#165: Block additional DNS record types

2021-03-26 22:29:35 +01:00 · 2021-03-26 22:29:35 +01:00 · 6f5384650e
parent d5b0e0a2c7
commit 6f5384650e
2 changed files with 18 additions and 15 deletions
--- a/resolver/blocking_resolver.go
+++ b/resolver/blocking_resolver.go
@ -192,20 +192,12 @@ func (r *BlockingResolver) Configuration() (result []string) {
 	return
 }

-func shouldHandle(question dns.Question) bool {
-	return question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA
-}
-
 func (r *BlockingResolver) handleBlacklist(groupsToCheck []string,
 	request *Request, logger *logrus.Entry) (*Response, error) {
 	logger.WithField("groupsToCheck", strings.Join(groupsToCheck, "; ")).Debug("checking groups for request")
 	whitelistOnlyAllowed := reflect.DeepEqual(groupsToCheck, r.whitelistOnlyGroups)

 	for _, question := range request.Req.Question {
-		if !shouldHandle(question) {
-			return r.next.Resolve(request)
-		}
-
 		domain := util.ExtractDomain(question)
 		logger := logger.WithField("domain", domain)

@ -360,8 +352,11 @@ func (b zeroIPBlockHandler) handleBlock(question dns.Question, response *dns.Msg
 	switch question.Qtype {
 	case dns.TypeAAAA:
 		zeroIP = net.IPv6zero
-	default:
+	case dns.TypeA:
 		zeroIP = net.IPv4zero
+	default:
+		response.Rcode = dns.RcodeNameError
+		return
 	}

 	rr, _ := util.CreateAnswerFromQuestion(question, zeroIP, blockTTL)
--- a/resolver/blocking_resolver_test.go
+++ b/resolver/blocking_resolver_test.go
@ -61,6 +61,7 @@ badcnamedomain.com`)
 		m.On("Resolve", mock.Anything).Return(&Response{Res: mockAnswer}, nil)
 		sut = NewBlockingResolver(sutConfig).(*BlockingResolver)
 		sut.Next(m)
+		sut.RefreshLists()
 	})

 	AfterEach(func() {
@ -134,6 +135,18 @@ badcnamedomain.com`)

 				Expect(resp.Res.Answer).Should(BeDNSRecord("domain1.com.", dns.TypeAAAA, 21600, "::"))
 			})
+			It("should block the HTTPS query if domain is on the black list", func() {
+				resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeHTTPS, "1.2.1.2", "client1"))
+
+				expectedReturnCode = dns.RcodeNameError
+				Expect(resp.Res.Rcode).Should(Equal(dns.RcodeNameError))
+			})
+			It("should block the MX query if domain is on the black list", func() {
+				resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeMX, "1.2.1.2", "client1"))
+
+				expectedReturnCode = dns.RcodeNameError
+				Expect(resp.Res.Rcode).Should(Equal(dns.RcodeNameError))
+			})
 		})

 		When("Client ip is defined in client groups block", func() {
@ -252,7 +265,7 @@ badcnamedomain.com`)
 				Expect(resp.Res.Answer).Should(BeDNSRecord("blocked3.com.", dns.TypeA, 21600, "12.12.12.12"))
 			})

-			It("should return ipv6 address for AAAAA query if query is blocked", func() {
+			It("should return ipv6 address for AAAA query if query is blocked", func() {
 				resp, err = sut.Resolve(newRequestWithClient("blocked3.com.", dns.TypeAAAA, "1.2.1.2", "unknown"))

 				Expect(resp.Reason).Should(Equal("BLOCKED (defaultGroup)"))
@ -408,11 +421,6 @@ badcnamedomain.com`)
 				resp, err = sut.Resolve(newRequestWithClient("example.com.", dns.TypeA, "1.2.1.2", "unknown"))
 			})
 		})
-		When("request is not A or AAAA", func() {
-			It("should delegate to next resolver", func() {
-				resp, err = sut.Resolve(newRequestWithClient("domain1.com.", dns.TypeMX, "1.2.1.2", "unknown"))
-			})
-		})
 		When("no lists defined", func() {
 			BeforeEach(func() {
 				sutConfig = config.BlockingConfig{}