On Sun, Mar 15, 2015 at 09:11:58PM +0000, Simon Kelley wrote:
> On 12/03/15 08:29, Chen Wei wrote:
> > This patch is mainly for blocking malware domains.
> Why use a fake address. It seems more sensible to have some syntax
> we could re-use that syntax so that
> address=/malware.com/#
> means "return NXDOMAIN for *.malware.com"

It is cleaner indeed.


-- 
Chen Wei


---
 src/dnsmasq.h |    1 +
 src/forward.c |    2 ++
 src/option.c  |   13 ++++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index de95d0e..c96e074 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -485,6 +485,7 @@ union mysockaddr {
 #define SERV_NO_REBIND      2048  /* inhibit dns-rebind protection */
 #define SERV_FROM_FILE      4096  /* read from --servers-file */
 #define SERV_LOOP           8192  /* server causes forwarding loop */
+#define SERV_NXDOMAIN      16384  /* domain should return NXDOMAIN */
 
 struct serverfd {
   int fd;
diff --git a/src/forward.c b/src/forward.c
index 7c0fa8d..471e667 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -162,6 +162,8 @@ static unsigned int search_servers(time_t now, struct 
all_addr **addrpp,
          {
            if (serv->flags & SERV_NO_REBIND)   
              *norebind = 1;
+            else if (serv->flags & SERV_NXDOMAIN)
+              flags = F_NXDOMAIN;
            else
              {
                unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? 
F_IPV4 : F_IPV6;
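Review bot: The new `else if (serv->flags & SERV_NXDOMAIN)` branch assigns `flags = F_NXDOMAIN` directly, and nothing visible in this hunk records which entry matched or compares it with a match already found. The `else` body continues outside the hunk, so this is inferred, but if that body is where search_servers chooses between competing entries for the same name, the outcome for a blocked domain depends on list order. A later matching entry could overwrite `flags`, and the block would then fail open without any indication. Consider handling SERV_NXDOMAIN inside that `else` body alongside the other per-entry outcomes, with a comment such as `/* address=/domain/#: answer NXDOMAIN, never forward */`.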
diff --git a/src/option.c b/src/option.c
index eace40b..ba54a48 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2290,9 +2290,16 @@ static int one_opt(int option, char *arg, char *errstr, 
char *gen_err, int comma
 
        else if (strcmp(arg, "#") == 0)
          {
-           newlist->flags |= SERV_USE_RESOLV; /* treat in ordinary way */
-           if (newlist->flags & SERV_LITERAL_ADDRESS)
-             ret_err(gen_err);
+            if (option == 'S')
+              {
+                newlist->flags |= SERV_USE_RESOLV; /* treat in ordinary way */
+                if (newlist->flags & SERV_LITERAL_ADDRESS)
+                  ret_err(gen_err);
+              }
+            else if (option == 'A')
+              {
+                newlist->flags |= SERV_NXDOMAIN; /* domain return NXDOMAIN */
+              }
          }
        else
          {
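Review bot: The `"#"` branch used to apply to every option that reaches this code, but after the change any option other than 'S' or 'A' falls through both tests and leaves `newlist->flags` untouched, with no error. Which other options share this parser is outside the hunk and should be confirmed; if any do, they silently lose SERV_USE_RESOLV. Testing the new case first keeps the old behaviour as the default: `if (option == 'A') newlist->flags |= SERV_NXDOMAIN;` followed by an `else` around the two original statements. The 'A' form appears to have been rejected before through `ret_err(gen_err)`, and the diffstat lists no man page change, so the new `address=/domain/#` syntax should also be documented where --address is described.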
-- 
1.7.10.4
