}
if (allEmpty) {
- cerr << " allempty" << endl;
+ //cerr << " allempty" << endl;
return false;
}
return false;
}
-bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
+bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol, bool equalOK) const
{
- cerr<<"Got question for "<<qname<<' '<< pol.getPriority()<< endl;
+ //cerr<<"Got question for "<<qname<<' '<< pol.getPriority()<< endl;
std::vector<bool> zoneEnabled(d_zones.size());
size_t count = 0;
bool allEmpty = true;
for (const auto& z : d_zones) {
bool enabled = true;
- if (z->getPriority() >= pol.getPriority()) {
+ if (z->getPriority() > pol.getPriority() || (!equalOK && z->getPriority() == pol.getPriority())) {
enabled = false;
} else {
const auto& zoneName = z->getName();
}
if (allEmpty) {
- cerr << " allempty" << endl;
+ //cerr << " allempty" << endl;
return false;
}
return true;
}
}
- cerr << "no hit on " << qname << endl;
+ //cerr << "no hit on " << qname << endl;
++count;
}
}
}
- bool getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+ bool getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy, bool equalOK = false) const;
bool getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
bool getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
bool getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
}
#endif
+#if 0
/**
* Chases the CNAME provided by the PolicyCustom RPZ policy.
*
sr.setWantsRPZ(oldWantsRPZ);
}
}
+#endif
static bool addRecordToPacket(DNSPacketWriter& pw, const DNSRecord& rec, uint32_t& minTTL, uint32_t ttlCap, const uint16_t maxAnswerSize)
{
return PolicyResult::HaveAnswer;
}
return PolicyResult::NoAction;
-
case DNSFilterEngine::PolicyKind::Custom:
+ return PolicyResult::NoAction; // Now handled in syncres
+#if 0
ret.clear();
res = RCode::NoError;
{
}
}
return PolicyResult::HaveAnswer;
+#endif
}
return PolicyResult::NoAction;
return ret;
}
+bool SyncRes::qnameRPZHit(const DNSFilterEngine& dfe, DNSName& target, const QType& qtype)
+{
+ //cerr << "wants: " << target << '/' << qtype.getName() << ' ' << d_wantsRPZ << ' ' << int(d_appliedPolicy.d_type) << ' ' << int(d_appliedPolicy.d_kind) << endl;
+ if (d_wantsRPZ) {
+ //cerr << "check" << endl;
+ bool match = dfe.getQueryPolicy(target, d_discardedPolicies, d_appliedPolicy, true);
+ if (match) {
+ mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
+ if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) {
+ LOG(" (CNAME hit by RPZ policy '" + d_appliedPolicy.getName() + "')");
+ if (d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom) {
+ auto spoofed = d_appliedPolicy.getCustomRecords(target, qtype.getCode());
+ for (auto& dr : spoofed) {
+ auto content = getRR<CNAMERecordContent>(dr);
+ if (content) {
+ target = content->getTarget();
+ //cerr << "NEW TARGET " << target << endl;
+ return false;
+ }
+ }
+ }
+ //cerr << "OTHER POLICY HIT" << endl;
+ return true;
+ }
+ }
+ }
+ //cerr << "NOMATCH" << endl;
+ return false;
+}
+
#define QLOG(x) LOG(prefix << " child=" << child << ": " << x << endl)
-int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state) {
+int SyncRes::doResolve(const DNSName &qnameArg, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state) {
- // In the auth or recursive forward case, it does nt make sense to do qname-minimization
+ auto luaconfsLocal = g_luaconfs.getLocal();
+
+ DNSName qname(qnameArg);
+ bool hit = qnameRPZHit(luaconfsLocal->dfe, qname, qtype);
+ if (hit) {
+ throw PolicyHitException();
+ }
+ // In the auth or recursive forward case, it does not make sense to do qname-minimization
if (!getQNameMinimization() || isRecursiveForwardOrAuth(qname)) {
return doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state);
}
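Review bot: qnameRPZHit leaves member state behind on the rewrite path that its return value contradicts: by the time it reaches `target = content->getTarget(); return false;`, getQueryPolicy has already overwritten `d_appliedPolicy` and `d_policyTags` has been merged, so the caller sees "no hit" while the members describe a Custom hit, and the matched CNAME record `dr` is dropped rather than kept for the answer, which presumably must still carry it so the client can relate the rewritten name back to the name it asked for (the code that builds the response is not in this hunk). The rewritten target is also not re-checked before resolution continues, since getQueryPolicy runs once per doResolve call; if chained Custom CNAME policies are meant to be followed elsewhere, say so with a comment such as `// Only one RPZ CNAME rewrite per doResolve call; the rewritten target is resolved as-is`, otherwise check the new target too. The LOG text `CNAME hit by RPZ policy` is emitted for every non-NoAction kind, including the non-CNAME path that returns true, so `LOG(" (hit by RPZ policy '" + d_appliedPolicy.getName() + "')");` would be accurate. The `//cerr` lines here and in the dnsfilter.cc getQueryPolicy hunk, and the `#if 0` blocks in the pdns_recursor.cc hunk, are debug and dead-code residue that should be deleted rather than commented out. doResolve's body continues outside the hunk.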
bool doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated);
bool processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, bool sendRDQuery, NsSet &nameservers, std::vector<DNSRecord>& ret, const DNSFilterEngine& dfe, bool* gotNewServers, int* rcode, vState& state);
+ bool qnameRPZHit(const DNSFilterEngine& dfe, DNSName& target, const QType& qtype);
int doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state);
int doResolveNoQNameMinimization(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state, bool* fromCache = NULL, StopAtDelegation* stopAtDelegation = NULL, bool considerforwards = true);
bool doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res);