dnsforward: https blocked rcode

AdguardTeam · Aug 9, 2023 · d98cbaf · d98cbaf
1 parent c13ffda
commit d98cbaf
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 50 deletions.
diff --git a/internal/dnsforward/filter_test.go b/internal/dnsforward/filter_test.go
@@ -75,16 +75,19 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 	startDeferStop(t, s)
 
 	testCases := []struct {
-		req     *dns.Msg
-		name    string
-		wantAns []dns.RR
+		req       *dns.Msg
+		name      string
+		wantRCode int
+		wantAns   []dns.RR
 	}{{
-		req:     createTestMessage(aghtest.ReqFQDN),
-		name:    "pass",
-		wantAns: nil,
+		req:       createTestMessage(aghtest.ReqFQDN),
+		name:      "pass",
+		wantRCode: dns.RcodeNameError,
+		wantAns:   nil,
 	}, {
-		req:  createTestMessage("cname.exception."),
-		name: "cname_exception",
+		req:       createTestMessage("cname.exception."),
+		name:      "cname_exception",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.CNAME{
 			Hdr: dns.RR_Header{
 				Name:   "cname.exception.",
@@ -93,8 +96,9 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			Target: "cname.specific.",
 		}},
 	}, {
-		req:  createTestMessage("should.block."),
-		name: "blocked_by_cname",
+		req:       createTestMessage("should.block."),
+		name:      "blocked_by_cname",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.A{
 			Hdr: dns.RR_Header{
 				Name:   "should.block.",
@@ -104,8 +108,9 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			A: netutil.IPv4Zero(),
 		}},
 	}, {
-		req:  createTestMessage("a.exception."),
-		name: "a_exception",
+		req:       createTestMessage("a.exception."),
+		name:      "a_exception",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.A{
 			Hdr: dns.RR_Header{
 				Name:   "a.exception.",
@@ -114,8 +119,9 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			A: net.IP{0, 0, 0, 1},
 		}},
 	}, {
-		req:  createTestMessageWithType("aaaa.exception.", dns.TypeAAAA),
-		name: "aaaa_exception",
+		req:       createTestMessageWithType("aaaa.exception.", dns.TypeAAAA),
+		name:      "aaaa_exception",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.AAAA{
 			Hdr: dns.RR_Header{
 				Name:   "aaaa.exception.",
@@ -124,8 +130,9 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			AAAA: net.ParseIP("::1"),
 		}},
 	}, {
-		req:  createTestMessage("allowed.first."),
-		name: "allowed_first",
+		req:       createTestMessage("allowed.first."),
+		name:      "allowed_first",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.A{
 			Hdr: dns.RR_Header{
 				Name:   "allowed.first.",
@@ -135,8 +142,9 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			A: netutil.IPv4Zero(),
 		}},
 	}, {
-		req:  createTestMessage("blocked.first."),
-		name: "blocked_first",
+		req:       createTestMessage("blocked.first."),
+		name:      "blocked_first",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.A{
 			Hdr: dns.RR_Header{
 				Name:   "blocked.first.",
@@ -146,8 +154,9 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			A: netutil.IPv4Zero(),
 		}},
 	}, {
-		req:  createTestMessage("duplicate.domain."),
-		name: "duplicate_domain",
+		req:       createTestMessage("duplicate.domain."),
+		name:      "duplicate_domain",
+		wantRCode: dns.RcodeSuccess,
 		wantAns: []dns.RR{&dns.A{
 			Hdr: dns.RR_Header{
 				Name:   "duplicate.domain.",
@@ -157,27 +166,15 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			A: netutil.IPv4Zero(),
 		}},
 	}, {
-		req:  createTestMessageWithType("blocked.first.", dns.TypeHTTPS),
-		name: "blocked_https_req",
-		wantAns: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{
-				Name:   "blocked.first.",
-				Rrtype: dns.TypeA,
-				Class:  dns.ClassINET,
-			},
-			A: netutil.IPv4Zero(),
-		}},
+		req:       createTestMessageWithType("blocked.domain.", dns.TypeHTTPS),
+		name:      "blocked_https_req",
+		wantRCode: dns.RcodeSuccess,
+		wantAns:   nil,
 	}, {
-		req:  createTestMessageWithType("blocked.by.hostrule.", dns.TypeHTTPS),
-		name: "blocked_host_rule_https_req",
-		wantAns: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{
-				Name:   "blocked.by.hostrule.",
-				Rrtype: dns.TypeA,
-				Class:  dns.ClassINET,
-			},
-			A: netutil.IPv4Zero(),
-		}},
+		req:       createTestMessageWithType("blocked.by.hostrule.", dns.TypeHTTPS),
+		name:      "blocked_host_rule_https_req",
+		wantRCode: dns.RcodeSuccess,
+		wantAns:   nil,
 	}}
 
 	for _, tc := range testCases {
@@ -192,6 +189,7 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 			require.NoError(t, err)
 			require.NotNil(t, dctx.Res)
 
+			assert.Equal(t, tc.wantRCode, dctx.Res.Rcode)
 			assert.Equal(t, tc.wantAns, dctx.Res.Answer)
 		})
 	}

diff --git a/internal/dnsforward/msg.go b/internal/dnsforward/msg.go
@@ -59,12 +59,12 @@ func (s *Server) genDNSFilterMessage(
 ) (resp *dns.Msg) {
 	req := dctx.Req
 	qt := req.Question[0].Qtype
-	if qt != dns.TypeA && qt != dns.TypeAAAA && qt != dns.TypeHTTPS {
+	if qt != dns.TypeA && qt != dns.TypeAAAA {
 		if s.conf.BlockingMode == BlockingModeNullIP {
 			return s.makeResponse(req)
 		}
 
-		return s.genNXDomain(req)
+		return s.newMsgNODATA(req)
 	}
 
 	switch res.Reason {
@@ -93,8 +93,6 @@ func (s *Server) genForBlockingMode(req *dns.Msg, ips []net.IP) (resp *dns.Msg)
 			return s.genARecord(req, s.conf.BlockingIPv4)
 		case dns.TypeAAAA:
 			return s.genAAAARecord(req, s.conf.BlockingIPv6)
-		case dns.TypeHTTPS:
-			return s.genARecord(req, s.conf.BlockingIPv4)
 		default:
 			// Generally shouldn't happen, since the types are checked in
 			// genDNSFilterMessage.
@@ -223,10 +221,6 @@ func (s *Server) genResponseWithIPs(req *dns.Msg, ips []net.IP) (resp *dns.Msg)
 		for _, ip := range ips {
 			ans = append(ans, s.genAnswerAAAA(req, ip.To16()))
 		}
-	case dns.TypeHTTPS:
-		for _, ip := range ips {
-			ans = append(ans, s.genAnswerA(req, ip))
-		}
 	default:
 		// Go on and return an empty response.
 	}
@@ -249,8 +243,6 @@ func (s *Server) makeResponseNullIP(req *dns.Msg) (resp *dns.Msg) {
 		resp = s.genResponseWithIPs(req, []net.IP{{0, 0, 0, 0}})
 	case dns.TypeAAAA:
 		resp = s.genResponseWithIPs(req, []net.IP{net.IPv6zero})
-	case dns.TypeHTTPS:
-		resp = s.genResponseWithIPs(req, []net.IP{{0, 0, 0, 0}})
 	default:
 		resp = s.makeResponse(req)
 	}
@@ -323,6 +315,17 @@ func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
 	return &resp
 }
 
+// newMsgNODATA returns a properly initialized NODATA response.
+//
+// See https://www.rfc-editor.org/rfc/rfc2308#section-2.2.
+func (s *Server) newMsgNODATA(req *dns.Msg) (resp *dns.Msg) {
+	resp = (&dns.Msg{}).SetRcode(req, dns.RcodeSuccess)
+	resp.RecursionAvailable = true
+	resp.Ns = s.genSOA(req)
+
+	return resp
+}
+
 func (s *Server) genNXDomain(request *dns.Msg) *dns.Msg {
 	resp := dns.Msg{}
 	resp.SetRcode(request, dns.RcodeNameError)