package dnsforward
|
|
|
|
import (
|
|
"encoding/binary"
|
|
"fmt"
|
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
|
"github.com/AdguardTeam/golibs/errors"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
// type check
|
|
var _ proxy.BeforeRequestHandler = (*Server)(nil)
|
|
|
|
// HandleBefore is the handler that is called before any other processing,
|
|
// including logs. It performs access checks and puts the client ID, if there
|
|
// is one, into the server's cache.
|
|
//
|
|
// TODO(e.burkov): Write tests.
|
|
func (s *Server) HandleBefore(
|
|
_ *proxy.Proxy,
|
|
pctx *proxy.DNSContext,
|
|
) (err error) {
|
|
clientID, err := s.clientIDFromDNSContext(pctx)
|
|
if err != nil {
|
|
return fmt.Errorf("getting clientid: %w", err)
|
|
}
|
|
|
|
blocked, _ := s.IsBlockedClient(pctx.Addr.Addr(), clientID)
|
|
if blocked {
|
|
return s.preBlockedResponse(pctx)
|
|
}
|
|
|
|
if len(pctx.Req.Question) == 1 {
|
|
q := pctx.Req.Question[0]
|
|
qt := q.Qtype
|
|
host := aghnet.NormalizeDomain(q.Name)
|
|
if s.access.isBlockedHost(host, qt) {
|
|
log.Debug("access: request %s %s is in access blocklist", dns.Type(qt), host)
|
|
|
|
return s.preBlockedResponse(pctx)
|
|
}
|
|
}
|
|
|
|
if clientID != "" {
|
|
key := [8]byte{}
|
|
binary.BigEndian.PutUint64(key[:], pctx.RequestID)
|
|
s.clientIDCache.Set(key[:], []byte(clientID))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// clientIDFromDNSContext extracts the client's ID from the server name of the
|
|
// client's DoT or DoQ request or the path of the client's DoH. If the protocol
|
|
// is not one of these, clientID is an empty string and err is nil.
|
|
func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string, err error) {
|
|
proto := pctx.Proto
|
|
if proto == proxy.ProtoHTTPS {
|
|
clientID, err = clientIDFromDNSContextHTTPS(pctx)
|
|
if err != nil {
|
|
return "", fmt.Errorf("checking url: %w", err)
|
|
} else if clientID != "" {
|
|
return clientID, nil
|
|
}
|
|
|
|
// Go on and check the domain name as well.
|
|
} else if proto != proxy.ProtoTLS && proto != proxy.ProtoQUIC {
|
|
return "", nil
|
|
}
|
|
|
|
hostSrvName := s.conf.ServerName
|
|
if hostSrvName == "" {
|
|
return "", nil
|
|
}
|
|
|
|
cliSrvName, err := clientServerName(pctx, proto)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
clientID, err = clientIDFromClientServerName(
|
|
hostSrvName,
|
|
cliSrvName,
|
|
s.conf.StrictSNICheck,
|
|
)
|
|
if err != nil {
|
|
return "", fmt.Errorf("clientid check: %w", err)
|
|
}
|
|
|
|
return clientID, nil
|
|
}
|
|
|
|
// errAccessBlocked is a sentinel error returned when a request is blocked by
|
|
// access settings.
|
|
var errAccessBlocked errors.Error = "blocked by access settings"
|
|
|
|
// preBlockedResponse returns a protocol-appropriate response for a request that
|
|
// was blocked by access settings.
|
|
func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (err error) {
|
|
if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
|
|
// Return nil so that dnsproxy drops the connection and thus
|
|
// prevent DNS amplification attacks.
|
|
return errAccessBlocked
|
|
}
|
|
|
|
return &proxy.BeforeRequestError{
|
|
Err: errAccessBlocked,
|
|
Response: s.makeResponseREFUSED(pctx.Req),
|
|
}
|
|
}
|