authorHimbeerserverDE <himbeerserverde@gmail.com>2023-08-16 10:23:37 +0200
committerHimbeerserverDE <himbeerserverde@gmail.com>2023-08-16 10:23:37 +0200
commit95a6938f3a156e488ad74ba113b28cbd0d9c2398 (patch)
tree4b54d1dd51f9ae2afc5197a12efd2d58175c48ea
parentd51ea3b2670651d4a1fffa2957aca8a22e3705e3 (diff)
don't check source address for eligibility
This change allows IPv6 clients to use native global addresses or link-local addresses to issue DNS queries through dnsd. It does not pose a security risk when combined with netfilterd, since that ruleset blocks DNS traffic from the public internet. However, a standalone instance is potentially vulnerable to DNS reflection / amplification unless mitigated externally.
-rw-r--r--Cargo.lock10
-rw-r--r--Cargo.toml1
-rw-r--r--src/main.rs25
3 files changed, 0 insertions, 36 deletions
diff --git a/Cargo.lock b/Cargo.lock
index 1d06393..6cb13b3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -671,21 +671,11 @@ dependencies = [
"dns-message-parser",
"notify",
"rsdsl_dhcp4d",
- "rsdsl_he_config",
"serde_json",
"thiserror",
]
[[package]]
-name = "rsdsl_he_config"
-version = "0.1.0"
-source = "git+https://github.com/rsdsl/he_config.git#602b64314e53db90923a32c93ebe95c12db69d4c"
-dependencies = [
- "ipnet",
- "serde",
-]
-
-[[package]]
name = "rsdsl_ip_config"
version = "0.2.2"
source = "git+https://github.com/rsdsl/ip_config.git#3239a5eeef22de4c50d4d00a9f51bebb5207633c"
diff --git a/Cargo.toml b/Cargo.toml
index 91b70d8..a80b7d9 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,6 +11,5 @@ bytes = "1.4.0"
dns-message-parser = "0.7.0"
notify = "5.1.0"
rsdsl_dhcp4d = { git = "https://github.com/rsdsl/dhcp4d.git", version = "0.1.6" }
-rsdsl_he_config = { git = "https://github.com/rsdsl/he_config.git", version = "0.1.0" }
serde_json = "1.0"
thiserror = "1.0"
diff --git a/src/main.rs b/src/main.rs
index 890001d..4afba59 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -15,7 +15,6 @@ use dns_message_parser::{Dns, Flags, Opcode, RCode};
use notify::event::{AccessKind, AccessMode, CreateKind};
use notify::{Event, EventKind, RecursiveMode, Watcher};
use rsdsl_dhcp4d::lease::Lease;
-use rsdsl_he_config::{Config, UsableConfig};
const UPSTREAM: &str = "8.8.8.8:53";
@@ -84,10 +83,6 @@ fn read_leases(cache: Arc<RwLock<Vec<Lease>>>) -> Result<()> {
fn main() -> Result<()> {
println!("init");
- let mut file = File::open("/data/he6in4.conf")?;
- let he: Config = serde_json::from_reader(&mut file)?;
- let he: UsableConfig = he.into();
-
let leases = Arc::new(RwLock::new(Vec::new()));
read_leases(leases.clone())?;
@@ -104,26 +99,6 @@ fn main() -> Result<()> {
let (n, raddr) = sock.recv_from(&mut buf)?;
let buf = &buf[..n];
- let is_local = match raddr.ip() {
- IpAddr::V4(addr) => addr.is_private() || addr.is_loopback(),
- IpAddr::V6(addr) => {
- he.tn64.contains(&addr)
- || he.rt64.contains(&addr)
- || he.rt48.contains(&addr)
- || addr.is_loopback()
- || if let Some(addr) = addr.to_ipv4_mapped() {
- addr.is_private() || addr.is_loopback()
- } else {
- false
- }
- }
- };
-
- if !is_local {
- println!("drop wan pkt from {}", raddr);
- continue;
- }
-
let sock2 = sock.try_clone()?;
let buf = buf.to_vec();
let leases3 = leases.clone();
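Review bot: With the `is_local` gate gone, every datagram returned by the `sock.recv_from` call at the top of the hunk reaches the forwarding path with no source check at all, so the reflection/amplification exposure the commit message concedes for standalone use is now an invariant that holds only while netfilterd is deployed alongside dnsd, and nothing in this file records that. At minimum the dependency should be stated where the check used to live, e.g. `// No source-address filtering here: WAN DNS traffic is expected to be dropped by netfilterd's ruleset; a standalone dnsd is open to reflection/amplification.` If the listening socket is bound earlier in `main` (its creation is outside this hunk), binding it to the LAN and loopback addresses rather than a wildcard address would keep the trust boundary inside the process without reviving the removed per-packet prefix test. A cheap per-source rate limit on the spawned forwarder would also bound the amplification factor if standalone deployments are a supported configuration. `main` starts before this hunk and continues after it.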