plugin/acl: adding ability to drop queries (#5722)

Both block and filter actions write responses to the client based upon the source IP address of the UDP packet containing the query. An attacker spoofing the source IP address to that of their target, can elicit a response to be sent to the victim host, known as DNS Reflection. If an attacker is able to elicit a large response from a relatively small query, with a spoofed source IP address, they are able to increase the amount of data sent to the victim, known as DNS Amplification. Scaling this from one to many queries allows an attacker to perform an effective Denial of Service (DoS) attack against their target. Adding the drop action enables CoreDNS to ignore queries of a given type or network range from being processed and a response written, where an operator knows ahead of time, should not originate or be destined to. Signed-off-by: rsclarke <hey@rsclarke.dev> Signed-off-by: rsclarke <hey@rsclarke.dev>
author: rsclarke <hey@rsclarke.dev> 2022-11-01 17:16:55 +0800
committer: GitHub <noreply@github.com> 2022-11-01 10:16:55 +0100
commit: ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7 (patch)
tree: 820558330bc879b157ac413070e1b9a2e0ac5c0b /plugin
parent: faaf2b446e0aa032a68061d82e403a716ec56059 (diff)
download: coredns-ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7.tar.gz
coredns-ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7.tar.zst
coredns-ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7.zip
6 files changed, 194 insertions, 2 deletions
diff --git a/plugin/acl/README.md b/plugin/acl/README.md
index 6e5b827e1..d957d24ec 100644
--- a/plugin/acl/README.md
+++ b/plugin/acl/README.md
@@ -25,7 +25,7 @@ acl [ZONES...] {
 ```
 
 - **ZONES** zones it should be authoritative for. If empty, the zones from the configuration block are used.
-- **ACTION** (*allow*, *block*, or *filter*) defines the way to deal with DNS queries matched by this rule. The default action is *allow*, which means a DNS query not matched by any rules will be allowed to recurse. The difference between *block* and *filter* is that block returns status code of *REFUSED* while filter returns an empty set *NOERROR*
+- **ACTION** (*allow*, *block*, *filter*, or *drop*) defines the way to deal with DNS queries matched by this rule. The default action is *allow*, which means a DNS query not matched by any rules will be allowed to recurse. The difference between *block* and *filter* is that block returns status code of *REFUSED* while filter returns an empty set *NOERROR*. *drop* however returns no response to the client.
 - **QTYPE** is the query type to match for the requests to be allowed or blocked. Common resource record types are supported. `*` stands for all record types. The default behavior for an omitted `type QTYPE...` is to match all kinds of DNS queries (same as `type *`).
 - **SOURCE** is the source IP address to match for the requests to be allowed or blocked. Typical CIDR notation and single IP address are supported. `*` stands for all possible source IP addresses.
 
@@ -85,6 +85,16 @@ example.org {
 }
 ~~~
 
+Drop all DNS queries from 192.0.2.0/24:
+
+~~~ corefile
+. {
+    acl {
+        drop net 192.0.2.0/24
+    }
+}
+~~~
+
 ## Metrics
 
 If monitoring is enabled (via the _prometheus_ plugin) then the following metrics are exported:
@@ -95,4 +105,6 @@ If monitoring is enabled (via the _prometheus_ plugin) then the following metric
 
 - `coredns_acl_allowed_requests_total{server, view}` - counter of DNS requests being allowed.
 
+- `coredns_acl_dropped_requests_total{server, zone, view}` - counter of DNS requests being dropped.
+
 The `server` and `zone` labels are explained in the _metrics_ plugin documentation.
diff --git a/plugin/acl/acl.go b/plugin/acl/acl.go
index 7d7b9d600..263232632 100644
--- a/plugin/acl/acl.go
+++ b/plugin/acl/acl.go
@@ -49,6 +49,8 @@ const (
 	actionBlock
 	// actionFilter returns empty sets for queries towards protected DNS zones.
 	actionFilter
+	// actionDrop does not respond for queries towards the protected DNS zones.
+	actionDrop
 )
 
 var log = clog.NewWithPlugin("acl")
@@ -67,6 +69,11 @@ RulesCheckLoop:
 
 		action := matchWithPolicies(rule.policies, w, r)
 		switch action {
+		case actionDrop:
+			{
+				RequestDropCount.WithLabelValues(metrics.WithServer(ctx), zone, metrics.WithView(ctx)).Inc()
+				return dns.RcodeSuccess, nil
+			}
 		case actionBlock:
 			{
 				m := new(dns.Msg).
diff --git a/plugin/acl/acl_test.go b/plugin/acl/acl_test.go
index d947879c3..f867d1f52 100644
--- a/plugin/acl/acl_test.go
+++ b/plugin/acl/acl_test.go
@@ -51,6 +51,7 @@ func TestACLServeDNS(t *testing.T) {
 		wantRcode             int
 		wantErr               bool
 		wantExtendedErrorCode uint16
+		expectNoResponse      bool
 	}{
 		// IPv4 tests.
 		{
@@ -206,6 +207,79 @@ func TestACLServeDNS(t *testing.T) {
 			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
 		{
+			name: "Drop 1 DROPPED",
+			config: `acl example.org {
+				drop net 192.168.0.0/16
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "192.168.0.2",
+				qtype:    dns.TypeA,
+			},
+			wantRcode:        dns.RcodeSuccess,
+			expectNoResponse: true,
+		},
+		{
+			name: "Subnet-Order 1 REFUSED",
+			config: `acl example.org {
+				block net 192.168.1.0/24
+				drop net 192.168.0.0/16
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "192.168.1.2",
+				qtype:    dns.TypeA,
+			},
+			wantRcode:             dns.RcodeRefused,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
+		},
+		{
+			name: "Subnet-Order 2 DROPPED",
+			config: `acl example.org {
+				drop net 192.168.0.0/16
+				block net 192.168.1.0/24
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "192.168.1.1",
+				qtype:    dns.TypeA,
+			},
+			wantRcode:        dns.RcodeSuccess,
+			expectNoResponse: true,
+		},
+		{
+			name: "Drop-Type 1 DROPPED",
+			config: `acl example.org {
+				drop type A
+				allow net 192.168.0.0/16
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "192.168.1.1",
+				qtype:    dns.TypeA,
+			},
+			wantRcode:        dns.RcodeSuccess,
+			expectNoResponse: true,
+		},
+		{
+			name: "Drop-Type 2 ALLOWED",
+			config: `acl example.org {
+				drop type A
+				allow net 192.168.0.0/16
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "192.168.1.1",
+				qtype:    dns.TypeAAAA,
+			},
+			wantRcode: dns.RcodeSuccess,
+		},
+		{
 			name: "Fine-Grained 1 REFUSED",
 			config: `acl a.example.org {
 				block type * net 192.168.1.0/24
@@ -402,6 +476,79 @@ func TestACLServeDNS(t *testing.T) {
 			wantRcode:             dns.RcodeRefused,
 			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
 		},
+		{
+			name: "Drop 1 DROPPED IPV6",
+			config: `acl example.org {
+				drop net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+				qtype:    dns.TypeAAAA,
+			},
+			wantRcode:        dns.RcodeSuccess,
+			expectNoResponse: true,
+		},
+		{
+			name: "Subnet-Order 1 REFUSED IPv6",
+			config: `acl example.org {
+				block net 2001:db8:abcd:0012:8000::/66
+				drop net 2001:db8:abcd:0012::0/64
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "2001:db8:abcd:0012:8000::1",
+				qtype:    dns.TypeAAAA,
+			},
+			wantRcode:             dns.RcodeRefused,
+			wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
+		},
+		{
+			name: "Subnet-Order 2 DROPPED IPv6",
+			config: `acl example.org {
+				drop net 2001:db8:abcd:0012::0/64
+				block net 2001:db8:abcd:0012:8000::/66
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "2001:db8:abcd:0012:8000::1",
+				qtype:    dns.TypeAAAA,
+			},
+			wantRcode:        dns.RcodeSuccess,
+			expectNoResponse: true,
+		},
+		{
+			name: "Drop-Type 1 DROPPED IPv6",
+			config: `acl example.org {
+				drop type A
+				allow net 2001:db8:85a3:0000::0/64
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+				qtype:    dns.TypeA,
+			},
+			wantRcode:        dns.RcodeSuccess,
+			expectNoResponse: true,
+		},
+		{
+			name: "Drop-Type 2 ALLOWED IPv6",
+			config: `acl example.org {
+				drop type A
+				allow net 2001:db8:85a3:0000::0/64
+			}`,
+			zones: []string{},
+			args: args{
+				domain:   "www.example.org.",
+				sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+				qtype:    dns.TypeAAAA,
+			},
+			wantRcode: dns.RcodeSuccess,
+		},
 	}
 
 	ctx := context.Background()
@@ -430,6 +577,9 @@ func TestACLServeDNS(t *testing.T) {
 			if w.Rcode != tt.wantRcode {
 				t.Errorf("Error: acl.ServeDNS() Rcode = %v, want %v", w.Rcode, tt.wantRcode)
 			}
+			if tt.expectNoResponse && w.Msg != nil {
+				t.Errorf("Error: acl.ServeDNS() responded to client when not expected")
+			}
 			if tt.wantExtendedErrorCode != 0 {
 				matched := false
 				for _, opt := range w.Msg.IsEdns0().Option {
diff --git a/plugin/acl/metrics.go b/plugin/acl/metrics.go
index 04d728bcd..a8d823254 100644
--- a/plugin/acl/metrics.go
+++ b/plugin/acl/metrics.go
@@ -29,4 +29,11 @@ var (
 		Name:      "allowed_requests_total",
 		Help:      "Counter of DNS requests being allowed.",
 	}, []string{"server", "view"})
+	// RequestDropCount is the number of DNS requests being dropped.
+	RequestDropCount = promauto.NewCounterVec(prometheus.CounterOpts{
+		Namespace: plugin.Namespace,
+		Subsystem: pluginName,
+		Name:      "dropped_requests_total",
+		Help:      "Counter of DNS requests being dropped.",
+	}, []string{"server", "zone", "view"})
 )
diff --git a/plugin/acl/setup.go b/plugin/acl/setup.go
index 3adde0aec..189acc6c4 100644
--- a/plugin/acl/setup.go
+++ b/plugin/acl/setup.go
@@ -56,8 +56,10 @@ func parse(c *caddy.Controller) (ACL, error) {
 				p.action = actionBlock
 			} else if action == "filter" {
 				p.action = actionFilter
+			} else if action == "drop" {
+				p.action = actionDrop
 			} else {
-				return a, c.Errf("unexpected token %q; expect 'allow', 'block', or 'filter'", c.Val())
+				return a, c.Errf("unexpected token %q; expect 'allow', 'block', 'filter' or 'drop'", c.Val())
 			}
 
 			p.qtypes = make(map[uint16]struct{})
diff --git a/plugin/acl/setup_test.go b/plugin/acl/setup_test.go
index 1d25dd7af..5cd51bb3a 100644
--- a/plugin/acl/setup_test.go
+++ b/plugin/acl/setup_test.go
@@ -58,6 +58,13 @@ func TestSetup(t *testing.T) {
 			false,
 		},
 		{
+			"Drop 1",
+			`acl {
+				drop type * net 192.168.0.0/16
+			}`,
+			false,
+		},
+		{
 			"fine-grained 1",
 			`acl a.example.org {
 				block type * net 192.168.1.0/24
@@ -176,6 +183,13 @@ func TestSetup(t *testing.T) {
 			false,
 		},
 		{
+			"Drop 1 IPv6",
+			`acl {
+				drop net 2001:db8:abcd:0012::0/64
+			}`,
+			false,
+		},
+		{
 			"fine-grained 1 IPv6",
 			`acl a.example.org {
 				block net 2001:db8:abcd:0012::0/64
author	rsclarke <hey@rsclarke.dev>	2022-11-01 17:16:55 +0800
committer	GitHub <noreply@github.com>	2022-11-01 10:16:55 +0100
commit	ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7 (patch)
tree	820558330bc879b157ac413070e1b9a2e0ac5c0b /plugin
parent	faaf2b446e0aa032a68061d82e403a716ec56059 (diff)
download	coredns-ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7.tar.gz coredns-ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7.tar.zst coredns-ead84e1fa8c618e5eef07d6bc5e9d20fc01e4ca7.zip