1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124
|
/*
* This file is part of PowerDNS or dnsdist.
* Copyright -- PowerDNS.COM B.V. and its contributors
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of version 2 of the GNU General Public License as
* published by the Free Software Foundation.
*
* In addition, for the avoidance of any doubt, permission is granted to
* link this program with OpenSSL and to (re)distribute the binaries
* produced as the result of such linking.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#pragma once
#include "iputils.hh"
#include "dns.hh"
#include "dnsparser.hh"
#include <map>
#include <unordered_map>
/* This class implements a filtering policy that is able to fully implement RPZ, but is not bound to it.
In other words, it is generic enough to support RPZ, but could get its data from other places.
We know the following actions:
No action - just pass it on
Drop - drop a query, no response
NXDOMAIN - fake up an NXDOMAIN for the query
NODATA - just return no data for this qtype
Truncate - set TC bit
Modified - "we fake an answer for you"
These actions can be caused by the following triggers:
qname - the query name
client-ip - the IP address of the requestor
response-ip - an IP address in the response
ns-name - the name of a server used in the delegation
ns-ip - the IP address of a server used in the delegation
This means we get several hook points:
1) when the query comes in: qname & client-ip
2) during processing: ns-name & ns-ip
3) after processing: response-ip
Triggers meanwhile can apply to:
Verbatim domain names
Wildcard versions (*.domain.com does NOT match domain.com)
Netmasks (IPv4 and IPv6)
Finally, triggers are grouped in different zones. The "first" zone that has a match
is consulted. Then within that zone, rules again have precedences.
*/
class DNSFilterEngine
{
public:
enum class PolicyKind { NoAction, Drop, NXDOMAIN, NODATA, Truncate, Custom};
struct Policy
{
Policy(): d_kind(PolicyKind::NoAction), d_custom(nullptr), d_name(nullptr), d_ttl(0)
{
}
bool operator==(const Policy& rhs) const
{
return d_kind == rhs.d_kind; // XXX check d_custom too!
}
PolicyKind d_kind;
std::shared_ptr<DNSRecordContent> d_custom;
std::shared_ptr<std::string> d_name;
int d_ttl;
};
DNSFilterEngine();
void clear();
void clear(size_t zone);
void addClientTrigger(const Netmask& nm, Policy pol, size_t zone);
void addQNameTrigger(const DNSName& nm, Policy pol, size_t zone);
void addNSTrigger(const DNSName& dn, Policy pol, size_t zone);
void addNSIPTrigger(const Netmask& nm, Policy pol, size_t zone);
void addResponseTrigger(const Netmask& nm, Policy pol, size_t zone);
bool rmClientTrigger(const Netmask& nm, Policy pol, size_t zone);
bool rmQNameTrigger(const DNSName& nm, Policy pol, size_t zone);
bool rmNSTrigger(const DNSName& dn, Policy pol, size_t zone);
bool rmNSIPTrigger(const Netmask& nm, Policy pol, size_t zone);
bool rmResponseTrigger(const Netmask& nm, Policy pol, size_t zone);
Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies) const;
Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies) const;
Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies) const;
Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies) const;
size_t size() {
return d_zones.size();
}
void setPolicyName(size_t zoneIdx, std::string name)
{
assureZones(zoneIdx);
d_zones[zoneIdx].name = std::make_shared<std::string>(name);
}
private:
void assureZones(size_t zone);
struct Zone {
std::map<DNSName, Policy> qpolName; // QNAME trigger (RPZ)
NetmaskTree<Policy> qpolAddr; // Source address
std::map<DNSName, Policy> propolName; // NSDNAME (RPZ)
NetmaskTree<Policy> propolNSAddr; // NSIP (RPZ)
NetmaskTree<Policy> postpolAddr; // IP trigger (RPZ)
std::shared_ptr<std::string> name;
};
vector<Zone> d_zones;
};
|