Block DNS requests with IPs 0.0.0.17 and ::17

2025-09-01 10:09:11 +00:00 · 2020-11-04 15:51:30 +01:00 · 2020-11-04 15:51:30 +01:00 · 057d167221
commit 057d167221
parent 24d21341fd
2 changed files with 13 additions and 4 deletions
--- a/firewall/interception.go
+++ b/firewall/interception.go
@ -2,6 +2,7 @@ package firewall

 import (
 	"context"
+	"net"
 	"os"
 	"sync/atomic"
 	"time"
@ -29,6 +30,9 @@ var (
 	packetsBlocked  = new(uint64)
 	packetsDropped  = new(uint64)
 	packetsFailed   = new(uint64)
+
+	blockedIPv4 = net.IPv4(0, 0, 0, 17)
+	blockedIPv6 = net.ParseIP("::17")
 )

 func init() {
@ -84,6 +88,11 @@ func handlePacket(ctx context.Context, pkt packet.Packet) {
 func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 	meta := pkt.Info()

+	// Check for blocked IP
+	if meta.Dst.Equal(blockedIPv4) || meta.Dst.Equal(blockedIPv6) {
+		_ = pkt.PermanentBlock()
+	}
+
 	switch meta.Protocol {
 	case packet.ICMP:
 		// Always permit ICMP.
--- a/nameserver/nsutil/nsutil.go
+++ b/nameserver/nsutil/nsutil.go
@ -58,9 +58,9 @@ func ZeroIP(msgs ...string) ResponderFunc {

 			switch question.Qtype {
 			case dns.TypeA:
-				rr, err = dns.NewRR(question.Name + " 0 IN A 0.0.0.0")
+				rr, err = dns.NewRR(question.Name + " 1 IN A 0.0.0.17")
 			case dns.TypeAAAA:
-				rr, err = dns.NewRR(question.Name + " 0 IN AAAA ::")
+				rr, err = dns.NewRR(question.Name + " 1 IN AAAA ::17")
 			}

 			switch {
@ -100,9 +100,9 @@ func Localhost(msgs ...string) ResponderFunc {

 			switch question.Qtype {
 			case dns.TypeA:
-				rr, err = dns.NewRR("localhost. 0 IN A 127.0.0.1")
+				rr, err = dns.NewRR("localhost. 1 IN A 127.0.0.1")
 			case dns.TypeAAAA:
-				rr, err = dns.NewRR("localhost. 0 IN AAAA ::1")
+				rr, err = dns.NewRR("localhost. 1 IN AAAA ::1")
 			}

 			switch {