fix: log.privacy option no longer hides domain names being resolved (#1255)

2023-11-17 15:59:22 +01:00 · 2023-11-17 15:59:22 +01:00 · 4a5a395655
parent b498bc5094
commit 4a5a395655
5 changed files with 51 additions and 6 deletions
--- a/e2e/basic_test.go
+++ b/e2e/basic_test.go
@ -140,4 +140,50 @@ var _ = Describe("Basic functional tests", func() {
 			})
 		})
 	})
+
+	Describe("Logging", func() {
+		BeforeEach(func() {
+			moka, err = createDNSMokkaContainer("moka1", `A google/NOERROR("A 1.2.3.4 123")`)
+
+			Expect(err).Should(Succeed())
+			DeferCleanup(moka.Terminate)
+		})
+		When("log privacy is enabled", func() {
+			BeforeEach(func() {
+				blocky, err = createBlockyContainer(tmpDir,
+					"upstreams:",
+					"  groups:",
+					"    default:",
+					"      - moka1",
+					"log:",
+					"  level: trace",
+					"  privacy: true",
+				)
+				Expect(err).Should(Succeed())
+				DeferCleanup(blocky.Terminate)
+			})
+			It("should not log answers and questions", func() {
+				msg := util.NewMsgWithQuestion("google.com.", A)
+
+				// do 2 requests
+
+				Expect(doDNSRequest(blocky, msg)).
+					Should(
+						SatisfyAll(
+							BeDNSRecord("google.com.", A, "1.2.3.4"),
+							HaveTTL(BeNumerically("==", 123)),
+						))
+
+				Expect(doDNSRequest(blocky, msg)).
+					Should(
+						SatisfyAll(
+							BeDNSRecord("google.com.", A, "1.2.3.4"),
+							HaveTTL(BeNumerically("<=", 123)),
+						))
+
+				Expect(getContainerLogs(blocky)).Should(Not(ContainElement(ContainSubstring("google.com"))))
+				Expect(getContainerLogs(blocky)).Should(Not(ContainElement(ContainSubstring("1.2.3.4"))))
+			})
+		})
+	})
 })
--- a/resolver/conditional_upstream_resolver.go
+++ b/resolver/conditional_upstream_resolver.go
@ -121,7 +121,7 @@ func (r *ConditionalUpstreamResolver) internalResolve(reso Resolver, doFQ, do st

 	logger.WithFields(logrus.Fields{
 		"answer":   answer,
-		"domain":   do,
+		"domain":   util.Obfuscate(do),
 		"upstream": reso,
 	}).Debugf("received response from conditional upstream")

--- a/resolver/hosts_file_resolver.go
+++ b/resolver/hosts_file_resolver.go
@ -126,7 +126,7 @@ func (r *HostsFileResolver) Resolve(request *model.Request) (*model.Response, er
 	if response != nil {
 		r.log().WithFields(logrus.Fields{
 			"answer": util.AnswerToString(response.Answer),
-			"domain": domain,
+			"domain": util.Obfuscate(domain),
 		}).Debugf("returning hosts file entry")

 		return &model.Response{Res: response, RType: model.ResponseTypeHOSTSFILE, Reason: "HOSTS FILE"}, nil
--- a/resolver/query_logging_resolver.go
+++ b/resolver/query_logging_resolver.go
@ -157,7 +157,7 @@ func (r *QueryLoggingResolver) createLogEntry(request *model.Request, response *
 			entry.Answer = util.AnswerToString(response.Res.Answer)

 		case config.QueryLogFieldQuestion:
-			entry.QuestionName = request.Req.Question[0].Name
+			entry.QuestionName = util.Obfuscate(request.Req.Question[0].Name)
 			entry.QuestionType = dns.TypeToString[request.Req.Question[0].Qtype]

 		case config.QueryLogFieldDuration:
--- a/resolver/rewriter_resolver.go
+++ b/resolver/rewriter_resolver.go
@ -126,9 +126,8 @@ func (r *RewriterResolver) rewriteRequest(logger *logrus.Entry, request *dns.Msg
 			rewritten.Question[i].Name = dns.Fqdn(domainRewritten)

 			logger.WithFields(logrus.Fields{
-				"domain":  domainOriginal,
-				"rewrite": rewriteKey + ":" + r.cfg.Rewrite[rewriteKey],
-			}).Debugf("rewriting %q to %q", domainOriginal, domainRewritten)
+				"rewrite": util.Obfuscate(rewriteKey) + ":" + util.Obfuscate(r.cfg.Rewrite[rewriteKey]),
+			}).Debugf("rewriting %q to %q", util.Obfuscate(domainOriginal), util.Obfuscate(domainRewritten))
 		}
 	}