DnsRebindingProtection: added new option to configure bypass networks.

This commit is contained in:
Shreyas Zare
2024-11-09 19:39:14 +05:30
parent dfb62b172d
commit 2d4853d23c


@@ -19,6 +19,7 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
using DnsServerCore.ApplicationCommon; using DnsServerCore.ApplicationCommon;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO;
using System.Net; using System.Net;
using System.Text.Json; using System.Text.Json;
using System.Threading.Tasks; using System.Threading.Tasks;
@@ -34,6 +35,7 @@ namespace DnsRebindingProtection
#region variables #region variables
bool _enableProtection; bool _enableProtection;
NetworkAddress[] _bypassNetworks;
HashSet<NetworkAddress> _privateNetworks; HashSet<NetworkAddress> _privateNetworks;
HashSet<string> _privateDomains; HashSet<string> _privateDomains;
@@ -144,7 +146,7 @@ namespace DnsRebindingProtection
#region public #region public
public Task InitializeAsync(IDnsServer dnsServer, string config) public async Task InitializeAsync(IDnsServer dnsServer, string config)
{ {
using JsonDocument jsonDocument = JsonDocument.Parse(config); using JsonDocument jsonDocument = JsonDocument.Parse(config);
JsonElement jsonConfig = jsonDocument.RootElement; JsonElement jsonConfig = jsonDocument.RootElement;
@@ -153,7 +155,18 @@ namespace DnsRebindingProtection
_privateNetworks = new HashSet<NetworkAddress>(jsonConfig.ReadArray("privateNetworks", NetworkAddress.Parse)); _privateNetworks = new HashSet<NetworkAddress>(jsonConfig.ReadArray("privateNetworks", NetworkAddress.Parse));
_privateDomains = new HashSet<string>(jsonConfig.ReadArray("privateDomains")); _privateDomains = new HashSet<string>(jsonConfig.ReadArray("privateDomains"));
return Task.CompletedTask; if (jsonConfig.TryReadArray("bypassNetworks", NetworkAddress.Parse, out NetworkAddress[] bypassNetworks))
{
_bypassNetworks = bypassNetworks;
}
else
{
_bypassNetworks = [];
//update config for new feature
config = config.Replace("\"privateNetworks\"", "\"bypassNetworks\": [\r\n ],\r\n \"privateNetworks\"");
await File.WriteAllTextAsync(Path.Combine(dnsServer.ApplicationFolder, "dnsApp.config"), config);
}
} }
public Task<DnsDatagram> PostProcessAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, DnsDatagram response) public Task<DnsDatagram> PostProcessAsync(DnsDatagram request, IPEndPoint remoteEP, DnsTransportProtocol protocol, DnsDatagram response)
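Review bot: The migration in the `else` branch rewrites the raw config text with `config.Replace("\"privateNetworks\"", …)`, which is a blind substring replacement: it inserts a `bypassNetworks` entry before every occurrence of that literal (including one that could sit inside a `privateDomains` string value), and when the literal is absent it rewrites dnsApp.config unchanged on every start, still without the new key. Anchoring on the single top-level key — only replacing when `config.IndexOf("\"privateNetworks\"", StringComparison.Ordinal)` equals the matching `LastIndexOf` — or emitting the migrated document with `Utf8JsonWriter` from the already-parsed `jsonConfig` would make the rewrite deterministic; at minimum pass `StringComparison.Ordinal` to `Replace`. The `File.WriteAllTextAsync` call is also unguarded, so a read-only or missing application folder turns a convenience migration into a failed `InitializeAsync` even though `_bypassNetworks = []` has already been set; wrapping that one call in `try { … } catch (IOException) { /* log and continue */ }` keeps the app loading. A comment such as `// one-time migration: persist an empty "bypassNetworks" array ahead of "privateNetworks" so older configs gain the new key` would record why an initialization path writes the config file back to disk.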
@@ -162,6 +175,14 @@ namespace DnsRebindingProtection
if (!_enableProtection || response.AuthoritativeAnswer) if (!_enableProtection || response.AuthoritativeAnswer)
return Task.FromResult(response); return Task.FromResult(response);
IPAddress remoteIP = remoteEP.Address;
foreach (NetworkAddress network in _bypassNetworks)
{
if (network.Contains(remoteIP))
return Task.FromResult(response);
}
if (TryDetectRebinding(response.Answer, out List<DnsResourceRecord> protectedAnswer)) if (TryDetectRebinding(response.Answer, out List<DnsResourceRecord> protectedAnswer))
return Task.FromResult(response.Clone(protectedAnswer)); return Task.FromResult(response.Clone(protectedAnswer));