niklas/cool-dns
1
0
Fork 0
Code Issues Pull Requests Projects Releases 4 Wiki Activity

Compare commits

base: niklas:master
Branches Tags
niklas:master
niklas:develop
niklas:0.4
niklas:0.3
niklas:v0.2
niklas:v0.1
..
compare: niklas:v0.1
Branches Tags
niklas:master
niklas:develop
niklas:0.4
niklas:0.3
niklas:v0.2
niklas:v0.1

No commits in common. "master" and "v0.1" have entirely different histories.
master ... v0.1

13 changed files with 411 additions and 733 deletions
Show Stats Expand all files Collapse all files

12
.drone.yml
View File

@ -5,7 +5,7 @@ steps:
- name: build
image: golang
commands:
- go build cmd/cooldns.go
- go build
- name: gitea_release
image: plugins/gitea-release
@ -14,23 +14,17 @@ steps:
from_secret: GITEA_API_KEY
base_url: https://git.kapelle.org
files:
- cooldns
- cool-dns
checksum:
- md5
- sha1
- sha256
title: ${DRONE_TAG}
title: v0.1
prerelease: true
when:
event:
- tag
- name: docker
image: plugins/docker
settings:
repo: docker.kapelle.org/cooldns
registry: docker.kapelle.org
trigger:
event:
- tag

16
Dockerfile
View File

@ -1,16 +0,0 @@
FROM golang:alpine AS build
WORKDIR /build
COPY [ "go.mod", "go.sum", "./"]
COPY internal ./internal
COPY cmd ./cmd
RUN go build -o cooldns cmd/cooldns.go
FROM alpine:latest
WORKDIR /app
COPY --from=build /build/cooldns .
ENTRYPOINT ["/app/cooldns"]

19
README.md
View File

@ -23,29 +23,10 @@ acl: # List of ip filter rules
- name: local
cidr: 127.0.0.1/32
tls:
enable: true # Enable DNS over TLS
address: 0.0.0.0:8853 # What address and port to liste for tls connections
cert: cert.crt # Path to the certificate file
key: private.key # Path to the private key file
forward:
acl: # What IPs are allowed
- vpn
server: "8.8.8.8:53" # DNS server to forward to
address: 0.0.0.0:8053 # What address and port to listen on
blacklist: # What domains to block when forwarding
# URL of the blacklist
- url: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
format: host # Format of the blacklist: Hostfile
- url: https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt
format: line # Format: One domain per line
lego: # Support for Lego http provider. See https://go-acme.github.io/lego/dns/httpreq/
enable: true
address: :8080
username: lego
secret: "133742069ab"
```

72
internal/blacklist.go → blacklist.go
View File

@ -1,18 +1,16 @@
package cooldns
package main
import (
"errors"
"io/ioutil"
"log"
"net"
"net/http"
"regexp"
"strings"
"github.com/miekg/dns"
)
const blockTTL uint32 = 604800
const blockTTL uint32 = 300
var nullIPv4 = net.IPv4(0, 0, 0, 0)
var nullIPv6 = net.ParseIP("::/0")
@ -28,10 +26,12 @@ func loadBlacklist(config []configBlacklist) map[string]bool {
}
domains := parseRawBlacklist(element, *raw)
log.Printf("Added %d blocked domains", len(domains))
list = append(list, domains...)
}
// list = removeDuplicates(list)
// sort.Strings(list)
domainMap := make(map[string]bool)
for _, e := range list {
domainMap[e] = true
@ -40,81 +40,56 @@ func loadBlacklist(config []configBlacklist) map[string]bool {
return domainMap
}
func requestBacklist(blacklist configBlacklist) (*string, error) {
if blacklist.URL != "" {
return getBlacklistFromURL(blacklist.URL)
func removeDuplicates(elements []string) []string {
encountered := map[string]bool{}
result := []string{}
for v := range elements {
if !encountered[elements[v]] {
encountered[elements[v]] = true
result = append(result, elements[v])
}
}
return nil, errors.New("No blacklist provided")
return result
}
func getBlacklistFromURL(url string) (*string, error) {
func requestBacklist(blacklist configBlacklist) (*string, error) {
// Request list
resp, err := http.Get(url)
resp, err := http.Get(blacklist.URL)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
log.Printf("Got %d status code. Continueing anyway.", resp.StatusCode)
}
body, err := ioutil.ReadAll(resp.Body)
bodyString := string(body)
log.Printf("Downloaded blacklist %s", url)
log.Printf("Downloaded blacklist %s", blacklist.URL)
return &bodyString, err
}
// parseRawBlacklist parse the raw string depending on the given format
func parseRawBlacklist(blacklist configBlacklist, raw string) []string {
switch blacklist.Format {
case "host":
return parseHostFormat(raw)
case "line":
return parseLineFormat(raw)
default:
log.Printf("Failed to parse blacklist. Format not supported: %s", blacklist.Format)
log.Println("Supported types are: host, line")
return make([]string, 0)
}
}
// parseHostFormat parse the string in the format of a hostfile
func parseHostFormat(raw string) []string {
finalList := make([]string, 0)
reg := regexp.MustCompile(`(?m)^\s*(0\.0\.0\.0) ([a-zA-Z0-9-.]*)`)
reg := regexp.MustCompile(`(?mi)^\s*(#*)\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+([a-zA-Z0-9\.\- ]+)$`)
matches := reg.FindAllStringSubmatch(raw, -1)
for _, match := range matches {
finalList = append(finalList, dns.Fqdn(match[2]))
if match[1] != "#" {
finalList = append(finalList, dns.Fqdn(match[3]))
}
}
return finalList
}
// parseLineFormat one domain per line, ignore comments
func parseLineFormat(raw string) []string {
list := make([]string, 0)
for _, line := range strings.Split(raw, "\n") {
if !strings.HasPrefix(line, "#") {
list = append(list, line)
}
}
return list
}
func handleBlockedDomain(w dns.ResponseWriter, r *dns.Msg) {
q := r.Question[0]
m := new(dns.Msg)
m.SetReply(r)
if q.Qtype == dns.TypeA {
// Respond with 0.0.0.0
m.Answer = append(m.Answer, &dns.A{
Hdr: dns.RR_Header{
Name: q.Name,
@ -125,7 +100,6 @@ func handleBlockedDomain(w dns.ResponseWriter, r *dns.Msg) {
A: nullIPv4,
})
} else if q.Qtype == dns.TypeAAAA {
// Respond with ::/0
m.Answer = append(m.Answer, &dns.AAAA{
Hdr: dns.RR_Header{
Name: q.Name,

24
cmd/cooldns.go
View File

@ -1,24 +0,0 @@
package main
import (
"flag"
"log"
"os"
"os/signal"
"syscall"
cooldns "git.kapelle.org/niklas/cool-dns/internal"
)
func main() {
configPath := flag.String("c", "/etc/cool-dns/config.yaml", "path to the config file")
flag.Parse()
cooldns.Start(*configPath)
sig := make(chan os.Signal)
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
s := <-sig
log.Printf("Signal (%v) received, stopping\n", s)
os.Exit(0)
}

16
exampleConfig.yml → config.yml
View File

@ -5,7 +5,7 @@ zones:
- zone: example.com.
file: zonefile2.txt
acl:
- vpn
- lan
acl:
- name: vpn
@ -22,20 +22,6 @@ forward:
address: 0.0.0.0:8053
tls:
enable: false
address: 0.0.0.0:8853
cert: cert.crt
key: private.key
blacklist:
- url: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
format: host
- url: https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt
format: line
lego:
enable: true
address: :8080
username: lego
secret: "133742069ab"

364
coolDns.go Normal file
View File

@ -0,0 +1,364 @@
package main
import (
"flag"
"io/ioutil"
"log"
"net"
"os"
"os/signal"
"strings"
"syscall"
"github.com/miekg/dns"
"gopkg.in/yaml.v3"
)
type zoneView struct {
rr rrMap
acl []string
}
type zoneMap map[string][]zoneView
type rrMap map[uint16]map[string][]dns.RR
type config struct {
Zones []configZone `yaml:"zones"`
ACL []configACL `yaml:"acl"`
Forward configForward `yaml:"forward"`
Address string `yaml:"address"`
Blacklist []configBlacklist `yaml:"blacklist"`
}
type configForward struct {
ACL []string `yaml:"acl"`
Server string `yaml:"server"`
}
type configACL struct {
Name string `yaml:"name"`
CIDR string `yaml:"cidr"`
}
type configZone struct {
Zone string `yaml:"zone"`
File string `yaml:"file"`
ACL []string `yaml:"acl"`
}
type configBlacklist struct {
URL string `yaml:"url"`
Format string `yaml:"format"`
}
var anyRecordTypes = []uint16{
dns.TypeSOA,
dns.TypeA,
dns.TypeAAAA,
dns.TypeNS,
dns.TypeCNAME,
dns.TypeMX,
dns.TypeTXT,
dns.TypeSRV,
dns.TypeCAA,
}
func loadConfig(configPath string) (*config, error) {
file, err := ioutil.ReadFile(configPath)
if err != nil {
return nil, err
}
var loadedConfig config
err = yaml.Unmarshal(file, &loadedConfig)
if err != nil {
return nil, err
}
return &loadedConfig, nil
}
func loadZones(configZones []configZone) (zoneMap, error) {
zones := make(zoneMap)
for _, z := range configZones {
rrs, err := loadZonefile(z.File, z.Zone)
if err != nil {
return nil, err
}
if zones[z.Zone] == nil {
zones[z.Zone] = make([]zoneView, 0)
}
zones[z.Zone] = append(zones[z.Zone], zoneView{
rr: createRRMap(rrs),
acl: z.ACL,
})
log.Printf("Loaded zone %s\n", z.Zone)
}
return zones, nil
}
func createRRMap(rrs []dns.RR) rrMap {
rrMap := make(rrMap)
for _, rr := range rrs {
if rrMap[rr.Header().Rrtype] == nil {
rrMap[rr.Header().Rrtype] = make(map[string][]dns.RR)
}
if rrMap[rr.Header().Rrtype][rr.Header().Name] == nil {
rrMap[rr.Header().Rrtype][rr.Header().Name] = make([]dns.RR, 0)
}
rrMap[rr.Header().Rrtype][rr.Header().Name] = append(rrMap[rr.Header().Rrtype][rr.Header().Name], rr)
}
return rrMap
}
func loadZonefile(filepath, origin string) ([]dns.RR, error) {
file, err := os.Open(filepath)
if err != nil {
return nil, err
}
parser := dns.NewZoneParser(file, origin, filepath)
var rrs = make([]dns.RR, 0)
for rr, ok := parser.Next(); ok; rr, ok = parser.Next() {
rrs = append(rrs, rr)
}
if err := parser.Err(); err != nil {
log.Println(err)
}
return rrs, nil
}
func createACLList(config []configACL) (map[string]*net.IPNet, error) {
acls := make(map[string]*net.IPNet)
for _, aclRule := range config {
_, mask, err := net.ParseCIDR(aclRule.CIDR)
if err != nil {
return nil, err
}
acls[aclRule.Name] = mask
}
return acls, nil
}
func createServer(zones zoneMap, config config, aclList map[string]*net.IPNet, blacklist map[string]bool) *dns.ServeMux {
srv := dns.NewServeMux()
c := new(dns.Client)
for zoneName, zones := range zones {
srv.HandleFunc(zoneName, func(w dns.ResponseWriter, r *dns.Msg) {
// Parse IP
remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
ip := net.ParseIP(remoteIP)
if err != nil && ip != nil {
log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
return
}
// find out what view to handle the request
zoneIndex := -1
for i, zone := range zones {
if (len(zone.acl) == 0 && zoneIndex == -1) || checkACL(zone.acl, aclList, ip) {
zoneIndex = i
}
}
if zoneIndex == -1 {
rcodeRequest(w, r, dns.RcodeRefused)
return
}
handleRequest(w, r, zones[zoneIndex])
})
}
// Handle any other request
srv.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
ip := net.ParseIP(remoteIP)
if err != nil && ip != nil {
log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
return
}
// Check ACL rules
if !checkACL(config.Forward.ACL, aclList, ip) {
rcodeRequest(w, r, dns.RcodeRefused)
return
}
if _, ok := blacklist[r.Question[0].Name]; ok {
handleBlockedDomain(w, r)
} else {
// Forward request
in, _, err := c.Exchange(r, config.Forward.Server)
if err != nil {
rcodeRequest(w, r, dns.RcodeServerFailure)
return
}
w.WriteMsg(in)
}
})
return srv
}
func listenAndServer(server *dns.ServeMux, address string) {
go func() {
if err := dns.ListenAndServe(address, "udp", server); err != nil {
log.Fatalf("Failed to set udp listener %s\n", err.Error())
}
}()
go func() {
if err := dns.ListenAndServe(address, "tcp", server); err != nil {
log.Fatalf("Failed to set tcp listener %s\n", err.Error())
}
}()
}
func checkACL(alcRules []string, aclList map[string]*net.IPNet, ip net.IP) bool {
if len(alcRules) != 0 {
passed := false
for _, rule := range alcRules {
if aclList[rule].Contains(ip) {
passed = true
}
}
return passed
}
return true
}
func rcodeRequest(w dns.ResponseWriter, r *dns.Msg, rcode int) {
m := new(dns.Msg)
m.SetReply(r)
m.SetRcode(r, rcode)
w.WriteMsg(m)
}
func handleRequest(w dns.ResponseWriter, r *dns.Msg, zone zoneView) {
m := new(dns.Msg)
m.SetReply(r)
m.Authoritative = true
// maybe only support one question per query like most servers do it ???
for _, q := range r.Question {
rrs := zone.rr[q.Qtype]
// Handle ANY
if q.Qtype == dns.TypeANY {
for _, rrType := range anyRecordTypes {
m.Answer = append(m.Answer, zone.rr[rrType][q.Name]...)
}
} else {
// Handle any other type
m.Answer = append(m.Answer, rrs[q.Name]...)
// Check for wildcard
if len(m.Answer) == 0 {
parts := dns.SplitDomainName(q.Name)[1:]
searchDomain := "*." + dns.Fqdn(strings.Join(parts, "."))
foundDomain := rrs[searchDomain]
for _, rr := range foundDomain {
newRR := rr
newRR.Header().Name = q.Name
m.Answer = append(m.Answer, newRR)
}
}
}
// Handle extras
switch q.Qtype {
// Dont handle extra stuff when answering ANY request
// case dns.TypeANY:
// fallthrough
case dns.TypeMX:
// Resolve MX domains
for _, mxRR := range m.Answer {
if t, ok := mxRR.(*dns.MX); ok {
m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Mx]...)
m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Mx]...)
}
}
case dns.TypeA, dns.TypeAAAA:
if len(m.Answer) == 0 {
// no A or AAAA found. Look for CNAME
m.Answer = append(m.Answer, zone.rr[dns.TypeCNAME][q.Name]...)
if len(m.Answer) != 0 {
// Resolve CNAME
for _, nameRR := range m.Answer {
if t, ok := nameRR.(*dns.CNAME); ok {
m.Answer = append(m.Answer, zone.rr[q.Qtype][t.Target]...)
}
}
}
}
case dns.TypeNS:
// Resove NS records
for _, nsRR := range m.Answer {
if t, ok := nsRR.(*dns.NS); ok {
m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Ns]...)
m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Ns]...)
}
}
}
}
w.WriteMsg(m)
}
func main() {
configPath := flag.String("c", "/etc/cool-dns/config.yaml", "path to the config file")
flag.Parse()
config, err := loadConfig(*configPath)
if err != nil {
log.Fatalf("Failed to load config: %s\n", err.Error())
}
zones, err := loadZones(config.Zones)
if err != nil {
log.Fatalf("Failed to load zones: %s\n", err.Error())
}
aclList, err := createACLList(config.ACL)
if err != nil {
log.Fatalf("Failed to parse ACL rules: %s\n", err.Error())
}
blacklist := loadBlacklist(config.Blacklist)
server := createServer(zones, *config, aclList, blacklist)
listenAndServer(server, config.Address)
log.Printf("Start listening on udp %s and tcp %s\n", config.Address, config.Address)
sig := make(chan os.Signal)
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
s := <-sig
log.Printf("Signal (%v) received, stopping\n", s)
os.Exit(0)
}

11
docker-compose.yml
View File

@ -1,11 +0,0 @@
version: "3"
services:
cool-dns:
build: .
ports:
- "53:53"
- "53:53/udp"
- "853:853"
- "80:80"
volumes:
- ./docker:/etc/cool-dns/

136
internal/authoritative.go
View File

@ -1,136 +0,0 @@
package cooldns
import (
"strings"
"github.com/miekg/dns"
)
type rrMap map[uint16]map[string][]dns.RR
// All record types to send when a ANY request is send
var anyRecordTypes = []uint16{
dns.TypeSOA,
dns.TypeA,
dns.TypeAAAA,
dns.TypeNS,
dns.TypeCNAME,
dns.TypeMX,
dns.TypeTXT,
dns.TypeSRV,
dns.TypeCAA,
}
// handleRequest find the right RR(s) in the view and send them back
func handleRequest(w dns.ResponseWriter, r *dns.Msg, zone zoneView) {
m := new(dns.Msg)
m.SetReply(r)
m.Authoritative = true
// Only support one question per query because all the other server also does that
if len(r.Question) != 1 {
rcodeRequest(w, r, dns.RcodeServerFailure)
}
q := r.Question[0]
rrs := zone.rr[q.Qtype]
// Handle ANY
if q.Qtype == dns.TypeANY {
for _, rrType := range anyRecordTypes {
m.Answer = append(m.Answer, zone.rr[rrType][q.Name]...)
}
} else {
// Handle any other type
m.Answer = append(m.Answer, rrs[q.Name]...)
// if no rr found yet
if len(m.Answer) == 0 {
// Check for wildcard
parts := dns.SplitDomainName(q.Name)[1:]
searchDomain := "*." + dns.Fqdn(strings.Join(parts, "."))
foundDomain := rrs[searchDomain]
for _, rr := range foundDomain {
newRR := rr
newRR.Header().Name = q.Name
m.Answer = append(m.Answer, newRR)
}
}
}
// Handle extras
switch q.Qtype {
// Dont handle extra stuff when answering ANY request
// case dns.TypeANY:
// fallthrough
case dns.TypeMX:
// Resolve MX domains
for _, mxRR := range m.Answer {
if t, ok := mxRR.(*dns.MX); ok {
m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Mx]...)
m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Mx]...)
}
}
case dns.TypeA, dns.TypeAAAA:
if len(m.Answer) == 0 {
// no A or AAAA found. Look for CNAME
m.Answer = append(m.Answer, zone.rr[dns.TypeCNAME][q.Name]...)
if len(m.Answer) != 0 {
// Resolve CNAME
for _, nameRR := range m.Answer {
if t, ok := nameRR.(*dns.CNAME); ok {
m.Answer = append(m.Answer, zone.rr[q.Qtype][t.Target]...)
}
}
} else {
// No direct A/AAAA or CNAME found. Check for CNAME wildcard
parts := dns.SplitDomainName(q.Name)[1:]
searchDomain := "*." + dns.Fqdn(strings.Join(parts, "."))
foundDomain := zone.rr[dns.TypeCNAME][searchDomain]
for _, rr := range foundDomain {
// Add CNAME to answer section
newRR := rr
newRR.Header().Name = q.Name
m.Answer = append(m.Answer, newRR)
// Add resolved CNAME to *also* to the answer section (bind does the same soo)
if t, ok := rr.(*dns.CNAME); ok {
m.Answer = append(m.Answer, zone.rr[dns.TypeA][t.Target]...)
m.Answer = append(m.Answer, zone.rr[dns.TypeAAAA][t.Target]...)
}
}
}
}
case dns.TypeNS:
// Resove NS records
for _, nsRR := range m.Answer {
if t, ok := nsRR.(*dns.NS); ok {
m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Ns]...)
m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Ns]...)
}
}
case dns.TypeCNAME:
// Resolve CNAME
for _, cnameRR := range m.Answer {
if t, ok := cnameRR.(*dns.CNAME); ok {
m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Target]...)
m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Target]...)
}
}
}
if len(m.Answer) == 0 {
var soa dns.RR
for _, v := range zone.rr[dns.TypeSOA] {
if len(v) == 1 {
soa = v[0]
}
}
if soa != nil {
m.Extra = append(m.Extra, soa)
}
}
w.WriteMsg(m)
}

144
internal/config.go
View File

@ -1,144 +0,0 @@
package cooldns
import (
"io/ioutil"
"log"
"net"
"os"
"github.com/miekg/dns"
"gopkg.in/yaml.v3"
)
// config format of the config file
type config struct {
Zones []configZone `yaml:"zones"`
ACL []configACL `yaml:"acl"`
Forward configForward `yaml:"forward"`
Address string `yaml:"address"`
Blacklist []configBlacklist `yaml:"blacklist"`
TLS configTLS `yaml:"tls"`
Lego configLego `yaml:"lego"`
}
type configForward struct {
Enable bool `yaml:"enable"`
ACL []string `yaml:"acl"`
Server string `yaml:"server"`
}
type configACL struct {
Name string `yaml:"name"`
CIDR string `yaml:"cidr"`
}
type configZone struct {
Zone string `yaml:"zone"`
File string `yaml:"file"`
ACL []string `yaml:"acl"`
}
type configBlacklist struct {
URL string `yaml:"url"`
Format string `yaml:"format"`
}
type configTLS struct {
Enable bool `yaml:"enable"`
Address string `yaml:"address"`
Cert string `yaml:"cert"`
Key string `yaml:"key"`
}
func loadConfig(configPath string) (*config, error) {
file, err := ioutil.ReadFile(configPath)
if err != nil {
return nil, err
}
var loadedConfig config
err = yaml.Unmarshal(file, &loadedConfig)
if err != nil {
return nil, err
}
return &loadedConfig, nil
}
func loadZones(configZones []configZone) (zoneMap, error) {
zones := make(zoneMap)
for _, z := range configZones {
rrs, err := loadZonefile(z.File, z.Zone)
if err != nil {
return nil, err
}
if zones[z.Zone] == nil {
zones[z.Zone] = make([]zoneView, 0)
}
zones[z.Zone] = append(zones[z.Zone], zoneView{
rr: createRRMap(rrs),
acl: z.ACL,
})
log.Printf("Loaded zone %s\n", z.Zone)
}
return zones, nil
}
// createRRMap order the rr into a structure that is more easy to use
func createRRMap(rrs []dns.RR) rrMap {
rrMap := make(rrMap)
for _, rr := range rrs {
if rrMap[rr.Header().Rrtype] == nil {
rrMap[rr.Header().Rrtype] = make(map[string][]dns.RR)
}
if rrMap[rr.Header().Rrtype][rr.Header().Name] == nil {
rrMap[rr.Header().Rrtype][rr.Header().Name] = make([]dns.RR, 0)
}
rrMap[rr.Header().Rrtype][rr.Header().Name] = append(rrMap[rr.Header().Rrtype][rr.Header().Name], rr)
}
return rrMap
}
func loadZonefile(filepath, origin string) ([]dns.RR, error) {
file, err := os.Open(filepath)
if err != nil {
return nil, err
}
parser := dns.NewZoneParser(file, origin, filepath)
var rrs = make([]dns.RR, 0)
for rr, ok := parser.Next(); ok; rr, ok = parser.Next() {
rrs = append(rrs, rr)
}
if err := parser.Err(); err != nil {
log.Println(err)
}
return rrs, nil
}
// createACLList create a map with the CIDR and the name of the rule
func createACLList(config []configACL) (map[string]*net.IPNet, error) {
acls := make(map[string]*net.IPNet)
for _, aclRule := range config {
_, mask, err := net.ParseCIDR(aclRule.CIDR)
if err != nil {
return nil, err
}
acls[aclRule.Name] = mask
}
return acls, nil
}

192
internal/cooldns.go
View File

@ -1,192 +0,0 @@
package cooldns
import (
"log"
"net"
"os"
"path/filepath"
"github.com/miekg/dns"
)
type zoneView struct {
rr rrMap
acl []string
}
type zoneMap map[string][]zoneView
// Start starts cooldns
func Start(configPath string) {
config, err := loadConfig(configPath)
if err != nil {
log.Fatalf("Failed to load config: %s\n", err.Error())
}
err = os.Chdir(filepath.Dir(configPath))
if err != nil {
log.Fatalf("Failed to goto config dir: %s", err.Error())
}
zones, err := loadZones(config.Zones)
if err != nil {
log.Fatalf("Failed to load zones: %s\n", err.Error())
}
aclList, err := createACLList(config.ACL)
if err != nil {
log.Fatalf("Failed to parse ACL rules: %s\n", err.Error())
}
blacklist := loadBlacklist(config.Blacklist)
var acmeMap *legoMap
if config.Lego.Enable {
acmeMap = startLEGOWebSever(config.Lego)
}
server := createServer(zones, *config, aclList, blacklist, acmeMap)
listenAndServer(server, config.Address)
if config.TLS.Enable {
listenAndServerTLS(server, config.TLS.Address, config.TLS.Cert, config.TLS.Key)
log.Printf("Start listening on tcp %s for tls", config.TLS.Address)
}
log.Printf("Start listening on udp %s and tcp %s\n", config.Address, config.Address)
}
// createServer creates a new serve mux. Adds all the logic to handle the request
func createServer(zones zoneMap, config config, aclList map[string]*net.IPNet, blacklist map[string]bool, acmeList *legoMap) *dns.ServeMux {
srv := dns.NewServeMux()
c := new(dns.Client)
// For all zones set from the config
for zoneName, zones := range zones {
srv.HandleFunc(zoneName, createHandler(zones, config, aclList, acmeList))
}
// Handle any other request for forwarding
srv.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
// Parse IP
remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
ip := net.ParseIP(remoteIP)
if err != nil && ip != nil {
log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
return
}
// Check if it is a ACME DNS-01 challange
if config.Lego.Enable && handleACMERequest(w, r, acmeList) {
return
}
// Check ACL rules
if config.Forward.Enable && !checkACL(config.Forward.ACL, aclList, ip) {
rcodeRequest(w, r, dns.RcodeRefused)
return
}
// Check if the domain is bocked
if _, ok := blacklist[r.Question[0].Name]; ok {
handleBlockedDomain(w, r)
} else {
// Forward request
in, _, err := c.Exchange(r, config.Forward.Server)
if err != nil {
rcodeRequest(w, r, dns.RcodeServerFailure)
return
}
w.WriteMsg(in)
}
})
return srv
}
func listenAndServer(server *dns.ServeMux, address string) {
// Start UDP listner
go func() {
if err := dns.ListenAndServe(address, "udp", server); err != nil {
log.Fatalf("Failed to set udp listener %s\n", err.Error())
}
}()
// Start TCP listner
go func() {
if err := dns.ListenAndServe(address, "tcp", server); err != nil {
log.Fatalf("Failed to set tcp listener %s\n", err.Error())
}
}()
}
func listenAndServerTLS(server *dns.ServeMux, address, cert, key string) {
// Start TLS listner
go func() {
if err := dns.ListenAndServeTLS(address, cert, key, server); err != nil {
log.Fatalf("Failed to set DoT listener %s", err.Error())
}
}()
}
func checkACL(alcRules []string, aclList map[string]*net.IPNet, ip net.IP) bool {
if len(alcRules) != 0 {
passed := false
for _, rule := range alcRules {
if aclList[rule].Contains(ip) {
passed = true
}
}
return passed
}
return true
}
// rcodeRequest respond to a request with a response code
func rcodeRequest(w dns.ResponseWriter, r *dns.Msg, rcode int) {
m := new(dns.Msg)
m.SetReply(r)
m.SetRcode(r, rcode)
w.WriteMsg(m)
}
func createHandler(zones []zoneView, config config, aclList map[string]*net.IPNet, acmeList *legoMap) func(w dns.ResponseWriter, r *dns.Msg) {
return func(w dns.ResponseWriter, r *dns.Msg) {
// Parse IP
remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
ip := net.ParseIP(remoteIP)
if err != nil && ip != nil {
log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
return
}
// Check if it is a ACME DNS-01 challange
if config.Lego.Enable && handleACMERequest(w, r, acmeList) {
return
}
// find out what view to handle the request
zoneIndex := -1
for i, zone := range zones {
if (len(zone.acl) == 0 && zoneIndex == -1) || checkACL(zone.acl, aclList, ip) {
zoneIndex = i
}
}
// No view found that can handle the request
if zoneIndex == -1 {
rcodeRequest(w, r, dns.RcodeRefused)
return
}
handleRequest(w, r, zones[zoneIndex])
}
}

118
internal/lego.go
View File

@ -1,118 +0,0 @@
package cooldns
import (
"encoding/json"
"log"
"net/http"
"github.com/miekg/dns"
)
// See https://go-acme.github.io/lego/dns/httpreq/
type configLego struct {
Enable bool `yaml:"enable"`
Address string `yaml:"address"`
Username string `yaml:"username"`
Secret string `yaml:"secret"`
}
type legoPresent struct {
Fqdn string `json:"fqdn"`
Value string `json:"value"`
}
type legoMap map[string]string
func startLEGOWebSever(config configLego) *legoMap {
mux := http.NewServeMux()
acmeMap := make(legoMap)
mux.HandleFunc("/present", func(rw http.ResponseWriter, r *http.Request) {
if !checkBasicAuth(r, config) {
rw.WriteHeader(http.StatusUnauthorized)
return
}
var presentData legoPresent
err := json.NewDecoder(r.Body).Decode(&presentData)
defer r.Body.Close()
if err != nil {
log.Printf("Failed to parse request for ACME: %s", err.Error())
}
acmeMap[presentData.Fqdn] = presentData.Value
rw.WriteHeader(http.StatusOK)
})
mux.HandleFunc("/cleanup", func(rw http.ResponseWriter, r *http.Request) {
if !checkBasicAuth(r, config) {
rw.WriteHeader(http.StatusUnauthorized)
return
}
for k := range acmeMap {
delete(acmeMap, k)
}
rw.WriteHeader(http.StatusOK)
})
go func() {
if err := http.ListenAndServe(config.Address, mux); err != nil {
log.Fatalf("Failed to start Webserver for LEGO: %s\n", err.Error())
}
}()
log.Printf("Startet webserver on %s", config.Address)
return &acmeMap
}
func checkBasicAuth(r *http.Request, config configLego) bool {
if config.Username != "" && config.Secret != "" {
u, p, ok := r.BasicAuth()
if !ok {
return false
}
if u == config.Username && p == config.Secret {
return true
}
log.Printf("Failed lego authentication")
return false
}
return true
}
func handleACMERequest(w dns.ResponseWriter, r *dns.Msg, acmeMap *legoMap) bool {
if len(r.Question) == 1 {
if r.Question[0].Qtype == dns.TypeTXT && r.Question[0].Qclass == dns.ClassINET {
if value, ok := (*acmeMap)[r.Question[0].Name]; ok {
m := new(dns.Msg)
m.SetReply(r)
m.Answer = append(m.Answer, &dns.TXT{
Hdr: dns.RR_Header{
Name: r.Question[0].Name,
Rrtype: dns.TypeTXT,
Class: dns.ClassINET,
Ttl: 0,
},
Txt: []string{value},
})
w.WriteMsg(m)
return true
}
}
}
return false
}

20
zonefile.txt Normal file
View File

@ -0,0 +1,20 @@
$ORIGIN example.com. ; designates the start of this zone file in the namespace
$TTL 3600 ; default expiration time (in seconds) of all RRs without their own TTL value
example.com. IN SOA ns.example.com. username.example.com. ( 2020091025 7200 3600 1209600 3600 )
example.com. IN NS ns ; ns.example.com is a nameserver for example.com
example.com. IN NS ns.somewhere.example. ; ns.somewhere.example is a backup nameserver for example.com
example.com. IN MX 10 mail.example.com. ; mail.example.com is the mailserver for example.com
@ IN MX 20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
@ IN MX 50 mail3 ; equivalent to above line, but using a relative host name
example.com. IN A 192.0.2.1 ; IPv4 address for example.com
example.com. IN A 192.0.3.1 ; IPv4 address for example.com
IN AAAA 2001:db8:10::1 ; IPv6 address for example.com
ns IN A 192.0.2.2 ; IPv4 address for ns.example.com
IN AAAA 2001:db8:10::2 ; IPv6 address for ns.example.com
www IN CNAME example.com. ; www.example.com is an alias for example.com
wwwtest IN CNAME www ; wwwtest.example.com is another alias for www.example.com
mail IN A 192.0.2.3 ; IPv4 address for mail.example.com
mail2 IN A 192.0.2.4 ; IPv4 address for mail2.example.com
mail3 IN A 192.0.2.5 ; IPv4 address for mail3.example.com
*.www IN A 192.1.0.1
a.www IN A 192.1.0.11