From 2d4853d23cf6736d3ca363c23ac8f7e21db8cc85 Mon Sep 17 00:00:00 2001
From: Shreyas Zare
Date: Sat, 9 Nov 2024 19:39:14 +0530
Subject: [PATCH] DnsRebindingProtection: added new option to configure bypass networks.
---
 Apps/DnsRebindingProtectionApp/App.cs | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/Apps/DnsRebindingProtectionApp/App.cs b/Apps/DnsRebindingProtectionApp/App.cs
index f3b938c5..4b7e3dc0 100644
--- a/Apps/DnsRebindingProtectionApp/App.cs
+++ b/Apps/DnsRebindingProtectionApp/App.cs
@@ -19,6 +19,7 @@ along with this program. If not, see .
 using DnsServerCore.ApplicationCommon;
 using System.Collections.Generic;
+using System.IO;
 using System.Net;
 using System.Text.Json;
 using System.Threading.Tasks;
@@ -34,6 +35,7 @@ namespace DnsRebindingProtection
 #region variables
 bool _enableProtection;
+ NetworkAddress[] _bypassNetworks;
 HashSet _privateNetworks;
 HashSet _privateDomains;
@@ -144,7 +146,7 @@ namespace DnsRebindingProtection
 #region public
- public Task InitializeAsync(IDnsServer dnsServer, string config)
+ public async Task InitializeAsync(IDnsServer dnsServer, string config)
 {
 using JsonDocument jsonDocument = JsonDocument.Parse(config);
 JsonElement jsonConfig = jsonDocument.RootElement;
@@ -153,7 +155,18 @@ namespace DnsRebindingProtection
 _privateNetworks = new HashSet(jsonConfig.ReadArray("privateNetworks", NetworkAddress.Parse));
 _privateDomains = new HashSet(jsonConfig.ReadArray("privateDomains"));
- return Task.CompletedTask;
+ if (jsonConfig.TryReadArray("bypassNetworks", NetworkAddress.Parse, out NetworkAddress[] bypassNetworks))
+ {
+ _bypassNetworks = bypassNetworks;
+ }
+ else
+ {
+ _bypassNetworks = [];
+
+ //update config for new feature
+ config = config.Replace("\"privateNetworks\"", "\"bypassNetworks\": [\r\n ],\r\n \"privateNetworks\"");
+ await File.WriteAllTextAsync(Path.Combine(dnsServer.ApplicationFolder, "dnsApp.config"), config);
+ }
 }
 public Task PostProcessAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, DnsDatagram response)
@@ -162,6 +175,14 @@ namespace DnsRebindingProtection
 if (!_enableProtection || response.AuthoritativeAnswer)
 return Task.FromResult(response);
+ IPAddress remoteIP = remoteEP.Address;
+
+ foreach (NetworkAddress network in _bypassNetworks)
+ {
+ if (network.Contains(remoteIP))
+ return Task.FromResult(response);
+ }
+
 if (TryDetectRebinding(response.Answer, out List protectedAnswer))
 return Task.FromResult(response.Clone(protectedAnswer));
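Review bot: In the `else` branch of InitializeAsync, `File.WriteAllTextAsync` runs even when `config.Replace` found no `"privateNetworks"` key to anchor on, so a config in an unexpected shape is rewritten byte-for-byte unchanged and the migration is retried on every start. Guard the write on the replacement actually changing something, e.g. `string migrated = config.Replace("\"privateNetworks\"", "\"bypassNetworks\": [\r\n ],\r\n \"privateNetworks\"");` followed by `if (migrated != config) await File.WriteAllTextAsync(Path.Combine(dnsServer.ApplicationFolder, "dnsApp.config"), migrated);`. The textual insert also hard-codes CRLF line endings and a fixed indent, and whether a `bypassNetworks` entry of the wrong type makes `TryReadArray` return false (which would then insert a duplicate key) depends on its implementation, which is not visible here. The comment `//update config for new feature` would read better as `// Config predates "bypassNetworks": persist an empty array so the key is visible to operators editing dnsApp.config.`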
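Review bot: The bypass loop in PostProcessAsync returns the unfiltered response for any client whose address falls in `_bypassNetworks`, but nothing states that this is the intended trust boundary; add `// Clients inside a bypass network are trusted to receive private addresses, so rebinding detection is skipped for them.` above the `foreach`. Whether `network.Contains(remoteIP)` treats an IPv4-mapped IPv6 remote endpoint as inside an IPv4 prefix depends on NetworkAddress, which is outside this diff, so it is worth confirming that a bypass entry behaves the same on a dual-stack listener. PostProcessAsync's signature sits in the previous hunk's context and its body continues past this hunk.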