github.com/mysteriumnetwork/node@v0.0.0-20240516044423-365054f76801/dns/handler_whitelist.go

github.com/mysteriumnetwork/node@v0.0.0-20240516044423-365054f76801/dns/handler_whitelist.go (about)

     1  /*
     2   * Copyright (C) 2020 The "MysteriumNetwork/node" Authors.
     3   *
     4   * This program is free software: you can redistribute it and/or modify
     5   * it under the terms of the GNU General Public License as published by
     6   * the Free Software Foundation, either version 3 of the License, or
     7   * (at your option) any later version.
     8   *
     9   * This program is distributed in the hope that it will be useful,
    10   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    11   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12   * GNU General Public License for more details.
    13   *
    14   * You should have received a copy of the GNU General Public License
    15   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    16   */
    17  
    18  package dns
    19  
    20  import (
    21  	"strings"
    22  
    23  	"github.com/mysteriumnetwork/node/core/policy"
    24  
    25  	"github.com/miekg/dns"
    26  	"github.com/mysteriumnetwork/node/firewall"
    27  	"github.com/rs/zerolog/log"
    28  )
    29  
    30  // WhitelistAnswers creates a DNS handler that whitelist resolved queries to firewall.
    31  func WhitelistAnswers(
    32  	resolver dns.Handler,
    33  	trafficBlocker firewall.IncomingTrafficFirewall,
    34  	policies policy.Provider,
    35  ) dns.Handler {
    36  	return &whitelistHandler{
    37  		resolver:       resolver,
    38  		trafficBlocker: trafficBlocker,
    39  		policies:       policies,
    40  	}
    41  }
    42  
    43  type whitelistHandler struct {
    44  	resolver       dns.Handler
    45  	trafficBlocker firewall.IncomingTrafficFirewall
    46  	policies       policy.Provider
    47  }
    48  
    49  func (wh *whitelistHandler) ServeDNS(writer dns.ResponseWriter, req *dns.Msg) {
    50  	resolverWriter := &recordingWriter{writer: writer}
    51  	wh.resolver.ServeDNS(resolverWriter, req)
    52  	resp := resolverWriter.responseMsg
    53  
    54  	if err := wh.whitelistByAnswer(resp); err != nil {
    55  		log.Warn().Err(err).Msgf("Error updating firewall by DNS query: %s", resp.String())
    56  
    57  		resp := &dns.Msg{}
    58  		resp.SetRcode(req, dns.RcodeNameError)
    59  		writer.WriteMsg(resp)
    60  		return
    61  	}
    62  
    63  	writer.WriteMsg(resp)
    64  }
    65  
    66  func (wh *whitelistHandler) whitelistByAnswer(response *dns.Msg) error {
    67  	for _, record := range response.Answer {
    68  		switch recordValue := record.(type) {
    69  		case *dns.A:
    70  			if err := wh.whitelistByARecord(recordValue); err != nil {
    71  				return err
    72  			}
    73  		}
    74  	}
    75  	return nil
    76  }
    77  
    78  func (wh *whitelistHandler) whitelistByARecord(record *dns.A) error {
    79  	host := strings.TrimRight(record.Hdr.Name, ".")
    80  	ip := record.A
    81  
    82  	if wh.policies.IsHostAllowed(host) {
    83  		_, err := wh.trafficBlocker.AllowIPAccess(ip)
    84  		return err
    85  	}
    86  
    87  	return nil
    88  }