From: Tomas Krizek
Date: Sun, 7 Jul 2019 10:53:01 +0000 (+0200)
Subject: modules/refuse_nord: refuse queries without RD bit set
X-Git-Tag: v4.2.0~2^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c52859502ce3feddcbe5b865bb6481d6e2bcc2ed;p=thirdparty%2Fknot-resolver.git
modules/refuse_nord: refuse queries without RD bit set
Refusing to answer queries without RD bit makes it harder to read what data is present in resolver's cache.
---
diff --git a/daemon/lua/sandbox.lua.in b/daemon/lua/sandbox.lua.in
index cc867ef9b..cbe020d31 100644
--- a/daemon/lua/sandbox.lua.in
+++ b/daemon/lua/sandbox.lua.in
@@ -424,6 +424,7 @@ modules.load('detect_time_skew')
 modules.load('detect_time_jump')
 modules.load('ta_sentinel')
 modules.load('edns_keepalive')
+modules.load('refuse_nord')
 
 -- Load keyfile_default
 trust_anchors.add_file('@keyfile_default@', @unmanaged@)
diff --git a/modules/meson.build b/modules/meson.build
index 916bb3dc9..90c3449f6 100644
--- a/modules/meson.build
+++ b/modules/meson.build
@@ -48,6 +48,7 @@ subdir('hints')
 subdir('http')
 subdir('nsid')
 subdir('policy')
+subdir('refuse_nord')
 subdir('stats')
 subdir('view')
 if libsystemd.found() and libsystemd.version().version_compare('>=183')
diff --git a/modules/refuse_nord/meson.build b/modules/refuse_nord/meson.build
new file mode 100644
index 000000000..fac10073a
--- /dev/null
+++ b/modules/refuse_nord/meson.build
@@ -0,0 +1,15 @@
+# C module: refuse_nord
+
+refuse_nord_src = files([
+ 'refuse_nord.c',
+])
+c_src_lint += refuse_nord_src
+
+refuse_nord_mod = shared_module(
+ 'refuse_nord',
+ refuse_nord_src,
+ include_directories: mod_inc_dir,
+ name_prefix: '',
+ install: true,
+ install_dir: modules_dir,
+)
diff --git a/modules/refuse_nord/refuse_nord.c b/modules/refuse_nord/refuse_nord.c
new file mode 100644
index 000000000..8a5e5da93
--- /dev/null
+++ b/modules/refuse_nord/refuse_nord.c
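Review bot: `modules.load('refuse_nord')` goes into the default module list, so every deployment starts answering RD=0 queries with REFUSED after this commit, and nothing in the diff documents that new default or that operators who rely on RD=0 lookups (cache inspection during debugging, some monitoring probes) need to unload the module to keep them working. A one-line comment above the load, `-- refuse_nord: answer queries without RD with REFUSED (cache-snooping hardening); unload to allow them`, would make the behaviour discoverable where it is enabled; the exact unload call is not visible in this diff, so I am not quoting one.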
@@ -0,0 +1,36 @@
+/* Copyright (C) Knot Resolver contributors. Licensed under GNU GPLv3 or
+ * (at your option) any later version. See COPYING for text of the license.
+ *
+ * This module responds to all queries without RD bit set with REFUSED. */
+
+#include
+#include
+#include "daemon/worker.h"
+#include "lib/module.h"
+#include "lib/layer.h"
+
+static int refuse_nord_query(kr_layer_t *ctx)
+{
+ struct kr_request *req = ctx->req;
+ uint8_t rd = knot_wire_get_rd(req->qsource.packet->wire);
+
+ if (!rd) {
+ knot_pkt_t *answer = req->answer;
+ knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED);
+ knot_wire_clear_ad(answer->wire);
+ ctx->state = KR_STATE_DONE;
+ }
+
+ return ctx->state;
+}
+
+KR_EXPORT int refuse_nord_init(struct kr_module *module)
+{
+ static const kr_layer_api_t layer = {
+ .begin = &refuse_nord_query,
+ };
+ module->layer = &layer;
+ return kr_ok();
+}
+
+KR_MODULE_EXPORT(refuse_nord)
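Review bot: refuse_nord_query dereferences `req->qsource.packet->wire` unconditionally before it even looks at RD; if a request with no client packet (one the resolver generates internally rather than receives on the wire) can reach the `.begin` layer, that is a NULL dereference, so I would guard it first with `if (!req->qsource.packet) return ctx->state;` — whether such requests exist is inferred from the field name, not visible in this hunk. The header comment should also state what this buys and what it does not: refusing RD=0 removes the direct non-recursive cache peek, but a client that sets RD can still infer cache contents from response latency and from decremented TTLs, so this is hardening against cache snooping rather than a fix for it; I would extend the header to `This module responds to all queries without RD bit set with REFUSED, to make it harder to read resolver's cache contents; clients setting RD can still infer them from latency and TTLs.` The two angle-bracket `#include` targets appear empty in this rendering, presumably lost in extraction rather than in the commit.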