From 1ec2b3c5a273512af6e5c7d570b4ba303e3ef8dd Mon Sep 17 00:00:00 2001
From: Mael GRAMAIN <outout@linuxmail.org>
Date: Sun, 3 Jan 2021 15:57:06 -0400
Subject: [PATCH] XFR is now limited to certains IP configured in the config
 file

https://github.com/outout14/sacrebleu-dns/issues/11
https://github.com/outout14/sacrebleu-dns/issues/11#issuecomment-753423572
---
 README.md                |  2 ++
 core/handleDnsRequest.go | 18 +++++++++++++++---
 extra/config.ini.example |  6 +++---
 main.go                  |  6 ++++--
 utils/axfr.go            | 13 +++++++++++++
 utils/structs.go         |  1 +
 6 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 250eef1..35d0eee 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,8 @@ Variables names are case sensitives.
 |Port|int|``6379``|Redis Database port
 |DB|int|``0``|Redis Database ID
 |TTL|int|``10``|Redis Time To Live (in seconds)
+|DNS|Section
+|XfrIPs|[]string|``*,192.0.2.9,192.0.2.98``|Allowed IPs for XFR transfer (``*`` for any)
 
 ## What is working 
 - Read records (stricts & wildcard) from MySQL
diff --git a/core/handleDnsRequest.go b/core/handleDnsRequest.go
index 97e0499..b9eaaaa 100644
--- a/core/handleDnsRequest.go
+++ b/core/handleDnsRequest.go
@@ -1,24 +1,36 @@
 package core
 
 import (
+	"net"
+
 	"github.com/miekg/dns"
+	"github.com/outout14/sacrebleu-dns/utils"
 )
 
 //HandleDNSRequest : Handle the DNS request using miekg/dns
 //Requires dns.ReponseWriter and dns.Msg args
-func HandleDNSRequest(w dns.ResponseWriter, r *dns.Msg) {
-
+func HandleDNSRequest(w dns.ResponseWriter, r *dns.Msg, conf *utils.Conf) {
 	//dns.Msg object
 	//Will be passed to the parseQuery() function
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false
 
+	ip, _, _ := net.SplitHostPort(w.RemoteAddr().String())
+
 	if r.Question[0].Qtype == dns.TypeAXFR {
-		parseAXFR(m)
+		if utils.XfrAllowed(ip, conf) {
+			parseAXFR(m)
+		} else {
+			m := new(dns.Msg)
+			m.SetRcode(r, dns.RcodeRefused)
+			w.WriteMsg(m)
+		}
+
 	} else if r.Opcode == dns.OpcodeQuery { //Only respond to dns queries
 		parseQuery(m)
 	}
 
 	w.WriteMsg(m) //Write the DNS response
+
 }
diff --git a/extra/config.ini.example b/extra/config.ini.example
index efc13ce..062a2f9 100644
--- a/extra/config.ini.example
+++ b/extra/config.ini.example
@@ -23,6 +23,6 @@ Password = ""
 DB = 0
 TTL = 10  #In seconds 
 
-[Dns]
-XfrIPs = ["*"] #Array of slaves IPs
-Nameservers = ["ns1.example.org", "ns2.example.org", "ns1.example.com"] #Arry of NS urls. (the first one is the master) 
\ No newline at end of file
+[DNS]
+XfrIPs = *, 10.100.0.3 #Array of slaves IPs
+Nameservers = ns1.example.org, ns2.example.org, ns1.example.com #Arry of NS urls. (the first one is the master) 
\ No newline at end of file
diff --git a/main.go b/main.go
index 14122c6..0a35db6 100644
--- a/main.go
+++ b/main.go
@@ -35,7 +35,7 @@ func main() {
 	utils.InitLogger(conf)
 
 	//Attach DNS request handler func for all domains
-	dns.HandleFunc(".", core.HandleDNSRequest)
+	dns.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) { core.HandleDNSRequest(w, r, conf) })
 
 	//Initialize the redis database
 	utils.RedisDatabase(conf)
@@ -49,7 +49,9 @@ func main() {
 	//Start the DNS server
 	server := &dns.Server{Addr: conf.App.IP + ":" + strconv.Itoa(conf.App.Port), Net: "tcp"}             //define the server
 	logrus.WithFields(logrus.Fields{"ip": conf.App.IP, "port": conf.App.Port}).Infof("SERVER : Started") //log
-	err = server.ListenAndServe()                                                                        //start it
+	logrus.WithFields(logrus.Fields{"XfrIPs": conf.DNS.XfrIPs}).Debug("")
+
+	err = server.ListenAndServe() //start it
 	utils.CheckErr(err)
 
 	defer server.Shutdown() //shut down on application closing
diff --git a/utils/axfr.go b/utils/axfr.go
index 3685835..15bcd3a 100644
--- a/utils/axfr.go
+++ b/utils/axfr.go
@@ -4,6 +4,19 @@ import (
 	"github.com/outout14/sacrebleu-api/api/types"
 )
 
+//XfrAllowed : check if the IP is allowed to perform XFR requests
+func XfrAllowed(remoteIP string, conf *Conf) bool {
+	for _, ip := range conf.DNS.XfrIPs {
+		if ip == "*" {
+			return true
+		}
+		if ip == remoteIP {
+			return true
+		}
+	}
+	return false
+}
+
 //GetAllRecords : Retrive all records for a domain
 func GetAllRecords(d types.Domain) []types.Record {
 	results := []types.Record{}
diff --git a/utils/structs.go b/utils/structs.go
index f188909..1b1f932 100644
--- a/utils/structs.go
+++ b/utils/structs.go
@@ -39,4 +39,5 @@ type Conf struct {
 	App
 	Database
 	Redis
+	DNS DNS
 }