mirror of
https://github.com/safing/portmaster
synced 2025-09-01 10:09:11 +00:00
245 lines
6.4 KiB
Go
245 lines
6.4 KiB
Go
package resolver
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"strings"
|
|
|
|
"github.com/safing/portmaster/netenv"
|
|
|
|
"github.com/miekg/dns"
|
|
"github.com/safing/portbase/log"
|
|
)
|
|
|
|
// Domain Scopes
|
|
var (
|
|
// Localhost Domain
|
|
// Handling: Respond with 127.0.0.1 and ::1 to A and AAAA queries, respectively.
|
|
// RFC6761
|
|
localhostDomain = ".localhost."
|
|
|
|
// Invalid Domain
|
|
// Handling: Always respond with NXDOMAIN.
|
|
// RFC6761
|
|
invalidDomain = ".invalid."
|
|
|
|
// Internal Special-Use Domain
|
|
// Used by Portmaster for special addressing.
|
|
internalSpecialUseDomainScope = "." + internalSpecialUseDomain
|
|
|
|
// Multicast DNS
|
|
// Handling: Send to nameservers with matching search scope, then MDNS
|
|
// RFC6762
|
|
multicastDomains = []string{
|
|
".local.",
|
|
".254.169.in-addr.arpa.",
|
|
".8.e.f.ip6.arpa.",
|
|
".9.e.f.ip6.arpa.",
|
|
".a.e.f.ip6.arpa.",
|
|
".b.e.f.ip6.arpa.",
|
|
}
|
|
|
|
// Special-Use Domain Names
|
|
// Handling: Send to nameservers with matching search scope, then local and system assigned nameservers
|
|
// IANA Ref: https://www.iana.org/assignments/special-use-domain-names
|
|
specialUseDomains = []string{
|
|
// RFC8375: Designated for non-unique use in residential home networks.
|
|
".home.arpa.",
|
|
|
|
// RFC6762 (Appendix G): Non-official, but officially listed, private use domains.
|
|
".intranet.",
|
|
".internal.",
|
|
".private.",
|
|
".corp.",
|
|
".home.",
|
|
".lan.",
|
|
|
|
// RFC6761: IPv4 private-address reverse-mapping domains.
|
|
".10.in-addr.arpa.",
|
|
".16.172.in-addr.arpa.",
|
|
".17.172.in-addr.arpa.",
|
|
".18.172.in-addr.arpa.",
|
|
".19.172.in-addr.arpa.",
|
|
".20.172.in-addr.arpa.",
|
|
".21.172.in-addr.arpa.",
|
|
".22.172.in-addr.arpa.",
|
|
".23.172.in-addr.arpa.",
|
|
".24.172.in-addr.arpa.",
|
|
".25.172.in-addr.arpa.",
|
|
".26.172.in-addr.arpa.",
|
|
".27.172.in-addr.arpa.",
|
|
".28.172.in-addr.arpa.",
|
|
".29.172.in-addr.arpa.",
|
|
".30.172.in-addr.arpa.",
|
|
".31.172.in-addr.arpa.",
|
|
".168.192.in-addr.arpa.",
|
|
|
|
// RFC4193: IPv6 private-address reverse-mapping domains.
|
|
".d.f.ip6.arpa",
|
|
".c.f.ip6.arpa",
|
|
|
|
// RFC6761: Special use domains for documentation and testing.
|
|
".example.",
|
|
".example.com.",
|
|
".example.net.",
|
|
".example.org.",
|
|
".test.",
|
|
}
|
|
|
|
// Special-Service Domain Names
|
|
// Handling: Send to nameservers with matching search scope, then local and system assigned nameservers
|
|
specialServiceDomains = []string{
|
|
// RFC7686: Tor Hidden Services
|
|
".onion.",
|
|
|
|
// Namecoin: Blockchain based nameservice, https://www.namecoin.org/
|
|
".bit.",
|
|
}
|
|
)
|
|
|
|
func domainInScope(dotPrefixedFQDN string, scopeList []string) bool {
|
|
for _, scope := range scopeList {
|
|
if strings.HasSuffix(dotPrefixedFQDN, scope) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// GetResolversInScope returns all resolvers that are in scope the resolve the given query and options.
|
|
func GetResolversInScope(ctx context.Context, q *Query) (selected []*Resolver, tryAll bool) { //nolint:gocognit // TODO
|
|
resolversLock.RLock()
|
|
defer resolversLock.RUnlock()
|
|
|
|
// Internal use domains
|
|
if strings.HasSuffix(q.dotPrefixedFQDN, internalSpecialUseDomainScope) {
|
|
return envResolvers, false
|
|
}
|
|
|
|
// Special connectivity domains
|
|
if netenv.IsConnectivityDomain(q.FQDN) && len(systemResolvers) > 0 {
|
|
// Do not do compliance checks for connectivity domains.
|
|
selected = append(selected, systemResolvers...) // dhcp assigned resolvers
|
|
return selected, false
|
|
}
|
|
|
|
// Prioritize search scopes
|
|
for _, scope := range localScopes {
|
|
if strings.HasSuffix(q.dotPrefixedFQDN, scope.Domain) {
|
|
selected = addResolvers(ctx, q, selected, scope.Resolvers)
|
|
}
|
|
}
|
|
|
|
// Handle multicast domains
|
|
if domainInScope(q.dotPrefixedFQDN, multicastDomains) {
|
|
selected = addResolvers(ctx, q, selected, mDNSResolvers)
|
|
// Add local resolvers if no resolvers were selected.
|
|
if len(selected) == 0 {
|
|
selected = addResolvers(ctx, q, selected, localResolvers)
|
|
}
|
|
return selected, true
|
|
}
|
|
|
|
// Special use domains
|
|
if domainInScope(q.dotPrefixedFQDN, specialUseDomains) ||
|
|
domainInScope(q.dotPrefixedFQDN, specialServiceDomains) {
|
|
selected = addResolvers(ctx, q, selected, localResolvers)
|
|
selected = addResolvers(ctx, q, selected, systemResolvers)
|
|
return selected, true
|
|
}
|
|
|
|
// Global domains
|
|
selected = addResolvers(ctx, q, selected, globalResolvers)
|
|
return selected, false
|
|
}
|
|
|
|
func addResolvers(ctx context.Context, q *Query, selected []*Resolver, addResolvers []*Resolver) []*Resolver {
|
|
addNextResolver:
|
|
for _, resolver := range addResolvers {
|
|
// check for compliance
|
|
if err := resolver.checkCompliance(ctx, q); err != nil {
|
|
log.Tracer(ctx).Tracef("skipping non-compliant resolver %s: %s", resolver.GetName(), err)
|
|
continue
|
|
}
|
|
|
|
// deduplicate
|
|
for _, selectedResolver := range selected {
|
|
if selectedResolver.Server == resolver.Server {
|
|
continue addNextResolver
|
|
}
|
|
}
|
|
|
|
// add compliant and unique resolvers to selected resolvers
|
|
selected = append(selected, resolver)
|
|
}
|
|
return selected
|
|
}
|
|
|
|
var (
|
|
errInsecureProtocol = errors.New("insecure protocols disabled")
|
|
errAssignedServer = errors.New("assigned (dhcp) nameservers disabled")
|
|
errMulticastDNS = errors.New("multicast DNS disabled")
|
|
errSkip = errors.New("this fqdn cannot resolved by this resolver")
|
|
)
|
|
|
|
func (q *Query) checkCompliance() error {
|
|
// RFC6761 - always respond with nxdomain
|
|
if strings.HasSuffix(q.dotPrefixedFQDN, invalidDomain) {
|
|
return ErrNotFound
|
|
}
|
|
|
|
// RFC6761 - respond with 127.0.0.1 and ::1 to A and AAAA queries respectively, else nxdomain
|
|
if strings.HasSuffix(q.dotPrefixedFQDN, localhostDomain) {
|
|
switch uint16(q.QType) {
|
|
case dns.TypeA, dns.TypeAAAA:
|
|
return ErrLocalhost
|
|
default:
|
|
return ErrNotFound
|
|
}
|
|
}
|
|
|
|
// special TLDs
|
|
if dontResolveSpecialDomains(q.SecurityLevel) &&
|
|
domainInScope(q.dotPrefixedFQDN, specialServiceDomains) {
|
|
return ErrSpecialDomainsDisabled
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (resolver *Resolver) checkCompliance(_ context.Context, q *Query) error {
|
|
if q.FQDN == resolver.SkipFQDN {
|
|
return errSkip
|
|
}
|
|
|
|
if noInsecureProtocols(q.SecurityLevel) {
|
|
switch resolver.ServerType {
|
|
case ServerTypeDNS:
|
|
return errInsecureProtocol
|
|
case ServerTypeTCP:
|
|
return errInsecureProtocol
|
|
case ServerTypeDoT:
|
|
// compliant
|
|
case ServerTypeDoH:
|
|
// compliant
|
|
case ServerTypeEnv:
|
|
// compliant (data is sources from local network only and is highly limited)
|
|
default:
|
|
return errInsecureProtocol
|
|
}
|
|
}
|
|
|
|
if noAssignedNameservers(q.SecurityLevel) {
|
|
if resolver.Source == ServerSourceOperatingSystem {
|
|
return errAssignedServer
|
|
}
|
|
}
|
|
|
|
if noMulticastDNS(q.SecurityLevel) {
|
|
if resolver.Source == ServerSourceMDNS {
|
|
return errMulticastDNS
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|