jmg
/
dns-rewrite-proxy
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79 Commits
2 Branches
129 KiB
 
Branch: main
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'main'
${ noResults }
dns-rewrite-proxy/dnsrewriteproxy.py

221 lines
7.5 KiB
Raw Permalink Blame History 

  1. from asyncio import (

  2.     CancelledError,

  3.     Queue,

  4.     create_task,

  5.     get_running_loop,

  6. )

  7. from enum import (

  8.     IntEnum,

  9. )

  10. import logging

  11. import re

  12. from random import (

  13.     choices,

  14. )

  15. import string

  16. import socket

  17. 

  18. from aiodnsresolver import (

  19.     RESPONSE,

  20.     TYPES,

  21.     DnsRecordDoesNotExist,

  22.     DnsResponseCode,

  23.     Message,

  24.     Resolver,

  25.     ResourceRecord,

  26.     ResolverLoggerAdapter,

  27.     pack,

  28.     parse,

  29.     recvfrom,

  30. )

  31. 

  32. 

  33. def get_socket_default():

  34.     sock = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)

  35.     sock.setblocking(False)

  36.     sock.bind(('', 53))

  37.     return sock

  38. 

  39. 

  40. def get_resolver_default():

  41.     return Resolver()

  42. 

  43. 

  44. class DnsProxyLoggerAdapter(logging.LoggerAdapter):

  45.     def process(self, msg, kwargs):

  46.         return \

  47.             ('[dnsproxy] %s' % (msg,), kwargs) if not self.extra else \

  48.             ('[dnsproxy:%s] %s' % (','.join(str(v) for v in self.extra.values()), msg), kwargs)

  49. 

  50. 

  51. def get_logger_adapter_default(extra):

  52.     return DnsProxyLoggerAdapter(logging.getLogger('dnsrewriteproxy'), extra)

  53. 

  54. 

  55. def get_resolver_logger_adapter_default(parent_adapter):

  56.     def _get_resolver_logger_adapter_default(dns_extra):

  57.         return ResolverLoggerAdapter(parent_adapter, dns_extra)

  58.     return _get_resolver_logger_adapter_default

  59. 

  60. 

  61. def DnsProxy(

  62.         get_resolver=get_resolver_default,

  63.         get_logger_adapter=get_logger_adapter_default,

  64.         get_resolver_logger_adapter=get_resolver_logger_adapter_default,

  65.         get_socket=get_socket_default, num_workers=1000,

  66.         rules=(),

  67. ):

  68. 

  69.     class ERRORS(IntEnum):

  70.         FORMERR = 1

  71.         SERVFAIL = 2

  72.         NXDOMAIN = 3

  73.         REFUSED = 5

  74. 

  75.     loop = get_running_loop()

  76.     logger = get_logger_adapter({})

  77.     request_id_alphabet = string.ascii_letters + string.digits

  78. 

  79.     # The "main" task of the server: it receives incoming requests and puts

  80.     # them in a queue that is then fetched from and processed by the proxy

  81.     # workers

  82. 

  83.     async def server_worker(sock, resolve, stop):

  84.         upstream_queue = Queue(maxsize=num_workers)

  85. 

  86.         # We have multiple upstream workers to be able to send multiple

  87.         # requests upstream concurrently

  88.         upstream_worker_tasks = [

  89.             create_task(upstream_worker(sock, resolve, upstream_queue))

  90.             for _ in range(0, num_workers)]

  91. 

  92.         try:

  93.             while True:

  94.                 logger.info('Waiting for next request')

  95.                 request_data, addr = await recvfrom(loop, [sock], 512)

  96.                 request_logger = get_logger_adapter(

  97.                     {'dnsrewriteproxy_requestid': ''.join(choices(request_id_alphabet, k=8))})

  98.                 request_logger.info('Received request from %s', addr)

  99.                 await upstream_queue.put((request_logger, request_data, addr))

  100.         finally:

  101.             logger.info('Stopping: waiting for requests to finish')

  102.             await upstream_queue.join()

  103. 

  104.             logger.info('Stopping: cancelling workers...')

  105.             for upstream_task in upstream_worker_tasks:

  106.                 upstream_task.cancel()

  107.             for upstream_task in upstream_worker_tasks:

  108.                 try:

  109.                     await upstream_task

  110.                 except CancelledError:

  111.                     pass

  112.             logger.info('Stopping: cancelling workers... (done)')

  113. 

  114.             logger.info('Stopping: final cleanup')

  115.             await stop()

  116.             logger.info('Stopping: done')

  117. 

  118.     async def upstream_worker(sock, resolve, upstream_queue):

  119.         while True:

  120.             request_logger, request_data, addr = await upstream_queue.get()

  121. 

  122.             try:

  123.                 request_logger.info('Processing request')

  124.                 response_data = await get_response_data(request_logger, resolve, request_data)

  125.                 # Sendto for non-blocking UDP sockets cannot raise a BlockingIOError

  126.                 # https://stackoverflow.com/a/59794872/1319998

  127.                 sock.sendto(response_data, addr)

  128.             except Exception:

  129.                 request_logger.exception('Error processing request')

  130.             finally:

  131.                 request_logger.info('Finished processing request')

  132.                 upstream_queue.task_done()

  133. 

  134.     async def get_response_data(request_logger, resolve, request_data):

  135.         # This may raise an exception, which is handled at a higher level.

  136.         # We can't [and I suspect shouldn't try to] return an error to the

  137.         # client, since we're not able to extract the QID, so the client won't

  138.         # be able to match it with an outgoing request

  139.         query = parse(request_data)

  140. 

  141.         try:

  142.             return pack(await proxy(request_logger, resolve, query))

  143.         except Exception:

  144.             request_logger.exception('Failed to proxy %s', query)

  145.             return pack(error(query, ERRORS.SERVFAIL))

  146. 

  147.     async def proxy(request_logger, resolve, query):

  148.         name_bytes = query.qd[0].name

  149.         request_logger.info('Name: %s', name_bytes)

  150. 

  151.         name_str_lower = query.qd[0].name.lower().decode('idna')

  152.         request_logger.info('Decoded: %s', name_str_lower)

  153. 

  154.         if query.qd[0].qtype != TYPES.A:

  155.             request_logger.info('Unhandled query type: %s', query.qd[0].qtype)

  156.             return error(query, ERRORS.REFUSED)

  157. 

  158.         for pattern, replace in rules:

  159.             rewritten_name_str, num_matches = re.subn(pattern, replace, name_str_lower)

  160.             if num_matches:

  161.                 request_logger.info('Matches rule (%s, %s)', pattern, replace)

  162.                 break

  163.         else:

  164.             # No break was triggered, i.e. no match

  165.             request_logger.info('Does not match a rule')

  166.             return error(query, ERRORS.REFUSED)

  167. 

  168.         try:

  169.             ip_addresses = await resolve(

  170.                 rewritten_name_str, TYPES.A,

  171.                 get_logger_adapter=get_resolver_logger_adapter(request_logger))

  172.         except DnsRecordDoesNotExist:

  173.             request_logger.info('Does not exist')

  174.             return error(query, ERRORS.NXDOMAIN)

  175.         except DnsResponseCode as dns_response_code_error:

  176.             request_logger.info('Received error from upstream: %s',

  177.                                 dns_response_code_error.args[0])

  178.             return error(query, dns_response_code_error.args[0])

  179. 

  180.         request_logger.info('Resolved to %s', ip_addresses)

  181.         now = loop.time()

  182. 

  183.         def ttl(ip_address):

  184.             return int(max(0.0, ip_address.expires_at - now))

  185. 

  186.         reponse_records = tuple(

  187.             ResourceRecord(name=name_bytes, qtype=TYPES.A,

  188.                            qclass=1, ttl=ttl(ip_address), rdata=ip_address.packed)

  189.             for ip_address in ip_addresses

  190.         )

  191.         return Message(

  192.             qid=query.qid, qr=RESPONSE, opcode=0, aa=0, tc=0, rd=0, ra=1, z=0, rcode=0,

  193.             qd=query.qd, an=reponse_records, ns=(), ar=(),

  194.         )

  195. 

  196.     async def start():

  197.         # The socket is created synchronously and passed to the server worker,

  198.         # so if there is an error creating it, this function will raise an

  199.         # exception. If no exeption is raise, we are indeed listening#

  200.         sock = get_socket()

  201. 

  202.         # The resolver is also created synchronously, since it can parse

  203.         # /etc/hosts or /etc/resolve.conf, and can raise an exception if

  204.         # something goes wrong with that

  205.         resolve, clear_cache = get_resolver()

  206. 

  207.         async def stop():

  208.             sock.close()

  209.             await clear_cache()

  210. 

  211.         return create_task(server_worker(sock, resolve, stop))

  212. 

  213.     return start

  214. 

  215. 

  216. def error(query, rcode):

  217.     return Message(

  218.         qid=query.qid, qr=RESPONSE, opcode=0, aa=0, tc=0, rd=0, ra=1, z=0, rcode=rcode,

  219.         qd=query.qd, an=(), ns=(), ar=(),

  220.     )