[Dnsmasq-discuss] [PATCH] check bogus-nxdomain even when ip is from --address
Chen Wei
weichen302 at icloud.com
Thu Mar 12 08:29:41 GMT 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch is mainly for blocking malware domains.
Usage scenario:
Let's say we want to block malware.com. In the dnsmasq configuration file, use:
bogus-nxdomain=192.0.2.1
address=/malware.com/192.0.2.1
where 192.0.2.1 can be any IP that we know doesn't exist on the LAN.
Then a query for *.malware.com will return zero answers, with the
query status set to NXDOMAIN.
- --
Chen Wei
- ---
src/rfc1035.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5ef5ddb..5998757 100644
- --- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1198,6 +1198,8 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
size_t setup_reply(struct dns_header *header, size_t qlen,
struct all_addr *addrp, unsigned int flags, unsigned long ttl)
{
+ struct bogus_addr *baddrp;
+ int is_nxdomain = 0;
unsigned char *p = skip_questions(header, qlen);
/* clear authoritative and truncated flags, set QR flag */
@@ -1216,10 +1218,30 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
SET_RCODE(header, NXDOMAIN);
else if (p && flags == F_IPV4)
{ /* we know the address */
- - SET_RCODE(header, NOERROR);
- - header->ancount = htons(1);
- - header->hb3 |= HB3_AA;
- - add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
+
+ /* set bogus address even when ip is from --address */
+ if (addrp)
+ {
+ for (baddrp = daemon->bogus_addr; baddrp; baddrp = baddrp->next)
+ if (memcmp(&baddrp->addr, &addrp->addr, INADDRSZ) == 0)
+ {
+ SET_RCODE(header, NXDOMAIN);
+ is_nxdomain = 1;
+ cache_start_insert();
+ cache_insert(daemon->namebuff, NULL, dnsmasq_time(), 86400,
+ F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
+ cache_end_insert();
+ break;
+ }
+ }
+
+ if(!is_nxdomain)
+ {
+ SET_RCODE(header, NOERROR);
+ header->ancount = htons(1);
+ header->hb3 |= HB3_AA;
+ add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
+ }
}
#ifdef HAVE_IPV6
else if (p && flags == F_IPV6)
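Review bot: The bogus-address branch inserts a negative cache entry from inside setup_reply(), keyed on `daemon->namebuff` with a fixed lifetime of 86400 seconds instead of the `ttl` argument, and nothing in the hunk shows that namebuff still holds the queried name at this point. Because `address=/malware.com/...` matches every subdomain, each distinct name a client asks for would presumably add a day-long entry and could crowd useful records out of the cache. The answer already comes from configuration, so the `cache_start_insert()` / `cache_insert()` / `cache_end_insert()` calls can be dropped, leaving `SET_RCODE(header, NXDOMAIN); is_nxdomain = 1; break;`. The `F_IPV6` branch that follows is unchanged, so the check covers only A replies; setup_reply's body starts before and continues past this hunk.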
- --
1.7.10.4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)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=gLr9
-----END PGP SIGNATURE-----