You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

412 lines
14 KiB

  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #pragma once
  23. #include "iputils.hh"
  24. #include "dns.hh"
  25. #include "dnsname.hh"
  26. #include "dnsparser.hh"
  27. #include <map>
  28. #include <unordered_map>
  29. #include <limits>
  30. /* This class implements a filtering policy that is able to fully implement RPZ, but is not bound to it.
  31. In other words, it is generic enough to support RPZ, but could get its data from other places.
  32. We know the following actions:
  33. No action - just pass it on
  34. Drop - drop a query, no response
  35. NXDOMAIN - fake up an NXDOMAIN for the query
  36. NODATA - just return no data for this qtype
  37. Truncate - set TC bit
  38. Modified - "we fake an answer for you"
  39. These actions can be caused by the following triggers:
  40. qname - the query name
  41. client-ip - the IP address of the requestor
  42. response-ip - an IP address in the response
  43. ns-name - the name of a server used in the delegation
  44. ns-ip - the IP address of a server used in the delegation
  45. This means we get several hook points:
  46. 1) when the query comes in: qname & client-ip
  47. 2) during processing: ns-name & ns-ip
  48. 3) after processing: response-ip
  49. Triggers meanwhile can apply to:
  50. Verbatim domain names
  51. Wildcard versions (*.domain.com does NOT match domain.com)
  52. Netmasks (IPv4 and IPv6)
  53. Finally, triggers are grouped in different zones. The "first" zone that has a match
  54. is consulted. Then within that zone, rules again have precedences.
  55. */
  56. class DNSFilterEngine
  57. {
  58. public:
  59. enum class PolicyKind : uint8_t { NoAction, Drop, NXDOMAIN, NODATA, Truncate, Custom};
  60. enum class PolicyType : uint8_t { None, QName, ClientIP, ResponseIP, NSDName, NSIP };
  61. typedef uint16_t Priority;
  62. static const Priority maximumPriority = std::numeric_limits<Priority>::max();
  63. static std::string getKindToString(PolicyKind kind);
  64. static std::string getTypeToString(PolicyType type);
  65. struct PolicyZoneData
  66. {
  67. /* shared by all the policies from a single zone */
  68. std::unordered_set<std::string> d_tags;
  69. std::string d_name;
  70. Priority d_priority{maximumPriority};
  71. bool d_policyOverridesGettag{true};
  72. };
  73. struct Policy
  74. {
  75. Policy(): d_ttl(0), d_kind(PolicyKind::NoAction), d_type(PolicyType::None)
  76. {
  77. }
  78. Policy(PolicyKind kind, PolicyType type, int32_t ttl=0, std::shared_ptr<PolicyZoneData> data=nullptr, const std::vector<std::shared_ptr<DNSRecordContent>>& custom={}): d_custom(custom), d_zoneData(data), d_ttl(ttl), d_kind(kind), d_type(type)
  79. {
  80. }
  81. bool operator==(const Policy& rhs) const
  82. {
  83. return d_kind == rhs.d_kind && d_type == rhs.d_type && d_ttl == rhs.d_ttl && d_custom == rhs.d_custom;
  84. }
  85. const std::string& getName() const
  86. {
  87. static const std::string notSet;
  88. if (d_zoneData) {
  89. return d_zoneData->d_name;
  90. }
  91. return notSet;
  92. }
  93. void setName(const std::string& name)
  94. {
  95. /* until now the PolicyZoneData was shared,
  96. we now need to copy it, then write to it */
  97. std::shared_ptr<PolicyZoneData> newZoneData;
  98. if (d_zoneData) {
  99. newZoneData = std::make_shared<PolicyZoneData>(*d_zoneData);
  100. }
  101. else {
  102. newZoneData = std::make_shared<PolicyZoneData>();
  103. }
  104. newZoneData->d_name = name;
  105. d_zoneData = newZoneData;
  106. }
  107. const std::unordered_set<std::string>& getTags() const
  108. {
  109. static const std::unordered_set<std::string> notSet;
  110. if (d_zoneData) {
  111. return d_zoneData->d_tags;
  112. }
  113. return notSet;
  114. }
  115. Priority getPriority() const
  116. {
  117. static Priority notSet = maximumPriority;
  118. if (d_zoneData) {
  119. return d_zoneData->d_priority;
  120. }
  121. return notSet;
  122. }
  123. bool policyOverridesGettag() const {
  124. if (d_zoneData) {
  125. return d_zoneData->d_policyOverridesGettag;
  126. }
  127. return true;
  128. }
  129. bool wasHit() const
  130. {
  131. return (d_type != DNSFilterEngine::PolicyType::None && d_kind != DNSFilterEngine::PolicyKind::NoAction);
  132. }
  133. std::string getLogString() const;
  134. std::vector<DNSRecord> getCustomRecords(const DNSName& qname, uint16_t qtype) const;
  135. std::vector<DNSRecord> getRecords(const DNSName& qname) const;
  136. std::vector<std::shared_ptr<DNSRecordContent>> d_custom;
  137. std::shared_ptr<PolicyZoneData> d_zoneData{nullptr};
  138. DNSName d_trigger;
  139. string d_hit;
  140. /* Yup, we are currently using the same TTL for every record for a given name */
  141. int32_t d_ttl;
  142. PolicyKind d_kind;
  143. PolicyType d_type;
  144. private:
  145. DNSRecord getRecordFromCustom(const DNSName& qname, const std::shared_ptr<DNSRecordContent>& custom) const;
  146. };
  147. class Zone {
  148. public:
  149. Zone(): d_zoneData(std::make_shared<PolicyZoneData>())
  150. {
  151. }
  152. void clear()
  153. {
  154. d_qpolAddr.clear();
  155. d_postpolAddr.clear();
  156. d_propolName.clear();
  157. d_propolNSAddr.clear();
  158. d_qpolName.clear();
  159. }
  160. void reserve(size_t entriesCount)
  161. {
  162. d_qpolName.reserve(entriesCount);
  163. }
  164. void setName(const std::string& name)
  165. {
  166. d_zoneData->d_name = name;
  167. }
  168. void setDomain(const DNSName& domain)
  169. {
  170. d_domain = domain;
  171. }
  172. void setSerial(uint32_t serial)
  173. {
  174. d_serial = serial;
  175. }
  176. void setRefresh(uint32_t refresh)
  177. {
  178. d_refresh = refresh;
  179. }
  180. void setTags(std::unordered_set<std::string>&& tags)
  181. {
  182. d_zoneData->d_tags = std::move(tags);
  183. }
  184. void setPolicyOverridesGettag(bool flag)
  185. {
  186. d_zoneData->d_policyOverridesGettag = flag;
  187. }
  188. const std::string& getName() const
  189. {
  190. return d_zoneData->d_name;
  191. }
  192. DNSName getDomain() const
  193. {
  194. return d_domain;
  195. }
  196. uint32_t getRefresh() const
  197. {
  198. return d_refresh;
  199. }
  200. uint32_t getSerial() const
  201. {
  202. return d_serial;
  203. }
  204. size_t size() const
  205. {
  206. return d_qpolAddr.size() + d_postpolAddr.size() + d_propolName.size() + d_propolNSAddr.size() + d_qpolName.size();
  207. }
  208. void dump(FILE * fp) const;
  209. void addClientTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate = false);
  210. void addQNameTrigger(const DNSName& nm, Policy&& pol, bool ignoreDuplicate = false);
  211. void addNSTrigger(const DNSName& dn, Policy&& pol, bool ignoreDuplicate = false);
  212. void addNSIPTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate = false);
  213. void addResponseTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate = false);
  214. bool rmClientTrigger(const Netmask& nm, const Policy& pol);
  215. bool rmQNameTrigger(const DNSName& nm, const Policy& pol);
  216. bool rmNSTrigger(const DNSName& dn, const Policy& pol);
  217. bool rmNSIPTrigger(const Netmask& nm, const Policy& pol);
  218. bool rmResponseTrigger(const Netmask& nm, const Policy& pol);
  219. bool findExactQNamePolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const;
  220. bool findExactNSPolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const;
  221. bool findNSIPPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const;
  222. bool findResponsePolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const;
  223. bool findClientPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const;
  224. bool hasClientPolicies() const
  225. {
  226. return !d_qpolAddr.empty();
  227. }
  228. bool hasQNamePolicies() const
  229. {
  230. return !d_qpolName.empty();
  231. }
  232. bool hasNSPolicies() const
  233. {
  234. return !d_propolName.empty();
  235. }
  236. bool hasNSIPPolicies() const
  237. {
  238. return !d_propolNSAddr.empty();
  239. }
  240. bool hasResponsePolicies() const
  241. {
  242. return !d_postpolAddr.empty();
  243. }
  244. Priority getPriority() const {
  245. return d_zoneData->d_priority;
  246. }
  247. void setPriority(Priority p) {
  248. d_zoneData->d_priority = p;
  249. }
  250. static DNSName maskToRPZ(const Netmask& nm);
  251. private:
  252. void addNameTrigger(std::unordered_map<DNSName,Policy>& map, const DNSName& n, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
  253. void addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
  254. bool rmNameTrigger(std::unordered_map<DNSName,Policy>& map, const DNSName& n, const Policy& pol);
  255. bool rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, const Policy& pol);
  256. private:
  257. static bool findExactNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
  258. static bool findNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
  259. static void dumpNamedPolicy(FILE* fp, const DNSName& name, const Policy& pol);
  260. static void dumpAddrPolicy(FILE* fp, const Netmask& nm, const DNSName& name, const Policy& pol);
  261. std::unordered_map<DNSName, Policy> d_qpolName; // QNAME trigger (RPZ)
  262. NetmaskTree<Policy> d_qpolAddr; // Source address
  263. std::unordered_map<DNSName, Policy> d_propolName; // NSDNAME (RPZ)
  264. NetmaskTree<Policy> d_propolNSAddr; // NSIP (RPZ)
  265. NetmaskTree<Policy> d_postpolAddr; // IP trigger (RPZ)
  266. DNSName d_domain;
  267. std::shared_ptr<PolicyZoneData> d_zoneData{nullptr};
  268. uint32_t d_serial{0};
  269. uint32_t d_refresh{0};
  270. };
  271. DNSFilterEngine();
  272. void clear()
  273. {
  274. for(auto& z : d_zones) {
  275. z->clear();
  276. }
  277. }
  278. void clearZones()
  279. {
  280. d_zones.clear();
  281. }
  282. const std::shared_ptr<Zone> getZone(size_t zoneIdx) const
  283. {
  284. std::shared_ptr<Zone> result{nullptr};
  285. if (zoneIdx < d_zones.size()) {
  286. result = d_zones[zoneIdx];
  287. }
  288. return result;
  289. }
  290. const std::shared_ptr<Zone> getZone(const std::string& name) const
  291. {
  292. for (const auto& zone : d_zones) {
  293. const auto& zName = zone->getName();
  294. if (zName == name) {
  295. return zone;
  296. }
  297. }
  298. return nullptr;
  299. }
  300. size_t addZone(std::shared_ptr<Zone> newZone)
  301. {
  302. newZone->setPriority(d_zones.size());
  303. d_zones.push_back(newZone);
  304. return (d_zones.size() - 1);
  305. }
  306. void setZone(size_t zoneIdx, std::shared_ptr<Zone> newZone)
  307. {
  308. if (newZone) {
  309. assureZones(zoneIdx);
  310. newZone->setPriority(zoneIdx);
  311. d_zones[zoneIdx] = newZone;
  312. }
  313. }
  314. bool getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  315. bool getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  316. bool getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  317. bool getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  318. bool getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  319. bool getPostPolicy(const DNSRecord& record, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  320. // A few convenience methods for the unit test code
  321. Policy getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
  322. Policy policy;
  323. policy.d_zoneData = std::make_shared<PolicyZoneData>();
  324. policy.d_zoneData->d_priority = p;
  325. getQueryPolicy(qname, discardedPolicies, policy);
  326. return policy;
  327. }
  328. Policy getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
  329. Policy policy;
  330. policy.d_zoneData = std::make_shared<PolicyZoneData>();
  331. policy.d_zoneData->d_priority = p;
  332. getClientPolicy(ca, discardedPolicies, policy);
  333. return policy;
  334. }
  335. Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
  336. Policy policy;
  337. policy.d_zoneData = std::make_shared<PolicyZoneData>();
  338. policy.d_zoneData->d_priority = p;
  339. getProcessingPolicy(qname, discardedPolicies, policy);
  340. return policy;
  341. }
  342. Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
  343. Policy policy;
  344. policy.d_zoneData = std::make_shared<PolicyZoneData>();
  345. policy.d_zoneData->d_priority = p;
  346. getProcessingPolicy(address, discardedPolicies, policy);
  347. return policy;
  348. }
  349. Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
  350. Policy policy;
  351. policy.d_zoneData = std::make_shared<PolicyZoneData>();
  352. policy.d_zoneData->d_priority = p;
  353. getPostPolicy(records, discardedPolicies, policy);
  354. return policy;
  355. }
  356. size_t size() const {
  357. return d_zones.size();
  358. }
  359. private:
  360. void assureZones(size_t zone);
  361. vector<std::shared_ptr<Zone>> d_zones;
  362. };
  363. void mergePolicyTags(std::unordered_set<std::string>& tags, const std::unordered_set<std::string>& newTags);