Re: [Dnsmasq-discuss] [RFC PATCH v3] Add support for blocking A or AAAA queries per domain
Ooh. I am a very specialist use case here, but if you were interested to develop this a little, I have a related use case I would like to solve! I kind of want the reverse. I have (very) expensive bandwidth and want to block queries because I know that none of my links will support ipv6 in the near future, with the exception of VPNs and internal lan networks. So I kind of want to run queries for known specific domains and then every other query will go to the default upstream, where I want some complicated and as yet known process to block those queries and return some sensible answer (Current thinking is to use IPTables to block unwanted on expensive links and then to avoid problems with resolvers, to have dnsmasq turn the BLOCKED response into a NODATA or similar). Nasty, but not got better ideas So I would be interested in a way to positively accept specific , but tag all others as undesirable Cheers Ed W On 21/03/2023 11:48, Petr Menšík wrote: > I would prefer to use --filter- and expand it to accept also /domain/ > modifier, just like > --address or --server. Reusing --address seems confusing, especially with > negated ! syntax. I > think --address serves already too many different purposes. I would not add a > new one if we have > already better option present. Similar way with --filter-A. I think it would > be easier to document > and more intuitive at the same time. > > Does this code handle differences between NXDOMAIN and empty NOERROR answers? > It seems to me it > does not. It would make every name under /domain/ existing but empty. Do we > want that this way? It > may confuse some caching software. > > Cheers, > Petr ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] [RFC PATCH v3] Add support for blocking A or AAAA queries per domain
I would prefer to use --filter- and expand it to accept also /domain/ modifier, just like --address or --server. Reusing --address seems confusing, especially with negated ! syntax. I think --address serves already too many different purposes. I would not add a new one if we have already better option present. Similar way with --filter-A. I think it would be easier to document and more intuitive at the same time. Does this code handle differences between NXDOMAIN and empty NOERROR answers? It seems to me it does not. It would make every name under /domain/ existing but empty. Do we want that this way? It may confuse some caching software. Cheers, Petr On 1/20/23 06:26, Peter Tirsek wrote: This patch extends the `--address` option to accept two new special address, `!A` and `!`, which will cause the server to block A or queries for the specified domain(s), respectively. This can be useful in situations where IPv6 connectivity is broken, but only to certain domains. Signed-off-by: Peter Tirsek --- v3: Changed NXDOMAIN to NODATA response, and the !4/!6 config syntax to !A/!. Rebased to the newest master branch, and hopefully I remembered to send it non-flowed this time. v2: Fixed a few more u16->int fields. man/dnsmasq.8 | 9 + src/dbus.c | 2 +- src/dnsmasq.h | 15 ++- src/domain-match.c | 8 +--- src/option.c | 27 +++ 5 files changed, 48 insertions(+), 13 deletions(-) diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index 2495ed1..8ec2d44 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -570,6 +570,15 @@ its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0 and \fB--address=/example.com/::\fP but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves. +As a special case, an address specified as \fB!A\fP causes the server to +return NODATA for all A (IPv4) queries, but (IPv6) queries are +processed as normal. Conversely, specifying \fB!\fP as the address +causes (IPv6) queries to return NODATA, but A (IPv4) queries are +processed as normal. This can be useful in situations where IPv6 +connectivity is broken, but only to certain domains. If you want to block +either A or records for ALL domains, use the \fB--filter-A\fP or +\fB--filter-\fP options instead. + Note that the behaviour for queries which don't match the specified address literal changed in version 2.86. Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type other than A would return a NoData answer. From 2.86, the query is sent upstream. To restore the pre-2.86 behaviour, diff --git a/src/dbus.c b/src/dbus.c index fd5d1ca..ec550ed 100644 --- a/src/dbus.c +++ b/src/dbus.c @@ -289,7 +289,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings) { const char *str = NULL; union mysockaddr addr, source_addr; - u16 flags = 0; + int flags = 0; char interface[IF_NAMESIZE]; char *str_addr, *str_domain = NULL; struct server_details sdetails = { 0 }; diff --git a/src/dnsmasq.h b/src/dnsmasq.h index aaa6d62..a2e7c6a 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -554,6 +554,7 @@ union mysockaddr { #define SERV_LOOP8192 /* server causes forwarding loop */ #define SERV_DO_DNSSEC 16384 /* Validate DNSSEC when using this server */ #define SERV_GOT_TCP32768 /* Got some data from the TCP connection */ +#define SERV_NODATA 65536 /* Force a NoData answer */ struct serverfd { int fd; @@ -576,7 +577,8 @@ struct randfd_list { struct server { - u16 flags, domain_len; + int flags; + u16 domain_len; char *domain; struct server *next; int serial, arrayposn; @@ -598,21 +600,24 @@ struct server { /* First four fields must match struct server in next three definitions.. */ struct serv_addr4 { - u16 flags, domain_len; + int flags; + u16 domain_len; char *domain; struct server *next; struct in_addr addr; }; struct serv_addr6 { - u16 flags, domain_len; + int flags; + int domain_len; char *domain; struct server *next; struct in6_addr addr; }; struct serv_local { - u16 flags, domain_len; + int flags; + u16 domain_len; char *domain; struct server *next; }; @@ -1298,7 +1303,7 @@ struct server_details { struct addrinfo *hostinfo, *orig_hostinfo; char *interface, *source, *scope_id, *interface_opt; int serv_port, source_port, addr_type, scope_index, valid; - u16 *flags; + int *flags; }; /* cache.c */ diff --git a/src/domain-match.c b/src/domain-match.c index fe8e25a..4703dff 100644 --- a/src/domain-match.c +++ b/src/domain-match.c @@ -21,7 +21
[Dnsmasq-discuss] [RFC PATCH v3] Add support for blocking A or AAAA queries per domain
This patch extends the `--address` option to accept two new special address, `!A` and `!`, which will cause the server to block A or queries for the specified domain(s), respectively. This can be useful in situations where IPv6 connectivity is broken, but only to certain domains. Signed-off-by: Peter Tirsek --- v3: Changed NXDOMAIN to NODATA response, and the !4/!6 config syntax to !A/!. Rebased to the newest master branch, and hopefully I remembered to send it non-flowed this time. v2: Fixed a few more u16->int fields. man/dnsmasq.8 | 9 + src/dbus.c | 2 +- src/dnsmasq.h | 15 ++- src/domain-match.c | 8 +--- src/option.c | 27 +++ 5 files changed, 48 insertions(+), 13 deletions(-) diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index 2495ed1..8ec2d44 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -570,6 +570,15 @@ its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0 and \fB--address=/example.com/::\fP but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves. +As a special case, an address specified as \fB!A\fP causes the server to +return NODATA for all A (IPv4) queries, but (IPv6) queries are +processed as normal. Conversely, specifying \fB!\fP as the address +causes (IPv6) queries to return NODATA, but A (IPv4) queries are +processed as normal. This can be useful in situations where IPv6 +connectivity is broken, but only to certain domains. If you want to block +either A or records for ALL domains, use the \fB--filter-A\fP or +\fB--filter-\fP options instead. + Note that the behaviour for queries which don't match the specified address literal changed in version 2.86. Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type other than A would return a NoData answer. From 2.86, the query is sent upstream. To restore the pre-2.86 behaviour, diff --git a/src/dbus.c b/src/dbus.c index fd5d1ca..ec550ed 100644 --- a/src/dbus.c +++ b/src/dbus.c @@ -289,7 +289,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings) { const char *str = NULL; union mysockaddr addr, source_addr; - u16 flags = 0; + int flags = 0; char interface[IF_NAMESIZE]; char *str_addr, *str_domain = NULL; struct server_details sdetails = { 0 }; diff --git a/src/dnsmasq.h b/src/dnsmasq.h index aaa6d62..a2e7c6a 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -554,6 +554,7 @@ union mysockaddr { #define SERV_LOOP8192 /* server causes forwarding loop */ #define SERV_DO_DNSSEC 16384 /* Validate DNSSEC when using this server */ #define SERV_GOT_TCP32768 /* Got some data from the TCP connection */ +#define SERV_NODATA 65536 /* Force a NoData answer */ struct serverfd { int fd; @@ -576,7 +577,8 @@ struct randfd_list { struct server { - u16 flags, domain_len; + int flags; + u16 domain_len; char *domain; struct server *next; int serial, arrayposn; @@ -598,21 +600,24 @@ struct server { /* First four fields must match struct server in next three definitions.. */ struct serv_addr4 { - u16 flags, domain_len; + int flags; + u16 domain_len; char *domain; struct server *next; struct in_addr addr; }; struct serv_addr6 { - u16 flags, domain_len; + int flags; + int domain_len; char *domain; struct server *next; struct in6_addr addr; }; struct serv_local { - u16 flags, domain_len; + int flags; + u16 domain_len; char *domain; struct server *next; }; @@ -1298,7 +1303,7 @@ struct server_details { struct addrinfo *hostinfo, *orig_hostinfo; char *interface, *source, *scope_id, *interface_opt; int serv_port, source_port, addr_type, scope_index, valid; - u16 *flags; + int *flags; }; /* cache.c */ diff --git a/src/domain-match.c b/src/domain-match.c index fe8e25a..4703dff 100644 --- a/src/domain-match.c +++ b/src/domain-match.c @@ -21,7 +21,7 @@ static int order_qsort(const void *a, const void *b); static int order_servers(struct server *s, struct server *s2); /* If the server is USE_RESOLV or LITERAL_ADDRES, it lives on the local_domains chain. */ -#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS) +#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS | SERV_NODATA) void build_server_array(void) { @@ -370,9 +370,11 @@ int is_local_answer(time_t now, int first, char *name) int flags = 0; int rc = 0; - if ((flags = daemon->serverarray[first]->flags) & SERV_LITERAL_ADDRESS) + if ((flags = daemon->serverarray[first]->flags) & (SERV_LITERAL_ADDRESS | SERV_NODATA)) { - if (flags & SERV_4ADDR) + if (flags & SERV_NODATA) +rc = F_NOERR; +