summaryrefslogtreecommitdiffstats
path: root/modules/refuse_nord
diff options
context:
space:
mode:
Diffstat (limited to 'modules/refuse_nord')
-rw-r--r--modules/refuse_nord/.packaging/test.config3
-rw-r--r--modules/refuse_nord/README.rst16
-rw-r--r--modules/refuse_nord/meson.build22
-rw-r--r--modules/refuse_nord/refuse_nord.c38
-rw-r--r--modules/refuse_nord/test.integr/deckard.yaml12
-rw-r--r--modules/refuse_nord/test.integr/kresd_config.j256
-rw-r--r--modules/refuse_nord/test.integr/refuse_nord.rpl24
7 files changed, 171 insertions, 0 deletions
diff --git a/modules/refuse_nord/.packaging/test.config b/modules/refuse_nord/.packaging/test.config
new file mode 100644
index 0000000..8679e26
--- /dev/null
+++ b/modules/refuse_nord/.packaging/test.config
@@ -0,0 +1,3 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+assert(modules.load('refuse_nord') == true)
+quit()
diff --git a/modules/refuse_nord/README.rst b/modules/refuse_nord/README.rst
new file mode 100644
index 0000000..c093518
--- /dev/null
+++ b/modules/refuse_nord/README.rst
@@ -0,0 +1,16 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _mod-refuse_nord:
+
+Refuse queries without RD bit
+=============================
+
+This module ensures all queries without RD (recursion desired) bit set in query
+are answered with REFUSED. This prevents snooping on the resolver's cache content.
+
+The module is loaded by default. If you'd like to disable this behavior, you can
+unload it:
+
+.. code-block:: lua
+
+ modules.unload('refuse_nord')
diff --git a/modules/refuse_nord/meson.build b/modules/refuse_nord/meson.build
new file mode 100644
index 0000000..5142ded
--- /dev/null
+++ b/modules/refuse_nord/meson.build
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# C module: refuse_nord
+
+integr_tests += [
+ ['refuse_nord', meson.current_source_dir() / 'test.integr'],
+]
+
+refuse_nord_src = files([
+ 'refuse_nord.c',
+])
+c_src_lint += refuse_nord_src
+
+refuse_nord_mod = shared_module(
+ 'refuse_nord',
+ refuse_nord_src,
+ dependencies: libknot,
+ include_directories: mod_inc_dir,
+ name_prefix: '',
+ install: true,
+ install_dir: modules_dir,
+ link_with: kresd,
+)
diff --git a/modules/refuse_nord/refuse_nord.c b/modules/refuse_nord/refuse_nord.c
new file mode 100644
index 0000000..607ff61
--- /dev/null
+++ b/modules/refuse_nord/refuse_nord.c
@@ -0,0 +1,38 @@
+/* Copyright (C) Knot Resolver contributors.
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * This module responds to all queries without RD bit set with REFUSED. */
+
+#include <libknot/consts.h>
+#include <libknot/packet/pkt.h>
+#include "daemon/worker.h"
+#include "lib/module.h"
+#include "lib/layer.h"
+
+static int refuse_nord_query(kr_layer_t *ctx)
+{
+ struct kr_request *req = ctx->req;
+ uint8_t rd = knot_wire_get_rd(req->qsource.packet->wire);
+ if (rd)
+ return ctx->state;
+
+ knot_pkt_t *answer = kr_request_ensure_answer(req);
+ if (!answer)
+ return ctx->state;
+ knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED);
+ knot_wire_clear_ad(answer->wire);
+ kr_request_set_extended_error(req, KNOT_EDNS_EDE_NOTAUTH, "ABC4");
+ ctx->state = KR_STATE_DONE;
+ return ctx->state;
+}
+
+KR_EXPORT int refuse_nord_init(struct kr_module *module)
+{
+ static const kr_layer_api_t layer = {
+ .begin = &refuse_nord_query,
+ };
+ module->layer = &layer;
+ return kr_ok();
+}
+
+KR_MODULE_EXPORT(refuse_nord)
diff --git a/modules/refuse_nord/test.integr/deckard.yaml b/modules/refuse_nord/test.integr/deckard.yaml
new file mode 100644
index 0000000..60bf040
--- /dev/null
+++ b/modules/refuse_nord/test.integr/deckard.yaml
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+programs:
+- name: kresd
+ binary: kresd
+ additional:
+ - --noninteractive
+ templates:
+ - modules/refuse_nord/test.integr/kresd_config.j2
+ - tests/integration/hints_zone.j2
+ configs:
+ - config
+ - hints
diff --git a/modules/refuse_nord/test.integr/kresd_config.j2 b/modules/refuse_nord/test.integr/kresd_config.j2
new file mode 100644
index 0000000..1abe4e4
--- /dev/null
+++ b/modules/refuse_nord/test.integr/kresd_config.j2
@@ -0,0 +1,56 @@
+-- SPDX-License-Identifier: GPL-3.0-or-later
+{% raw %}
+-- make sure DNSSEC is turned off for tests
+trust_anchors.remove('.')
+
+-- Disable RFC5011 TA update
+if ta_update then
+ modules.unload('ta_update')
+end
+
+-- Disable RFC8145 signaling, scenario doesn't provide expected answers
+if ta_signal_query then
+ modules.unload('ta_signal_query')
+end
+
+-- Disable RFC8109 priming, scenario doesn't provide expected answers
+if priming then
+ modules.unload('priming')
+end
+
+-- Disable this module because it make one priming query
+if detect_time_skew then
+ modules.unload('detect_time_skew')
+end
+
+_hint_root_file('hints')
+cache.size = 2*MB
+log_level('debug')
+{% endraw %}
+
+net = { '{{SELF_ADDR}}' }
+
+
+{% if QMIN == "false" %}
+option('NO_MINIMIZE', true)
+{% else %}
+option('NO_MINIMIZE', false)
+{% endif %}
+
+
+-- Self-checks on globals
+assert(help() ~= nil)
+assert(worker.id ~= nil)
+-- Self-checks on facilities
+assert(cache.count() == 0)
+assert(cache.stats() ~= nil)
+assert(cache.backends() ~= nil)
+assert(worker.stats() ~= nil)
+assert(net.interfaces() ~= nil)
+-- Self-checks on loaded stuff
+assert(net.list()[1].transport.ip == '{{SELF_ADDR}}')
+assert(#modules.list() > 0)
+-- Self-check timers
+ev = event.recurrent(1 * sec, function (ev) return 1 end)
+event.cancel(ev)
+ev = event.after(0, function (ev) return 1 end)
diff --git a/modules/refuse_nord/test.integr/refuse_nord.rpl b/modules/refuse_nord/test.integr/refuse_nord.rpl
new file mode 100644
index 0000000..5515b3a
--- /dev/null
+++ b/modules/refuse_nord/test.integr/refuse_nord.rpl
@@ -0,0 +1,24 @@
+; SPDX-License-Identifier: GPL-3.0-or-later
+; config options
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test refuse queries without RD bit
+
+STEP 10 QUERY
+ENTRY_BEGIN
+; RD bit is cleared
+SECTION QUESTION
+www.example.com IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all answer
+REPLY QR RA REFUSED
+SECTION QUESTION
+www.example.com IN A
+SECTION ANSWER
+ENTRY_END
+
+SCENARIO_END