XFR is now limited to certains IP configured in the config file

https://github.com/outout14/sacrebleu-dns/issues/11 https://github.com/outout14/sacrebleu-dns/issues/11#issuecomment-753423572
2 years ago · 1ec2b3c5a2
parent 384ca40434
commit 1ec2b3c5a2
6 changed files with 38 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -56,6 +56,8 @@ Variables names are case sensitives.
 |Port|int|``6379``|Redis Database port
 |DB|int|``0``|Redis Database ID
 |TTL|int|``10``|Redis Time To Live (in seconds)
+|DNS|Section
+|XfrIPs|[]string|``*,192.0.2.9,192.0.2.98``|Allowed IPs for XFR transfer (``*`` for any)

 ## What is working 
 - Read records (stricts & wildcard) from MySQL
--- a/core/handleDnsRequest.go
+++ b/core/handleDnsRequest.go
@ -1,24 +1,36 @@
 package core

 import (
+	"net"
+
 	"github.com/miekg/dns"
+	"github.com/outout14/sacrebleu-dns/utils"
 )

 //HandleDNSRequest : Handle the DNS request using miekg/dns
 //Requires dns.ReponseWriter and dns.Msg args
-func HandleDNSRequest(w dns.ResponseWriter, r *dns.Msg) {
-
+func HandleDNSRequest(w dns.ResponseWriter, r *dns.Msg, conf *utils.Conf) {
 	//dns.Msg object
 	//Will be passed to the parseQuery() function
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false

+	ip, _, _ := net.SplitHostPort(w.RemoteAddr().String())
+
 	if r.Question[0].Qtype == dns.TypeAXFR {
-		parseAXFR(m)
+		if utils.XfrAllowed(ip, conf) {
+			parseAXFR(m)
+		} else {
+			m := new(dns.Msg)
+			m.SetRcode(r, dns.RcodeRefused)
+			w.WriteMsg(m)
+		}
+
 	} else if r.Opcode == dns.OpcodeQuery { //Only respond to dns queries
 		parseQuery(m)
 	}

 	w.WriteMsg(m) //Write the DNS response
+
 }
--- a/extra/config.ini.example
+++ b/extra/config.ini.example
@ -23,6 +23,6 @@ Password = ""
 DB = 0
 TTL = 10  #In seconds 

-[Dns]
-XfrIPs = ["*"] #Array of slaves IPs
-Nameservers = ["ns1.example.org", "ns2.example.org", "ns1.example.com"] #Arry of NS urls. (the first one is the master) 
+[DNS]
+XfrIPs = *, 10.100.0.3 #Array of slaves IPs
+Nameservers = ns1.example.org, ns2.example.org, ns1.example.com #Arry of NS urls. (the first one is the master) 
--- a/main.go
+++ b/main.go
@ -35,7 +35,7 @@ func main() {
 	utils.InitLogger(conf)

 	//Attach DNS request handler func for all domains
-	dns.HandleFunc(".", core.HandleDNSRequest)
+	dns.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) { core.HandleDNSRequest(w, r, conf) })

 	//Initialize the redis database
 	utils.RedisDatabase(conf)
@ -49,7 +49,9 @@ func main() {
 	//Start the DNS server
 	server := &dns.Server{Addr: conf.App.IP + ":" + strconv.Itoa(conf.App.Port), Net: "tcp"}             //define the server
 	logrus.WithFields(logrus.Fields{"ip": conf.App.IP, "port": conf.App.Port}).Infof("SERVER : Started") //log
-	err = server.ListenAndServe()                                                                        //start it
+	logrus.WithFields(logrus.Fields{"XfrIPs": conf.DNS.XfrIPs}).Debug("")
+
+	err = server.ListenAndServe() //start it
 	utils.CheckErr(err)

 	defer server.Shutdown() //shut down on application closing
--- a/utils/axfr.go
+++ b/utils/axfr.go
@ -4,6 +4,19 @@ import (
 	"github.com/outout14/sacrebleu-api/api/types"
 )

+//XfrAllowed : check if the IP is allowed to perform XFR requests
+func XfrAllowed(remoteIP string, conf *Conf) bool {
+	for _, ip := range conf.DNS.XfrIPs {
+		if ip == "*" {
+			return true
+		}
+		if ip == remoteIP {
+			return true
+		}
+	}
+	return false
+}
+
 //GetAllRecords : Retrive all records for a domain
 func GetAllRecords(d types.Domain) []types.Record {
 	results := []types.Record{}
--- a/utils/structs.go
+++ b/utils/structs.go
@ -39,4 +39,5 @@ type Conf struct {
 	App
 	Database
 	Redis
+	DNS DNS
 }