core: block CH queries earlier (#973)

block chaos queries, unless the chaos or proxy middleware is loaded. We
respond with REFUSED.

This removes the need for each middleware to do this class != ClassINET
if-then.

Also make config.Registry non-public.
Miek Gieben
2017-08-25 08:55:53 +01:00
committed by GitHub
parent 932639ac99
commit 55dafe6f59
8 changed files with 18 additions and 29 deletions


@@ -42,7 +42,7 @@ type Config struct {
// Middleware interested in announcing that they exist, so other middleware can call methods
// on them should register themselves here. The name should be the name as return by the
// Handler's Name method.
Registry map[string]middleware.Handler
registry map[string]middleware.Handler
}
// GetConfig gets the Config that corresponds to c.


@@ -127,12 +127,12 @@ func (c *Config) AddMiddleware(m middleware.Middleware) {
// registerHandler adds a handler to a site's handler registration. Handlers
// use this to announce that they exist to other middleware.
func (c *Config) registerHandler(h middleware.Handler) {
if c.Registry == nil {
c.Registry = make(map[string]middleware.Handler)
if c.registry == nil {
c.registry = make(map[string]middleware.Handler)
}
// Just overwrite...
c.Registry[h.Name()] = h
c.registry[h.Name()] = h
}
// Handler returns the middleware handler that has been added to the config under its name.
@@ -140,10 +140,10 @@ func (c *Config) registerHandler(h middleware.Handler) {
// Note that this is order dependent and the order is defined in directives.go, i.e. if your middleware
// comes before the middleware you are checking; it will not be there (yet).
func (c *Config) Handler(name string) middleware.Handler {
if c.Registry == nil {
if c.registry == nil {
return nil
}
if h, ok := c.Registry[name]; ok {
if h, ok := c.registry[name]; ok {
return h
}
return nil


@@ -37,9 +37,11 @@ type Server struct {
connTimeout time.Duration // the maximum duration of a graceful shutdown
trace trace.Trace // the trace middleware for the server
debug bool // disable recover()
classChaos bool // allow non-INET class queries
}
// NewServer returns a new CoreDNS server and compiles all middleware in to it.
// NewServer returns a new CoreDNS server and compiles all middleware in to it. By default CH class
// queries are blocked unless the chaos or proxy is loaded.
func NewServer(addr string, group []*Config) (*Server, error) {
s := &Server{
@@ -77,6 +79,9 @@ func NewServer(addr string, group []*Config) (*Server, error) {
s.trace = t
}
}
if stack.Name() == "chaos" || stack.Name() == "proxy" {
s.classChaos = true
}
}
site.middlewareChain = stack
}
@@ -184,6 +189,11 @@ func (s *Server) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg)
}()
}
if !s.classChaos && r.Question[0].Qclass != dns.ClassINET {
DefaultErrorFunc(w, r, dns.RcodeRefused)
return
}
if m, err := edns.Version(r); err != nil { // Wrong EDNS version, return at once.
w.WriteMsg(m)
return
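Review bot: The new class check in ServeDNS reads `r.Question[0]` with no length guard visible in this hunk, so a request with an empty question section would panic here unless an earlier check outside the hunk already rejects it. The deferred recover just above appears to be skipped when `debug` is set, so it should not be the only protection; put `if len(r.Question) == 0 { DefaultErrorFunc(w, r, dns.RcodeFormatError); return }` ahead of the class test. Separately, `classChaos` looks to be set for the whole server as soon as any stack in the group is named chaos or proxy, and the test is `!= dns.ClassINET`, so one such site lets every non-INET class through for all zones on that address. A field comment such as `// set when any site loads chaos or proxy; applies server-wide to all non-INET classes` would make that scope explicit. ServeDNS and NewServer both start and continue outside the hunks shown.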