plugin/acl : add support for Extended DNS Errors

Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>

plugin/acl : add support for Extended DNS Errors
Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>
c136f392 · Ondřej Benkovský · edbe02c0 · c136f392 · c136f392
Commit c136f392 authored Jul 23, 2022 by Ondřej Benkovský
Hide whitespace changes
Inline Side-by-side

Showing with 243 additions and 231 deletions

plugin/acl/acl.go plugin/acl/acl.go +6 -0

plugin/acl/acl_test.go plugin/acl/acl_test.go +237 -231

No files found.
--- a/plugin/acl/acl.go
+++ b/plugin/acl/acl.go
@@ -71,6 +71,9 @@ RulesCheckLoop:
 			{
 				m := new(dns.Msg)
 				m.SetRcode(r, dns.RcodeRefused)
+				m = m.SetEdns0(4096, true)
+				ede := dns.EDNS0_EDE{InfoCode: dns.ExtendedErrorCodeBlocked}
+				m.IsEdns0().Option = append(m.IsEdns0().Option, &ede)
 				w.WriteMsg(m)
 				RequestBlockCount.WithLabelValues(metrics.WithServer(ctx), zone).Inc()
 				return dns.RcodeSuccess, nil
@@ -83,6 +86,9 @@ RulesCheckLoop:
 			{
 				m := new(dns.Msg)
 				m.SetRcode(r, dns.RcodeSuccess)
+				m = m.SetEdns0(4096, true)
+				ede := dns.EDNS0_EDE{InfoCode: dns.ExtendedErrorCodeFiltered}
+				m.IsEdns0().Option = append(m.IsEdns0().Option, &ede)
 				w.WriteMsg(m)
 				RequestFilterCount.WithLabelValues(metrics.WithServer(ctx), zone).Inc()
 				return dns.RcodeSuccess, nil

--- a/plugin/acl/acl_test.go
+++ b/plugin/acl/acl_test.go
@@ -13,6 +13,7 @@ import (
 type testResponseWriter struct {
 	test.ResponseWriter
 	Rcode int
+	Msg   *dns.Msg
 }
 func (t *testResponseWriter) setRemoteIP(ip string) {
@@ -26,6 +27,7 @@ func (t *testResponseWriter) setZone(zone string) {
 // WriteMsg implement dns.ResponseWriter interface.
 func (t *testResponseWriter) WriteMsg(m *dns.Msg) error {
 	t.Rcode = m.Rcode
+	t.Msg = m
 	return nil
 }
@@ -42,373 +44,363 @@ func TestACLServeDNS(t *testing.T) {
 		qtype    uint16
 	}
 	tests := []struct {
-		name      string
+		name                  string
-		config    string
+		config                string
-		zones     []string
+		zones                 []string
-		args      args
+		args                  args
-		wantRcode int
+		wantRcode             int
-		wantErr   bool
+		wantErr               bool
+		wantExtendedErrorCode uint16
 	}{
 		// IPv4 tests.
 		{
-			"Blacklist 1 BLOCKED",
+			name: "Blacklist 1 BLOCKED",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 192.168.0.0/16
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.0.2",
+				sourceIP: "192.168.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 1 ALLOWED",
+			name: "Blacklist 1 ALLOWED",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 192.168.0.0/16
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.167.0.2",
+				sourceIP: "192.167.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Blacklist 2 BLOCKED",
+			name: "Blacklist 2 BLOCKED",
-			`
+			config: `
 			acl example.org {
 				block type * net 192.168.0.0/16
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.0.2",
+				sourceIP: "192.168.0.2",
-				dns.TypeAAAA,
+				qtype:    dns.TypeAAAA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 3 BLOCKED",
+			name: "Blacklist 3 BLOCKED",
-			`acl example.org {
+			config: `acl example.org {
 				block type A
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"10.1.0.2",
+				sourceIP: "10.1.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 3 ALLOWED",
+			name: "Blacklist 3 ALLOWED",
-			`acl example.org {
+			config: `acl example.org {
 				block type A
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"10.1.0.2",
+				sourceIP: "10.1.0.2",
-				dns.TypeAAAA,
+				qtype:    dns.TypeAAAA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Blacklist 4 Single IP BLOCKED",
+			name: "Blacklist 4 Single IP BLOCKED",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 192.168.1.2
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.1.2",
+				sourceIP: "192.168.1.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 4 Single IP ALLOWED",
+			name: "Blacklist 4 Single IP ALLOWED",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 192.168.1.2
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.1.3",
+				sourceIP: "192.168.1.3",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Filter 1 FILTERED",
+			name: "Filter 1 FILTERED",
-			`acl example.org {
+			config: `acl example.org {
 				filter type A net 192.168.0.0/16
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.0.2",
+				sourceIP: "192.168.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode:             dns.RcodeSuccess,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeFiltered,
 		},
 		{
-			"Filter 1 ALLOWED",
+			name: "Filter 1 ALLOWED",
-			`acl example.org {
+			config: `acl example.org {
 				filter type A net 192.168.0.0/16
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.167.0.2",
+				sourceIP: "192.167.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Whitelist 1 ALLOWED",
+			name: "Whitelist 1 ALLOWED",
-			`acl example.org {
+			config: `acl example.org {
 				allow net 192.168.0.0/16
 				block
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.0.2",
+				sourceIP: "192.168.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Whitelist 1 REFUSED",
+			name: "Whitelist 1 REFUSED",
-			`acl example.org {
+			config: `acl example.org {
 				allow type * net 192.168.0.0/16
 				block
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"10.1.0.2",
+				sourceIP: "10.1.0.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Fine-Grained 1 REFUSED",
+			name: "Fine-Grained 1 REFUSED",
-			`acl a.example.org {
+			config: `acl a.example.org {
 				block type * net 192.168.1.0/24
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"a.example.org.",
+				domain:   "a.example.org.",
-				"192.168.1.2",
+				sourceIP: "192.168.1.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Fine-Grained 1 ALLOWED",
+			name: "Fine-Grained 1 ALLOWED",
-			`acl a.example.org {
+			config: `acl a.example.org {
 				block net 192.168.1.0/24
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"192.168.1.2",
+				sourceIP: "192.168.1.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Fine-Grained 2 REFUSED",
+			name: "Fine-Grained 2 REFUSED",
-			`acl example.org {
+			config: `acl example.org {
 				block net 192.168.1.0/24
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"a.example.org.",
+				domain:   "a.example.org.",
-				"192.168.1.2",
+				sourceIP: "192.168.1.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Fine-Grained 2 ALLOWED",
+			name: "Fine-Grained 2 ALLOWED",
-			`acl {
+			config: `acl {
 				block net 192.168.1.0/24
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"a.example.com.",
+				domain:   "a.example.com.",
-				"192.168.1.2",
+				sourceIP: "192.168.1.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Fine-Grained 3 REFUSED",
+			name: "Fine-Grained 3 REFUSED",
-			`acl a.example.org {
+			config: `acl a.example.org {
 				block net 192.168.1.0/24
 			}
 			acl b.example.org {
 				block type * net 192.168.2.0/24
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"b.example.org.",
+				domain:   "b.example.org.",
-				"192.168.2.2",
+				sourceIP: "192.168.2.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Fine-Grained 3 ALLOWED",
+			name: "Fine-Grained 3 ALLOWED",
-			`acl a.example.org {
+			config: `acl a.example.org {
 				block net 192.168.1.0/24
 			}
 			acl b.example.org {
 				block net 192.168.2.0/24
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"b.example.org.",
+				domain:   "b.example.org.",
-				"192.168.1.2",
+				sourceIP: "192.168.1.2",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		// IPv6 tests.
 		{
-			"Blacklist 1 BLOCKED IPv6",
+			name: "Blacklist 1 BLOCKED IPv6",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 2001:db8:abcd:0012::0/64
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:db8:abcd:0012::1230",
+				sourceIP: "2001:db8:abcd:0012::1230",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 1 ALLOWED IPv6",
+			name: "Blacklist 1 ALLOWED IPv6",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 2001:db8:abcd:0012::0/64
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:db8:abcd:0013::0",
+				sourceIP: "2001:db8:abcd:0013::0",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Blacklist 2 BLOCKED IPv6",
+			name: "Blacklist 2 BLOCKED IPv6",
-			`acl example.org {
+			config: `acl example.org {
 				block type A
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 3 Single IP BLOCKED IPv6",
+			name: "Blacklist 3 Single IP BLOCKED IPv6",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Blacklist 3 Single IP ALLOWED IPv6",
+			name: "Blacklist 3 Single IP ALLOWED IPv6",
-			`acl example.org {
+			config: `acl example.org {
 				block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
 			}`,
-			[]string{},
+			zones: []string{},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:0db8:85a3:0000:0000:8a2e:0370:7335",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7335",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Fine-Grained 1 REFUSED IPv6",
+			name: "Fine-Grained 1 REFUSED IPv6",
-			`acl a.example.org {
+			config: `acl a.example.org {
 				block type * net 2001:db8:abcd:0012::0/64
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"a.example.org.",
+				domain:   "a.example.org.",
-				"2001:db8:abcd:0012:2019::0",
+				sourceIP: "2001:db8:abcd:0012:2019::0",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
-			"Fine-Grained 1 ALLOWED IPv6",
+			name: "Fine-Grained 1 ALLOWED IPv6",
-			`acl a.example.org {
+			config: `acl a.example.org {
 				block net 2001:db8:abcd:0012::0/64
 			}`,
-			[]string{"example.org"},
+			zones: []string{"example.org"},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:db8:abcd:0012:2019::0",
+				sourceIP: "2001:db8:abcd:0012:2019::0",
-				dns.TypeA,
+				qtype:    dns.TypeA,
 			},
-			dns.RcodeSuccess,
+			wantRcode: dns.RcodeSuccess,
-			false,
 		},
 		{
-			"Blacklist Address%ifname",
+			name: "Blacklist Address%ifname",
-			`acl example.org {
+			config: `acl example.org {
 				block type AAAA net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
 			}`,
-			[]string{"eth0"},
+			zones: []string{"eth0"},
-			args{
+			args: args{
-				"www.example.org.",
+				domain:   "www.example.org.",
-				"2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
-				dns.TypeAAAA,
+				qtype:    dns.TypeAAAA,
 			},
-			dns.RcodeRefused,
+			wantRcode:             dns.RcodeRefused,
-			false,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 	}
@@ -438,6 +430,20 @@ func TestACLServeDNS(t *testing.T) {
 			if w.Rcode != tt.wantRcode {
 				t.Errorf("Error: acl.ServeDNS() Rcode = %v, want %v", w.Rcode, tt.wantRcode)
 			}
+			if tt.wantExtendedErrorCode != 0 {
+				matched := false
+				for _, opt := range w.Msg.IsEdns0().Option {
+					if ede, ok := opt.(*dns.EDNS0_EDE); ok {
+						if ede.InfoCode != tt.wantExtendedErrorCode {
+							t.Errorf("Error: acl.ServeDNS() Extended DNS Error = %v, want %v", ede.InfoCode, tt.wantExtendedErrorCode)
+						}
+						matched = true
+					}
+				}
+				if !matched {
+					t.Error("Error: acl.ServeDNS() missing Extended DNS Error option")
+				}
+			}
 		})
 	}
 }