isForbiddenARPA returns true if dctx contains a PTR, SOA, or NS request for some private address and client's address is not within the private network. Otherwise, it sets [DNSContext.RequestedPrivateRDNS] for future use.
(privateNets netutil.SubnetSet, l *slog.Logger)
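// isForbiddenARPA returns true if dctx contains a PTR, SOA, or NS request for
// some private address and client's address is not within the private network.
// Otherwise, it sets [DNSContext.RequestedPrivateRDNS] for future use.
//
// privateNets is the set of subnets treated as private.  l receives a debug
// record when the question name is not a parsable reversed address.  A
// request without a question section is never considered forbidden.
func (dctx *DNSContext) isForbiddenARPA(privateNets netutil.SubnetSet, l *slog.Logger) (ok bool) {
	// Callers presumably validate the question section before this point, but
	// guard the index anyway so that a malformed message cannot panic here.
	if dctx.Req == nil || len(dctx.Req.Question) == 0 {
		return false
	}

	q := dctx.Req.Question[0]
	switch q.Qtype {
	case dns.TypePTR, dns.TypeSOA, dns.TypeNS:
		// Go on.
		//
		// TODO(e.burkov): Reconsider the list of types involved to private
		// address space. Perhaps, use the logic for any type. See
		// https://www.rfc-editor.org/rfc/rfc6761.html#section-6.1.
	default:
		// Only reverse-lookup related types are subject to the private
		// address space check.
		return false
	}

	requestedPref, err := netutil.ExtractReversedAddr(q.Name)
	if err != nil {
		// Not a parsable .arpa name, so it cannot designate private space;
		// let it through without recording anything.
		l.Debug("parsing reversed subnet", slogutil.KeyError, err)

		return false
	}

	if !privateNets.Contains(requestedPref.Addr()) {
		return false
	}

	// Record the requested private prefix regardless of the verdict, as the
	// doc comment promises, so that later handling can use it.
	dctx.RequestedPrivateRDNS = requestedPref

	// Only clients inside the private network may resolve private addresses.
	return !dctx.IsPrivateClient
}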
| 138 | |
| 139 | // respond writes the specified response to the client (or does nothing if d.Res is empty) |
| 140 | func (p *Proxy) respond(ctx context.Context, d *DNSContext) { |