def query(self, query, src_ip):
"""
Check if the query should be answered dynamically, otherwise dispatch to
the fallback resolver.
"""
IS_NX_DOMAIN = True in [
query.name.name.lower().endswith(d) for d in settings.NXDOMAINS
]
if (not True in [
query.name.name.lower().endswith(d)
for d in self.canary_domains
] and not IS_NX_DOMAIN):
return defer.fail(error.DNSQueryRefusedError())
if query.type == dns.NS:
return defer.succeed(self._do_ns_response(name=query.name.name))
if query.type == dns.SOA:
return defer.succeed(self._do_soa_response(name=query.name.name))
if query.type != dns.A:
return defer.succeed(self._do_no_response(query=query))
try:
token = Canarytoken(value=query.name.name)
canarydrop = Canarydrop(**get_canarydrop(
canarytoken=token.value()))
src_data = self.look_for_source_data(token=token.value(),
value=query.name.name)
if canarydrop._drop['type'] == 'my_sql':
d = deferLater(reactor,
10,
self.dispatch,
canarydrop=canarydrop,
src_ip=src_ip,
src_data=src_data)
d.addErrback(self._handleMySqlErr)
else:
self.dispatch(canarydrop=canarydrop,
src_ip=src_ip,
src_data=src_data)
except (NoCanarytokenPresent, NoCanarytokenFound):
# If we dont find a canarytoken, lets just continue. No need to log.
pass
except Exception as e:
log.error(e)
if IS_NX_DOMAIN:
return defer.fail(error.DomainError())
return defer.succeed(self._do_dynamic_response(name=query.name.name))
def query(self, query, timeout=0):
"""
Either return our fake response, or let it on through to the next resolver
in the chain
"""
# Disable the warning that timeout is unused. We have to
# accept the argument.
# pylint: disable=W0613
# ACL:
try:
if not self.ACL.check_acl(self.acl_map[query.type],
self.peer_address.host):
# Failed the ACL, refuse to answer
self.run_hook("failed_acl", self.peer_address, query)
return defer.fail(error.DNSQueryRefusedError())
except KeyError:
# Refuse to answer if we have no ACL for this type.
# All non A, AAAA, MX, and SRV records fall here
self.run_hook("no_acl", self.peer_address, query)
return defer.fail(error.DNSQueryRefusedError())
# FogHorn Greylisting:
if self.list_check(query):
# We've passed Foghorn! Now we actually resolve the request
self.run_hook("passed", self.peer_address, query)
orig = log.msg
try:
log.msg = ignoremsg
return self.resolver.query(query, timeout)
except:
self.run_hook("upstream_error", self.peer_address, query)
log.msg = orig
elif self.sinkholeable(query):
# We've been requested to sinkhole this query
self.run_hook("sinkhole", self.peer_address, query)
return self.build_response(query)
else:
# No sinkhole defined, refuse to answer
self.run_hook("refused", self.peer_address, query)
return defer.fail(error.DNSQueryRefusedError())
def query(self, query, src_ip):
"""
Check if the query should be answered dynamically, otherwise dispatch to
the fallback resolver.
"""
self.logfile.write('%r\n' % query)
self.logfile.flush()
if not True in [query.name.name.lower().endswith(d) for d in self.canary_domains]:
return defer.fail(error.DNSQueryRefusedError())
if query.type == dns.NS:
return defer.succeed(self._do_ns_response(name=query.name.name))
if query.type == dns.SOA:
return defer.succeed(self._do_soa_response(name=query.name.name))
if query.type != dns.A:
return defer.succeed(self._do_no_response(query=query))
try:
token = Canarytoken(value=query.name.name)
canarydrop = Canarydrop(**get_canarydrop(canarytoken=token.value()))
src_data = self.look_for_source_data(token=token.value(), value=query.name.name)
self.dispatch(canarydrop=canarydrop, src_ip=src_ip, src_data=src_data)
except (NoCanarytokenPresent, NoCanarytokenFound):
# If we dont find a canarytoken, lets just continue. No need to log.
pass
except Exception as e:
log.err(e)
if query.name.name in settings.NXDOMAINS:
return defer.fail(error.DomainError())
return defer.succeed(self._do_dynamic_response(name=query.name.name))
def _lookup(self, name, cls, type, timeout):
return defer.fail(error.DNSQueryRefusedError())