
github.com/dnsviz/dnsviz.git - Unnamed repository; edit this file 'description' to name the repository.
authorCasey Deccio <casey@deccio.net>2016-10-27 23:34:46 +0300
committerCasey Deccio <casey@deccio.net>2016-10-27 23:34:46 +0300
commit6fcc518132f7ffe17dcbccd6bc8efe4c59e21d14 (patch)
tree5617b2eb8dd14692df8c0ae92311d6dba5bde93e
parent506b9227f552ae04fc98f6c7c8db49d6ac41ef9c (diff)
parentaa6ca06dffb9194477c2507420c7d3ef170afab2 (diff)
Merge branch 'master' of github.com:dnsviz/dnsviz
-rw-r--r--dnsviz/analysis/online.py6
-rw-r--r--dnsviz/commands/probe.py4
-rw-r--r--dnsviz/ipaddr.py1
-rw-r--r--dnsviz/resolver.py28
4 files changed, 32 insertions, 7 deletions
diff --git a/dnsviz/analysis/online.py b/dnsviz/analysis/online.py
index 8724007..1827402 100644
--- a/dnsviz/analysis/online.py
+++ b/dnsviz/analysis/online.py
@@ -996,8 +996,8 @@ class Analyst(object):
self.th_factories = (self.default_th_factory,)
else:
self.th_factories = th_factories
- self.allow_loopback_query = bool([x for x in self.th_factories if x.cls.allow_loopback_query])
- self.allow_private_query = bool([x for x in self.th_factories if x.cls.allow_private_query])
+ self.allow_loopback_query = not bool([x for x in self.th_factories if not x.cls.allow_loopback_query])
+ self.allow_private_query = not bool([x for x in self.th_factories if not x.cls.allow_private_query])
self.name = name
self.dlv_domain = dlv_domain
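Review bot: The two added assignments spell "every factory allows it" as `not bool([x for x in ... if not ...])`, which is harder to read than `all(x.cls.allow_loopback_query for x in self.th_factories)` and gives the same result. Either form evaluates to True for an empty `th_factories`, so an explicitly passed empty sequence switches both permissions on; if that input is possible, a guard such as `bool(self.th_factories) and all(...)` keeps the default restrictive. The same pair of expressions is added in `FullResolver.__init__` in dnsviz/resolver.py. The enclosing `__init__` starts and ends outside this hunk.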
@@ -1340,7 +1340,7 @@ class Analyst(object):
servers = [x for x in servers if not LOOPBACK_IPV4_RE.match(x) and not x == LOOPBACK_IPV6]
if not self.allow_private_query:
servers = [x for x in servers if not RFC_1918_RE.match(x) and not LINK_LOCAL_RE.match(x) and not UNIQ_LOCAL_RE.match(x)]
- return servers
+ return [x for x in servers if ZERO_SLASH8_RE.search(x) is None]
def _filter_servers(self, servers, no_raise=False):
filtered_servers = self._filter_servers_network(servers)
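Review bot: The new return line drops 0.0.0.0/8 addresses regardless of `allow_loopback_query` and `allow_private_query`, and nothing in the hunk says that this is intentional. A comment such as `# 0.0.0.0/8 ("this network") is never a valid destination, so drop it under every policy` would make that clear. The line also uses `.search(x) is None` where the filters above it use `not ...match(x)`; with the `^` anchor the two are equivalent, so one form throughout would read better. The function begins outside the hunk.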
diff --git a/dnsviz/commands/probe.py b/dnsviz/commands/probe.py
index 6aff3e0..a03df2c 100644
--- a/dnsviz/commands/probe.py
+++ b/dnsviz/commands/probe.py
@@ -64,7 +64,7 @@ from dnsviz.analysis import WILDCARD_EXPLICIT_DELEGATION, PrivateAnalyst, Privat
import dnsviz.format as fmt
from dnsviz.ipaddr import IPAddr
from dnsviz.query import StandardRecursiveQueryCD
-from dnsviz.resolver import DNSAnswer, Resolver, FullResolver
+from dnsviz.resolver import DNSAnswer, Resolver, PrivateFullResolver
from dnsviz import transport
from dnsviz.util import get_client_address, get_root_hints
lb2s = fmt.latin1_binary_to_string
@@ -120,7 +120,7 @@ def _init_full_resolver():
hints = get_root_hints()
for key in explicit_delegations:
hints[key] = explicit_delegations[key]
- resolver = FullResolver(hints, odd_ports=odd_ports, transport_manager=tm)
+ resolver = PrivateFullResolver(hints, odd_ports=odd_ports, transport_manager=tm)
def _init_interrupt_handler():
signal.signal(signal.SIGINT, _raise_eof)
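Review bot: Swapping in `PrivateFullResolver` changes which nameserver addresses the probe's recursive resolver will contact, and the call site carries no comment saying so. Judging from the class added in dnsviz/resolver.py, it selects `DNSQueryTransportHandlerDNSPrivateFactory`, which presumably permits loopback and private targets. That should be confirmed and recorded, for example `# command-line probe runs on the operator's own host, so private and loopback servers are permitted`. `_init_full_resolver` starts outside the hunk.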
diff --git a/dnsviz/ipaddr.py b/dnsviz/ipaddr.py
index a1e9af9..18a4e9a 100644
--- a/dnsviz/ipaddr.py
+++ b/dnsviz/ipaddr.py
@@ -85,6 +85,7 @@ LOOPBACK_IPV6 = IPAddr('::1')
RFC_1918_RE = re.compile(r'^(0?10|172\.0?(1[6-9]|2[0-9]|3[0-1])|192\.168)\.')
LINK_LOCAL_RE = re.compile(r'^fe[89ab][0-9a-f]:', re.IGNORECASE)
UNIQ_LOCAL_RE = re.compile(r'^fd[0-9a-f]{2}:', re.IGNORECASE)
+ZERO_SLASH8_RE = re.compile(r'^0\.')
ANY_IPV6 = IPAddr('::')
ANY_IPV4 = IPAddr('0.0.0.0')
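Review bot: `ZERO_SLASH8_RE` matches only a first octet written as a single `0`, while `RFC_1918_RE` three lines above accepts a zero-padded octet (`0?10`, `172\.0?(...)`). If padded forms can reach these patterns, `00.1.2.3` or `000.1.2.3` would pass the new filter; `re.compile(r'^0{1,3}\.')` covers them. If `IPAddr` always normalises the text first, a one-line comment stating that would do instead.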
diff --git a/dnsviz/resolver.py b/dnsviz/resolver.py
index 3e3921a..bd0a556 100644
--- a/dnsviz/resolver.py
+++ b/dnsviz/resolver.py
@@ -29,7 +29,7 @@ import threading
import time
from . import query
-from .ipaddr import IPAddr
+from .ipaddr import *
from . import response as Response
from . import transport
from . import util
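Review bot: `from .ipaddr import *` hides which names this module relies on and can shadow local names as dnsviz/ipaddr.py grows. The names used by the added `_allow_server` are all visible in this commit, so the import can be explicit: `from .ipaddr import IPAddr, LOOPBACK_IPV4_RE, LOOPBACK_IPV6, RFC_1918_RE, LINK_LOCAL_RE, UNIQ_LOCAL_RE, ZERO_SLASH8_RE`. Whether other parts of resolver.py need further names cannot be seen from this hunk.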
@@ -292,6 +292,8 @@ class FullResolver:
MIN_TTL = 60
MAX_CHAIN = 20
+ default_th_factory = transport.DNSQueryTransportHandlerDNSFactory()
+
def __init__(self, hints=util.get_root_hints(), query_cls=(query.QuickDNSSECQuery, query.RobustDNSSECQuery), client_ipv4=None, client_ipv6=None, odd_ports=None, transport_manager=None, th_factories=None, max_ttl=None):
self._hints = hints
@@ -302,13 +304,28 @@ class FullResolver:
odd_ports = {}
self._odd_ports = odd_ports
self._transport_manager = transport_manager
- self._th_factories = th_factories
+ if th_factories is None:
+ self._th_factories = (self.default_th_factory,)
+ else:
+ self._th_factories = th_factories
+ self.allow_loopback_query = not bool([x for x in self._th_factories if not x.cls.allow_loopback_query])
+ self.allow_private_query = not bool([x for x in self._th_factories if not x.cls.allow_private_query])
+
self._max_ttl = max_ttl
self._cache = {}
self._expirations = []
self._cache_lock = threading.Lock()
+ def _allow_server(self, server):
+ if not self.allow_loopback_query and (LOOPBACK_IPV4_RE.search(server) is not None or server == LOOPBACK_IPV6):
+ return False
+ if not self.allow_private_query and (RFC_1918_RE.search(server) is not None or LINK_LOCAL_RE.search(server) is not None or UNIQ_LOCAL_RE.search(server) is not None):
+ return False
+ if ZERO_SLASH8_RE.search(server) is not None:
+ return False
+ return True
+
def flush_cache(self):
with self._cache_lock:
self._cache = {}
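Review bot: `_allow_server` re-implements the address policy of `Analyst._filter_servers_network` in dnsviz/analysis/online.py, so the two copies have to be kept in step by hand; a shared helper in dnsviz/ipaddr.py taking the two flags would remove that risk. The method also rejects 0.0.0.0 through `ZERO_SLASH8_RE` but has no counterpart for the IPv6 unspecified address; if that is the intent of the rule, the last test could read `if ZERO_SLASH8_RE.search(server) is not None or server == ANY_IPV6:`. All the patterns are anchored to the textual start of the address, so an IPv4-mapped IPv6 form of a loopback or RFC 1918 address would not match unless `IPAddr` normalises it, which should be confirmed. A short docstring stating that the method returns False for servers excluded by policy would help as well.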
@@ -539,6 +556,10 @@ class FullResolver:
ns_names[ns_name].add(IPAddr(rdata.address))
for server in ns_names[ns_name]:
+ # server disallowed by policy
+ if not self._allow_server(server):
+ continue
+
q = query_cls(qname, rdtype, rdclass, (server,), bailiwick, self._client_ipv4, self._client_ipv6, self._odd_ports.get((bailiwick, server), 53))
q.execute(tm=self._transport_manager, th_factories=self._th_factories)
is_referral = False
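Review bot: The added `continue` skips a disallowed server without recording it, so when every address of a delegation is filtered the caller would presumably see only the generic `SERVFAIL - no valid responses` raised later in the class. Keeping the skipped addresses and naming them in that error would make such failures diagnosable. At the least, the comment could be expanded to `# skip servers excluded by the loopback/private/0.0.0.0/8 policy (see _allow_server)`. The loop body continues past the end of the hunk.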
@@ -710,6 +731,9 @@ class FullResolver:
raise ServFail('SERVFAIL - no valid responses')
+class PrivateFullResolver(FullResolver):
+ default_th_factory = transport.DNSQueryTransportHandlerDNSPrivateFactory()
+
def main():
import sys
import getopt
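Review bot: `PrivateFullResolver` has no docstring, and its only difference from `FullResolver` is the `default_th_factory` override, so a reader cannot tell what policy it selects. A docstring such as `"""FullResolver whose default transport handler factory is the private one; see allow_loopback_query and allow_private_query."""` would cover it. The override only takes effect when `th_factories` is None, which should also be stated, since a caller passing its own factories gets the policy of those factories instead.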