[Dnsmasq-discuss] [PATCH V2] check bogus-nxdomain even when ip is from --address
Chen Wei
weichen302 at icloud.com
Mon Mar 16 07:33:55 GMT 2015
On Sun, Mar 15, 2015 at 09:11:58PM +0000, Simon Kelley wrote:
> On 12/03/15 08:29, Chen Wei wrote:
> > This patch is mainly for blocking malware domains.
> Why use a fake address? It seems more sensible to have some syntax
> we could re-use that syntax so that
> address=/malware.com/#
> means "return NXDOMAIN for *.malware.com"
It is cleaner indeed.
--
Chen Wei
---
src/dnsmasq.h | 1 +
src/forward.c | 2 ++
src/option.c | 13 ++++++++++---
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index de95d0e..c96e074 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -485,6 +485,7 @@ union mysockaddr {
#define SERV_NO_REBIND 2048 /* inhibit dns-rebind protection */
#define SERV_FROM_FILE 4096 /* read from --servers-file */
#define SERV_LOOP 8192 /* server causes forwarding loop */
+#define SERV_NXDOMAIN 16384 /* domain should return NXDOMAIN */
struct serverfd {
int fd;
diff --git a/src/forward.c b/src/forward.c
index 7c0fa8d..471e667 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -162,6 +162,8 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp,
{
if (serv->flags & SERV_NO_REBIND)
*norebind = 1;
+ else if (serv->flags & SERV_NXDOMAIN)
+ flags = F_NXDOMAIN;
else
{
unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
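Review bot: The new `else if (serv->flags & SERV_NXDOMAIN)` branch assigns `flags = F_NXDOMAIN` as soon as the domain matches, and so skips the `else` block that other matching entries go through. Only the `sflag` line of that block is visible here, so this is inferred: if the block is where match length and address family decide which entry wins, a `#` entry neither yields to a more specific entry for a subdomain nor is protected from being overwritten by a later, shorter match in the list. For a blocklist that precedence is the security-relevant behaviour, so it should be explicit; at minimum add a comment such as `/* --address=/domain/# : answer NXDOMAIN; precedence against more specific entries is <state rule> */`, or move the check inside the `else` block so it follows the same rule. search_servers starts and ends outside this hunk.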
diff --git a/src/option.c b/src/option.c
index eace40b..ba54a48 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2290,9 +2290,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
else if (strcmp(arg, "#") == 0)
{
- newlist->flags |= SERV_USE_RESOLV; /* treat in ordinary way */
- if (newlist->flags & SERV_LITERAL_ADDRESS)
- ret_err(gen_err);
+ if (option == 'S')
+ {
+ newlist->flags |= SERV_USE_RESOLV; /* treat in ordinary way */
+ if (newlist->flags & SERV_LITERAL_ADDRESS)
+ ret_err(gen_err);
+ }
+ else if (option == 'A')
+ {
+ newlist->flags |= SERV_NXDOMAIN; /* domain return NXDOMAIN */
+ }
}
else
{
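Review bot: The rewritten `#` handling has no final `else`, so an option that is neither 'S' nor 'A' now sets no flag and returns no error, whereas the removed lines applied `SERV_USE_RESOLV` to every option reaching this branch. The case labels are outside the hunk, so whether other options share this code is not visible; if they do, `#` silently stops meaning "use the normal resolvers" for them. Keeping the old behaviour as the default avoids that: `if (option == 'A') newlist->flags |= SERV_NXDOMAIN; else { /* previous SERV_USE_RESOLV / ret_err handling */ }`. The diffstat touches no documentation, and `--address=/domain/#` goes from (presumably) being rejected by the `SERV_LITERAL_ADDRESS` check to being accepted, so the new meaning should be described in the man page alongside this change.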
--
1.7.10.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150316/b9bdd874/attachment.sig>