AdGuardHome icon indicating copy to clipboard operation
AdGuardHome copied to clipboard
verified publisher icon AdguardTeam

Add DNS rebinding protection

Open juniorz opened this issue 5 years ago • 9 comments

The implementation of IP blocking is based on dnsmasq in regard to which CIDRs to block.

Closes #102

juniorz avatar Dec 05 '20 16:12 juniorz

Codecov Report

Merging #2397 (3a4ff66) into master (2298a9e) will increase coverage by 0.52%. The diff coverage is 80.27%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2397      +/-   ##
==========================================
+ Coverage   38.14%   38.67%   +0.52%     
==========================================
  Files          84       85       +1     
  Lines        9593     9723     +130     
==========================================
+ Hits         3659     3760     +101     
- Misses       5475     5498      +23     
- Partials      459      465       +6
Impacted Files Coverage Δ
internal/dnsfilter/dnsfilter.go 59.23% <ø> (ø)
internal/dnsforward/config.go 46.95% <ø> (ø)
internal/dnsforward/stats.go 18.96% <0.00%> (-0.68%) :arrow_down:
internal/querylog/searchcriteria.go 35.13% <0.00%> (-1.49%) :arrow_down:
internal/dnsforward/dnsforward.go 50.92% <25.00%> (-1.00%) :arrow_down:
internal/dnsforward/rebind.go 82.45% <82.45%> (ø)
internal/dnsforward/dns.go 62.10% <100.00%> (-0.12%) :arrow_down:
internal/dnsforward/filter.go 68.88% <100.00%> (ø)
internal/dnsforward/http.go 61.42% <100.00%> (+0.70%) :arrow_up:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 2298a9e...3a4ff66. Read the comment docs.

codecov-io avatar Dec 05 '20 17:12 codecov-io

Wow that's massive, thank you!

ameshkov avatar Dec 06 '20 22:12 ameshkov

Great, but there is a need to add some logic to handle the new DNS rebinding protection request in the query log correctly

ArtemBaskal avatar Dec 11 '20 14:12 ArtemBaskal

@ArtemBaskal could you give some pointers on what's missing specifically? Thanks for reviewing.

juniorz avatar Dec 23 '20 21:12 juniorz

@juniorz the problem is that this new status is not handled by the query log.

  1. There's no human-readable name for it.
  2. There's no way I can find it using any search criteria. I suggest reusing "filteringStatusBlockedSafebrowsing" for it -- see searchcriteria.go. Let it find both queries blocked by Safe Browsing web service AND by DNS rebinding protection (and in the future, we may extend it with other security features).
  3. I also suggest reusing the same color indication as for FilteredSafeBrowsing.

ameshkov avatar Dec 28 '20 10:12 ameshkov

Hi @ameshkov , thank you for the feedback. I believe I have found my way through the stats and logging subsystems and I was able to make the requests blocked to be displayed to the end-user.

Could you please review and provide feedback on the choice of colors/categorization?

Responses blocked due to DNS rebinding attempts will contribute to "Blocked by Filters" stats, and in the logs, they are in the "Filtered" category - but I have also added a "Blocked rebinding" category.

juniorz avatar Jan 04 '21 15:01 juniorz

Also, lint failed but the Github check does not give any meaningful output so I don't really know what needs to be fixed. And running make go-deps go-tools go-lint VERBOSE=2 does not show anything either.

juniorz avatar Jan 04 '21 15:01 juniorz

@juniorz got it, thank you! We'll take care of it

ameshkov avatar Jan 06 '21 09:01 ameshkov

When will this be merged?

Dynasty-Dev avatar Oct 30 '22 04:10 Dynasty-Dev