modules/refuse_nord: refuse queries without RD bit set
authorTomas Krizek <tomas.krizek@nic.cz>
Sun, 7 Jul 2019 10:53:01 +0000 (12:53 +0200)
committerTomas Krizek <tomas.krizek@nic.cz>
Wed, 24 Jul 2019 09:52:58 +0000 (11:52 +0200)
Refusing to answer queries without the RD bit set makes it harder
to read what data is present in the resolver's cache.

daemon/lua/sandbox.lua.in
modules/meson.build
modules/refuse_nord/meson.build [new file with mode: 0644]
modules/refuse_nord/refuse_nord.c [new file with mode: 0644]

index cc867ef9b61e5ec7a2525e8d49f79fef0e0e51a9..cbe020d31808db4e888e241f36a8dd7b7636099e 100644 (file)
@@ -424,6 +424,7 @@ modules.load('detect_time_skew')
 modules.load('detect_time_jump')
 modules.load('ta_sentinel')
 modules.load('edns_keepalive')
+modules.load('refuse_nord')
 
 -- Load keyfile_default
 trust_anchors.add_file('@keyfile_default@', @unmanaged@)
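Review bot: Loading refuse_nord unconditionally from the default sandbox changes the default answer for every client that sends RD=0, including an operator's own `dig +norecurse` cache checks and any monitoring that relies on them, and nothing in the hunk says where the new REFUSED comes from or how to turn it off. A one-line comment next to the load would help, e.g. `-- refuse RD=0 queries (cache-snooping mitigation); unload this module to allow non-recursive queries`. Whether `modules.unload('refuse_nord')` is the supported opt-out is not visible here and should be confirmed before the comment names it.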
index 916bb3dc90f322dbd7c3d36b81320c63d00feaa6..90c3449f664a3b604d1dc93fec067329093dd97b 100644 (file)
@@ -48,6 +48,7 @@ subdir('hints')
 subdir('http')
 subdir('nsid')
 subdir('policy')
+subdir('refuse_nord')
 subdir('stats')
 subdir('view')
 if libsystemd.found() and libsystemd.version().version_compare('>=183')
diff --git a/modules/refuse_nord/meson.build b/modules/refuse_nord/meson.build
new file mode 100644 (file)
index 0000000..fac1007
--- /dev/null
@@ -0,0 +1,15 @@
+# C module: refuse_nord
+
+refuse_nord_src = files([
+  'refuse_nord.c',
+])
+c_src_lint += refuse_nord_src
+
+refuse_nord_mod = shared_module(
+  'refuse_nord',
+  refuse_nord_src,
+  include_directories: mod_inc_dir,
+  name_prefix: '',
+  install: true,
+  install_dir: modules_dir,
+)
diff --git a/modules/refuse_nord/refuse_nord.c b/modules/refuse_nord/refuse_nord.c
new file mode 100644 (file)
index 0000000..8a5e5da
--- /dev/null
@@ -0,0 +1,36 @@
+/* Copyright (C) Knot Resolver contributors. Licensed under GNU GPLv3 or
+ * (at your option) any later version. See COPYING for text of the license.
+ *
+ * This module responds to all queries without RD bit set with REFUSED. */
+
+#include <libknot/consts.h>
+#include <libknot/packet/pkt.h>
+#include "daemon/worker.h"
+#include "lib/module.h"
+#include "lib/layer.h"
+
+static int refuse_nord_query(kr_layer_t *ctx)
+{
+       struct kr_request *req = ctx->req;
+       uint8_t rd = knot_wire_get_rd(req->qsource.packet->wire);
+
+       if (!rd) {
+               knot_pkt_t *answer = req->answer;
+               knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED);
+               knot_wire_clear_ad(answer->wire);
+               ctx->state = KR_STATE_DONE;
+       }
+
+       return ctx->state;
+}
+
+KR_EXPORT int refuse_nord_init(struct kr_module *module)
+{
+       static const kr_layer_api_t layer = {
+               .begin = &refuse_nord_query,
+       };
+       module->layer = &layer;
+       return kr_ok();
+}
+
+KR_MODULE_EXPORT(refuse_nord)
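Review bot: refuse_nord_query dereferences `req->qsource.packet` unconditionally on its second line; if any request can reach the `begin` layer without a client packet (internally originated resolutions, should the daemon create them with `qsource.packet == NULL`), that is a NULL dereference in a module that the same commit loads by default. A guard before the RD read, `if (!req->qsource.packet) return ctx->state;`, makes the module a no-op for such requests at no cost on the client path; whether the case exists should be confirmed against worker.c, which is not in this diff. The header comment should also state the limit of the mitigation: refusing RD=0 only removes the explicit non-recursive probe, while a client sending RD=1 can still infer cache contents from answer latency and decremented TTLs, e.g. `/* Note: this does not prevent RD=1 timing/TTL-based cache snooping. */`.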