Pull request: dnsforward: reply with appropriate block resp

Merge in DNS/adguard-home from access-proto-resp to master Squashed commit of the following: commit 9e78c00 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jul 20 13:16:44 2021 +0300 dnsforward: reply with appropriate block resp
heyxkhoa · Mar 17, 2023 · a30d4f3 · a30d4f3
1 parent d3e813e
commit a30d4f3
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,8 @@ and this project adheres to
 
 ### Changed
 
+- Clients who are blocked by access settings now receive a `REFUSED` response
+  when a protocol other than DNS-over-UDP and DNSCrypt is used.
 - `querylog_interval` setting is now formatted in hours.
 - Query log search now supports internationalized domains ([#3012]).
 - Internationalized domains are now shown decoded in the query log with the

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.16
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.38.2
+	github.com/AdguardTeam/dnsproxy v0.38.3
 	github.com/AdguardTeam/golibs v0.8.0
 	github.com/AdguardTeam/urlfilter v0.14.6
 	github.com/NYTimes/gziphandler v1.1.1

diff --git a/go.sum b/go.sum
@@ -9,8 +9,8 @@ dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf h1:gc042VRSIRSUzZ+Px6xQCRWNJZTaPkomisDfUZmoFNk=
 github.com/AdguardTeam/dhcp v0.0.0-20210519141215-51808c73c0bf/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
-github.com/AdguardTeam/dnsproxy v0.38.2 h1:QHxvShAm4GwH0PyRN60xf18+5nAzmbvhPoEvhfVycSA=
-github.com/AdguardTeam/dnsproxy v0.38.2/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
+github.com/AdguardTeam/dnsproxy v0.38.3 h1:DvycTEOn2wuHmY+HE5XL4EnCV2EVbpREpbgZB06IJ0I=
+github.com/AdguardTeam/dnsproxy v0.38.3/go.mod h1:aNXKNdTyKfgAG2OS712SYSaGIM9AasZsZxfiY4YiR/0=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.8.0 h1:rHo+yIgT2fivFG0yW2Cwk/DPc2+t/Aw6QvzPpiIFre0=

diff --git a/internal/dnsforward/filter.go b/internal/dnsforward/filter.go
@@ -27,15 +27,15 @@ func (s *Server) beforeRequestHandler(
 
 	blocked, _ := s.IsBlockedClient(ip, clientID)
 	if blocked {
-		return false, nil
+		return s.preBlockedResponse(pctx)
 	}
 
 	if len(pctx.Req.Question) == 1 {
 		host := strings.TrimSuffix(pctx.Req.Question[0].Name, ".")
 		if s.access.isBlockedHost(host) {
 			log.Debug("host %s is in access blocklist", host)
 
-			return false, nil
+			return s.preBlockedResponse(pctx)
 		}
 	}
 

diff --git a/internal/dnsforward/msg.go b/internal/dnsforward/msg.go
@@ -266,6 +266,20 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
 	return resp
 }
 
+// preBlockedResponse returns a protocol-appropriate response for a request that
+// was blocked by access settings.
+func (s *Server) preBlockedResponse(pctx *proxy.DNSContext) (reply bool, err error) {
+	if pctx.Proto == proxy.ProtoUDP || pctx.Proto == proxy.ProtoDNSCrypt {
+		// Return nil so that dnsproxy drops the connection and thus
+		// prevent DNS amplification attacks.
+		return false, nil
+	}
+
+	pctx.Res = s.makeResponseREFUSED(pctx.Req)
+
+	return true, nil
+}
+
 // Create REFUSED DNS response
 func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
 	resp := dns.Msg{}