Merge pull request 'bugfixes' (#1) from develop into master

Reviewed-on: #1

.drone.yml

@@ -5,7 +5,7 @@ steps:
 - name: build
   image: golang
   commands:
-  - go build
+  - go build cmd/cooldns.go
 
 - name: gitea_release
   image: plugins/gitea-release
@@ -14,17 +14,23 @@ steps:
       from_secret: GITEA_API_KEY
     base_url: https://git.kapelle.org
     files:
-    - cool-dns
+    - cooldns
     checksum:
     - md5
     - sha1
     - sha256
-    title: v0.1
+    title: ${DRONE_TAG}
     prerelease: true
   when:
     event: 
     - tag
 
+- name: docker
+  image: plugins/docker
+  settings:
+    repo: docker.kapelle.org/cooldns
+    registry: docker.kapelle.org
+
 trigger:
   event:
   - tag

Dockerfile

@@ -0,0 +1,16 @@
+FROM golang:alpine AS build
+
+WORKDIR /build
+
+COPY [ "go.mod", "go.sum", "./"]
+COPY internal ./internal
+COPY cmd ./cmd
+
+RUN go build -o cooldns cmd/cooldns.go
+
+FROM alpine:latest
+WORKDIR /app
+
+COPY --from=build /build/cooldns .
+
+ENTRYPOINT ["/app/cooldns"]

README.md

@@ -23,10 +23,29 @@ acl:                        # List of ip filter rules
 - name: local
   cidr: 127.0.0.1/32
 
+tls:
+  enable: true              # Enable DNS over TLS
+  address: 0.0.0.0:8853     # What address and port to liste for tls connections
+  cert: cert.crt            # Path to the certificate file
+  key: private.key          # Path to the private key file
+
 forward:
   acl:                      # What IPs are allowed
     - vpn
   server: "8.8.8.8:53"      # DNS server to forward to
 
 address: 0.0.0.0:8053       # What address and port to listen on
+
+blacklist:                  # What domains to block when forwarding
+                            # URL of the blacklist
+  - url: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
+    format: host            # Format of the blacklist: Hostfile
+  - url: https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt
+    format: line            # Format: One domain per line
+
+lego:                       # Support for Lego http provider. See https://go-acme.github.io/lego/dns/httpreq/
+  enable: true
+  address: :8080
+  username: lego
+  secret: "133742069ab"
 ```

cmd/cooldns.go

@@ -0,0 +1,24 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	cooldns "git.kapelle.org/niklas/cool-dns/internal"
+)
+
+func main() {
+	configPath := flag.String("c", "/etc/cool-dns/config.yaml", "path to the config file")
+	flag.Parse()
+
+	cooldns.Start(*configPath)
+
+	sig := make(chan os.Signal)
+	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+	s := <-sig
+	log.Printf("Signal (%v) received, stopping\n", s)
+	os.Exit(0)
+}

coolDns.go

@@ -1,364 +0,0 @@
-package main
-
-import (
-	"flag"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-
-	"github.com/miekg/dns"
-	"gopkg.in/yaml.v3"
-)
-
-type zoneView struct {
-	rr  rrMap
-	acl []string
-}
-
-type zoneMap map[string][]zoneView
-
-type rrMap map[uint16]map[string][]dns.RR
-
-type config struct {
-	Zones     []configZone      `yaml:"zones"`
-	ACL       []configACL       `yaml:"acl"`
-	Forward   configForward     `yaml:"forward"`
-	Address   string            `yaml:"address"`
-	Blacklist []configBlacklist `yaml:"blacklist"`
-}
-
-type configForward struct {
-	ACL    []string `yaml:"acl"`
-	Server string   `yaml:"server"`
-}
-
-type configACL struct {
-	Name string `yaml:"name"`
-	CIDR string `yaml:"cidr"`
-}
-
-type configZone struct {
-	Zone string   `yaml:"zone"`
-	File string   `yaml:"file"`
-	ACL  []string `yaml:"acl"`
-}
-
-type configBlacklist struct {
-	URL    string `yaml:"url"`
-	Format string `yaml:"format"`
-}
-
-var anyRecordTypes = []uint16{
-	dns.TypeSOA,
-	dns.TypeA,
-	dns.TypeAAAA,
-	dns.TypeNS,
-	dns.TypeCNAME,
-	dns.TypeMX,
-	dns.TypeTXT,
-	dns.TypeSRV,
-	dns.TypeCAA,
-}
-
-func loadConfig(configPath string) (*config, error) {
-	file, err := ioutil.ReadFile(configPath)
-	if err != nil {
-		return nil, err
-	}
-
-	var loadedConfig config
-
-	err = yaml.Unmarshal(file, &loadedConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	return &loadedConfig, nil
-}
-
-func loadZones(configZones []configZone) (zoneMap, error) {
-	zones := make(zoneMap)
-	for _, z := range configZones {
-		rrs, err := loadZonefile(z.File, z.Zone)
-		if err != nil {
-			return nil, err
-		}
-		if zones[z.Zone] == nil {
-			zones[z.Zone] = make([]zoneView, 0)
-		}
-		zones[z.Zone] = append(zones[z.Zone], zoneView{
-			rr:  createRRMap(rrs),
-			acl: z.ACL,
-		})
-
-		log.Printf("Loaded zone %s\n", z.Zone)
-	}
-
-	return zones, nil
-}
-
-func createRRMap(rrs []dns.RR) rrMap {
-	rrMap := make(rrMap)
-	for _, rr := range rrs {
-		if rrMap[rr.Header().Rrtype] == nil {
-			rrMap[rr.Header().Rrtype] = make(map[string][]dns.RR)
-		}
-
-		if rrMap[rr.Header().Rrtype][rr.Header().Name] == nil {
-			rrMap[rr.Header().Rrtype][rr.Header().Name] = make([]dns.RR, 0)
-		}
-		rrMap[rr.Header().Rrtype][rr.Header().Name] = append(rrMap[rr.Header().Rrtype][rr.Header().Name], rr)
-	}
-
-	return rrMap
-}
-
-func loadZonefile(filepath, origin string) ([]dns.RR, error) {
-	file, err := os.Open(filepath)
-
-	if err != nil {
-		return nil, err
-	}
-
-	parser := dns.NewZoneParser(file, origin, filepath)
-
-	var rrs = make([]dns.RR, 0)
-
-	for rr, ok := parser.Next(); ok; rr, ok = parser.Next() {
-		rrs = append(rrs, rr)
-	}
-
-	if err := parser.Err(); err != nil {
-		log.Println(err)
-	}
-
-	return rrs, nil
-}
-
-func createACLList(config []configACL) (map[string]*net.IPNet, error) {
-	acls := make(map[string]*net.IPNet)
-
-	for _, aclRule := range config {
-		_, mask, err := net.ParseCIDR(aclRule.CIDR)
-
-		if err != nil {
-			return nil, err
-		}
-
-		acls[aclRule.Name] = mask
-	}
-
-	return acls, nil
-}
-
-func createServer(zones zoneMap, config config, aclList map[string]*net.IPNet, blacklist map[string]bool) *dns.ServeMux {
-	srv := dns.NewServeMux()
-	c := new(dns.Client)
-
-	for zoneName, zones := range zones {
-		srv.HandleFunc(zoneName, func(w dns.ResponseWriter, r *dns.Msg) {
-
-			// Parse IP
-			remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
-			ip := net.ParseIP(remoteIP)
-			if err != nil && ip != nil {
-				log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
-				return
-			}
-
-			// find out what view to handle the request
-			zoneIndex := -1
-
-			for i, zone := range zones {
-				if (len(zone.acl) == 0 && zoneIndex == -1) || checkACL(zone.acl, aclList, ip) {
-					zoneIndex = i
-				}
-			}
-
-			if zoneIndex == -1 {
-				rcodeRequest(w, r, dns.RcodeRefused)
-				return
-			}
-
-			handleRequest(w, r, zones[zoneIndex])
-		})
-	}
-
-	// Handle any other request
-	srv.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
-		remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
-		ip := net.ParseIP(remoteIP)
-
-		if err != nil && ip != nil {
-			log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
-			return
-		}
-
-		// Check ACL rules
-		if !checkACL(config.Forward.ACL, aclList, ip) {
-			rcodeRequest(w, r, dns.RcodeRefused)
-			return
-		}
-
-		if _, ok := blacklist[r.Question[0].Name]; ok {
-			handleBlockedDomain(w, r)
-		} else {
-			// Forward request
-			in, _, err := c.Exchange(r, config.Forward.Server)
-
-			if err != nil {
-				rcodeRequest(w, r, dns.RcodeServerFailure)
-				return
-			}
-			w.WriteMsg(in)
-		}
-
-	})
-
-	return srv
-}
-
-func listenAndServer(server *dns.ServeMux, address string) {
-	go func() {
-		if err := dns.ListenAndServe(address, "udp", server); err != nil {
-			log.Fatalf("Failed to set udp listener %s\n", err.Error())
-		}
-	}()
-
-	go func() {
-		if err := dns.ListenAndServe(address, "tcp", server); err != nil {
-			log.Fatalf("Failed to set tcp listener %s\n", err.Error())
-		}
-	}()
-}
-
-func checkACL(alcRules []string, aclList map[string]*net.IPNet, ip net.IP) bool {
-	if len(alcRules) != 0 {
-		passed := false
-		for _, rule := range alcRules {
-
-			if aclList[rule].Contains(ip) {
-				passed = true
-			}
-		}
-		return passed
-	}
-	return true
-}
-
-func rcodeRequest(w dns.ResponseWriter, r *dns.Msg, rcode int) {
-	m := new(dns.Msg)
-	m.SetReply(r)
-	m.SetRcode(r, rcode)
-	w.WriteMsg(m)
-}
-
-func handleRequest(w dns.ResponseWriter, r *dns.Msg, zone zoneView) {
-	m := new(dns.Msg)
-	m.SetReply(r)
-	m.Authoritative = true
-
-	// maybe only support one question per query like most servers do it ???
-	for _, q := range r.Question {
-		rrs := zone.rr[q.Qtype]
-
-		// Handle ANY
-		if q.Qtype == dns.TypeANY {
-			for _, rrType := range anyRecordTypes {
-				m.Answer = append(m.Answer, zone.rr[rrType][q.Name]...)
-			}
-		} else {
-			// Handle any other type
-			m.Answer = append(m.Answer, rrs[q.Name]...)
-
-			// Check for wildcard
-			if len(m.Answer) == 0 {
-				parts := dns.SplitDomainName(q.Name)[1:]
-				searchDomain := "*." + dns.Fqdn(strings.Join(parts, "."))
-				foundDomain := rrs[searchDomain]
-				for _, rr := range foundDomain {
-					newRR := rr
-					newRR.Header().Name = q.Name
-					m.Answer = append(m.Answer, newRR)
-				}
-			}
-		}
-
-		// Handle extras
-		switch q.Qtype {
-		// Dont handle extra stuff when answering ANY request
-		// case dns.TypeANY:
-		// 	fallthrough
-		case dns.TypeMX:
-			// Resolve MX domains
-			for _, mxRR := range m.Answer {
-				if t, ok := mxRR.(*dns.MX); ok {
-					m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Mx]...)
-					m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Mx]...)
-				}
-			}
-		case dns.TypeA, dns.TypeAAAA:
-			if len(m.Answer) == 0 {
-				// no A or AAAA found. Look for CNAME
-				m.Answer = append(m.Answer, zone.rr[dns.TypeCNAME][q.Name]...)
-				if len(m.Answer) != 0 {
-					// Resolve CNAME
-					for _, nameRR := range m.Answer {
-						if t, ok := nameRR.(*dns.CNAME); ok {
-							m.Answer = append(m.Answer, zone.rr[q.Qtype][t.Target]...)
-						}
-					}
-				}
-			}
-		case dns.TypeNS:
-			// Resove NS records
-			for _, nsRR := range m.Answer {
-				if t, ok := nsRR.(*dns.NS); ok {
-					m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Ns]...)
-					m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Ns]...)
-				}
-			}
-		}
-	}
-
-	w.WriteMsg(m)
-}
-
-func main() {
-
-	configPath := flag.String("c", "/etc/cool-dns/config.yaml", "path to the config file")
-	flag.Parse()
-
-	config, err := loadConfig(*configPath)
-	if err != nil {
-		log.Fatalf("Failed to load config: %s\n", err.Error())
-	}
-
-	zones, err := loadZones(config.Zones)
-	if err != nil {
-		log.Fatalf("Failed to load zones: %s\n", err.Error())
-	}
-
-	aclList, err := createACLList(config.ACL)
-	if err != nil {
-		log.Fatalf("Failed to parse ACL rules: %s\n", err.Error())
-	}
-
-	blacklist := loadBlacklist(config.Blacklist)
-
-	server := createServer(zones, *config, aclList, blacklist)
-
-	listenAndServer(server, config.Address)
-
-	log.Printf("Start listening on udp %s and tcp %s\n", config.Address, config.Address)
-
-	sig := make(chan os.Signal)
-	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
-	s := <-sig
-	log.Printf("Signal (%v) received, stopping\n", s)
-	os.Exit(0)
-}

docker-compose.yml

@@ -0,0 +1,11 @@
+version: "3"
+services:
+  cool-dns:
+    build: .
+    ports:
+      - "53:53"
+      - "53:53/udp"
+      - "853:853"
+      - "80:80"
+    volumes:
+      - ./docker:/etc/cool-dns/

exampleConfig.yml

@@ -5,7 +5,7 @@ zones:
 - zone: example.com.
   file: zonefile2.txt
   acl:
-    - lan
+    - vpn
 
 acl:
 - name: vpn
@@ -22,6 +22,20 @@ forward:
 
 address: 0.0.0.0:8053
 
+tls:
+  enable: false
+  address: 0.0.0.0:8853
+  cert: cert.crt
+  key: private.key
+
 blacklist:
   - url: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
     format: host
+  - url: https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt
+    format: line
+
+lego:
+  enable: true
+  address: :8080
+  username: lego
+  secret: "133742069ab"

internal/authoritative.go

@@ -0,0 +1,136 @@
+package cooldns
+
+import (
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+type rrMap map[uint16]map[string][]dns.RR
+
+// All record types to send when a ANY request is send
+var anyRecordTypes = []uint16{
+	dns.TypeSOA,
+	dns.TypeA,
+	dns.TypeAAAA,
+	dns.TypeNS,
+	dns.TypeCNAME,
+	dns.TypeMX,
+	dns.TypeTXT,
+	dns.TypeSRV,
+	dns.TypeCAA,
+}
+
+// handleRequest find the right RR(s) in the view and send them back
+func handleRequest(w dns.ResponseWriter, r *dns.Msg, zone zoneView) {
+	m := new(dns.Msg)
+	m.SetReply(r)
+	m.Authoritative = true
+
+	// Only support one question per query because all the other server also does that
+	if len(r.Question) != 1 {
+		rcodeRequest(w, r, dns.RcodeServerFailure)
+	}
+
+	q := r.Question[0]
+
+	rrs := zone.rr[q.Qtype]
+
+	// Handle ANY
+	if q.Qtype == dns.TypeANY {
+		for _, rrType := range anyRecordTypes {
+			m.Answer = append(m.Answer, zone.rr[rrType][q.Name]...)
+		}
+	} else {
+		// Handle any other type
+		m.Answer = append(m.Answer, rrs[q.Name]...)
+
+		// if no rr found yet
+		if len(m.Answer) == 0 {
+			// Check for wildcard
+			parts := dns.SplitDomainName(q.Name)[1:]
+			searchDomain := "*." + dns.Fqdn(strings.Join(parts, "."))
+			foundDomain := rrs[searchDomain]
+			for _, rr := range foundDomain {
+				newRR := rr
+				newRR.Header().Name = q.Name
+				m.Answer = append(m.Answer, newRR)
+			}
+		}
+	}
+
+	// Handle extras
+	switch q.Qtype {
+	// Dont handle extra stuff when answering ANY request
+	// case dns.TypeANY:
+	// 	fallthrough
+	case dns.TypeMX:
+		// Resolve MX domains
+		for _, mxRR := range m.Answer {
+			if t, ok := mxRR.(*dns.MX); ok {
+				m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Mx]...)
+				m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Mx]...)
+			}
+		}
+	case dns.TypeA, dns.TypeAAAA:
+		if len(m.Answer) == 0 {
+			// no A or AAAA found. Look for CNAME
+			m.Answer = append(m.Answer, zone.rr[dns.TypeCNAME][q.Name]...)
+			if len(m.Answer) != 0 {
+				// Resolve CNAME
+				for _, nameRR := range m.Answer {
+					if t, ok := nameRR.(*dns.CNAME); ok {
+						m.Answer = append(m.Answer, zone.rr[q.Qtype][t.Target]...)
+					}
+				}
+			} else {
+				// No direct A/AAAA or CNAME found. Check for CNAME wildcard
+				parts := dns.SplitDomainName(q.Name)[1:]
+				searchDomain := "*." + dns.Fqdn(strings.Join(parts, "."))
+				foundDomain := zone.rr[dns.TypeCNAME][searchDomain]
+				for _, rr := range foundDomain {
+					// Add CNAME to answer section
+					newRR := rr
+					newRR.Header().Name = q.Name
+					m.Answer = append(m.Answer, newRR)
+
+					// Add resolved CNAME to *also* to the answer section (bind does the same soo)
+					if t, ok := rr.(*dns.CNAME); ok {
+						m.Answer = append(m.Answer, zone.rr[dns.TypeA][t.Target]...)
+						m.Answer = append(m.Answer, zone.rr[dns.TypeAAAA][t.Target]...)
+					}
+				}
+			}
+		}
+	case dns.TypeNS:
+		// Resove NS records
+		for _, nsRR := range m.Answer {
+			if t, ok := nsRR.(*dns.NS); ok {
+				m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Ns]...)
+				m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Ns]...)
+			}
+		}
+	case dns.TypeCNAME:
+		// Resolve CNAME
+		for _, cnameRR := range m.Answer {
+			if t, ok := cnameRR.(*dns.CNAME); ok {
+				m.Extra = append(m.Extra, zone.rr[dns.TypeA][t.Target]...)
+				m.Extra = append(m.Extra, zone.rr[dns.TypeAAAA][t.Target]...)
+			}
+		}
+	}
+
+	if len(m.Answer) == 0 {
+		var soa dns.RR
+		for _, v := range zone.rr[dns.TypeSOA] {
+			if len(v) == 1 {
+				soa = v[0]
+			}
+		}
+		if soa != nil {
+			m.Extra = append(m.Extra, soa)
+		}
+	}
+
+	w.WriteMsg(m)
+}

internal/blacklist.go

@@ -1,16 +1,18 @@
-package main
+package cooldns
 
 import (
+	"errors"
 	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"regexp"
+	"strings"
 
 	"github.com/miekg/dns"
 )
 
-const blockTTL uint32 = 300
+const blockTTL uint32 = 604800
 
 var nullIPv4 = net.IPv4(0, 0, 0, 0)
 var nullIPv6 = net.ParseIP("::/0")
@@ -26,12 +28,10 @@ func loadBlacklist(config []configBlacklist) map[string]bool {
 		}
 
 		domains := parseRawBlacklist(element, *raw)
+		log.Printf("Added %d blocked domains", len(domains))
 		list = append(list, domains...)
 	}
 
-	// list = removeDuplicates(list)
-	// sort.Strings(list)
-
 	domainMap := make(map[string]bool)
 	for _, e := range list {
 		domainMap[e] = true
@@ -40,56 +40,81 @@ func loadBlacklist(config []configBlacklist) map[string]bool {
 	return domainMap
 }
 
-func removeDuplicates(elements []string) []string {
-	encountered := map[string]bool{}
-	result := []string{}
-
-	for v := range elements {
-		if !encountered[elements[v]] {
-			encountered[elements[v]] = true
-
-			result = append(result, elements[v])
-		}
+func requestBacklist(blacklist configBlacklist) (*string, error) {
+	if blacklist.URL != "" {
+		return getBlacklistFromURL(blacklist.URL)
 	}
 
-	return result
+	return nil, errors.New("No blacklist provided")
 }
 
-func requestBacklist(blacklist configBlacklist) (*string, error) {
+func getBlacklistFromURL(url string) (*string, error) {
 	// Request list
-	resp, err := http.Get(blacklist.URL)
+	resp, err := http.Get(url)
 	if err != nil {
 		return nil, err
 	}
 
 	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		log.Printf("Got %d status code. Continueing anyway.", resp.StatusCode)
+	}
+
 	body, err := ioutil.ReadAll(resp.Body)
 	bodyString := string(body)
 
-	log.Printf("Downloaded blacklist %s", blacklist.URL)
+	log.Printf("Downloaded blacklist %s", url)
 
 	return &bodyString, err
 }
 
+// parseRawBlacklist parse the raw string depending on the given format
 func parseRawBlacklist(blacklist configBlacklist, raw string) []string {
+	switch blacklist.Format {
+	case "host":
+		return parseHostFormat(raw)
+	case "line":
+		return parseLineFormat(raw)
+	default:
+		log.Printf("Failed to parse blacklist. Format not supported: %s", blacklist.Format)
+		log.Println("Supported types are: host, line")
+		return make([]string, 0)
+	}
+}
+
+// parseHostFormat parse the string in the format of a hostfile
+func parseHostFormat(raw string) []string {
 	finalList := make([]string, 0)
-	reg := regexp.MustCompile(`(?mi)^\s*(#*)\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+([a-zA-Z0-9\.\- ]+)$`)
+	reg := regexp.MustCompile(`(?m)^\s*(0\.0\.0\.0) ([a-zA-Z0-9-.]*)`)
 	matches := reg.FindAllStringSubmatch(raw, -1)
 	for _, match := range matches {
-		if match[1] != "#" {
-			finalList = append(finalList, dns.Fqdn(match[3]))
-		}
+		finalList = append(finalList, dns.Fqdn(match[2]))
 	}
 
 	return finalList
 }
 
+// parseLineFormat one domain per line, ignore comments
+func parseLineFormat(raw string) []string {
+	list := make([]string, 0)
+
+	for _, line := range strings.Split(raw, "\n") {
+		if !strings.HasPrefix(line, "#") {
+			list = append(list, line)
+		}
+	}
+
+	return list
+}
+
 func handleBlockedDomain(w dns.ResponseWriter, r *dns.Msg) {
 	q := r.Question[0]
 
 	m := new(dns.Msg)
 	m.SetReply(r)
 	if q.Qtype == dns.TypeA {
+		// Respond with 0.0.0.0
 		m.Answer = append(m.Answer, &dns.A{
 			Hdr: dns.RR_Header{
 				Name:   q.Name,
@@ -100,6 +125,7 @@ func handleBlockedDomain(w dns.ResponseWriter, r *dns.Msg) {
 			A: nullIPv4,
 		})
 	} else if q.Qtype == dns.TypeAAAA {
+		// Respond with ::/0
 		m.Answer = append(m.Answer, &dns.AAAA{
 			Hdr: dns.RR_Header{
 				Name:   q.Name,

internal/config.go

@@ -0,0 +1,144 @@
+package cooldns
+
+import (
+	"io/ioutil"
+	"log"
+	"net"
+	"os"
+
+	"github.com/miekg/dns"
+	"gopkg.in/yaml.v3"
+)
+
+// config format of the config file
+type config struct {
+	Zones     []configZone      `yaml:"zones"`
+	ACL       []configACL       `yaml:"acl"`
+	Forward   configForward     `yaml:"forward"`
+	Address   string            `yaml:"address"`
+	Blacklist []configBlacklist `yaml:"blacklist"`
+	TLS       configTLS         `yaml:"tls"`
+	Lego      configLego        `yaml:"lego"`
+}
+
+type configForward struct {
+	Enable bool     `yaml:"enable"`
+	ACL    []string `yaml:"acl"`
+	Server string   `yaml:"server"`
+}
+
+type configACL struct {
+	Name string `yaml:"name"`
+	CIDR string `yaml:"cidr"`
+}
+
+type configZone struct {
+	Zone string   `yaml:"zone"`
+	File string   `yaml:"file"`
+	ACL  []string `yaml:"acl"`
+}
+
+type configBlacklist struct {
+	URL    string `yaml:"url"`
+	Format string `yaml:"format"`
+}
+
+type configTLS struct {
+	Enable  bool   `yaml:"enable"`
+	Address string `yaml:"address"`
+	Cert    string `yaml:"cert"`
+	Key     string `yaml:"key"`
+}
+
+func loadConfig(configPath string) (*config, error) {
+	file, err := ioutil.ReadFile(configPath)
+	if err != nil {
+		return nil, err
+	}
+
+	var loadedConfig config
+
+	err = yaml.Unmarshal(file, &loadedConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return &loadedConfig, nil
+}
+
+func loadZones(configZones []configZone) (zoneMap, error) {
+	zones := make(zoneMap)
+	for _, z := range configZones {
+		rrs, err := loadZonefile(z.File, z.Zone)
+		if err != nil {
+			return nil, err
+		}
+		if zones[z.Zone] == nil {
+			zones[z.Zone] = make([]zoneView, 0)
+		}
+		zones[z.Zone] = append(zones[z.Zone], zoneView{
+			rr:  createRRMap(rrs),
+			acl: z.ACL,
+		})
+
+		log.Printf("Loaded zone %s\n", z.Zone)
+	}
+
+	return zones, nil
+}
+
+// createRRMap order the rr into a structure that is more easy to use
+func createRRMap(rrs []dns.RR) rrMap {
+	rrMap := make(rrMap)
+	for _, rr := range rrs {
+		if rrMap[rr.Header().Rrtype] == nil {
+			rrMap[rr.Header().Rrtype] = make(map[string][]dns.RR)
+		}
+
+		if rrMap[rr.Header().Rrtype][rr.Header().Name] == nil {
+			rrMap[rr.Header().Rrtype][rr.Header().Name] = make([]dns.RR, 0)
+		}
+		rrMap[rr.Header().Rrtype][rr.Header().Name] = append(rrMap[rr.Header().Rrtype][rr.Header().Name], rr)
+	}
+
+	return rrMap
+}
+
+func loadZonefile(filepath, origin string) ([]dns.RR, error) {
+	file, err := os.Open(filepath)
+
+	if err != nil {
+		return nil, err
+	}
+
+	parser := dns.NewZoneParser(file, origin, filepath)
+
+	var rrs = make([]dns.RR, 0)
+
+	for rr, ok := parser.Next(); ok; rr, ok = parser.Next() {
+		rrs = append(rrs, rr)
+	}
+
+	if err := parser.Err(); err != nil {
+		log.Println(err)
+	}
+
+	return rrs, nil
+}
+
+// createACLList create a map with the CIDR and the name of the rule
+func createACLList(config []configACL) (map[string]*net.IPNet, error) {
+	acls := make(map[string]*net.IPNet)
+
+	for _, aclRule := range config {
+		_, mask, err := net.ParseCIDR(aclRule.CIDR)
+
+		if err != nil {
+			return nil, err
+		}
+
+		acls[aclRule.Name] = mask
+	}
+
+	return acls, nil
+}

internal/cooldns.go

@@ -0,0 +1,192 @@
+package cooldns
+
+import (
+	"log"
+	"net"
+	"os"
+	"path/filepath"
+
+	"github.com/miekg/dns"
+)
+
+type zoneView struct {
+	rr  rrMap
+	acl []string
+}
+
+type zoneMap map[string][]zoneView
+
+// Start starts cooldns
+func Start(configPath string) {
+	config, err := loadConfig(configPath)
+	if err != nil {
+		log.Fatalf("Failed to load config: %s\n", err.Error())
+	}
+
+	err = os.Chdir(filepath.Dir(configPath))
+	if err != nil {
+		log.Fatalf("Failed to goto config dir: %s", err.Error())
+	}
+
+	zones, err := loadZones(config.Zones)
+	if err != nil {
+		log.Fatalf("Failed to load zones: %s\n", err.Error())
+	}
+
+	aclList, err := createACLList(config.ACL)
+	if err != nil {
+		log.Fatalf("Failed to parse ACL rules: %s\n", err.Error())
+	}
+
+	blacklist := loadBlacklist(config.Blacklist)
+
+	var acmeMap *legoMap
+	if config.Lego.Enable {
+		acmeMap = startLEGOWebSever(config.Lego)
+	}
+
+	server := createServer(zones, *config, aclList, blacklist, acmeMap)
+
+	listenAndServer(server, config.Address)
+
+	if config.TLS.Enable {
+		listenAndServerTLS(server, config.TLS.Address, config.TLS.Cert, config.TLS.Key)
+
+		log.Printf("Start listening on tcp %s for tls", config.TLS.Address)
+	}
+
+	log.Printf("Start listening on udp %s and tcp %s\n", config.Address, config.Address)
+}
+
+// createServer creates a new serve mux. Adds all the logic to handle the request
+func createServer(zones zoneMap, config config, aclList map[string]*net.IPNet, blacklist map[string]bool, acmeList *legoMap) *dns.ServeMux {
+	srv := dns.NewServeMux()
+	c := new(dns.Client)
+
+	// For all zones set from the config
+	for zoneName, zones := range zones {
+		srv.HandleFunc(zoneName, createHandler(zones, config, aclList, acmeList))
+	}
+
+	// Handle any other request for forwarding
+	srv.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
+
+		// Parse IP
+		remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
+		ip := net.ParseIP(remoteIP)
+
+		if err != nil && ip != nil {
+			log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
+			return
+		}
+
+		// Check if it is a ACME DNS-01 challange
+		if config.Lego.Enable && handleACMERequest(w, r, acmeList) {
+			return
+		}
+
+		// Check ACL rules
+		if config.Forward.Enable && !checkACL(config.Forward.ACL, aclList, ip) {
+			rcodeRequest(w, r, dns.RcodeRefused)
+			return
+		}
+
+		// Check if the domain is bocked
+		if _, ok := blacklist[r.Question[0].Name]; ok {
+			handleBlockedDomain(w, r)
+		} else {
+			// Forward request
+			in, _, err := c.Exchange(r, config.Forward.Server)
+
+			if err != nil {
+				rcodeRequest(w, r, dns.RcodeServerFailure)
+				return
+			}
+
+			w.WriteMsg(in)
+		}
+	})
+
+	return srv
+}
+
+func listenAndServer(server *dns.ServeMux, address string) {
+	// Start UDP listner
+	go func() {
+		if err := dns.ListenAndServe(address, "udp", server); err != nil {
+			log.Fatalf("Failed to set udp listener %s\n", err.Error())
+		}
+	}()
+
+	// Start TCP listner
+	go func() {
+		if err := dns.ListenAndServe(address, "tcp", server); err != nil {
+			log.Fatalf("Failed to set tcp listener %s\n", err.Error())
+		}
+	}()
+}
+
+func listenAndServerTLS(server *dns.ServeMux, address, cert, key string) {
+	// Start TLS listner
+	go func() {
+		if err := dns.ListenAndServeTLS(address, cert, key, server); err != nil {
+			log.Fatalf("Failed to set DoT listener %s", err.Error())
+		}
+	}()
+}
+
+func checkACL(alcRules []string, aclList map[string]*net.IPNet, ip net.IP) bool {
+	if len(alcRules) != 0 {
+		passed := false
+		for _, rule := range alcRules {
+
+			if aclList[rule].Contains(ip) {
+				passed = true
+			}
+		}
+		return passed
+	}
+	return true
+}
+
+// rcodeRequest respond to a request with a response code
+func rcodeRequest(w dns.ResponseWriter, r *dns.Msg, rcode int) {
+	m := new(dns.Msg)
+	m.SetReply(r)
+	m.SetRcode(r, rcode)
+	w.WriteMsg(m)
+}
+
+func createHandler(zones []zoneView, config config, aclList map[string]*net.IPNet, acmeList *legoMap) func(w dns.ResponseWriter, r *dns.Msg) {
+	return func(w dns.ResponseWriter, r *dns.Msg) {
+		// Parse IP
+		remoteIP, _, err := net.SplitHostPort(w.RemoteAddr().String())
+		ip := net.ParseIP(remoteIP)
+		if err != nil && ip != nil {
+			log.Printf("Faild to parse remote IP WTF? :%s\n", err.Error())
+			return
+		}
+
+		// Check if it is a ACME DNS-01 challange
+		if config.Lego.Enable && handleACMERequest(w, r, acmeList) {
+			return
+		}
+
+		// find out what view to handle the request
+		zoneIndex := -1
+
+		for i, zone := range zones {
+			if (len(zone.acl) == 0 && zoneIndex == -1) || checkACL(zone.acl, aclList, ip) {
+				zoneIndex = i
+			}
+		}
+
+		// No view found that can handle the request
+		if zoneIndex == -1 {
+			rcodeRequest(w, r, dns.RcodeRefused)
+			return
+		}
+
+		handleRequest(w, r, zones[zoneIndex])
+	}
+}

internal/lego.go

@@ -0,0 +1,118 @@
+package cooldns
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"github.com/miekg/dns"
+)
+
+// See https://go-acme.github.io/lego/dns/httpreq/
+
+type configLego struct {
+	Enable   bool   `yaml:"enable"`
+	Address  string `yaml:"address"`
+	Username string `yaml:"username"`
+	Secret   string `yaml:"secret"`
+}
+
+type legoPresent struct {
+	Fqdn  string `json:"fqdn"`
+	Value string `json:"value"`
+}
+
+type legoMap map[string]string
+
+func startLEGOWebSever(config configLego) *legoMap {
+	mux := http.NewServeMux()
+
+	acmeMap := make(legoMap)
+
+	mux.HandleFunc("/present", func(rw http.ResponseWriter, r *http.Request) {
+
+		if !checkBasicAuth(r, config) {
+			rw.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		var presentData legoPresent
+		err := json.NewDecoder(r.Body).Decode(&presentData)
+		defer r.Body.Close()
+
+		if err != nil {
+			log.Printf("Failed to parse request for ACME: %s", err.Error())
+		}
+
+		acmeMap[presentData.Fqdn] = presentData.Value
+
+		rw.WriteHeader(http.StatusOK)
+	})
+
+	mux.HandleFunc("/cleanup", func(rw http.ResponseWriter, r *http.Request) {
+		if !checkBasicAuth(r, config) {
+			rw.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		for k := range acmeMap {
+			delete(acmeMap, k)
+		}
+
+		rw.WriteHeader(http.StatusOK)
+	})
+
+	go func() {
+		if err := http.ListenAndServe(config.Address, mux); err != nil {
+			log.Fatalf("Failed to start Webserver for LEGO: %s\n", err.Error())
+		}
+	}()
+
+	log.Printf("Startet webserver on %s", config.Address)
+
+	return &acmeMap
+}
+
+func checkBasicAuth(r *http.Request, config configLego) bool {
+	if config.Username != "" && config.Secret != "" {
+		u, p, ok := r.BasicAuth()
+		if !ok {
+			return false
+		}
+
+		if u == config.Username && p == config.Secret {
+			return true
+		}
+
+		log.Printf("Failed lego authentication")
+
+		return false
+	}
+	return true
+}
+
+func handleACMERequest(w dns.ResponseWriter, r *dns.Msg, acmeMap *legoMap) bool {
+	if len(r.Question) == 1 {
+		if r.Question[0].Qtype == dns.TypeTXT && r.Question[0].Qclass == dns.ClassINET {
+			if value, ok := (*acmeMap)[r.Question[0].Name]; ok {
+				m := new(dns.Msg)
+				m.SetReply(r)
+
+				m.Answer = append(m.Answer, &dns.TXT{
+					Hdr: dns.RR_Header{
+						Name:   r.Question[0].Name,
+						Rrtype: dns.TypeTXT,
+						Class:  dns.ClassINET,
+						Ttl:    0,
+					},
+					Txt: []string{value},
+				})
+
+				w.WriteMsg(m)
+				return true
+			}
+		}
+	}
+
+	return false
+}

zonefile.txt

@@ -1,20 +0,0 @@
-$ORIGIN example.com.     ; designates the start of this zone file in the namespace
-$TTL 3600                ; default expiration time (in seconds) of all RRs without their own TTL value
-example.com.  IN  SOA   ns.example.com. username.example.com. ( 2020091025 7200 3600 1209600 3600 )
-example.com.  IN  NS    ns                    ; ns.example.com is a nameserver for example.com
-example.com.  IN  NS    ns.somewhere.example. ; ns.somewhere.example is a backup nameserver for example.com
-example.com.  IN  MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com
-@             IN  MX    20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
-@             IN  MX    50 mail3              ; equivalent to above line, but using a relative host name
-example.com.  IN  A     192.0.2.1             ; IPv4 address for example.com
-example.com.  IN  A     192.0.3.1             ; IPv4 address for example.com
-              IN  AAAA  2001:db8:10::1        ; IPv6 address for example.com
-ns            IN  A     192.0.2.2             ; IPv4 address for ns.example.com
-              IN  AAAA  2001:db8:10::2        ; IPv6 address for ns.example.com
-www           IN  CNAME example.com.          ; www.example.com is an alias for example.com
-wwwtest       IN  CNAME www                   ; wwwtest.example.com is another alias for www.example.com
-mail          IN  A     192.0.2.3             ; IPv4 address for mail.example.com
-mail2         IN  A     192.0.2.4             ; IPv4 address for mail2.example.com
-mail3         IN  A     192.0.2.5             ; IPv4 address for mail3.example.com
-*.www         IN  A     192.1.0.1
-a.www         IN  A     192.1.0.11