Re: [Dnsmasq-discuss] [RFC PATCH v3] Add support for blocking A or AAAA queries per domain

2023-04-05 Thread Ed W
Ooh. I am a very specialist use case here, but if you were interested to develop this a little, I have a related use case I would like to solve!

I kind of want the reverse. I have (very) expensive bandwidth and want to block AAAA queries because I know that none of my links will support ipv6 in the near future, with the exception of VPNs and internal lan networks. So I kind of want to run AAAA queries for known specific domains and then every other query will go to the default upstream, where I want some complicated and as yet known process to block those queries and return some sensible answer (Current thinking is to use IPTables to block unwanted AAAA on expensive links and then to avoid problems with resolvers, to have dnsmasq turn the BLOCKED response into a NODATA or similar). Nasty, but not got better ideas

So I would be interested in a way to positively accept specific AAAA, but tag all others as undesirable

Cheers

Ed W


On 21/03/2023 11:48, Petr Menšík wrote:
> I would prefer to use --filter-AAAA and expand it to accept also /domain/
> modifier, just like --address or --server. Reusing --address seems confusing,
> especially with negated ! syntax. I think --address serves already too many
> different purposes. I would not add a new one if we have already better option
> present. Similar way with --filter-A. I think it would be easier to document
> and more intuitive at the same time.
>
> Does this code handle differences between NXDOMAIN and empty NOERROR answers?
> It seems to me it does not. It would make every name under /domain/ existing
> but empty. Do we want that this way? It may confuse some caching software.
>
> Cheers,
> Petr


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] [RFC PATCH v3] Add support for blocking A or AAAA queries per domain

2023-03-21 Thread Petr Menšík
I would prefer to use --filter-AAAA and expand it to accept also 
/domain/ modifier, just like --address or --server. Reusing --address 
seems confusing, especially with negated ! syntax. I think --address 
serves already too many different purposes. I would not add a new one if 
we have already better option present. Similar way with --filter-A. I 
think it would be easier to document and more intuitive at the same time.


Does this code handle differences between NXDOMAIN and empty NOERROR 
answers? It seems to me it does not. It would make every name under 
/domain/ existing but empty. Do we want that this way? It may confuse 
some caching software.


Cheers,
Petr

On 1/20/23 06:26, Peter Tirsek wrote:

This patch extends the `--address` option to accept two new special
addresses, `!A` and `!AAAA`, which will cause the server to block A or
AAAA queries for the specified domain(s), respectively. This can be
useful in situations where IPv6 connectivity is broken, but only to
certain domains.

Signed-off-by: Peter Tirsek 
---

v3: Changed NXDOMAIN to NODATA response, and the !4/!6 config syntax to
 !A/!AAAA. Rebased to the newest master branch, and hopefully I
 remembered to send it non-flowed this time.

v2: Fixed a few more u16->int fields.

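Petr's question above, NXDOMAIN versus an empty NOERROR answer, is the crux of the patch's NODATA choice. The following is an added illustration, not dnsmasq code and not part of any message in this thread: a constructed rule table standing in for `--address=/domain/!A` and `!AAAA`, the per-query decision, and minimal wire-format negative responses showing what a downstream cache may conclude from each RCODE. The names BLOCK_RULES, decide, classify and answer are assumptions of the example.

```python
import struct

NOERROR, NXDOMAIN = 0, 3           # DNS RCODE values
QTYPE_A, QTYPE_AAAA = 1, 28        # query types the patch distinguishes

# Constructed stand-in for --address=/example.com/!AAAA and --address=/v4only.test/!A
# (assumption: a dict of domain -> set of query types to answer with NODATA).
BLOCK_RULES = {"example.com": {QTYPE_AAAA}, "v4only.test": {QTYPE_A}}

def blocked_types(name):
    """Types suppressed for name; the longest matching /domain/ suffix wins."""
    best_domain, best_types = "", set()
    for domain, types in BLOCK_RULES.items():
        if (name == domain or name.endswith("." + domain)) and len(domain) > len(best_domain):
            best_domain, best_types = domain, types
    return best_types

def decide(name, qtype):
    """'nodata' when the query is answered locally with an empty NOERROR, else 'forward'."""
    return "nodata" if qtype in blocked_types(name) else "forward"

def encode_name(name):
    """Wire-format owner name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_negative_response(qid, name, qtype, rcode):
    """Header plus echoed question only: QR, AA, RD, RA set, ANCOUNT=0, given RCODE."""
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN

def classify(pkt):
    """What a downstream cache may conclude from a response (RFC 2308 negative answers)."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0xF
    if rcode == NXDOMAIN:
        return "name does not exist for any type"       # whole name negatively cached
    if rcode == NOERROR and ancount == 0:
        return "name exists, no records of this type"   # NODATA: only this type cached
    return "positive or other answer"

def answer(qid, name, qtype):
    """NODATA answer for blocked types, as the patch does; None means forward upstream."""
    if decide(name, qtype) == "forward":
        return None
    return build_negative_response(qid, name, qtype, NOERROR)
```

The NODATA form leaves the name itself cacheable as existing, which is exactly the "existing but empty" behaviour Petr asks about; an NXDOMAIN in its place would tell caches the name has no records of any type.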

[Dnsmasq-discuss] [RFC PATCH v3] Add support for blocking A or AAAA queries per domain

2023-01-19 Thread Peter Tirsek
This patch extends the `--address` option to accept two new special
addresses, `!A` and `!AAAA`, which will cause the server to block A or
AAAA queries for the specified domain(s), respectively. This can be
useful in situations where IPv6 connectivity is broken, but only to
certain domains.

Signed-off-by: Peter Tirsek 
---

v3: Changed NXDOMAIN to NODATA response, and the !4/!6 config syntax to
!A/!AAAA. Rebased to the newest master branch, and hopefully I
remembered to send it non-flowed this time.

v2: Fixed a few more u16->int fields.

 man/dnsmasq.8  |  9 +
 src/dbus.c |  2 +-
 src/dnsmasq.h  | 15 ++-
 src/domain-match.c |  8 +---
 src/option.c   | 27 +++
 5 files changed, 48 insertions(+), 13 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 2495ed1..8ec2d44 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -570,6 +570,15 @@ its subdomains. This is partly syntactic sugar for 
\fB--address=/example.com/0.0
 and \fB--address=/example.com/::\fP but is also more efficient than including 
both
 as separate configuration lines. Note that NULL addresses normally work in the 
same way as localhost, so beware that clients looking up these names are likely 
to end up talking to themselves.

+As a special case, an address specified as \fB!A\fP causes the server to
+return NODATA for all A (IPv4) queries, but  (IPv6) queries are
+processed as normal. Conversely, specifying \fB!\fP as the address
+causes  (IPv6) queries to return NODATA, but A (IPv4) queries are
+processed as normal. This can be useful in situations where IPv6
+connectivity is broken, but only to certain domains. If you want to block
+either A or  records for ALL domains, use the \fB--filter-A\fP or
+\fB--filter-\fP options instead.
+
 Note that the behaviour for queries which don't match the specified address 
literal changed in version 2.86.
 Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and 
then queried for a RR type other than
 A would return a NoData answer. From  2.86, the query is sent upstream. To 
restore the pre-2.86 behaviour,
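Review bot: the new paragraph should state what the NODATA answer implies for the name, because it is a NOERROR response with an empty answer section rather than NXDOMAIN: every name under /domain/ is reported to clients and caches as existing, just without records of the blocked type, which is the point Petr raises in his reply. One added sentence along the lines of "Names under the domain are reported as existing (NOERROR with no records of the blocked type); they are never reported as NXDOMAIN" would let an operator judge the effect on caching resolvers before turning this on.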
diff --git a/src/dbus.c b/src/dbus.c
index fd5d1ca..ec550ed 100644
--- a/src/dbus.c
+++ b/src/dbus.c
@@ -289,7 +289,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage 
*message, int strings)
 {
   const char *str = NULL;
   union  mysockaddr addr, source_addr;
-  u16 flags = 0;
+  int flags = 0;
   char interface[IF_NAMESIZE];
   char *str_addr, *str_domain = NULL;
   struct server_details sdetails = { 0 };
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index aaa6d62..a2e7c6a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -554,6 +554,7 @@ union mysockaddr {
 #define SERV_LOOP8192  /* server causes forwarding loop */
 #define SERV_DO_DNSSEC  16384  /* Validate DNSSEC when using this server */
 #define SERV_GOT_TCP32768  /* Got some data from the TCP connection */
+#define SERV_NODATA 65536  /* Force a NoData answer */

 struct serverfd {
   int fd;
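Review bot: SERV_NODATA is 65536, i.e. bit 16, so it no longer fits the u16 flags fields this header used until now; the int widening in the following hunks is therefore required rather than cosmetic, and any remaining u16 flags holder, u16 cast or u16 function parameter elsewhere in src/ would silently drop this bit. Worth a sweep for "u16 flags" across the tree before merging, and a short comment on the define noting that it needs the int-wide flags field.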
@@ -576,7 +577,8 @@ struct randfd_list {


 struct server {
-  u16 flags, domain_len;
+  int flags;
+  u16 domain_len;
   char *domain;
   struct server *next;
   int serial, arrayposn;
@@ -598,21 +600,24 @@ struct server {

 /* First four fields must match struct server in next three definitions.. */
 struct serv_addr4 {
-  u16 flags, domain_len;
+  int flags;
+  u16 domain_len;
   char *domain;
   struct server *next;
   struct in_addr addr;
 };

 struct serv_addr6 {
-  u16 flags, domain_len;
+  int flags;
+  int domain_len;
   char *domain;
   struct server *next;
   struct in6_addr addr;
 };

 struct serv_local {
-  u16 flags, domain_len;
+  int flags;
+  u16 domain_len;
   char *domain;
   struct server *next;
 };
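Review bot: serv_addr6 changes domain_len to `int` while struct server, serv_addr4 and serv_local keep `u16 domain_len`, which contradicts the comment above this block that the first four fields must match struct server. These structs are read through a struct server pointer, so the field sits at the same offset but with a different width: correct by accident on little-endian hosts, wrong on big-endian ones, and a layout mismatch the comment explicitly forbids. Change `+  int domain_len;` to `+  u16 domain_len;` as in the other three structs.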
@@ -1298,7 +1303,7 @@ struct server_details {
   struct addrinfo *hostinfo, *orig_hostinfo;
   char *interface, *source, *scope_id, *interface_opt;
   int serv_port, source_port, addr_type, scope_index, valid;
-  u16 *flags;
+  int *flags;
 };

 /* cache.c */
diff --git a/src/domain-match.c b/src/domain-match.c
index fe8e25a..4703dff 100644
--- a/src/domain-match.c
+++ b/src/domain-match.c
@@ -21,7 +21,7 @@ static int order_qsort(const void *a, const void *b);
 static int order_servers(struct server *s, struct server *s2);

 /* If the server is USE_RESOLV or LITERAL_ADDRES, it lives on the 
local_domains chain. */
-#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS)
+#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS | SERV_NODATA)

 void build_server_array(void)
 {
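Review bot: the comment just above the macro, "If the server is USE_RESOLV or LITERAL_ADDRES, it lives on the local_domains chain", is now out of date since SERV_NODATA joins SERV_IS_LOCAL; list NODATA there too (and fix the LITERAL_ADDRES spelling while touching the line).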
@@ -370,9 +370,11 @@ int is_local_answer(time_t now, int first, char *name)
   int flags = 0;
   int rc = 0;

-  if ((flags = daemon->serverarray[first]->flags) & SERV_LITERAL_ADDRESS)
+  if ((flags = daemon->serverarray[first]->flags) & (SERV_LITERAL_ADDRESS | 
SERV_NODATA))
 {
-  if (flags & SERV_4ADDR)
+  if (flags & SERV_NODATA)
+rc = F_NOERR;
+
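Review bot: the visible part of this hunk sets `rc = F_NOERR` whenever SERV_NODATA is set, before anything checks whether the query type is the one configured to be blocked; the replaced line `if (flags & SERV_4ADDR)` was keyed on address family, so the !A/!AAAA distinction still has to be applied (presumably via SERV_4ADDR/SERV_6ADDR) before a NODATA answer is returned, and it is not possible to confirm that from what is shown. The archive truncates the hunk at this point, so the rest of is_local_answer and the entire option.c change cannot be reviewed from this message.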