[Reference:<_A3101@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: filter DNS queries
17 Jan 2006 06:05:18 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A3101@delegate-en.ML_> on 01/15/06(22:15:46)
you Patrick Useldinger <pdugabdyi-ecr676uuso5r.ml@ml.delegate.org> wrote:
 |I am looking for a DNS proxy that allows me to filter which DNS
 |requests are answered and which ones are dropped.
 |
 |The software should allow me to specify something like this:
 |192.168.1.5 "www.yahoo.com","www.google.com"
 |192.168.1.6 "www.google.com"
 |
 |meaning that the first machine is allowed to resolve the specified 2
 |names, and the second only "www.google.com".
 |
 |Reverse lookups, zone transfers and all kind of "browsing" must be blocked.
 |
 |Would this be possible with delegate?

DeleGate as a DNS server (or a resolver) can select an upstream server
(resolver) depending on the hostname or address pattern in each query.
It is specified with the RESOLV parameter of syntax
RESOLV="resType:resAddr:hostList" like this:

  RESOLV="dns:DnsServer1:{*.com,*.net},dns:DnsServer2:{*.org,*.edu,*.gov}"

This means using DnsServer1 for *.com and *.net, and using DnsServer2
for *.org, *.edu and *.gov.
Unfortunately, there was no way to select a resolver depending on
the client-host of each query.  But in general, parameters of DeleGate
can be controlled with the combination of destination server and source
client.  So I think RESOLV should be controlled depending on the client too.
The enclosed patch for DeleGate/9.0.5 extends the RESOLV parameter as follows:

  RESOLV=resType:resAddr:hostList:clientList[,...]

With this extended format, your example can be specified like this:

  RESOLV="dns:DnsServer:{*.yahoo.com,*.google.com}:192.168.1.5,dns:DnsServer:{*.google.com}:192.168.1.6"

Or it can be represented by a combination of parameters like this:

  RESOLV="dns:DnsServer:hosts1:clients1,dns:DnsServer:hosts2:clients2"
  HOSTLIST="hosts1:*.yahoo.com,*.google.com"
  HOSTLIST="hosts2:*.google.com"
  HOSTLIST="clients1:192.168.1.5"
  HOSTLIST="clients2:192.168.1.6"

A DNS DeleGate server on the port 8053 is invoked like this:

  delegated -v -P8053 SERVER=dns RESOLV=...

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


diff -cr ../delegate9.0.5/src/domain.c ./src/domain.c
*** ../delegate9.0.5/src/domain.c	Wed Sep 21 12:17:38 2005
--- ./src/domain.c	Tue Jan 17 14:51:15 2006
***************
*** 88,93 ****
--- 88,95 ----
  	}
  	return 0;
  }
+ extern const char *RES_client;
+ extern int RES_client_dependent;
  int service_domain1(Connection *Conn,int sock)
  {	CStr(ib,2048);
  	CStr(ob,2048);
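Review bot: The `extern const char *RES_client;` and `extern int RES_client_dependent;` declarations are written directly into domain.c (and `extern int RES_client_dependent;` again in the resolvy/resolv.c hunk at 1237) instead of a header included by reshost.c, where the definitions live; the compiler cannot check the three copies against each other, so a later change of type in one file would only show up at link time or at runtime. Declaring both once in a header that all three files include keeps them in step. service_domain1, which follows these lines, continues outside the hunk.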
***************
*** 143,149 ****
--- 145,157 ----
  			occ = prevrlen;
  			sv1log("## QUERY repeated * %d\n",++repeated);
  		}else{
+ 			RES_client_dependent = 0;
+ 			RES_client = froma;
  		occ = (*RES_DNSSEARCH)(AVStr(ob),ib,icc,froma,fromp);
+ 			RES_client = 0;
+ 			if( RES_client_dependent ){
+ 				/* don't cache client dependent result */
+ 			}else
  			if( 0 < occ ){
  				prevTime = Time();
  				bcopy(ib,prevq,icc);
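Review bot: `RES_client_dependent` is cleared only before the lookup and, in the hunks shown, nowhere after it, so after a client-dependent answer it stays 1 until the next query arrives; any resolution this process performs in between outside service_domain1 (resolv.c and reshost.c consult the same flag when deciding whether to cache) would be treated as client-dependent and left uncached. Copying the flag into a local and clearing it next to `RES_client = 0;` bounds its lifetime: `cldep = RES_client_dependent; RES_client_dependent = 0;` followed by `if( !cldep && 0 < occ ){`, which also removes the empty-bodied `if( RES_client_dependent ){ }else` that precedes `if( 0 < occ )`. The same empty-body construct is repeated in the resolv.c hunk at 1299 and the reshost.c hunks at 408 and 520. service_domain1 begins and ends outside this hunk.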
diff -cr ../delegate9.0.5/resolvy/resolv.c ./resolvy/resolv.c
*** ../delegate9.0.5/resolvy/resolv.c	Wed Jun  1 11:39:18 2005
--- ./resolvy/resolv.c	Tue Jan 17 14:57:58 2006
***************
*** 1237,1242 ****
--- 1237,1243 ----
  {
  	return gethostbyNX(name,0,0);
  }
+ extern int RES_client_dependent;
  static char NXDOM[128];
  static int NXDOM_RCU; /* cached RES_CACHED_UNKNOWN for NXDOM */
  extern int RES_CACHED_UNKNOWN;
***************
*** 1299,1304 ****
--- 1300,1308 ----
  		RES_AF = (char*)saf;
  	}
  
+ 	if( RES_client_dependent ){
+ 		/* don't cache client dependent result */
+ 	}else
  	if( ht == NULL ){
  		Xstrcpy(FVStr(NXDOM),name);
  		NXDOM_RCU = RES_CACHED_UNKNOWN;
diff -cr ../delegate9.0.5/src/inets.c ./src/inets.c
*** ../delegate9.0.5/src/inets.c	Mon Oct 31 17:49:39 2005
--- ./src/inets.c	Tue Jan 17 11:55:44 2006
***************
*** 468,485 ****
--- 468,494 ----
  */
  	CStr(typespecb,1024);
  	CStr(argb,256);
+ 	/*
  	const char *av[3];
+ 	*/
+ 	const char *av[4];
  	const char *type;
  	const char *arg;
  	const char *doms;
+ 	const char *clients;
  	int map;
  
  	strcpy(typespecb,typespec);
+ 	/*
  	av[0] = av[1] = av[2] = "";
  	list2vect(typespecb,':',3,av);
+ 	*/
+ 	av[0] = av[1] = av[2] = av[3] = "";
+ 	list2vect(typespecb,':',4,av);
  	type = av[0];
  	arg = av[1];
  	doms = av[2];
+ 	clients = av[3];
  
  	if( strcasecmp(type,"cache") == 0 )
  		strcat(order,"C");
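Review bot: The superseded lines (`const char *av[3];`, `av[0] = av[1] = av[2] = "";`, `list2vect(typespecb,':',3,av);`) are left in place inside `/* */` next to their replacements rather than deleted, and the same is done around `readhosts1(path,fp,&Hosts[0]);` in the reshost.c hunk at 807; version control already preserves the old form and the commented copies will only drift from the live code. Remove the commented blocks and keep the 4-field parsing with a one-line comment naming the layout, e.g. `/* RESOLV=resType:resAddr:hostList:clientList */`, so a reader of this function does not have to find the mailing-list post to learn what `av[3]` is. The enclosing function begins before the hunk.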
***************
*** 522,527 ****
--- 531,543 ----
  		if( arg[0] == 0 )
  			Xsprintf(TVStr(order),":");
  		Xsprintf(TVStr(order),"#%d",map);
+ 		RES_hlmatch = res_dommatch;
+ 	}
+ 	if( clients[0] ){
+ 		map = makePathList("RESOLV",clients);
+ 		if( clients[0] == 0 )
+ 			Xsprintf(TVStr(order),":");
+ 		Xsprintf(TVStr(order),"<%d",map);
  		RES_hlmatch = res_dommatch;
  	}
  	if( arg[0] || doms[0] ){
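Review bot: Inside `if( clients[0] ){` the test `if( clients[0] == 0 )` on the next line can never be true, so that `Xsprintf(TVStr(order),":")` is dead; it looks copied from the `if( arg[0] == 0 )` case above, where the separator is emitted for a different reason. If the `<%d` token must still be delimited when both arg and doms are empty, the condition should be on those two (`if( arg[0] == 0 && doms[0] == 0 )`); otherwise the two lines should be dropped. The repeated `RES_hlmatch = res_dommatch;` is harmless but redundant whenever doms was also given. The function continues beyond the hunk.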
diff -cr ../delegate9.0.5/resolvy/reshost.c ./resolvy/reshost.c
*** ../delegate9.0.5/resolvy/reshost.c	Mon Jul 25 16:42:21 2005
--- ./resolvy/reshost.c	Tue Jan 17 14:59:27 2006
***************
*** 155,160 ****
--- 155,178 ----
  
  int RES_next_res(PCStr(where),int ri,PVStr(res),PVStr(arg));
  int (*RES_hlmatch)(PCStr(hlist),PCStr(host));
+ const char *RES_client;
+ int RES_client_dependent;
+ static int clientmatch(PCStr(host),PCStr(where),PCStr(res1),PVStr(arg)){
+ 	int match = 1;
+ 	refQStr(client,arg);
+ 
+ 	client = strchr(arg,'<');
+ 	if( client == 0 ){
+ 		return -1;
+ 	}
+ 	setVStrPtrInc(client,0);
+ 	if( RES_client == 0 ){
+ 		return 0;
+ 	}
+ 	RES_client_dependent = 1;
+ 	match = (*RES_hlmatch)(client,RES_client);
+ 	return match;
+ }
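Review bot: clientmatch's three-way return value (-1 when `arg` carries no `<` client list, 0 when a list exists but `RES_client` is unset or does not match, 1 on a match) is what both callers rely on through `== 0`, and the deny-by-default behaviour when `RES_client == 0` is the security-relevant part, yet none of it is documented; a header comment along the lines of `/* -1: no client list, entry applies to every client; 0: skip entry (no client context, or client not in list); 1: client matched. Sets RES_client_dependent whenever a list is consulted so the answer is not cached. */` would make the contract explicit. `int match = 1;` is overwritten before it is read and `refQStr(client,arg)` is immediately reassigned by `strchr`, so both initializers are dead. `setVStrPtrInc(client,0)` appears to cut `arg` at the `<` in place, which is why the callers have to invoke clientmatch before dommatch — that ordering is worth stating in the same comment. Since `RES_client` is what service_domain1 passes as froma, presumably the unauthenticated source address of a UDP query, the list is a policy filter rather than client authentication, and the comment should not claim more than that.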
  static int dommatch(PCStr(host),PCStr(where),PCStr(res1),PVStr(arg)){
  	int match = 1;
  	refQStr(dom,arg);
***************
*** 336,341 ****
--- 354,360 ----
  	int with_cache = 0;
  	int leng;
  	int byname = (RES_QTYPE == AF_INET6) ? AF_INET6 : 1;
+ 	int clmatch = 0;
  
  	res_log(0,0,0,0,0);
  
***************
*** 355,360 ****
--- 374,382 ----
  	  debug(DBG_ANY,"        RES[%s] %s\n",res1,where);
  	  res = res1[0];
  
+ 	  if( (clmatch = clientmatch(name,where,res1,AVStr(arg))) == 0 ){
+ 		continue;
+ 	  }
  	  if( !RES_ASIS && res == RT_DNS ){
  		/* will be filtered in dnsrch() after extented with DEFDNAME */
  	  }else
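Review bot: `clmatch` receives clientmatch's result but, within the hunks shown (here and in the reverse-lookup loop at 469), is never read after the `== 0` test, so the declarations added at 336 and 459 and the assignments are dead; `if( clientmatch(name,where,res1,AVStr(arg)) == 0 ) continue;` says the same thing. If the -1/1 distinction is meant to be used later (for example to prefer a client-matched entry), a comment should say so. A one-line comment that clientmatch must run before dommatch because it trims the client list off `arg` in place would also help — the ordering is load-bearing but reads as incidental. The loop continues beyond the hunk.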
***************
*** 408,413 ****
--- 430,439 ----
  
  	RES_CACHED_UNKNOWN = 0;
  	if( with_cache && lastres )
+ 	if( RES_client_dependent ){
+ 		/* don't cache client dependent result */
+ 	}
+ 	else
  		ac = caching(lastres,ac,name,rv,1,AVStr(cname),UNKNOWN_HOSTADDR,4);
  
  	debug(DBG_NS,"Hit: %d\n",ac);
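Review bot: The new `if( RES_client_dependent ){ } else` is nested under the unbraced `if( with_cache && lastres )`, so the `else` attaches to the inner `if` only by the dangling-else rule; it is correct as written but fragile, and the same construct is repeated in the hunk at 520. `if( with_cache && lastres && !RES_client_dependent )` followed by the existing `ac = caching(...)` line expresses the intent in one condition with no empty body, and the `/* don't cache client dependent result */` comment can sit above it. The surrounding function extends beyond the hunk.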
***************
*** 459,464 ****
--- 485,491 ----
  	CStr(res1,512);
  	CStr(arg,512);
  	int with_cache = 0;
+ 	int clmatch = 0;
  
  	res_log(0,0,0,0,0);
  
***************
*** 469,474 ****
--- 496,504 ----
  
  	for( ri = 0; ri = RES_next_res(where,ri,AVStr(res1),AVStr(arg)); ){
  	  debug(DBG_ANY,"        RES[%s] %s\n",res1,where);
+ 	  if( (clmatch = clientmatch(caddr,where,res1,AVStr(arg))) == 0 ){
+ 		continue;
+ 	  }
  	  if( dommatch(caddr,where,res1,AVStr(arg)) == 0 ){
  		continue;
  	  }
***************
*** 520,525 ****
--- 550,559 ----
  
  	RES_CACHED_UNKNOWN = 0;
  	if( with_cache && lastres )
+ 	if( RES_client_dependent ){
+ 		/* don't cache client dependent result */
+ 	}
+ 	else
  		ac = caching(lastres,ac,caddr,rv,0,VStrNULL,UNKNOWN_HOSTNAME,0);
  
  	debug(DBG_NS,"Hit: %d\n",ac);
***************
*** 791,798 ****
--- 825,841 ----
  	HostFile *hp;
  	const char *lp;
  	int leng;
+ 	int hi;
  
  	hp = &Hosts[0];
+ 	for( hi = 0; hi < elnumof(Hosts)-1; hi++ ){
+ 		hp = &Hosts[hi];
+ 		if( hp->h_path == 0 )
+ 			break;
+ 		if( streq(hp->h_path,path) )
+ 			break;
+ 	}
+ 
  	now = time(0);
  	if( hp->h_buff == NULL || 60 < (now-hp->h_date) ){
  		if( path == NULL || path[0] == 0 )
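Review bot: When every slot visited already holds a different path, the loop exits with `hi == elnumof(Hosts)-1` while `hp` still points at `Hosts[elnumof(Hosts)-2]`, so that entry (the list for some other HOSTLIST name) is reloaded from `path` by the `readhosts1(path,fp,hp)` call further down; the `-1` bound suggests the final slot was meant as a shared fallback, in which case `hp = &Hosts[hi];` after the loop is missing. With the four HOSTLIST names in the message plus the RESOLV host and client lists, the table needs enough slots or lists will evict one another on every call; that costs only extra file reads if readhosts1 also updates `h_path`, which is not visible here — if it does not, a stale `h_path` would make the `streq` match return the wrong list for an access-control decision, so it is worth confirming. The function begins before the hunk.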
***************
*** 807,813 ****
--- 850,859 ----
  			return -1;
  		}
  
+ 		/*
  		readhosts1(path,fp,&Hosts[0]);
+ 		*/
+ 		readhosts1(path,fp,hp);
  
  		if( strncmp(path,"sh:",3) == 0 )
  			pclose(fp);
