Preparing for DNS flag day

laolm · Feb 1, 2019 · f5bcdd2 · f5bcdd2
1 parent 90a3a0e
commit f5bcdd2
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/responder/dns_common.go b/responder/dns_common.go
@@ -40,6 +40,22 @@ const (
 	StatsQueryUniqueIps  = "resolver:queries:remote_ips"
 )
 
+var EDNSOptions = map[uint16]bool{
+	dns.EDNS0LLQ:          true,
+	dns.EDNS0UL:           true,
+	dns.EDNS0NSID:         true,
+	dns.EDNS0DAU:          true,
+	dns.EDNS0DHU:          true,
+	dns.EDNS0N3U:          true,
+	dns.EDNS0SUBNET:       true,
+	dns.EDNS0EXPIRE:       true,
+	dns.EDNS0COOKIE:       true,
+	dns.EDNS0TCPKEEPALIVE: true,
+	dns.EDNS0PADDING:      true,
+	dns.EDNS0LOCALSTART:   true,
+	dns.EDNS0LOCALEND:     true,
+}
+
 type StackAddedPanic struct {
 	trc []byte
 	rcv interface{}

diff --git a/responder/snitch_dns.go b/responder/snitch_dns.go
@@ -311,6 +311,29 @@ func handleSnitch(cfg runtime.NSnitchConfig, rt *runtime.Runtime, d *runtime.Ser
 			}
 			skipdb = true
 		}
+		/// handle EDNS0 properly
+		if opt := r.IsEdns0(); opt != nil {
+
+			m.SetEdns0(512, false)
+			/// check for supported EDNS version (0)
+			if opt.Version() != 0 {
+				m.MsgHdr.Authoritative = true
+				m.Compress = true
+				m.IsEdns0().SetExtendedRcode(dns.RcodeBadVers)
+				if err := w.WriteMsg(m); err != nil {
+					lgr.Errorf("Cannot write response [%s]", err.Error())
+				}
+				return
+			}
+
+			/// check for invalid EDNS0 options
+			for _, o := range opt.Option {
+
+				if EDNSOptions[o.Option()] == false {
+					lgr.Warnf("Bogus EDNS0 Option code received [%d]. Ignoring", o.Option())
+				}
+			}
+		}
 
 		switch r.Question[0].Qtype {
 		case dns.TypeANY: