wranders / coredns-filter
Sinkholing in CoreDNS
License: MIT License
Parsing lists currently does not check for valid domain names while iterating.
Example: OISD recently updated their publishing to exclusively release in the AdBlock Plus format. The files published by OISD contain a header that causes unexpected behavior when parsed as a wildcard list.
[Adblock Plus]
! Version: 202302141735
! Description: Block. Don't break.
! Title: oisd big
! Last modified: 2023-02-14T17:35:48+0000
! Expires: 1 days (update frequency)
! Homepage: https://oisd.nl
The current parsing process causes the first line ([Adblock Plus]) to be compiled as valid regex (^.*\.[Adblock Plus]|^[Adblock Plus]), resulting in most domain names being blocked if they contain any letter in the phrase "AdBlock Plus".
This bug is also applicable, but less noticed, if a list containing a similar header is used as an allow list, as most traffic would be allowed to pass instead of only what matches the expected domains.
Only domains in a block list are blocked / only domains in an allow list are allowed.
filter to use https://big.oisd.nl/ as a wildcard list
A pull-request is in-progress. Only a revision bump is expected.
linux
0.2.3
No response
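A validation step of the kind this issue asks for, written as an added example rather than the plugin's own code: each non-empty line is checked against RFC 1123 host name rules before it can reach the pattern compiler, so an AdBlock Plus header such as "[Adblock Plus]" or "! Title: oisd big" is rejected instead of being turned into a character class. The sample list, the function names and the rejected-lines return value are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleList is a constructed wildcard list that starts with an AdBlock Plus
// style header like the one OISD publishes, followed by three entries, one of
// which is not a valid host name.
const sampleList = `[Adblock Plus]
! Version: 202302141735
! Title: oisd big

example.com
*.ads.example.net
-bad-label.com
`

// isValidDomain applies RFC 1123 host name rules: each label is 1-63 characters
// of letters, digits and hyphens and does not start or end with a hyphen, and
// the whole name is at most 253 characters. A leading "*." is accepted so
// wildcard entries pass through; a trailing dot is ignored.
func isValidDomain(name string) bool {
	name = strings.TrimSuffix(strings.TrimPrefix(name, "*."), ".")
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 {
			return false
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			isAlnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
			if !isAlnum && c != '-' {
				return false
			}
		}
	}
	return true
}

// parseWildcardList returns the entries that are valid host names, lower-cased,
// and the non-empty lines it rejected. Header and comment lines ("[Adblock Plus]",
// "! ...", "# ...") fail the host name check and are therefore never compiled
// into a pattern.
func parseWildcardList(text string) (entries []string, rejected []string) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if isValidDomain(line) {
			entries = append(entries, strings.ToLower(line))
		} else {
			rejected = append(rejected, line)
		}
	}
	return entries, rejected
}

func main() {
	entries, rejected := parseWildcardList(sampleList)
	fmt.Println("loaded:", entries)
	fmt.Println("rejected:", rejected)
}
```

Logging the rejected lines (or at least their count) at load time is worth keeping: a list whose every line is rejected is the signal that its publisher changed format, which is the failure this issue describes.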
Update the version of CoreDNS used in the plugin to the latest version.
No response
Update the Go module version to match the version used by CoreDNS.
No response
The coverage workflow should only run when source files are changed.
No response
listresolver directives using tls:// do not work, resulting in the Client using the next available resolver. If CoreDNS is on a server that uses itself as the resolver, then no lists will be resolved.
listresolver directives using tls:// to actually use TLS and resolve lists
. {
  filter {
    listresolver 9.9.9.9
    block list domain https://example.com/list
  }
}
With the above Corefile, the list is resolved using Quad9, downloaded, then loaded.
. {
  filter {
    listresolver tls://9.9.9.9
    block list domain https://example.com/list
  }
}
With the above Corefile, TLS connections fail, resulting in the HTTP client trying the next available resolver, usually the system's.
A solution has been worked out and a pull request will follow shortly.
Linux
0.2.2
Oct 02 19:12:12 ns2 systemd[1]: Started CoreDNS.
Oct 02 19:12:13 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block domain list "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"; error fetching list "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"; Get "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt": dial tcp: lookup s3.amazonaws.com on 127.0.0.1:53: EOF
Oct 02 19:12:13 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block domain list "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"; error fetching list "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"; Get "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt": dial tcp: lookup s3.amazonaws.com on 127.0.0.1:53: EOF
Oct 02 19:12:13 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block domain list "https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt"; error fetching list "https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt"; Get "https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt": dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: EOF
Oct 02 19:12:14 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block hosts list "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"; error fetching list "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"; Get "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts": dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: EOF
Oct 02 19:12:14 ns2 coredns[29448]: [ERROR] plugin/filter: there was a problem fetching block hosts list "http://sysctl.org/cameleon/hosts"; error fetching list "http://sysctl.org/cameleon/hosts"; Get "http://sysctl.org/cameleon/hosts": dial tcp: lookup sysctl.org on 127.0.0.1:53: EOF
Oct 02 19:12:14 ns2 coredns[29448]: [INFO] plugin/filter: Successfully updated filter; 1 allowed domains, 0 allowed regular expressions; 0 blocked domains, 0 blocked regular expressions
Oct 02 19:12:14 ns2 coredns[29448]: .:53
Oct 02 19:12:14 ns2 coredns[29448]: CoreDNS-1.10.0
Oct 02 19:12:14 ns2 coredns[29448]: linux/arm, go1.19.1, 596a9f9-dirty
Oct 02 19:12:22 ns2 coredns[29448]: [INFO] SIGTERM: Shutting down servers then terminating
Oct 02 19:12:22 ns2 systemd[1]: Stopping CoreDNS...
Oct 02 19:12:22 ns2 systemd[1]: coredns.service: Succeeded.
Oct 02 19:12:22 ns2 systemd[1]: Stopped CoreDNS.
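The shape a working tls:// resolver for list downloads can take, as an added example that is not the plugin's code: the listresolver value is parsed into an address and a TLS flag (port 853 for DNS over TLS, 53 otherwise), a net.Resolver dials that server, and the list-fetching http.Client is pointed at that resolver instead of the system one. Because a *tls.Conn is not a net.PacketConn, Go's resolver uses the length-prefixed TCP framing over it, which is what RFC 7858 requires. The type and function names are constructed; only the standard library is used.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

// resolverSpec is the parsed form of one listresolver value. The type and the
// functions below are constructed for this example and are not the plugin's own.
type resolverSpec struct {
	Addr string // host:port that list host names are resolved against
	TLS  bool   // set when the directive used the tls:// scheme
}

// parseListResolver accepts "9.9.9.9", "tls://9.9.9.9", "[2620:fe::fe]:853" and
// similar forms. The port defaults to 53 for plain DNS and to 853 for DNS over
// TLS (RFC 7858) when none is given.
func parseListResolver(raw string) (resolverSpec, error) {
	spec := resolverSpec{}
	host := strings.TrimSpace(raw)
	if strings.HasPrefix(host, "tls://") {
		spec.TLS = true
		host = strings.TrimPrefix(host, "tls://")
	}
	if host == "" {
		return spec, fmt.Errorf("listresolver: empty address in %q", raw)
	}
	if _, _, err := net.SplitHostPort(host); err != nil {
		// No explicit port: add the scheme's default, bracketing IPv6 literals.
		port := "53"
		if spec.TLS {
			port = "853"
		}
		host = net.JoinHostPort(strings.Trim(host, "[]"), port)
	}
	spec.Addr = host
	return spec, nil
}

// newResolver builds a net.Resolver whose Dial goes to the configured server.
// For tls:// it opens a TLS session over TCP; certificate verification stays
// on, with the expected server name (or IP SAN) taken from the address.
func newResolver(spec resolverSpec) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := &net.Dialer{Timeout: 5 * time.Second}
			if !spec.TLS {
				return d.DialContext(ctx, network, spec.Addr)
			}
			td := &tls.Dialer{NetDialer: d, Config: &tls.Config{MinVersion: tls.VersionTLS12}}
			return td.DialContext(ctx, "tcp", spec.Addr)
		},
	}
}

// newListClient returns an http.Client that resolves list URLs through the
// given resolver rather than the system resolver, so a CoreDNS host that
// points at itself can still fetch its lists at startup.
func newListClient(r *net.Resolver) *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Resolver: r}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}

func main() {
	spec, err := parseListResolver("tls://9.9.9.9")
	if err != nil {
		panic(err)
	}
	client := newListClient(newResolver(spec))
	fmt.Printf("resolving list hosts via %s (tls=%v), client timeout %s\n", spec.Addr, spec.TLS, client.Timeout)
}
```

When the TLS dial fails (bad certificate, port 853 filtered), the error should be surfaced as a list-fetch error rather than silently falling back to the system resolver, which is the behaviour the log above shows: a fallback to 127.0.0.1:53 on a server that is itself the resolver can never succeed.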
Each entry in wildcard lists is currently loaded as a regular expression. With large lists, this is resulting in essentially a self-imposed Denial of Service (DoS) situation where every request is being checked and pegging CPU usage, causing clients to perceive DNS services to be unavailable.
The current RegEx for each wildcard entry is as follows:
Line 166 in 0f142c8
This could be slightly optimized to:
(^|\\.)%s
but would still probably result in the same problem.
Another solution must be explored.
Perhaps unifying the disparate slices into a trie where wildcards could be identified as a dedicated field. Reversing domains such as com.example.* and returning a block result if a node contains a block field. This would incur a drastically higher memory footprint, but that seems preferable to a situation where CPU usage renders the entire DNS server unresponsive.
Another potential solution would be to just run HasSuffix for wildcard entries, though I don't know how this would compare to current CPU usage.
Example:
if strings.HasSuffix(request, ".example.com") {
	// Block request
}
Responsive DNS services with large block lists
The v0.2.4 release has functional RegEx/wildcard support, but should only be used with very small lists.
Raspberry Pi OS 11, Linux 5.10.103-v7l, armv7l
v0.2.4
Sep 24 23:12:56 dns1 coredns[18610]: [ERROR] plugin/errors: 2 settings-win.data.microsoft.com. A: EOF
Sep 24 23:12:56 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:12:56 dns1 coredns[18610]: [ERROR] plugin/errors: 2 www.gstatic.com. A: EOF
Sep 24 23:12:57 dns1 coredns[18610]: [ERROR] plugin/errors: 2 updates.coreos.fedoraproject.org. AAAA: EOF
Sep 24 23:12:57 dns1 coredns[18610]: [ERROR] plugin/errors: 2 www.gstatic.com. A: EOF
Sep 24 23:12:57 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. A: EOF
Sep 24 23:12:58 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:12:59 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:01 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:02 dns1 coredns[18610]: [ERROR] plugin/errors: 2 updates.coreos.fedoraproject.org. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 ab992t7ewg8z.na.api.amazonvideo.com. A: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 clients4.google.com. HTTPS: EOF
Sep 24 23:13:03 dns1 coredns[18610]: [ERROR] plugin/errors: 2 unagi-na.amazon.com. AAAA: EOF
Sep 24 23:13:04 dns1 coredns[18610]: [ERROR] plugin/errors: 2 connectivitycheck.gstatic.com. A: EOF
and so on, due to inability to respond to requests.
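The reversed-label trie sketched in this issue, written out as an added example (not the plugin's code): names are stored most-significant label first (com -> example -> www), a "*." entry sets a wildcard flag on its node and a bare entry sets an exact flag, and a lookup walks at most as many nodes as the query has labels, regardless of list size. The wildcard flag covers the apex as well as every subdomain, which matches the ^.*\.X|^X regex in use today; a plain HasSuffix(request, ".example.com") check would not match example.com itself. Type and function names and the sample entries are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// node holds one label of a reversed name, so example.com is stored as
// root -> "com" -> "example". Constructed example, not the plugin's own code.
type node struct {
	children map[string]*node
	exact    bool // an entry named this host exactly ("tracker.example.org")
	wildcard bool // a wildcard entry covers this host and every name below it ("*.ads.example.net")
}

type domainTrie struct{ root *node }

func newDomainTrie() *domainTrie {
	return &domainTrie{root: &node{children: map[string]*node{}}}
}

// reversedLabels normalises a name and returns its labels most significant
// first: "www.Example.com." -> ["com", "example", "www"].
func reversedLabels(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	parts := strings.Split(name, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// Add inserts one list entry. "*.example.com" marks the example.com node as a
// wildcard; a bare name marks its node as an exact match.
func (t *domainTrie) Add(entry string) {
	wild := strings.HasPrefix(entry, "*.")
	labels := reversedLabels(strings.TrimPrefix(entry, "*."))
	if len(labels) == 0 {
		return
	}
	n := t.root
	for _, label := range labels {
		child, ok := n.children[label]
		if !ok {
			child = &node{children: map[string]*node{}}
			n.children[label] = child
		}
		n = child
	}
	if wild {
		n.wildcard = true
	} else {
		n.exact = true
	}
}

// Match walks the query's labels from the TLD down. Cost is proportional to
// the number of labels in the query and independent of list size, instead of
// one regular expression evaluation per list entry.
func (t *domainTrie) Match(qname string) bool {
	labels := reversedLabels(qname)
	n := t.root
	for i, label := range labels {
		child, ok := n.children[label]
		if !ok {
			return false
		}
		if child.wildcard {
			return true // apex and all subdomains, like ^.*\.X|^X
		}
		if i == len(labels)-1 {
			return child.exact
		}
		n = child
	}
	return false
}

func main() {
	t := newDomainTrie()
	for _, e := range []string{"*.ads.example.net", "tracker.example.org"} {
		t.Add(e)
	}
	for _, q := range []string{"cdn.ads.example.net.", "ads.example.net", "tracker.example.org", "www.example.org", "notexample.net"} {
		fmt.Printf("%-22s blocked=%v\n", q, t.Match(q))
	}
}
```

Memory grows with the number of distinct labels rather than the number of entries, since entries under the same parent share nodes, and the per-query cost no longer depends on list size, which is the property the CPU-bound failure above calls for. Allow and block lists can share the structure by adding a second pair of flags per node.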