Revert "Feat/not forwarded arpa"

junkurihara · Dec 21, 2024 · db1a9bc · db1a9bc
1 parent 05df930
commit db1a9bc
Show file tree

Hide file tree

Showing 11 changed files with 51 additions and 263 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,15 +13,7 @@
 You should also include the user name that made the change.
 -->
 
-## 0.4.2 (Unreleased)
-
-## 0.4.1
-
-- Feat: support handling not-forwarded domains and local domains by default. For example, `resolver.arpa` is not forwarded to the upstream resolver, and `localhost` is always resolved to `127.0.0.1` or `::1`.
-- Refactor: Various minor improvements
-- Deps.
-
-## 0.4.0
+## 0.4.0 (Unreleased)
 
 - Feat: Support anonymous token based on blind RSA signatures.
 - Feat: DNS query logging (`qrlog` feature)

diff --git a/Cargo.toml b/Cargo.toml
@@ -4,7 +4,7 @@ members = ["proxy-bin", "proxy-lib"]
 resolver = "2"
 
 [workspace.package]
-version = "0.4.2"
+version = "0.4.1"
 authors = ["Jun Kurihara"]
 homepage = "https://github.com/junkurihara/doh-auth-proxy"
 repository = "https://github.com/junkurihara/doh-auth-proxy"

diff --git a/proxy-lib/src/constants.rs b/proxy-lib/src/constants.rs
@@ -96,10 +96,6 @@ pub const HEALTHCHECK_TARGET_ADDR: &str = "8.8.8.8";
 pub const BLOCK_MESSAGE_HINFO_CPU: &str = "BLOCKED";
 /// Block message for query manipulation (HINFO OS field)
 pub const BLOCK_MESSAGE_HINFO_OS: &str = "POWERED-BY-DOH-AUTH-PROXY";
-/// Not-forwarded message for query manipulation (HINFO CPU field)
-pub const NOT_FORWARDED_MESSAGE_HINFO_CPU: &str = "NOT-FORWARDED-BY-DEFAULT";
-/// Not-forwarded message for query manipulation (HINFO OS field)
-pub const NOT_FORWARDED_MESSAGE_HINFO_OS: &str = "POWERED-BY-DOH-AUTH-PROXY";
 
 // Logging
 /// Query log channel size

diff --git a/proxy-lib/src/doh_client/dns_message.rs b/proxy-lib/src/doh_client/dns_message.rs
@@ -120,14 +120,6 @@ pub fn build_response_nx(msg: &Message) -> Message {
   res
 }
 
-/// Build a DNS response message with REFUSED
-pub fn build_response_refused(msg: &Message) -> Message {
-  let mut res = msg.clone();
-  res.set_message_type(hickory_proto::op::MessageType::Response);
-  res.set_response_code(hickory_proto::op::ResponseCode::Refused);
-  res
-}
-
 /// Build a DNS response message for given QueryKey and IP address
 pub fn build_response_given_ipaddr(msg: &Message, q_key: &QueryKey, ipaddr: &IpAddr, min_ttl: u32) -> anyhow::Result<Message> {
   let mut res = msg.clone();

diff --git a/proxy-lib/src/doh_client/doh_client_main.rs b/proxy-lib/src/doh_client/doh_client_main.rs
@@ -45,7 +45,7 @@ pub struct DoHClient {
   /// health check interval
   pub(super) healthcheck_period_sec: tokio::time::Duration,
   /// Query manipulation pulugins
-  query_manipulators: QueryManipulators,
+  query_manipulators: Option<QueryManipulators>,
   /// Query logging sender
   query_log_tx: crossbeam_channel::Sender<QueryLoggingBase>,
 }
@@ -119,10 +119,10 @@ impl DoHClient {
     let healthcheck_period_sec = globals.proxy_config.healthcheck_period_sec;
 
     // query manipulators
-    let query_manipulators: QueryManipulators = if let Some(q) = &globals.proxy_config.query_manipulation_config {
-      q.as_ref().try_into().unwrap_or_default()
+    let query_manipulators: Option<QueryManipulators> = if let Some(q) = &globals.proxy_config.query_manipulation_config {
+      q.as_ref().try_into().ok()
     } else {
-      QueryManipulators::default()
+      None
     };
 
     Ok(Self {
@@ -186,29 +186,20 @@ impl DoHClient {
     })?;
 
     // Process query plugins from the beginning of vec, e.g., domain filtering, cloaking, etc.
-
-    let execution_result = self.query_manipulators.apply(&query_msg, &req.0[0]).await?;
-    match execution_result {
-      QueryManipulationResult::PassThrough => (),
-      QueryManipulationResult::SyntheticResponseBlocked(response_msg) => {
-        let res = dns_message::encode(&response_msg)?;
-        self.log_dns_message(&res, proto, src, DoHResponseType::Blocked, None, start);
-        return Ok(res);
-      }
-      QueryManipulationResult::SyntheticResponseOverridden(response_msg) => {
-        let res = dns_message::encode(&response_msg)?;
-        self.log_dns_message(&res, proto, src, DoHResponseType::Overridden, None, start);
-        return Ok(res);
-      }
-      QueryManipulationResult::SyntheticResponseNotForwarded(response_msg) => {
-        let res = dns_message::encode(&response_msg)?;
-        self.log_dns_message(&res, proto, src, DoHResponseType::NotForwarded, None, start);
-        return Ok(res);
-      }
-      QueryManipulationResult::SyntheticResponseDefaultHost(response_msg) => {
-        let res = dns_message::encode(&response_msg)?;
-        self.log_dns_message(&res, proto, src, DoHResponseType::DefaultHost, None, start);
-        return Ok(res);
+    if let Some(manipulators) = &self.query_manipulators {
+      let execution_result = manipulators.apply(&query_msg, &req.0[0]).await?;
+      match execution_result {
+        QueryManipulationResult::PassThrough => (),
+        QueryManipulationResult::SyntheticResponseBlocked(response_msg) => {
+          let res = dns_message::encode(&response_msg)?;
+          self.log_dns_message(&res, proto, src, DoHResponseType::Blocked, None, start);
+          return Ok(res);
+        }
+        QueryManipulationResult::SyntheticResponseOverridden(response_msg) => {
+          let res = dns_message::encode(&response_msg)?;
+          self.log_dns_message(&res, proto, src, DoHResponseType::Overridden, None, start);
+          return Ok(res);
+        }
       }
     }
 

diff --git a/proxy-lib/src/doh_client/manipulation/default_rule.rs b/proxy-lib/src/doh_client/manipulation/default_rule.rs
diff --git a/proxy-lib/src/doh_client/manipulation/domain_block.rs b/proxy-lib/src/doh_client/manipulation/domain_block.rs
@@ -3,13 +3,14 @@ use super::{
     dns_message::{build_response_nx, QueryKey},
     error::DohClientError,
   },
-  inspect_query_name, QueryManipulation, QueryManipulationResult,
+  QueryManipulation, QueryManipulationResult,
 };
 use crate::{
   constants::{BLOCK_MESSAGE_HINFO_CPU, BLOCK_MESSAGE_HINFO_OS},
   log::*,
   QueryManipulationConfig,
 };
+use anyhow::bail;
 use async_trait::async_trait;
 use hickory_proto::{op::Message, rr};
 use match_domain::DomainMatchingRule;
@@ -66,8 +67,19 @@ impl TryFrom<&QueryManipulationConfig> for Option<DomainBlockRule> {
 impl DomainBlockRule {
   /// Check if the query key is in blocklist
   pub fn in_blocklist(&self, q_key: &QueryKey) -> anyhow::Result<bool> {
-    // remove final dot and convert to lowercase
-    let nn = inspect_query_name(q_key.query_name.as_str())?;
+    // remove final dot
+    let mut nn = q_key.clone().query_name.to_ascii_lowercase();
+    match nn.pop() {
+      Some(dot) => {
+        if dot != '.' {
+          bail!("Invalid query name as fqdn (missing final dot): {}", nn);
+        }
+      }
+      None => {
+        bail!("Missing query name");
+      }
+    }
+
     Ok(self.inner.is_matched(&nn))
   }
 }

diff --git a/proxy-lib/src/doh_client/manipulation/domain_override.rs b/proxy-lib/src/doh_client/manipulation/domain_override.rs
@@ -3,7 +3,6 @@ use super::{
     dns_message::{build_response_given_ipaddr, QueryKey},
     error::DohClientError,
   },
-  inspect_query_name,
   regexp_vals::*,
   QueryManipulation, QueryManipulationResult,
 };
@@ -96,10 +95,19 @@ impl TryFrom<&QueryManipulationConfig> for Option<DomainOverrideRule> {
 impl DomainOverrideRule {
   pub fn find_mapping(&self, q_key: &QueryKey) -> Option<&MapsTo> {
     let q_type = q_key.query_type;
-
-    // remove final dot and convert to lowercase
-    let nn = inspect_query_name(q_key.query_name.as_str()).ok()?;
-
+    // remove final dot
+    let mut nn = q_key.clone().query_name.to_ascii_lowercase();
+    match nn.pop() {
+      Some(dot) => {
+        if dot != '.' {
+          return None;
+        }
+      }
+      None => {
+        warn!("Null request!");
+        return None;
+      }
+    }
     // find matches
     if let Some(targets) = self.inner.get(&nn) {
       targets.iter().find(|x| match x {