Maintenance: upgrade to qdm12/dns v1.7.0

- Fix rebinding protection for IPv6 mapped IPv4 networks - Use netaddr package for DNS blacklisting
2021-05-14 17:54:35 +00:00
parent 0c9bd8aaa0
commit 13e75aaf20
5 changed files with 38 additions and 26 deletions
--- a/internal/configuration/dnsblacklist.go
+++ b/internal/configuration/dnsblacklist.go
@@ -3,9 +3,9 @@ package configuration
 import (
 	"errors"
 	"fmt"
-	"net"

 	"github.com/qdm12/golibs/params"
+	"inet.af/netaddr"
 )

 func (settings *DNS) readBlacklistBuilding(r reader) (err error) {
@@ -48,19 +48,19 @@ func (settings *DNS) readPrivateAddresses(env params.Env) (err error) {
 		return nil
 	}

-	ips := make([]net.IP, 0, len(privateAddresses))
-	ipNets := make([]*net.IPNet, 0, len(privateAddresses))
+	ips := make([]netaddr.IP, 0, len(privateAddresses))
+	ipPrefixes := make([]netaddr.IPPrefix, 0, len(privateAddresses))

 	for _, address := range privateAddresses {
-		ip := net.ParseIP(address)
-		if ip != nil {
+		ip, err := netaddr.ParseIP(address)
+		if err == nil {
 			ips = append(ips, ip)
 			continue
 		}

-		_, ipNet, err := net.ParseCIDR(address)
-		if err == nil && ipNet != nil {
-			ipNets = append(ipNets, ipNet)
+		ipPrefix, err := netaddr.ParseIPPrefix(address)
+		if err == nil {
+			ipPrefixes = append(ipPrefixes, ipPrefix)
 			continue
 		}

@@ -68,7 +68,7 @@ func (settings *DNS) readPrivateAddresses(env params.Env) (err error) {
 	}

 	settings.BlacklistBuild.AddBlockedIPs = append(settings.BlacklistBuild.AddBlockedIPs, ips...)
-	settings.BlacklistBuild.AddBlockedIPNets = append(settings.BlacklistBuild.AddBlockedIPNets, ipNets...)
+	settings.BlacklistBuild.AddBlockedIPPrefixes = append(settings.BlacklistBuild.AddBlockedIPPrefixes, ipPrefixes...)

 	return nil
 }
--- a/internal/configuration/unbound.go
+++ b/internal/configuration/unbound.go
@@ -3,11 +3,11 @@ package configuration
 import (
 	"errors"
 	"fmt"
-	"net"
 	"strings"

 	"github.com/qdm12/dns/pkg/provider"
 	"github.com/qdm12/golibs/params"
+	"inet.af/netaddr"
 )

 func (settings *DNS) readUnbound(r reader) (err error) {
@@ -47,15 +47,9 @@ func (settings *DNS) readUnbound(r reader) (err error) {
 	}
 	settings.Unbound.ValidationLogLevel = uint8(validationLogLevel)

-	settings.Unbound.AccessControl.Allowed = []net.IPNet{
-		{
-			IP:   net.IPv4zero,
-			Mask: net.IPv4Mask(0, 0, 0, 0),
-		},
-		{
-			IP:   net.IPv6zero,
-			Mask: net.IPMask{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-		},
+	settings.Unbound.AccessControl.Allowed = []netaddr.IPPrefix{
+		{IP: netaddr.IPv4(0, 0, 0, 0)},
+		{IP: netaddr.IPv6Raw([16]byte{})},
 	}

 	return nil