Changeset 923

Timestamp:

11/16/06 22:10:54 (2 years ago)

Author:

ahu

Message:

implement 'dont-query', and enable it by default, which means we no longer query rfc1918 space, nor 127.0.0.1

Files:

• trunk/pdns/pdns/docs/pdns.sgml (modified) (1 diff)
• trunk/pdns/pdns/iputils.hh (modified) (3 diffs)
• trunk/pdns/pdns/lwres.cc (modified) (1 diff)
• trunk/pdns/pdns/pdns_recursor.cc (modified) (3 diffs)
• trunk/pdns/pdns/syncres.cc (modified) (1 diff)

trunk/pdns/pdns/docs/pdns.sgml

@@ -6790 +6790 @@
-              <para>
-                A Verisign special.
+              </para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>dont-query</term>
+            <listitem>
+              <para>
+                The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, 
+                depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query
+                private space IP addresses. This setting can be used to expand or reduce the limitations.
-              </para>
-            </listitem>

trunk/pdns/pdns/iputils.hh

@@ -120 +120 @@
-  }
-
-
+const
-  {
-    if(sin4.sin_family!=AF_INET6)
@@ -138 +138 @@
-  }
-  
- 
+const
-  {
-    if(!isMappedIPv4())
@@ -267 +267 @@
-public:
-  //! If this IP address is matched by any of the classes within
-
+const 
-  {
-    for(container_t::const_iterator i=d_masks.begin();i!=d_masks.end();++i)

trunk/pdns/pdns/lwres.cc

@@ -52 +52 @@
-  delete[] d_buf;
-}
-
-
-//! returns -2 for OS limits error, -1 for permanent error that has to do with remote, 0 for timeout, 1 for success

trunk/pdns/pdns/pdns_recursor.cc

@@ -77 +77 @@
-bool g_quiet;
-NetmaskGroup* g_allowFrom;
+NetmaskGroup* g_dontQuery;
-string s_programname="pdns_recursor";
-typedef vector<int> g_tcpListenSockets_t;
@@ -1490 +1491 @@
-    L<<Logger::Error<<"WARNING: Allowing queries from all IP addresses - this can be a security risk!"<<endl;
-  
+  if(!::arg()["dont-query"].empty()) {
+    g_dontQuery=new NetmaskGroup;
+    vector<string> ips;
+    stringtok(ips, ::arg()["dont-query"], ", ");
+    L<<Logger::Warning<<"Will not send queries to: ";
+    for(vector<string>::const_iterator i = ips.begin(); i!= ips.end(); ++i) {
+      g_dontQuery->addMask(*i);
+      if(i!=ips.begin())
+        L<<Logger::Warning<<", ";
+      L<<Logger::Warning<<*i;
+    }
+    L<<Logger::Warning<<endl;
+  }
+
-  g_quiet=::arg().mustDo("quiet");
-  if(::arg().mustDo("trace")) {
@@ -1698 +1713 @@
-    ::arg().set("version-string", "string reported on version.pdns or version.bind")="PowerDNS Recursor "VERSION" $Id$";
-    ::arg().set("allow-from", "If set, only allow these comma separated netmasks to recurse")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10";
+    ::arg().set("dont-query", "If set, do not query these netmasks for DNS data")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10";
-    ::arg().set("max-tcp-per-client", "If set, maximum number of TCP sessions per client (IP address)")="0";
-    ::arg().set("fork", "If set, fork the daemon for possible double performance")="no";

trunk/pdns/pdns/syncres.cc

@@ -661 +661 @@
-        for(remoteIP = remoteIPs.begin(); remoteIP != remoteIPs.end(); ++remoteIP) {
-          LOG<<prefix<<qname<<": Trying IP "<< remoteIP->toString() <<", asking '"<<qname<<"|"<<qtype.getName()<<"'"<<endl;
+          extern NetmaskGroup* g_dontQuery;
-          
-          if(s_throttle.shouldThrottle(d_now.tv_sec, make_tuple(*remoteIP, qname, qtype.getCode()))) {
-            LOG<<prefix<<qname<<": query throttled "<<endl;
-            s_throttledqueries++; d_throttledqueries++;
+            continue;
+          } 
+          else if(g_dontQuery && g_dontQuery->match(&*remoteIP)) {
+            LOG<<prefix<<qname<<": not sending query to " << remoteIP->toString() << ", blocked by 'dont-query' setting" << endl;
-            continue;
-          }