-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
This patch is mainly for blocking malware domains.
Usage scenario:
Let's say we want to block malware.com. In the dnsmasq configuration file, use:
bogus-nxdomain=192.0.2.1
address=/malware.com/192.0.2.1
where 192.0.2.1 can be any IP address that we know doesn't exist on the LAN.
A query for *.malware.com will then return zero answers, with the
query status set to NXDOMAIN.
- --
Chen Wei
- ---
src/rfc1035.c | 30 ++
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5ef5ddb..5998757 100644
- --- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1198,6 +1198,8 @@ unsigned int extract_request(struct dns_header *header,
size_t qlen, char *name,
size_t setup_reply(struct dns_header *header, size_t qlen,
struct all_addr *addrp, unsigned int flags, unsigned long ttl)
{
+ struct bogus_addr *baddrp;
+ int is_nxdomain = 0;
unsigned char *p = skip_questions(header, qlen);
/* clear authoritative and truncated flags, set QR flag */
@@ -1216,10 +1218,30 @@ size_t setup_reply(struct dns_header *header, size_t
qlen,
SET_RCODE(header, NXDOMAIN);
else if (p flags == F_IPV4)
{ /* we know the address */
- - SET_RCODE(header, NOERROR);
- - header-ancount = htons(1);
- - header-hb3 |= HB3_AA;
- - add_resource_record(header, NULL, NULL, sizeof(struct dns_header), p,
ttl, NULL, T_A, C_IN, 4, addrp);
+
+ /* set bogus address even when ip is from --address */
+ if (addrp)
+{
+ for (baddrp = daemon-bogus_addr; baddrp; baddrp = baddrp-next)
+if (memcmp(baddrp-addr, addrp-addr, INADDRSZ) == 0)
+ {
+SET_RCODE(header, NXDOMAIN);
+is_nxdomain = 1;
+cache_start_insert();
+cache_insert(daemon-namebuff, NULL, dnsmasq_time(), 86400,
+ F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
+cache_end_insert();
+break;
+ }
+}
+
+ if(!is_nxdomain)
+{
+ SET_RCODE(header, NOERROR);
+ header-ancount = htons(1);
+ header-hb3 |= HB3_AA;
+ add_resource_record(header, NULL, NULL, sizeof(struct dns_header),
p, ttl, NULL, T_A, C_IN, 4, addrp);
+}
}
#ifdef HAVE_IPV6
else if (p flags == F_IPV6)
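Review bot: The `cache_start_insert()` / `cache_insert()` / `cache_end_insert()` calls inside the bogus-address loop write a negative cache entry on every matching reply, with a hard-coded 86400-second TTL that ignores the `ttl` argument and a name read from the global `daemon->namebuff` rather than from anything passed to setup_reply(). The description says the rule matches `*.malware.com`, so each distinct name queried under a blocked domain would get its own entry, and a client asking for many such names could presumably evict legitimate records from the cache. The configured address already determines the answer on this path, so the cache write looks unnecessary; the match branch could be reduced to `SET_RCODE(header, NXDOMAIN);`, `is_nxdomain = 1;`, `break;`. Only the F_IPV4 branch is changed, so it is worth confirming how AAAA queries for a blocked name are answered by the F_IPV6 branch, which continues outside the hunk.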
- --
1.7.10.4
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)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=gLr9
-END PGP SIGNATURE-