(conn *network.Connection, pkt packet.Packet)
| 653 | } |
| 654 | |
| 655 | func inspectDNSPacket(conn *network.Connection, pkt packet.Packet) { |
| 656 | // Ignore info-only packets in this handler. |
| 657 | if pkt.InfoOnly() { |
| 658 | return |
| 659 | } |
| 660 | |
| 661 | dnsPacket := new(dns.Msg) |
| 662 | err := pkt.LoadPacketData() |
| 663 | if err != nil { |
| 664 | _ = pkt.Block() |
| 665 | log.Errorf("filter: failed to load packet payload: %s", err) |
| 666 | return |
| 667 | } |
| 668 | |
| 669 | // Parse and block invalid packets. |
| 670 | err = dnsPacket.Unpack(pkt.Payload()) |
| 671 | if err != nil { |
| 672 | err = pkt.PermanentBlock() |
| 673 | if err != nil { |
| 674 | log.Errorf("filter: failed to block packet: %s", err) |
| 675 | } |
| 676 | _ = conn.SetVerdict(network.VerdictBlock, "none DNS data on DNS port", "", nil) |
| 677 | conn.VerdictPermanent = true |
| 678 | conn.Save() |
| 679 | return |
| 680 | } |
| 681 | |
| 682 | // Packet was parsed. |
| 683 | // Allow it but only after the answer was added to the cache. |
| 684 | defer func() { |
| 685 | err = pkt.Accept() |
| 686 | if err != nil { |
| 687 | log.Errorf("filter: failed to accept dns packet: %s", err) |
| 688 | } |
| 689 | }() |
| 690 | |
| 691 | // Check if packet has a question. |
| 692 | if len(dnsPacket.Question) == 0 { |
| 693 | return |
| 694 | } |
| 695 | |
| 696 | // Read create structs with the needed data. |
| 697 | question := dnsPacket.Question[0] |
| 698 | fqdn := dns.Fqdn(question.Name) |
| 699 | |
| 700 | // Check for compat check dns request. |
| 701 | if strings.HasSuffix(fqdn, compat.DNSCheckInternalDomainScope) { |
| 702 | subdomain := strings.TrimSuffix(fqdn, compat.DNSCheckInternalDomainScope) |
| 703 | _ = compat.SubmitDNSCheckDomain(subdomain) |
| 704 | log.Infof("packet_handler: self-check domain received") |
| 705 | // No need to parse the answer. |
| 706 | return |
| 707 | } |
| 708 | |
| 709 | // Check if there is an answer. |
| 710 | if len(dnsPacket.Answer) == 0 { |
| 711 | return |
| 712 | } |