Re: [Dnsmasq-discuss] [PATCH] check bogus-nxdomain even when ip is from --address

2015-03-15 Thread Simon Kelley

On 12/03/15 08:29, Chen Wei wrote:
> This patch is mainly for blocking malware domains.
>
> Usage scenario:
>
> Let's say we want to block malware.com; in the dnsmasq configuration file,
> use:
>
> bogus-nxdomain=192.0.2.1
> address=/malware.com/192.0.2.1
>
> where 192.0.2.1 can be any ip that we know doesn't exist on the
> LAN.
>
> Then the query for *.malware.com will return 0 answers, together
> with the query status set to NXDOMAIN.


Why use a fake address? It seems more sensible to have some syntax
which directly means "return NXDOMAIN".


The code to decode --address is just the same as the code to decode
--server, and there's already a special value for the address in
--server:

--server=/.google.com/#

means use the standard servers for *.google.com

we could re-use that syntax so that

address=/malware.com/#

means return NXDOMAIN for *.malware.com


Seems cleaner.

Simon.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] [PATCH] check bogus-nxdomain even when ip is from --address

2015-03-12 Thread Chen Wei

This patch is mainly for blocking malware domains.

Usage scenario:

Let's say we want to block malware.com; in the dnsmasq configuration file, use:

bogus-nxdomain=192.0.2.1
address=/malware.com/192.0.2.1

where 192.0.2.1 can be any ip that we know doesn't exist on the LAN.

Then the query for *.malware.com will return 0 answers, together with the
query status set to NXDOMAIN.


-- 
Chen Wei


---
 src/rfc1035.c |   30 ++
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5ef5ddb..5998757 100644
- --- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1198,6 +1198,8 @@ unsigned int extract_request(struct dns_header *header, 
size_t qlen, char *name,
 size_t setup_reply(struct dns_header *header, size_t qlen,
struct all_addr *addrp, unsigned int flags, unsigned long ttl)
 {
+  struct bogus_addr *baddrp;
+  int is_nxdomain = 0;
   unsigned char *p = skip_questions(header, qlen);
   
   /* clear authoritative and truncated flags, set QR flag */
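Review bot: `baddrp` and `is_nxdomain` are declared at the top of setup_reply() but are only used inside the `flags == F_IPV4` branch further down; declaring them at the start of that block keeps their scope tight and makes it obvious that the bogus-address check is IPv4-only.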
@@ -1216,10 +1218,30 @@ size_t setup_reply(struct dns_header *header, size_t 
qlen,
 SET_RCODE(header, NXDOMAIN);
   else if (p  flags == F_IPV4)
 { /* we know the address */
- -  SET_RCODE(header, NOERROR);
- -  header-ancount = htons(1);
- -  header-hb3 |= HB3_AA;
- -  add_resource_record(header, NULL, NULL, sizeof(struct dns_header), p, 
ttl, NULL, T_A, C_IN, 4, addrp);
+
+  /* set bogus address even when ip is from --address */
+  if (addrp)
+{
+  for (baddrp = daemon-bogus_addr; baddrp; baddrp = baddrp-next)
+if (memcmp(baddrp-addr, addrp-addr, INADDRSZ) == 0)
+  {
+SET_RCODE(header, NXDOMAIN);
+is_nxdomain = 1;
+cache_start_insert();
+cache_insert(daemon-namebuff, NULL, dnsmasq_time(), 86400,
+ F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
+cache_end_insert();
+break;
+  }
+}
+
+  if(!is_nxdomain)
+{
+  SET_RCODE(header, NOERROR);
+  header-ancount = htons(1);
+  header-hb3 |= HB3_AA;
+  add_resource_record(header, NULL, NULL, sizeof(struct dns_header), 
p, ttl, NULL, T_A, C_IN, 4, addrp);
+}
 }
 #ifdef HAVE_IPV6
   else if (p  flags == F_IPV6)
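Review bot: the negative cache entry is inserted with a hard-coded 86400 second TTL even though setup_reply() already receives `ttl` for this answer; either pass `ttl` or, better, drop the cache_start_insert()/cache_insert()/cache_end_insert() calls entirely, since this function is answering from local --address configuration and the bogus-address loop runs on every such reply anyway, so caching the NXDOMAIN gains nothing. Two smaller points: the memcmp uses INADDRSZ and sits only in the F_IPV4 branch, so an --address entry with an IPv6 target is never compared against bogus-nxdomain (the HAVE_IPV6 branch below is unchanged), and `if(!is_nxdomain)` should read `if (!is_nxdomain)` to match the surrounding style. The sentinel-address mechanism itself is roundabout: a direct `address=/malware.com/#` meaning NXDOMAIN, as suggested elsewhere in this thread, would make both the loop and the cache write unnecessary.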
-- 
1.7.10.4

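A small model of the behaviour this patch introduces, added here as an example and not part of the patch or of dnsmasq itself: it parses the two directives from the usage scenario, applies dnsmasq's longest-suffix matching for --address, and also models the `address=/domain/#` syntax proposed in the reply in this thread. The configuration fragment is constructed, and the `patched` flag is this example's own switch for comparing pre- and post-patch behaviour.

```python
import ipaddress

# Constructed sample dnsmasq.conf fragment for this example only.
CONFIG = """
bogus-nxdomain=192.0.2.1
address=/malware.com/192.0.2.1
address=/intranet.example/10.0.0.5
address=/tracker.example/#
""".splitlines()


def parse_config(lines):
    """Parse bogus-nxdomain= and address= lines.

    Returns (bogus, local): bogus is the set of bogus-nxdomain addresses,
    local maps a domain suffix to an IP string, or to None for the
    proposed "address=/domain/#" form meaning "answer NXDOMAIN directly".
    """
    bogus, local = set(), {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "bogus-nxdomain":
            bogus.add(str(ipaddress.ip_address(value)))
        elif key == "address":
            _, domain, target = value.split("/", 2)
            domain = domain.lower().strip(".")
            local[domain] = None if target == "#" else str(ipaddress.ip_address(target))
    return bogus, local


def local_answer(name, bogus, local, patched=True):
    """Model setup_reply() for a locally configured name.

    Returns ("NXDOMAIN", None), ("NOERROR", ip), or None when the name has
    no --address entry and would be forwarded upstream.  With patched=False
    the bogus-nxdomain list is ignored for local answers (pre-patch behaviour).
    """
    labels = name.lower().strip(".").split(".")
    # dnsmasq matches the most specific configured suffix, so malware.com
    # covers malware.com itself and every name under it.
    for i in range(len(labels)):
        target = local.get(".".join(labels[i:]), "absent")
        if target == "absent":
            continue
        if target is None or (patched and target in bogus):
            return ("NXDOMAIN", None)
        return ("NOERROR", target)
    return None


BOGUS, LOCAL = parse_config(CONFIG)
```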
