author | Casey Deccio <casey@deccio.net> | 2016-10-27 23:34:46 +0300 |
committer | Casey Deccio <casey@deccio.net> | 2016-10-27 23:34:46 +0300 |
commit | 6fcc518132f7ffe17dcbccd6bc8efe4c59e21d14 (patch) | |
tree | 5617b2eb8dd14692df8c0ae92311d6dba5bde93e | |
parent | 506b9227f552ae04fc98f6c7c8db49d6ac41ef9c (diff) | |
parent | aa6ca06dffb9194477c2507420c7d3ef170afab2 (diff) |
Merge branch 'master' of github.com:dnsviz/dnsviz
-rw-r--r-- | dnsviz/analysis/online.py | 6 | ||||
-rw-r--r-- | dnsviz/commands/probe.py | 4 | ||||
-rw-r--r-- | dnsviz/ipaddr.py | 1 | ||||
-rw-r--r-- | dnsviz/resolver.py | 28 |
4 files changed, 32 insertions, 7 deletions
diff --git a/dnsviz/analysis/online.py b/dnsviz/analysis/online.py
index 8724007..1827402 100644
--- a/dnsviz/analysis/online.py
+++ b/dnsviz/analysis/online.py
@@ -996,8 +996,8 @@ class Analyst(object):
 self.th_factories = (self.default_th_factory,)
 else:
 self.th_factories = th_factories
- self.allow_loopback_query = bool([x for x in self.th_factories if x.cls.allow_loopback_query])
- self.allow_private_query = bool([x for x in self.th_factories if x.cls.allow_private_query])
+ self.allow_loopback_query = not bool([x for x in self.th_factories if not x.cls.allow_loopback_query])
+ self.allow_private_query = not bool([x for x in self.th_factories if not x.cls.allow_private_query])
 self.name = name
 self.dlv_domain = dlv_domain
@@ -1340,7 +1340,7 @@ class Analyst(object):
 servers = [x for x in servers if not LOOPBACK_IPV4_RE.match(x) and not x == LOOPBACK_IPV6]
 if not self.allow_private_query:
 servers = [x for x in servers if not RFC_1918_RE.match(x) and not LINK_LOCAL_RE.match(x) and not UNIQ_LOCAL_RE.match(x)]
- return servers
+ return [x for x in servers if ZERO_SLASH8_RE.search(x) is None]
 def _filter_servers(self, servers, no_raise=False):
 filtered_servers = self._filter_servers_network(servers)
diff --git a/dnsviz/commands/probe.py b/dnsviz/commands/probe.py
index 6aff3e0..a03df2c 100644
--- a/dnsviz/commands/probe.py
+++ b/dnsviz/commands/probe.py
@@ -64,7 +64,7 @@ from dnsviz.analysis import WILDCARD_EXPLICIT_DELEGATION, PrivateAnalyst, Privat
 import dnsviz.format as fmt
 from dnsviz.ipaddr import IPAddr
 from dnsviz.query import StandardRecursiveQueryCD
-from dnsviz.resolver import DNSAnswer, Resolver, FullResolver
+from dnsviz.resolver import DNSAnswer, Resolver, PrivateFullResolver
 from dnsviz import transport
 from dnsviz.util import get_client_address, get_root_hints
 lb2s = fmt.latin1_binary_to_string
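Review bot: The two new assignments in Analyst.__init__ derive an "every factory allows it" flag by collecting the dissenting factories into a list and negating its truthiness; `all()` states that directly and short-circuits: `self.allow_loopback_query = all(x.cls.allow_loopback_query for x in self.th_factories)` and likewise `self.allow_private_query = all(x.cls.allow_private_query for x in self.th_factories)`. The same construct is introduced in FullResolver.__init__ in the resolver.py hunk at -302,13. Either form evaluates to True for an empty `th_factories` sequence, so if an empty tuple can reach this point the permissive result is presumably intended and deserves a one-line comment saying so. Analyst.__init__ begins and ends outside the hunk.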
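Review bot: The new return line tests `ZERO_SLASH8_RE.search(x) is None` while the three filters immediately above it in the same method use `.match(x)`; the pattern is `^`-anchored so the result is identical, but one idiom per method reads better, e.g. `return [x for x in servers if not ZERO_SLASH8_RE.match(x)]`. Unlike the loopback and private filters, this rejection is not gated by an allow flag, which is worth stating with a comment such as `# 0.0.0.0/8 is never a valid destination, so drop it regardless of policy`. The method's opening lines, including the `if not self.allow_loopback_query:` branch, are outside the hunk.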
@@ -120,7 +120,7 @@ def _init_full_resolver():
 hints = get_root_hints()
 for key in explicit_delegations:
 hints[key] = explicit_delegations[key]
- resolver = FullResolver(hints, odd_ports=odd_ports, transport_manager=tm)
+ resolver = PrivateFullResolver(hints, odd_ports=odd_ports, transport_manager=tm)
 def _init_interrupt_handler():
 signal.signal(signal.SIGINT, _raise_eof)
diff --git a/dnsviz/ipaddr.py b/dnsviz/ipaddr.py
index a1e9af9..18a4e9a 100644
--- a/dnsviz/ipaddr.py
+++ b/dnsviz/ipaddr.py
@@ -85,6 +85,7 @@ LOOPBACK_IPV6 = IPAddr('::1')
 RFC_1918_RE = re.compile(r'^(0?10|172\.0?(1[6-9]|2[0-9]|3[0-1])|192\.168)\.')
 LINK_LOCAL_RE = re.compile(r'^fe[89ab][0-9a-f]:', re.IGNORECASE)
 UNIQ_LOCAL_RE = re.compile(r'^fd[0-9a-f]{2}:', re.IGNORECASE)
+ZERO_SLASH8_RE = re.compile(r'^0\.')
 ANY_IPV6 = IPAddr('::')
 ANY_IPV4 = IPAddr('0.0.0.0')
diff --git a/dnsviz/resolver.py b/dnsviz/resolver.py
index 3e3921a..bd0a556 100644
--- a/dnsviz/resolver.py
+++ b/dnsviz/resolver.py
@@ -29,7 +29,7 @@ import threading
 import time
 from . import query
-from .ipaddr import IPAddr
+from .ipaddr import *
 from . import response as Response
 from . import transport
 from . import util
@@ -292,6 +292,8 @@ class FullResolver:
 MIN_TTL = 60
 MAX_CHAIN = 20
+ default_th_factory = transport.DNSQueryTransportHandlerDNSFactory()
+
 def __init__(self, hints=util.get_root_hints(), query_cls=(query.QuickDNSSECQuery, query.RobustDNSSECQuery), client_ipv4=None, client_ipv6=None, odd_ports=None, transport_manager=None, th_factories=None, max_ttl=None):
 self._hints = hints
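Review bot: `ZERO_SLASH8_RE` is added without a comment naming the range it covers, unlike the RFC 1918 pattern whose name carries that information; a line such as `# 0.0.0.0/8, "this host on this network" (RFC 6890): never a valid destination` above it would make the intent clear. The neighbouring patterns cover IPv4 RFC 1918, IPv6 link-local and IPv6 unique-local space, so IPv4 link-local 169.254.0.0/16 has no pattern in this group, and the IPv6 unspecified address `::` (ANY_IPV6, defined two lines below) has no counterpart to the new 0/8 check; if those are handled elsewhere a comment pointing there would help, otherwise consider adding them. Since `^0\.` runs against the string form of an address, it presumably will not recognise an IPv4-mapped IPv6 form such as `::ffff:0.1.2.3` unless IPAddr normalises those, which is worth confirming.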
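Review bot: `from .ipaddr import *` replaces an explicit import with a star import, which pulls every public name of ipaddr (including any modules it imports itself, such as `re`, unless ipaddr declares `__all__`) into this module's namespace and hides which names resolver.py actually depends on. The names the new code needs are all visible in the later hunks, so an explicit list keeps the dependency auditable: `from .ipaddr import IPAddr, LOOPBACK_IPV4_RE, LOOPBACK_IPV6, RFC_1918_RE, LINK_LOCAL_RE, UNIQ_LOCAL_RE, ZERO_SLASH8_RE`.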
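Review bot: `default_th_factory` instantiates a transport factory at class-definition time, so a single factory object is shared by every FullResolver instance (and, through the matching attribute in the PrivateFullResolver hunk at -710,6, by every instance of that subclass), and the construction happens on import even when a caller supplies its own `th_factories`. If the factory carries any per-connection state this sharing is observable; a comment such as `# shared across instances: the factory must stay stateless` would document the assumption, or the factory could be built lazily in `__init__` when `th_factories` is None. The `__init__` signature on the context line keeps `hints=util.get_root_hints()` as a default evaluated once at import, which is pre-existing but worth noting next to the new `None`-default handling of `th_factories`.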
@@ -302,13 +304,28 @@ class FullResolver:
 odd_ports = {}
 self._odd_ports = odd_ports
 self._transport_manager = transport_manager
- self._th_factories = th_factories
+ if th_factories is None:
+ self._th_factories = (self.default_th_factory,)
+ else:
+ self._th_factories = th_factories
+ self.allow_loopback_query = not bool([x for x in self._th_factories if not x.cls.allow_loopback_query])
+ self.allow_private_query = not bool([x for x in self._th_factories if not x.cls.allow_private_query])
+
 self._max_ttl = max_ttl
 self._cache = {}
 self._expirations = []
 self._cache_lock = threading.Lock()
+ def _allow_server(self, server):
+ if not self.allow_loopback_query and (LOOPBACK_IPV4_RE.search(server) is not None or server == LOOPBACK_IPV6):
+ return False
+ if not self.allow_private_query and (RFC_1918_RE.search(server) is not None or LINK_LOCAL_RE.search(server) is not None or UNIQ_LOCAL_RE.search(server) is not None):
+ return False
+ if ZERO_SLASH8_RE.search(server) is not None:
+ return False
+ return True
+
 def flush_cache(self):
 with self._cache_lock:
 self._cache = {}
@@ -539,6 +556,10 @@ class FullResolver:
 ns_names[ns_name].add(IPAddr(rdata.address))
 for server in ns_names[ns_name]:
+ # server disallowed by policy
+ if not self._allow_server(server):
+ continue
+
 q = query_cls(qname, rdtype, rdclass, (server,), bailiwick, self._client_ipv4, self._client_ipv6, self._odd_ports.get((bailiwick, server), 53))
 q.execute(tm=self._transport_manager, th_factories=self._th_factories)
 is_referral = False
@@ -710,6 +731,9 @@ class FullResolver:
 raise ServFail('SERVFAIL - no valid responses')
+class PrivateFullResolver(FullResolver):
+ default_th_factory = transport.DNSQueryTransportHandlerDNSPrivateFactory()
+
 def main():
 import sys
 import getopt
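Review bot: `_allow_server` has no docstring although its three rejections encode the resolver's query policy; add `"""Return False for servers this resolver must not query: loopback and private/link-local addresses when the transport factories disallow them, and 0.0.0.0/8 unconditionally."""`. The checks run compiled regexes against `server`, which in the -539,6 hunk is an `IPAddr` built from `rdata.address`, so this relies on IPAddr being acceptable to `re` as a string; the server filtering in online.py's Analyst does the same, so it presumably holds, but a comment would spare the next reader the lookup. The `__init__` body that the first part of the hunk modifies starts outside the hunk.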
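Review bot: The new `continue` drops a rejected server without any record, and if every address of every name server is rejected the loop completes having sent no query at all; from the final hunk it looks like that surfaces only as the generic `ServFail('SERVFAIL - no valid responses')`, indistinguishable from servers that did answer but badly. Consider counting or debug-logging the rejection so a delegation that points at loopback or private space can be diagnosed, and expand the comment to `# skip servers the loopback/private/0.0.0.0/8 policy forbids (see _allow_server)`. The enclosing loop and the code that follows it are outside the hunk.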