diff options
Diffstat (limited to 'modules/refuse_nord')
-rw-r--r-- | modules/refuse_nord/.packaging/test.config | 3 | ||||
-rw-r--r-- | modules/refuse_nord/README.rst | 16 | ||||
-rw-r--r-- | modules/refuse_nord/meson.build | 22 | ||||
-rw-r--r-- | modules/refuse_nord/refuse_nord.c | 38 | ||||
-rw-r--r-- | modules/refuse_nord/test.integr/deckard.yaml | 12 | ||||
-rw-r--r-- | modules/refuse_nord/test.integr/kresd_config.j2 | 56 | ||||
-rw-r--r-- | modules/refuse_nord/test.integr/refuse_nord.rpl | 24 |
7 files changed, 171 insertions, 0 deletions
diff --git a/modules/refuse_nord/.packaging/test.config b/modules/refuse_nord/.packaging/test.config new file mode 100644 index 0000000..8679e26 --- /dev/null +++ b/modules/refuse_nord/.packaging/test.config @@ -0,0 +1,3 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +assert(modules.load('refuse_nord') == true) +quit() diff --git a/modules/refuse_nord/README.rst b/modules/refuse_nord/README.rst new file mode 100644 index 0000000..c093518 --- /dev/null +++ b/modules/refuse_nord/README.rst @@ -0,0 +1,16 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +.. _mod-refuse_nord: + +Refuse queries without RD bit +============================= + +This module ensures all queries without RD (recursion desired) bit set in query +are answered with REFUSED. This prevents snooping on the resolver's cache content. + +The module is loaded by default. If you'd like to disable this behavior, you can +unload it: + +.. code-block:: lua + + modules.unload('refuse_nord') diff --git a/modules/refuse_nord/meson.build b/modules/refuse_nord/meson.build new file mode 100644 index 0000000..5142ded --- /dev/null +++ b/modules/refuse_nord/meson.build @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: GPL-3.0-or-later +# C module: refuse_nord + +integr_tests += [ + ['refuse_nord', meson.current_source_dir() / 'test.integr'], +] + +refuse_nord_src = files([ + 'refuse_nord.c', +]) +c_src_lint += refuse_nord_src + +refuse_nord_mod = shared_module( + 'refuse_nord', + refuse_nord_src, + dependencies: libknot, + include_directories: mod_inc_dir, + name_prefix: '', + install: true, + install_dir: modules_dir, + link_with: kresd, +) diff --git a/modules/refuse_nord/refuse_nord.c b/modules/refuse_nord/refuse_nord.c new file mode 100644 index 0000000..607ff61 --- /dev/null +++ b/modules/refuse_nord/refuse_nord.c @@ -0,0 +1,38 @@ +/* Copyright (C) Knot Resolver contributors. + * SPDX-License-Identifier: GPL-3.0-or-later + * + * This module responds to all queries without RD bit set with REFUSED. */ + +#include <libknot/consts.h> +#include <libknot/packet/pkt.h> +#include "daemon/worker.h" +#include "lib/module.h" +#include "lib/layer.h" + +static int refuse_nord_query(kr_layer_t *ctx) +{ + struct kr_request *req = ctx->req; + uint8_t rd = knot_wire_get_rd(req->qsource.packet->wire); + if (rd) + return ctx->state; + + knot_pkt_t *answer = kr_request_ensure_answer(req); + if (!answer) + return ctx->state; + knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED); + knot_wire_clear_ad(answer->wire); + kr_request_set_extended_error(req, KNOT_EDNS_EDE_NOTAUTH, "ABC4"); + ctx->state = KR_STATE_DONE; + return ctx->state; +} + +KR_EXPORT int refuse_nord_init(struct kr_module *module) +{ + static const kr_layer_api_t layer = { + .begin = &refuse_nord_query, + }; + module->layer = &layer; + return kr_ok(); +} + +KR_MODULE_EXPORT(refuse_nord) diff --git a/modules/refuse_nord/test.integr/deckard.yaml b/modules/refuse_nord/test.integr/deckard.yaml new file mode 100644 index 0000000..60bf040 --- /dev/null +++ b/modules/refuse_nord/test.integr/deckard.yaml @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-3.0-or-later +programs: +- name: kresd + binary: kresd + additional: + - --noninteractive + templates: + - modules/refuse_nord/test.integr/kresd_config.j2 + - tests/integration/hints_zone.j2 + configs: + - config + - hints diff --git a/modules/refuse_nord/test.integr/kresd_config.j2 b/modules/refuse_nord/test.integr/kresd_config.j2 new file mode 100644 index 0000000..1abe4e4 --- /dev/null +++ b/modules/refuse_nord/test.integr/kresd_config.j2 @@ -0,0 +1,56 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +{% raw %} +-- make sure DNSSEC is turned off for tests +trust_anchors.remove('.') + +-- Disable RFC5011 TA update +if ta_update then + modules.unload('ta_update') +end + +-- Disable RFC8145 signaling, scenario doesn't provide expected answers +if ta_signal_query then + modules.unload('ta_signal_query') +end + +-- Disable RFC8109 priming, scenario doesn't provide expected answers +if priming then + modules.unload('priming') +end + +-- Disable this module because it make one priming query +if detect_time_skew then + modules.unload('detect_time_skew') +end + +_hint_root_file('hints') +cache.size = 2*MB +log_level('debug') +{% endraw %} + +net = { '{{SELF_ADDR}}' } + + +{% if QMIN == "false" %} +option('NO_MINIMIZE', true) +{% else %} +option('NO_MINIMIZE', false) +{% endif %} + + +-- Self-checks on globals +assert(help() ~= nil) +assert(worker.id ~= nil) +-- Self-checks on facilities +assert(cache.count() == 0) +assert(cache.stats() ~= nil) +assert(cache.backends() ~= nil) +assert(worker.stats() ~= nil) +assert(net.interfaces() ~= nil) +-- Self-checks on loaded stuff +assert(net.list()[1].transport.ip == '{{SELF_ADDR}}') +assert(#modules.list() > 0) +-- Self-check timers +ev = event.recurrent(1 * sec, function (ev) return 1 end) +event.cancel(ev) +ev = event.after(0, function (ev) return 1 end) diff --git a/modules/refuse_nord/test.integr/refuse_nord.rpl b/modules/refuse_nord/test.integr/refuse_nord.rpl new file mode 100644 index 0000000..5515b3a --- /dev/null +++ b/modules/refuse_nord/test.integr/refuse_nord.rpl @@ -0,0 +1,24 @@ +; SPDX-License-Identifier: GPL-3.0-or-later +; config options + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test refuse queries without RD bit + +STEP 10 QUERY +ENTRY_BEGIN +; RD bit is cleared +SECTION QUESTION +www.example.com IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer +REPLY QR RA REFUSED +SECTION QUESTION +www.example.com IN A +SECTION ANSWER +ENTRY_END + +SCENARIO_END |