dnsmasq: add refresh filter-https+unknown patch

This commit is contained in:
Lienol 2023-03-01 16:11:18 +08:00
parent d854402f06
commit 368d7d7c2e
3 changed files with 118 additions and 0 deletions

View File

@ -25,6 +25,8 @@ config dnsmasq
option filter_aaaa 0
option filter_a 0
#list addnmount /some/path # read-only mount path to expose it to dnsmasq
option filter_https 1
option filter_unknown 1
config dhcp lan
option interface lan

View File

@ -966,6 +966,9 @@ dnsmasq_start()
append_bool "$cfg" filter_aaaa "--filter-AAAA"
append_bool "$cfg" filter_a "--filter-A"
append_bool "$cfg" filter_https "--filter-https"
append_bool "$cfg" filter_unknown "--filter-unknown"
append_parm "$cfg" logfacility "--log-facility"
config_get logfacility "$cfg" "logfacility"
append_parm "$cfg" cachesize "--cache-size"

View File

@ -0,0 +1,113 @@
--- a/src/cache.c
+++ b/src/cache.c
@@ -1934,6 +1934,20 @@ char *record_source(unsigned int index)
return "<unknown>";
}
+// patch: function returns integer 1 if query type is unknown.
+// known types are defined in cache.c:typestr:36.
+int is_query_type_unknown(unsigned short type)
+{
+ unsigned int i;
+ for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
+ if (typestr[i].type == type)
+ {
+ return 0;
+ }
+ return 1;
+}
+// end of patch
+
static char *querystr(char *desc, unsigned short type)
{
unsigned int i;
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -71,6 +71,7 @@
#define T_NSEC 47
#define T_DNSKEY 48
#define T_NSEC3 50
+#define T_HTTPS 65
#define T_TKEY 249
#define T_TSIG 250
#define T_AXFR 252
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,9 @@ struct event_desc {
#define OPT_STRIP_MAC 70
#define OPT_NORR 71
#define OPT_NO_IDENT 72
-#define OPT_LAST 73
+#define OPT_FILTER_HTTPS 73
+#define OPT_FILTER_UNKNOWN 74
+#define OPT_LAST 75
#define OPTION_BITS (sizeof(unsigned int)*8)
#define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -1307,6 +1309,10 @@ void cache_init(void);
void next_uid(struct crec *crecp);
void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type);
char *record_source(unsigned int index);
+// patch: function returns integer 1 if query type is unknown
+// known types are defined in cache.c:typestr:36.
+int is_query_type_unknown(unsigned short type);
+// end of patch
int cache_find_non_terminal(char *name, time_t now);
struct crec *cache_find_by_addr(struct crec *crecp,
union all_addr *addr, time_t now,
--- a/src/option.c
+++ b/src/option.c
@@ -186,6 +186,8 @@ struct myoption {
#define LOPT_STALE_CACHE 377
#define LOPT_NORR 378
#define LOPT_NO_IDENT 379
+#define LOPT_FILTER_HTTPS 380
+#define LOPT_FILTER_UNKNOWN 381
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -376,6 +378,8 @@ static const struct myoption opts[] =
{ "fast-dns-retry", 2, 0, LOPT_FAST_RETRY },
{ "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
{ "no-ident", 0, 0, LOPT_NO_IDENT },
+ { "filter-https", 0, 0, LOPT_FILTER_HTTPS },
+ { "filter-unknown", 0, 0, LOPT_FILTER_UNKNOWN },
{ NULL, 0, 0, 0 }
};
@@ -573,6 +577,8 @@ static struct {
{ LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL },
{ LOPT_NORR, OPT_NORR, NULL, gettext_noop("Suppress round-robin ordering of DNS records."), NULL },
{ LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not add CHAOS TXT records."), NULL },
+ { LOPT_FILTER_HTTPS, OPT_FILTER_HTTPS, NULL, gettext_noop("Filter all HTTPS/query type 65 requests."), NULL },
+ { LOPT_FILTER_UNKNOWN, OPT_FILTER_UNKNOWN, NULL, gettext_noop("Filter all unknown query types (known are defined in cache.c)."), NULL },
{ 0, 0, NULL, NULL, NULL }
};
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -2149,6 +2149,24 @@ size_t answer_request(struct dns_header
}
}
+ //patch to filter https/query type 65 forwards
+ if (qtype == T_HTTPS && option_bool(OPT_FILTER_HTTPS) ){
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL, 0);
+ break;
+ }
+ //end of patch
+ //patch to filter all unknown query types
+ //known types are defined in cache.c:typestr:36.
+ if (is_query_type_unknown(qtype) && option_bool(OPT_FILTER_UNKNOWN)) {
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL, 0);
+ break;
+ }
+ //end of patch
+
if (!ans)
return 0; /* failed to answer a question */
}