add routine to do EDE on ACL blocked messages
authorTCY16 <tom@nlnetlabs.nl>
Mon, 20 Sep 2021 09:35:00 +0000 (11:35 +0200)
committerTCY16 <tom@nlnetlabs.nl>
Mon, 20 Sep 2021 09:35:00 +0000 (11:35 +0200)
daemon/worker.c
util/data/msgparse.c
util/data/msgparse.h

index c059214efa980548f4622fae61d58edc86ff7702..ed06a8c58c95c10af64f6c5c5ee4739cfa2c2d6a 100644 (file)
@@ -1155,6 +1155,12 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
        acl = acl_get_control(acladdr);
        if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
        {
+               /* parse packet to check for EDNS. Add EDE blocked if possible */
+               sldns_buffer_rewind(c->buffer)
+               if (msgparse_check_edns_in_packet(c->buffer))
+                       EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
+                               LDNS_EDE_BLOCKED, "");
+
                if(ret == 1)
                        goto send_reply;
                return ret;
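Review bot: `sldns_buffer_rewind(c->buffer)` on the first added line has no terminating semicolon, so the hunk does not compile as written; it should read `sldns_buffer_rewind(c->buffer);`. The condition on the following line also looks inverted: the header added in this same commit documents msgparse_check_edns_in_packet as returning 0 when EDNS is present and 1 when it is not, so the EDE option is appended exactly for queries that carry no OPT record (where nothing can transport it) and never for queries that do; `if(msgparse_check_edns_in_packet(c->buffer) == 0)` would match the documented contract, and a parse failure (LDNS_RCODE_FORMERR) would then also stop the append. Whether `edns` is in a usable state at this point is not visible from the hunk; worker_handle_request begins and ends outside it.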
index 6ee5559db07b0b06de820ca4474c06996800ee75..db3e229e12553430aa62cb0705ebe91367d0f790 100644 (file)
@@ -1127,3 +1127,25 @@ log_edns_opt_list(enum verbosity_value level, const char* info_str,
                }
        }
 }
+
+
+/** parse a DNS packet to find out if it contains an EDNS section */
+int
+msgparse_check_edns_in_packet(sldns_buffer* pkt)
+{
+       size_t rdata_len;
+       uint8_t* rdata_ptr;
+       log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1);
+       if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0 ||
+               LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) {
+               if(!skip_pkt_rrs(pkt, ((int)LDNS_ANCOUNT(sldns_buffer_begin(pkt)))+
+                       ((int)LDNS_NSCOUNT(sldns_buffer_begin(pkt)))))
+                       return LDNS_RCODE_FORMERR;
+       }
+       /* check edns section is present */
+       if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 1)
+               return 0;
+       else
+               return 1;
+}
+
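Review bot: `LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 1` does not establish that the additional record is an OPT RR, so any query with one ordinary additional record is reported as carrying EDNS; after skipping the answer and authority records the function should read the single additional record's owner name and 16-bit type and compare the type with LDNS_RR_TYPE_OPT before returning 0. The error path returns LDNS_RCODE_FORMERR, whose value is 1, which the caller in daemon/worker.c cannot tell apart from the "no EDNS" result 1 — a distinct value, or a tri-state enum, is needed. It is also not visible here whether skip_pkt_rrs reads from the current buffer position; if it does, the caller's rewind to offset 0 means the header and question section are consumed as RR data, so the function should first position past LDNS_HEADER_SIZE and the question, or the comment should state that the caller must. The `log_assert` on QDCOUNT presumes an earlier validation of the query that is not shown in this hunk.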
index d2fd9c806657b721b7995885ab22ce5be9a6e62b..5e22f6f74908c971f216b70fa578220a54dc70c2 100644 (file)
@@ -341,4 +341,12 @@ void msgparse_bucket_remove(struct msg_parse* msg, struct rrset_parse* rrset);
 void log_edns_opt_list(enum verbosity_value level, const char* info_str,
        struct edns_option* list);
 
+/**
+ * Verify if the packet contains EDNS (RFC6891)
+ * @param pkt: the packet.
+ * @return 0 if true, 1 if false
+ */
+int msgparse_check_edns_in_packet(sldns_buffer* pkt);
+
+
 #endif /* UTIL_DATA_MSGPARSE_H */
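Review bot: The `@return 0 if true, 1 if false` line omits the third outcome of the implementation in util/data/msgparse.c, which returns LDNS_RCODE_FORMERR when the answer or authority section cannot be skipped; the comment should read `@return 0 if an EDNS OPT record is present, 1 if not, LDNS_RCODE_FORMERR if the packet could not be parsed`. Since the name reads as a boolean predicate, the inverted 0-means-true convention deserves an explicit sentence in the comment so callers do not write `if(msgparse_check_edns_in_packet(pkt))` expecting the positive case. The two blank lines added before `#endif` are one more than the file's existing spacing uses.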