return REFUSED for recursive DNS queries by external clients

eucalyptus · May 21, 2015 · b69a13a · b69a13a
1 parent bb6f2fd
commit b69a13a
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 13 deletions.
diff --git a/clc/modules/dns/src/main/java/com/eucalyptus/cloud/ws/ConnectionHandler.java b/clc/modules/dns/src/main/java/com/eucalyptus/cloud/ws/ConnectionHandler.java
@@ -94,6 +94,7 @@
 package com.eucalyptus.cloud.ws;
 
 import static com.eucalyptus.util.dns.DnsResolvers.DnsRequest;
+
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
@@ -130,6 +131,8 @@
 
 public class ConnectionHandler extends Thread {
 
+  private static Logger LOG = Logger.getLogger( ConnectionHandler.class );
+
 	static final int FLAG_DNSSECOK = 1;
 	static final int FLAG_SIGONLY = 2;
 
@@ -186,8 +189,12 @@ else if (queryOPT != null)
 			  return errorMessage(query, Rcode.NOTIMP);
 
 			 byte rcode = addAnswer(response, name, type, dclass, 0, flags);
-			 if (rcode != Rcode.NOERROR && rcode != Rcode.NXDOMAIN)
-			   return errorMessage(query, Rcode.SERVFAIL);
+			 if (rcode != Rcode.NOERROR && rcode != Rcode.NXDOMAIN) {
+			   if(rcode == Rcode.REFUSED)
+			     return errorMessage(query, Rcode.REFUSED);
+			   else
+			     return errorMessage(query, Rcode.SERVFAIL);
+			 }
 
 			 if (queryOPT != null) {
 				 int optflags = (flags == FLAG_DNSSECOK) ? ExtendedFlags.DO : 0;
@@ -223,12 +230,6 @@ else if (queryOPT != null)
 		  if ( sr == null ) {
 		    return Rcode.SERVFAIL;
 		  } else {
-		    /// EUCA-10719
-		 /* if (type == Type.AAAA) {
-		      response.getHeader().setFlag(Flags.AA);
-		      return (Rcode.NOERROR);
-		    }  */
-		    ///
 		    if (sr.isDelegation()) {
 		      RRset nsRecords = sr.getNS();
 		      addRRset(nsRecords.getName(), response, nsRecords,
@@ -253,15 +254,16 @@ else if (queryOPT != null)
 		        addRRset(name, response, rrset, Section.ANSWER, flags);
 		      }
 		    }
-
+		    
 		    if ( sr.isSuccessful( ) ) {
 		      if (type == Type.AAAA)
 	          response.getHeader().setFlag(Flags.AA);
-
-		      return Rcode.NOERROR;
+	        return Rcode.NOERROR;
 		    } else if ( sr.isNXDOMAIN( )) {
 		      response.getHeader().setRcode(Rcode.NXDOMAIN);
 		      return Rcode.NXDOMAIN;
+		    } else if (response.getHeader().getRcode() == Rcode.REFUSED) {
+		      return Rcode.REFUSED;
 		    } else
 		      return Rcode.SERVFAIL;
 		  }

diff --git a/clc/modules/dns/src/main/java/com/eucalyptus/dns/resolvers/RecursiveDnsResolver.java b/clc/modules/dns/src/main/java/com/eucalyptus/dns/resolvers/RecursiveDnsResolver.java
@@ -164,6 +164,12 @@ public DnsResponse lookupRecords( final DnsRequest request ) {
     final Set<Record> answer = Sets.newLinkedHashSet( );
     final Set<Record> authority = Sets.newLinkedHashSet( );
     final Set<Record> additional = Sets.newLinkedHashSet( );
+    final InetAddress source = request.getRemoteAddress( );
+
+    if (!Subnets.isSystemManagedAddress( source ))
+      return DnsResponse.forName( query.getName( ) )
+      .recursive( )
+      .refused();
 
     boolean iamAuthority = false;
     for ( Record aRec : queriedrrs ) {
@@ -262,7 +268,7 @@ public DnsResponse lookupRecords( final DnsRequest request ) {
   public boolean checkAccepts( final DnsRequest request ) {
     final Record query = request.getQuery( );
     final InetAddress source = request.getRemoteAddress( );
-    if ( !Bootstrap.isOperational( ) || !enabled || !Subnets.isSystemManagedAddress( source )) {
+    if ( !Bootstrap.isOperational( ) || !enabled ) {
       return false;
     } else if ( ( RequestType.A.apply( query ) || RequestType.AAAA.apply( query ) || RequestType.MX.apply(query))
                 && query.getName( ).isAbsolute( )

diff --git a/clc/modules/msgs/src/main/java/com/eucalyptus/util/dns/DnsResolvers.java b/clc/modules/msgs/src/main/java/com/eucalyptus/util/dns/DnsResolvers.java
@@ -308,7 +308,7 @@ public static class DnsResponse {
     private final Name                name;
     private boolean                   recursive = false;
     private boolean                   nxdomain  = false;
-
+    private boolean                   refused = false;
     public static class Builder {
       private final DnsResponse response;
 
@@ -356,6 +356,11 @@ public DnsResponse nxdomain( ) {
         return this.response;
       }
 
+      public DnsResponse refused( ) {
+        this.response.refused = true;
+        return this.response;
+      }
+
       public DnsResponse answer( List<? extends Record> records ) {
         if ( records != null ) {
           this.response.sections.get( ResponseSection.ANSWER ).addAll( records );
@@ -404,6 +409,10 @@ public boolean isNxdomain( ) {
     public boolean isRecursive( ) {
       return this.recursive;
     }
+
+    public boolean isRefused( ) {
+      return this.refused;
+    }
   }
 
   public interface DnsRequest {
@@ -465,6 +474,9 @@ private static SetResponse lookupRecords( final Message response,
           }
           response.getHeader( ).setRcode( Rcode.NXDOMAIN );
           return SetResponse.ofType( SetResponse.NXDOMAIN );
+        } else if (reply.isRefused()) {
+          response.getHeader().setRcode( Rcode.REFUSED );
+          return SetResponse.ofType( SetResponse.UNKNOWN );
         } else if ( reply.hasAnswer( ) ) {
           for ( ResponseSection s : ResponseSection.values( ) ) {
             Record[] records = reply.section( s );