Hi, In message <_A3101@delegate-en.ML_> on 01/15/06(22:15:46) you Patrick Useldinger <pdugabdyi-mxhgu4yeb33w.ml@delegate.org> wrote: |I am looking for a DNS proxy that allows me to filter which DNS |requests are answered and which ones are dropped. | |The software should allow me to specify something like this: |192.168.1.5 "www.yahoo.com","www.google.com" |192.168.1.6 "www.google.com" | |meaning that the first machine is allowed to resolve the specified 2 |names, and the second only "www.google.com". | |Reverse lookups, zone transfers and all kind of "browsing" must be blocked. | |Would this be possible with delegate? DeleGate as a DNS server (or a resolver) can select an upstream server (resolver) depending on the hostname or address pattern in each query. It is specified with the RESOLV parameter of syntax RESOLV="resType:resAddr:hostList" like this: RESOLV="dns:DnsServer1:{*.com,*.net},dns:DnsServer2:{*.org,*.edu,*.gov}" This means using DnsServer1 for *.com and *.net, and using DnsServer2 for *.org, *.edu and *.gov. Unfortunately, there was no way to select a resolver depending on the client host of each query. But in general, parameters of DeleGate can be controlled with the combination of destination server and source client. So I think RESOLV should be controllable depending on the client too. The enclosed patch for DeleGate/9.0.5 extends the RESOLV parameter as follows: RESOLV=resType:resAddr:hostList:clientList[,...] With this extended format, your example can be specified like this: RESOLV="dns:DnsServer:{*.yahoo.com,*.google.com}:192.168.1.5,dns:DnsServer:{*.google.com}:192.168.1.6" Or it can be represented by a combination of parameters like this: RESOLV="dns:DnsServer:hosts1:clients1,dns:DnsServer:hosts2:clients2" HOSTLIST="hosts1:*.yahoo.com,*.google.com" HOSTLIST="hosts2:*.google.com" HOSTLIST="clients1:192.168.1.5" HOSTLIST="clients2:192.168.1.6" A DNS DeleGate server on port 8053 is invoked like this: delegated -v -P8053 SERVER=dns RESOLV=...
Cheers, Yutaka -- D G Yutaka Sato <pfqcabdyi-mxhgu4yeb33w.ml@delegate.org> http://delegate.org/y.sato/ ( - ) National Institute of Advanced Industrial Science and Technology _< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan Do the more with the less -- B. Fuller
diff -cr ../delegate9.0.5/src/domain.c ./src/domain.c
*** ../delegate9.0.5/src/domain.c Wed Sep 21 12:17:38 2005
--- ./src/domain.c Tue Jan 17 14:51:15 2006
***************
*** 88,93 ****
--- 88,95 ----
}
return 0;
}
+ extern const char *RES_client;
+ extern int RES_client_dependent;
int service_domain1(Connection *Conn,int sock) { CStr(ib,2048);
CStr(ob,2048);
***************
*** 143,149 ****
--- 145,157 ----
occ = prevrlen;
sv1log("## QUERY repeated * %d\n",++repeated);
}else{
+ RES_client_dependent = 0;
+ RES_client = froma;
occ = (*RES_DNSSEARCH)(AVStr(ob),ib,icc,froma,fromp);
+ RES_client = 0;
+ if( RES_client_dependent ){
+ /* don't cache client dependent result */
+ }else if( 0 < occ ){
prevTime = Time();
bcopy(ib,prevq,icc);
diff -cr ../delegate9.0.5/resolvy/resolv.c ./resolvy/resolv.c
*** ../delegate9.0.5/resolvy/resolv.c Wed Jun 1 11:39:18 2005
--- ./resolvy/resolv.c Tue Jan 17 14:57:58 2006
***************
*** 1237,1242 ****
--- 1237,1243 ----
{
return gethostbyNX(name,0,0);
}
+ extern int RES_client_dependent;
static char NXDOM[128];
static int NXDOM_RCU; /* cached RES_CACHED_UNKNOWN for NXDOM */
extern int RES_CACHED_UNKNOWN;
***************
*** 1299,1304 ****
--- 1300,1308 ----
RES_AF = (char*)saf;
}
+ if( RES_client_dependent ){
+ /* don't cache client dependent result */
+ }else if( ht == NULL ){
Xstrcpy(FVStr(NXDOM),name);
NXDOM_RCU = RES_CACHED_UNKNOWN;
diff -cr ../delegate9.0.5/src/inets.c ./src/inets.c
*** ../delegate9.0.5/src/inets.c Mon Oct 31 17:49:39 2005
--- ./src/inets.c Tue Jan 17 11:55:44 2006
***************
*** 468,485 ****
--- 468,494 ----
*/
CStr(typespecb,1024);
CStr(argb,256);
+ /* const char *av[3];
+ */
+ const char *av[4];
const char *type;
const char *arg;
const
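Review bot: In the domain.c hunk at line 145, `RES_client_dependent` is cleared only by the new `RES_client_dependent = 0;` before the call and is left set afterwards, so once a client-restricted RESOLV entry has been consulted the flag stays at 1 until the next DNS query arrives; the `if( RES_client_dependent )` checks this patch adds in resolv.c and reshost.c would then also suppress caching for unrelated lookups made in between. Capturing the flag into a local and clearing it next to `RES_client = 0;` keeps the decision local to this query: `cldep = RES_client_dependent; RES_client_dependent = 0;` and then `if( cldep ){` in place of the global test, with `int cldep;` declared alongside the other locals. `RES_client = froma;` also keys the per-client selection on the address the query arrived from; if `froma` is the UDP source address, this is a best-effort address filter rather than authentication, which the RESOLV documentation for the new clientList field should say. The enclosing function continues outside the hunk.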
char *doms;
+ const char *clients;
int map;
strcpy(typespecb,typespec);
+ /* av[0] = av[1] = av[2] = "";
list2vect(typespecb,':',3,av);
+ */
+ av[0] = av[1] = av[2] = av[3] = "";
+ list2vect(typespecb,':',4,av);
type = av[0];
arg = av[1];
doms = av[2];
+ clients = av[3];
if( strcasecmp(type,"cache") == 0 ) strcat(order,"C");
***************
*** 522,527 ****
--- 531,543 ----
if( arg[0] == 0 ) Xsprintf(TVStr(order),":");
Xsprintf(TVStr(order),"#%d",map);
+ RES_hlmatch = res_dommatch;
+ }
+ if( clients[0] ){
+ map = makePathList("RESOLV",clients);
+ if( clients[0] == 0 )
+ Xsprintf(TVStr(order),":");
+ Xsprintf(TVStr(order),"<%d",map);
RES_hlmatch = res_dommatch;
}
if( arg[0] || doms[0] ){
diff -cr ../delegate9.0.5/resolvy/reshost.c ./resolvy/reshost.c
*** ../delegate9.0.5/resolvy/reshost.c Mon Jul 25 16:42:21 2005
--- ./resolvy/reshost.c Tue Jan 17 14:59:27 2006
***************
*** 155,160 ****
--- 155,178 ----
int RES_next_res(PCStr(where),int ri,PVStr(res),PVStr(arg));
int (*RES_hlmatch)(PCStr(hlist),PCStr(host));
+ const char *RES_client;
+ int RES_client_dependent;
+ static int clientmatch(PCStr(host),PCStr(where),PCStr(res1),PVStr(arg)){
+ int match = 1;
+ refQStr(client,arg);
+
+ client = strchr(arg,'<');
+ if( client == 0 ){
+ return -1;
+ }
+ setVStrPtrInc(client,0);
+ if( RES_client == 0 ){
+ return 0;
+ }
+ RES_client_dependent = 1;
+ match = (*RES_hlmatch)(client,RES_client);
+ return match;
+ }
static int dommatch(PCStr(host),PCStr(where),PCStr(res1),PVStr(arg)){
int match = 1;
refQStr(dom,arg);
***************
*** 336,341 ****
--- 354,360 ----
int with_cache = 0;
int leng;
int byname = (RES_QTYPE == AF_INET6) ?
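Review bot: In the inets.c hunk at line 468, the superseded `const char *av[3];` declaration and the three-field `list2vect(typespecb,':',3,av);` call are kept inside `/* */` instead of being deleted; commented-out code only obscures the new four-field parse, and version history already preserves the old form. Because the fourth field is obtained by splitting on `:` as well, a clientList written inline cannot itself contain a colon (an IPv6 literal, for example) unless `list2vect` treats braces as grouping, which is not visible here; the documentation of `RESOLV=resType:resAddr:hostList:clientList` should point to the HOSTLIST indirection for such cases. The enclosing function starts and ends outside the hunk.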
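Review bot: In the inets.c hunk at line 531, the nested `if( clients[0] == 0 ) Xsprintf(TVStr(order),":");` inside the new `if( clients[0] ){` branch can never fire, since the outer condition has just established that `clients[0]` is non-zero; it reads as a copy of the `if( arg[0] == 0 )` guard from the doms branch in the context lines above. If the intent is to keep the `:` separator in `order` when neither resAddr nor hostList wrote one, the guard should be `if( arg[0] == 0 && doms[0] == 0 )`; if no separator is needed in this position, delete the two lines. `RES_hlmatch = res_dommatch;` now appears in both branches, so a one-line comment stating that the client list is matched with the same host-list matcher as the domain list would help the next reader. The enclosing function starts and ends outside the hunk.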
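Review bot: In the reshost.c hunk at line 155, `clientmatch()` leaves its contract implicit: it returns -1 when `arg` carries no `<` client list (the entry applies to every client), 0 when a list exists but `RES_client` is unset or does not match (the callers' `== 0` checks then skip the entry), and as a side effect truncates `arg` at the `<` so that `dommatch()` does not see the client list; a header comment above `static int clientmatch(` stating those three cases and the side effect is needed. The `host`, `where` and `res1` parameters are unused and `int match = 1;` is always overwritten, so the tail can simply be `RES_client_dependent = 1; return (*RES_hlmatch)(client,RES_client);`. With `RES_client == 0` every client-restricted entry is skipped, so lookups made outside a DNS query context cannot use such entries; if that deny-by-default is intended, the comment should say so. `RES_client` and `RES_client_dependent` are defined here but redeclared with `extern` in the domain.c and resolv.c hunks; a shared header declaration would keep the three copies from drifting.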
AF_INET6 : 1;
+ int clmatch = 0;
res_log(0,0,0,0,0);
***************
*** 355,360 ****
--- 374,382 ----
debug(DBG_ANY," RES[%s] %s\n",res1,where);
res = res1[0];
+ if( (clmatch = clientmatch(name,where,res1,AVStr(arg))) == 0 ){
+ continue;
+ }
if( !RES_ASIS && res == RT_DNS ){
/* will be filtered in dnsrch() after extented with DEFDNAME */
}else
***************
*** 408,413 ****
--- 430,439 ----
RES_CACHED_UNKNOWN = 0;
if( with_cache && lastres )
+ if( RES_client_dependent ){
+ /* don't cache client dependent result */
+ }
+ else
ac = caching(lastres,ac,name,rv,1,AVStr(cname),UNKNOWN_HOSTADDR,4);
debug(DBG_NS,"Hit: %d\n",ac);
***************
*** 459,464 ****
--- 485,491 ----
CStr(res1,512);
CStr(arg,512);
int with_cache = 0;
+ int clmatch = 0;
res_log(0,0,0,0,0);
***************
*** 469,474 ****
--- 496,504 ----
for( ri = 0; ri = RES_next_res(where,ri,AVStr(res1),AVStr(arg)); ){
debug(DBG_ANY," RES[%s] %s\n",res1,where);
+ if( (clmatch = clientmatch(caddr,where,res1,AVStr(arg))) == 0 ){
+ continue;
+ }
if( dommatch(caddr,where,res1,AVStr(arg)) == 0 ){
continue;
}
***************
*** 520,525 ****
--- 550,559 ----
RES_CACHED_UNKNOWN = 0;
if( with_cache && lastres )
+ if( RES_client_dependent ){
+ /* don't cache client dependent result */
+ }
+ else
ac = caching(lastres,ac,caddr,rv,0,VStrNULL,UNKNOWN_HOSTNAME,0);
debug(DBG_NS,"Hit: %d\n",ac);
***************
*** 791,798 ****
--- 825,841 ----
HostFile *hp;
const char *lp;
int leng;
+ int hi;
hp = &Hosts[0];
+ for( hi = 0; hi < elnumof(Hosts)-1; hi++ ){
+ hp = &Hosts[hi];
+ if( hp->h_path == 0 )
+ break;
+ if( streq(hp->h_path,path) )
+ break;
+ }
+
now = time(0);
if( hp->h_buff == NULL || 60 < (now-hp->h_date) ){
if( path == NULL || path[0] == 0 )
***************
*** 807,813 ****
--- 850,859 ----
return -1;
}
+ /* readhosts1(path,fp,&Hosts[0]);
+ */
+ readhosts1(path,fp,hp);
if( strncmp(path,"sh:",3) == 0 ) pclose(fp);
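Review bot: In the reshost.c hunk at line 374, `clmatch` is written in `if( (clmatch = clientmatch(name,where,res1,AVStr(arg))) == 0 )` but never read afterwards, and the same holds for the matching hunk at line 496 in the reverse-lookup loop, so the two new `int clmatch = 0;` declarations are dead state; `if( clientmatch(name,where,res1,AVStr(arg)) == 0 ){ continue; }` is enough. If the cache lookup in these functions happens before the resolver loop (outside the hunk), it is worth confirming that a name cached from an unrestricted entry is not served to a client that a later restricted entry would have excluded, since the new client check only runs on the resolve path. The enclosing loop starts and ends outside the hunk.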
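Review bot: In the reshost.c hunk at line 430, the new test is spliced under the unbraced `if( with_cache && lastres )`, producing an unbraced `if`/`if`/`else` chain whose `else` reaches `ac = caching(...)` only through the dangling-else rule; the hunk at line 550 repeats the construct for the reverse lookup. Folding the flag into the condition is equivalent and reads as one decision: `if( with_cache && lastres && !RES_client_dependent )` above the unchanged `ac = caching(...)` line, with the comment `/* client dependent results are not cached */` on the line before. The enclosing function starts and ends outside the hunk.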
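Review bot: In the reshost.c hunk at line 825, the new lookup loop calls `streq(hp->h_path,path)` before the existing `if( path == NULL || path[0] == 0 )` check a few lines later, so a NULL `path` now reaches the comparison whenever `Hosts[0].h_path` is already set; if `streq` is strcmp-like this dereferences NULL where the old code returned early, and hoisting that check above the loop restores the previous ordering. The bound `hi < elnumof(Hosts)-1` never visits the last slot, and when no slot matches `hp` is left on the last visited entry, which the later `readhosts1(path,fp,hp)` then silently overwrites; a comment stating whether the final slot is a deliberate spare and which entry is evicted when the table is full would make the intent checkable. Nothing in the hunk stores `path` into `hp->h_path`, so presumably readhosts1 does that; if not, the loop can never match and every call reuses the first free slot. The enclosing function starts outside the hunk.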