coredns-filter

Contributors: wranders

coredns-filter's Issues

[BUG]: wildcard list containing invalid non-domain-name lines may compile to valid regex

Bug Description / What Happened

Parsing lists currently does not check for valid domain names while iterating.

Example: OISD recently updated their publishing to exclusively release in the AdBlock Plus format. The files published by OISD contain a header that causes unexpected behavior when parsed as a wildcard list.

[Adblock Plus]
! Version: 202302141735
! Description: Block. Don't break.
! Title: oisd big
! Last modified: 2023-02-14T17:35:48+0000
! Expires: 1 days (update frequency)
! Homepage: https://oisd.nl

The current parsing process causes the first line ([Adblock Plus]) to be compiled as valid regex (^.*\.[Adblock Plus]|^[Adblock Plus]), resulting in most domain names being blocked if they contain any letter in the phrase "AdBlock Plus".

This bug is also applicable, but less noticed, if a list containing a similar header is used as an allow list, as most traffic would be allowed to pass instead of only what matches the expected domains.

Expected Behavior

Only domains in a block list are blocked / only domains in an allow list are allowed.

Steps to reproduce

  1. Configure filter to use https://big.oisd.nl/ as a wildcard list
  2. Start CoreDNS

Additional Info

A pull-request is in-progress. Only a revision bump is expected.

OS

linux

Version

0.2.3

Logs

No response
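The failure mode described in this issue, as an added example that is not the plugin's own code: a list line that is not a domain name is dropped before it can be compiled, and the unescaped pattern shape quoted in the issue is kept alongside so the effect of the OISD header can be observed directly. The header sample is constructed from the lines quoted above; the comment-prefix convention ("!" and "#") and the label syntax check are assumptions, since the page does not state the plugin's exact list grammar.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// labelRe accepts one hostname label: alphanumerics with interior hyphens, at most 63 chars.
var labelRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// isDomainName reports whether s is a syntactically valid hostname (trailing dot
// tolerated). A header line such as "[Adblock Plus]" fails this check.
func isDomainName(s string) bool {
	s = strings.TrimSuffix(s, ".")
	if s == "" || len(s) > 253 {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if !labelRe.MatchString(label) {
			return false
		}
	}
	return true
}

// parseWildcardList reads a list line by line and returns the entries that are
// real domain names plus the lines it refused. Lines starting with "!" or "#"
// are treated as comments (assumption: mirrors common blocklist conventions).
func parseWildcardList(list string) (entries, skipped []string) {
	sc := bufio.NewScanner(strings.NewReader(list))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "!") || strings.HasPrefix(line, "#") {
			continue
		}
		if !isDomainName(line) {
			skipped = append(skipped, line)
			continue
		}
		entries = append(entries, strings.ToLower(line))
	}
	return entries, skipped
}

// naiveWildcardRegex reproduces the unescaped pattern shape quoted in the issue,
// "^.*\.ENTRY|^ENTRY", so the effect of a bad line can be observed.
func naiveWildcardRegex(entry string) *regexp.Regexp {
	return regexp.MustCompile(fmt.Sprintf("^.*\\.%s|^%s", entry, entry))
}

// safeWildcardRegex builds the matcher for an already validated entry, with
// regex metacharacters escaped and both ends anchored.
func safeWildcardRegex(entry string) *regexp.Regexp {
	return regexp.MustCompile(fmt.Sprintf(`^(.*\.)?%s$`, regexp.QuoteMeta(entry)))
}

func main() {
	// Constructed sample: the OISD-style header from the issue followed by two entries.
	const sample = "[Adblock Plus]\n! Version: 202302141735\n! Title: oisd big\nexample.com\nads.example.net\n"
	entries, skipped := parseWildcardList(sample)
	fmt.Println("entries:", entries, "skipped:", skipped)
	fmt.Println("naive regex built from the header matches example.com:",
		naiveWildcardRegex("[Adblock Plus]").MatchString("example.com"))
	fmt.Println("safe regex for example.com matches other.org:",
		safeWildcardRegex("example.com").MatchString("other.org"))
}
```

The naive pattern compiles because `[Adblock Plus]` is a valid character class, which is exactly why the bug is silent: nothing fails at load time, and any name with a dot followed by one of those letters matches. Refusing non-domain lines at parse time removes that class of input before a regex is ever built; escaping and anchoring the validated entry is a separate hardening choice added here, not a defect the issue reports.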

[BUG]: listresolver tls does not work

Bug Description / What Happened

listresolver directives using tls:// do not work, resulting in the Client using the next available resolver. If CoreDNS is on a server that uses itself as the resolver, then no lists will be resolved.

Expected Behavior

listresolver directives using tls:// to actually use TLS and resolve lists

Steps to reproduce

  1. Use regular DNS

. {
    filter {
        listresolver 9.9.9.9
        block list domain https://example.com/list
    }
}

With the above Corefile, the list is resolved using Quad9, downloaded, then loaded.

. {
    filter {
        listresolver tls://9.9.9.9
        block list domain https://example.com/list
    }
}

With the above Corefile, TLS connections fail resulting in the HTTP client trying the next available resolver, usually the system.

Additional Info

A solution has been worked out and a pull request will follow shortly.

OS

Linux

Version

0.2.2

Logs

Oct 02 19:12:12 ns2 systemd[1]: Started CoreDNS.
Oct 02 19:12:13 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block domain list "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"; error fetching list "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"; Get "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt": dial tcp: lookup s3.amazonaws.com on 127.0.0.1:53: EOF
Oct 02 19:12:13 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block domain list "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"; error fetching list "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"; Get "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt": dial tcp: lookup s3.amazonaws.com on 127.0.0.1:53: EOF
Oct 02 19:12:13 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block domain list "https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt"; error fetching list "https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt"; Get "https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt": dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: EOF
Oct 02 19:12:14 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block hosts list "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"; error fetching list "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"; Get "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts": dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: EOF
Oct 02 19:12:14 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block hosts list "http://sysctl.org/cameleon/hosts"; error fetching list "http://sysctl.org/cameleon/hosts"; Get "http://sysctl.org/cameleon/hosts": dial tcp: lookup sysctl.org on 127.0.0.1:53: EOF
Oct 02 19:12:14 ns2 coredns[29448]: [INFO] plugin/filter: Successfully updated filter; 1 allowed domains, 0 allowed regular expressions; 0 blocked domains, 0 blocked regular expressions
Oct 02 19:12:14 ns2 coredns[29448]: .:53
Oct 02 19:12:14 ns2 coredns[29448]: CoreDNS-1.10.0
Oct 02 19:12:14 ns2 coredns[29448]: linux/arm, go1.19.1, 596a9f9-dirty
Oct 02 19:12:22 ns2 coredns[29448]: [INFO] SIGTERM: Shutting down servers then terminating
Oct 02 19:12:22 ns2 systemd[1]: Stopping CoreDNS...
Oct 02 19:12:22 ns2 systemd[1]: coredns.service: Succeeded.
Oct 02 19:12:22 ns2 systemd[1]: Stopped CoreDNS.
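How a `tls://` list resolver can be honoured by the HTTP client that downloads lists, as an added example that is not the plugin's own code or its fix: the directive is parsed into a host:port (853 by default for TLS), a `net.Resolver` dials that server over TLS, and the list-fetching `http.Client` is built on a dialer that uses that resolver rather than the system one. The certificate name `dns.quad9.net` passed in `main` and the 5/10/30 second timeouts are assumed values, not anything the page states.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// resolverEndpoint is a parsed listresolver value: the server to query and
// whether queries are wrapped in TLS (DNS over TLS, RFC 7858).
type resolverEndpoint struct {
	Addr string // host:port
	TLS  bool
}

// parseResolver accepts "9.9.9.9", "9.9.9.9:5353", "tls://9.9.9.9" and
// "tls://[2620:fe::fe]:853". The port defaults to 53, or 853 for tls://.
func parseResolver(spec string) (resolverEndpoint, error) {
	var ep resolverEndpoint
	host := spec
	if strings.Contains(spec, "://") {
		u, err := url.Parse(spec)
		if err != nil {
			return ep, err
		}
		if u.Scheme != "tls" {
			return ep, fmt.Errorf("unsupported resolver scheme %q", u.Scheme)
		}
		ep.TLS = true
		host = u.Host
	}
	h, p, err := net.SplitHostPort(host)
	if err != nil { // no port given
		h = strings.Trim(host, "[]")
		p = "53"
		if ep.TLS {
			p = "853"
		}
	}
	if net.ParseIP(h) == nil {
		return ep, fmt.Errorf("resolver %q must be an IP address", h)
	}
	ep.Addr = net.JoinHostPort(h, p)
	return ep, nil
}

// newResolver returns a net.Resolver that sends every lookup to ep. For a
// tls:// endpoint the dial function returns a *tls.Conn; because that is a
// stream connection rather than a net.PacketConn, Go's resolver switches to
// the length-prefixed TCP framing that DoT requires.
func newResolver(ep resolverEndpoint, serverName string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := &net.Dialer{Timeout: 5 * time.Second}
			if !ep.TLS {
				return d.DialContext(ctx, network, ep.Addr)
			}
			td := &tls.Dialer{
				NetDialer: d,
				// serverName is the name on the resolver's certificate; leave it
				// empty only if that certificate carries the IP address as a SAN.
				Config: &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12},
			}
			return td.DialContext(ctx, "tcp", ep.Addr)
		},
	}
}

// newListClient builds the HTTP client used to download lists so that its
// name lookups go through r instead of the system resolver.
func newListClient(r *net.Resolver) *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Resolver: r}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext, TLSHandshakeTimeout: 10 * time.Second},
	}
}

func main() {
	for _, spec := range []string{"9.9.9.9", "tls://9.9.9.9", "tls://[2620:fe::fe]:853", "ftp://9.9.9.9"} {
		ep, err := parseResolver(spec)
		fmt.Printf("%-26s -> %+v err=%v\n", spec, ep, err)
	}
	ep, _ := parseResolver("tls://9.9.9.9")
	client := newListClient(newResolver(ep, "dns.quad9.net"))
	_ = client // client.Get("https://example.com/list") would now resolve names over DoT
}
```

The point of routing the list download's lookups through the configured resolver is the one the issue makes: when CoreDNS is itself the system resolver, falling back to `127.0.0.1:53` before the filter has loaded is what produces the `lookup ... on 127.0.0.1:53: EOF` lines in the log above, so the resolver used for fetching must not depend on the server that is still starting.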

[BUG]: address wildcard list performance

Bug Description / What Happened

Each entry in wildcard lists is currently loaded as a regular expression. With large lists, this is resulting in essentially a self-imposed Denial of Service (DoS) situation where every request is being checked and pegging CPU usage, causing clients to perceive DNS services to be unavailable.

The current RegEx for each wildcard entry is as follows:

out = fmt.Sprintf("^.*\\.%s|^%s", out, out) // format to match root and sub domains

This could be slightly optimized to:

(^|\\.)%s

but would still probably result in the same problem.

Another solution must be explored.

Perhaps unifying the disparate slices into a trie where wildcards could be identified as a dedicated field. Reversing domains such as com.example.* and returning a block result if a node contains a block field. This would incur a drastically higher memory footprint, but that seems preferable to a situation where CPU usage renders the entire DNS server unresponsive.

Another potential solution would be to just run HasSuffix for wildcard entries, though I don't know how this would compare to current CPU usage.

Example:

if strings.HasSuffix(request, ".example.com") {
    // Block request
}

Expected Behavior

Responsive DNS services with large block lists

Steps to reproduce

  1. Use a large wildcard blocklist
  2. ???
  3. lose DNS services

Additional Info

The v0.2.4 release has functional RegEx/wildcard support, but should only be used with very small lists.

OS

Raspberry Pi OS 11, Linux 5.10.103-v7l, armv7l

Version

v0.2.4

Logs

Sep 24 23:12:56 dns1 coredns[18610]: [ERROR] plugin/errors: 2 settings-win.data.microsoft.com. A: EOF
Sep 24 23:12:56 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:12:56 dns1 coredns[18610]: [ERROR] plugin/errors: 2 www.gstatic.com. A: EOF
Sep 24 23:12:57 dns1 coredns[18610]: [ERROR] plugin/errors: 2 updates.coreos.fedoraproject.org. AAAA: EOF
Sep 24 23:12:57 dns1 coredns[18610]: [ERROR] plugin/errors: 2 www.gstatic.com. A: EOF
Sep 24 23:12:57 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. A: EOF
Sep 24 23:12:58 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:12:59 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:01 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:02 dns1 coredns[18610]: [ERROR] plugin/errors: 2 updates.coreos.fedoraproject.org. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 ab992t7ewg8z.na.api.amazonvideo.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 clients4.google.com. HTTPS: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:04 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF

and so on, due to inability to respond to requests.
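The reversed-label trie sketched in this issue, as an added example that is not the plugin's own code: block and allow entries are stored from the TLD inward (`com` -> `example` -> `ads`), a wildcard is a flag on the node rather than a separate regex, and a lookup walks at most one node per label of the query, so its cost does not grow with the size of the list. The `main` timing loop compares this against a slice of regexes built with the pattern quoted in the issue; the 5,000-entry list is constructed, and the rule that an allow entry overrides a block entry is an assumption, since the page does not state the plugin's precedence.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// node is one DNS label in a trie keyed from the TLD inward.
type node struct {
	children map[string]*node
	exact    bool // the name ending at this node is listed as-is
	wildcard bool // this node and every name below it are listed
}

type suffixTrie struct{ root *node }

func newSuffixTrie() *suffixTrie { return &suffixTrie{root: &node{children: map[string]*node{}}} }

// labels turns "ads.example.com." into ["com", "example", "ads"].
func labels(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	parts := strings.Split(name, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// insert adds name; wildcard=true means the apex and all subdomains are listed.
func (t *suffixTrie) insert(name string, wildcard bool) {
	n := t.root
	for _, l := range labels(name) {
		c, ok := n.children[l]
		if !ok {
			c = &node{children: map[string]*node{}}
			n.children[l] = c
		}
		n = c
	}
	if wildcard {
		n.wildcard = true
	} else {
		n.exact = true
	}
}

// match walks the query's labels; it stops at the first wildcard node or at an
// exact node that consumes the whole name. Work is bounded by the label count.
func (t *suffixTrie) match(name string) bool {
	n := t.root
	ls := labels(name)
	for i, l := range ls {
		c, ok := n.children[l]
		if !ok {
			return false
		}
		if c.wildcard || (c.exact && i == len(ls)-1) {
			return true
		}
		n = c
	}
	return false
}

// filter holds one trie per list kind. Assumption (not stated on the page):
// an allow entry overrides a block entry covering the same name.
type filter struct{ allow, block *suffixTrie }

func newFilter() *filter { return &filter{allow: newSuffixTrie(), block: newSuffixTrie()} }

// blocked reports whether a query name should be refused.
func (f *filter) blocked(name string) bool {
	return f.block.match(name) && !f.allow.match(name)
}

func main() {
	// Constructed list of 5,000 wildcard entries; the query hits only the last one,
	// which is the worst case for the regex slice and irrelevant to the trie.
	f := newFilter()
	var res []*regexp.Regexp
	for i := 0; i < 5000; i++ {
		d := fmt.Sprintf("tracker%d.example.net", i)
		f.block.insert(d, true)
		res = append(res, regexp.MustCompile(fmt.Sprintf(`^.*\.%s|^%s`, d, d)))
	}
	q := "cdn.tracker4999.example.net"
	start := time.Now()
	for i := 0; i < 200; i++ {
		f.blocked(q)
	}
	trieDur := time.Since(start)
	start = time.Now()
	hit := false
	for i := 0; i < 200; i++ {
		hit = false
		for _, r := range res {
			if r.MatchString(q) {
				hit = true
				break
			}
		}
	}
	fmt.Printf("200 lookups: regex slice %v (hit=%v), trie %v (blocked=%v)\n",
		time.Since(start), hit, trieDur, f.blocked(q))
}
```

The memory cost the issue anticipates is real: every label becomes a map entry, so a trie over a large list is heavier than a slice of strings. The trade it buys is the one that matters for availability, a per-query cost bounded by the label count instead of by the number of entries, which is what keeps the server answering while it is under normal client load rather than producing the `EOF` errors shown in the log above.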
