From eb5bae862eaa38daa0d49e84ef935406bcaeb721 Mon Sep 17 00:00:00 2001 From: Bert Hubert Date: Thu, 16 Nov 2006 21:10:54 +0000 Subject: [PATCH] implement 'dont-query', and enable it by default, which means we no longer query rfc1918 space, nor 127.0.0.1 git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@923 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- pdns/docs/pdns.sgml | 10 ++++++++++ pdns/iputils.hh | 6 +++--- pdns/lwres.cc | 1 - pdns/pdns_recursor.cc | 16 ++++++++++++++++ pdns/syncres.cc | 5 +++++ 5 files changed, 34 insertions(+), 4 deletions(-) diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index 3a574b1fd..def48d8ec 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml @@ -6792,6 +6792,16 @@ local0.err /var/log/pdns.err + + dont-query + + + The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, + depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query + private space IP addresses. This setting can be used to expand or reduce the limitations. + + + export-etc-hosts diff --git a/pdns/iputils.hh b/pdns/iputils.hh index d5f18d0da..a562a2f90 100644 --- a/pdns/iputils.hh +++ b/pdns/iputils.hh @@ -119,7 +119,7 @@ union ComboAddress { } } - bool isMappedIPv4() + bool isMappedIPv4() const { if(sin4.sin_family!=AF_INET6) return false; @@ -137,7 +137,7 @@ union ComboAddress { return true; } - ComboAddress mapToIPv4() + ComboAddress mapToIPv4() const { if(!isMappedIPv4()) throw AhuException("ComboAddress can't map non-mapped IPv6 address back to IPv4"); @@ -266,7 +266,7 @@ class NetmaskGroup { public: //! If this IP address is matched by any of the classes within - bool match(ComboAddress *ip) + bool match(const ComboAddress *ip) { for(container_t::const_iterator i=d_masks.begin();i!=d_masks.end();++i) if(i->match(ip) || (ip->isMappedIPv4() && i->match(ip->mapToIPv4()) )) 
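Review bot: `NetmaskGroup::match` now takes a `const ComboAddress *`, but the method itself is still non-const even though the visible body only walks `d_masks` through a `const_iterator`; making it `bool match(const ComboAddress *ip) const` would let a read-only reference to the group be used from the resolver as well. The mapped-IPv4 branch is the security-relevant line of this hunk and deserves a comment, since it is what stops a v6-form address from slipping past v4 masks: `// an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is also matched against the IPv4 masks, so a v4 range cannot be bypassed via its v6 form`. The body of `match` continues past the end of the hunk.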
diff --git a/pdns/lwres.cc b/pdns/lwres.cc index 79637969b..cd0028139 100644 --- a/pdns/lwres.cc +++ b/pdns/lwres.cc @@ -52,7 +52,6 @@ LWRes::~LWRes() delete[] d_buf; } - //! returns -2 for OS limits error, -1 for permanent error that has to do with remote, 0 for timeout, 1 for success /** Never throws! */ int LWRes::asyncresolve(const ComboAddress& ip, const string& domain, int type, bool doTCP, struct timeval* now) diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 35a17f159..bc71226f5 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -76,6 +76,7 @@ MemRecursorCache RC; RecursorStats g_stats; bool g_quiet; NetmaskGroup* g_allowFrom; +NetmaskGroup* g_dontQuery; string s_programname="pdns_recursor"; typedef vector g_tcpListenSockets_t; g_tcpListenSockets_t g_tcpListenSockets; @@ -1489,6 +1490,20 @@ int serviceMain(int argc, char*argv[]) else if(::arg()["local-address"]!="127.0.0.1" && ::arg().asNum("local-port")==53) L< ips; + stringtok(ips, ::arg()["dont-query"], ", "); + L<::const_iterator i = ips.begin(); i!= ips.end(); ++i) { + g_dontQuery->addMask(*i); + if(i!=ips.begin()) + L< nameservers, string auth, } for(remoteIP = remoteIPs.begin(); remoteIP != remoteIPs.end(); ++remoteIP) { LOG<toString() <<", asking '"<match(&*remoteIP)) { + LOG<toString() << ", blocked by 'dont-query' setting" << endl; + continue; } else { s_outqueries++; d_outqueries++; -- 2.49.0
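Review bot: The new check in the nameserver loop decides purely on `remoteIP`, so its protection is only as good as the configured list, and the default value of `dont-query` is set somewhere this patch does not show (the subject says RFC1918 plus 127.0.0.1). `NetmaskGroup::match` folds IPv4-mapped addresses back to IPv4 but does nothing for native IPv6, so a delegation to `::1`, `fe80::/10` or `fc00::/7` would pass through, as would `0.0.0.0/8`, `169.254.0.0/16` and `224.0.0.0/4`; please confirm the default list covers these or document why not. The blocked branch only emits a debug `LOG` and `continue`s, so an operator cannot tell a domain whose every nameserver was filtered from an ordinary timeout; consider a counter beside `s_outqueries++` (e.g. a new `s_dontqueries` static) bumped in the blocked branch. The `g_dontQuery->match(...)` call is also unguarded against a null `g_dontQuery`; the allocation in `serviceMain` is garbled in this diff so I cannot confirm it always precedes resolution. The enclosing `doResolveAt` loop begins and ends outside the hunk.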