Merge pull request #391 from step-security/fix-wildcard-resolution

varunsh-coder · web-flow · commit 2de636fa97ee · 2023-05-03T22:52:05.000-07:00
Fix bug with wildcard resolution
diff --git a/agent.go b/agent.go
@@ -270,7 +270,7 @@ func refreshDNSEntries(ctx context.Context, iptables *Firewall, allowedEndpoints
 							}
 
 							// add to cache with new TTL
-							dnsProxy.Cache.Set(domainName, answer)
+							dnsProxy.Cache.Set(domainName, answer, false)
 
 							WriteLog(fmt.Sprintf("domain resolved: %s, ip address: %s, TTL: %d", domainName, answer.Data, answer.TTL))
 						}
diff --git a/cache.go b/cache.go
@@ -6,8 +6,9 @@ import (
 )
 
 type Element struct {
-	Value     *Answer
-	TimeAdded int64
+	Value            *Answer
+	TimeAdded        int64
+	IsWildcardDomain bool
 }
 
 type Cache struct {
@@ -32,7 +33,7 @@ func (cache *Cache) Get(k string) (*Element, bool) {
 		return nil, false
 	}
 
-	if cache.egressPolicy == EgressPolicyAudit {
+	if cache.egressPolicy == EgressPolicyAudit || element.IsWildcardDomain {
 		// TTL is in seconds
 		// if now minus time added is greater than TTL, return nil, so new DNS request is made
 		if time.Now().Unix()-element.TimeAdded > int64(element.Value.TTL) {
@@ -51,12 +52,13 @@ func (cache *Cache) Get(k string) (*Element, bool) {
 	}
 }
 
-func (cache *Cache) Set(k string, v *Answer) {
+func (cache *Cache) Set(k string, v *Answer, isWildcardDomain bool) {
 	cache.mutex.Lock()
 
 	cache.elements[k] = Element{
-		Value:     v,
-		TimeAdded: time.Now().Unix(),
+		Value:            v,
+		TimeAdded:        time.Now().Unix(),
+		IsWildcardDomain: isWildcardDomain,
 	}
 
 	cache.mutex.Unlock()
diff --git a/dnsproxy.go b/dnsproxy.go
@@ -206,7 +206,7 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 
 				// return an ip address, so calling process calls the ip address
 				// the call will be blocked by the firewall
-				proxy.Cache.Set(domain, &Answer{Name: domain, TTL: math.MaxInt32, Data: StepSecuritySinkHoleIPAddress})
+				proxy.Cache.Set(domain, &Answer{Name: domain, TTL: math.MaxInt32, Data: StepSecuritySinkHoleIPAddress}, false)
 
 				go proxy.ApiClient.sendDNSRecord(proxy.CorrelationId, proxy.Repo, domain, StepSecuritySinkHoleIPAddress)
 
@@ -227,7 +227,7 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 		}
 	}
 
-	proxy.Cache.Set(domain, answer)
+	proxy.Cache.Set(domain, answer, matchesAnyWildcard)
 
 	go WriteLog(fmt.Sprintf("domain resolved: %s, ip address: %s, TTL: %d", domain, answer.Data, answer.TTL))
 
@@ -259,7 +259,7 @@ func (proxy *DNSProxy) processTypeA(q *dns.Question, requestMsg *dns.Msg) (*dns.
 			return nil, err
 		}
 
-		proxy.Cache.Set(q.Name, &Answer{Name: q.Name, TTL: math.MaxInt32, Data: "8.8.8.8"})
+		proxy.Cache.Set(q.Name, &Answer{Name: q.Name, TTL: math.MaxInt32, Data: "8.8.8.8"}, false)
 
 		return &rr, nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -270,7 +270,7 @@ func refreshDNSEntries(ctx context.Context, iptables *Firewall, allowedEndpoints`
`270`	`270`	`}`
`271`	`271`
`272`	`272`	`// add to cache with new TTL`
`273`		`- dnsProxy.Cache.Set(domainName, answer)`
	`273`	`+ dnsProxy.Cache.Set(domainName, answer, false)`
`274`	`274`
`275`	`275`	`WriteLog(fmt.Sprintf("domain resolved: %s, ip address: %s, TTL: %d", domainName, answer.Data, answer.TTL))`
`276`	`276`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,9 @@ import (`
`6`	`6`	`)`
`7`	`7`
`8`	`8`	`type Element struct {`
`9`		`- Value *Answer`
`10`		`- TimeAdded int64`
	`9`	`+ Value *Answer`
	`10`	`+ TimeAdded int64`
	`11`	`+ IsWildcardDomain bool`
`11`	`12`	`}`
`12`	`13`
`13`	`14`	`type Cache struct {`
`@@ -32,7 +33,7 @@ func (cache Cache) Get(k string) (Element, bool) {`
`32`	`33`	`return nil, false`
`33`	`34`	`}`
`34`	`35`
`35`		`- if cache.egressPolicy == EgressPolicyAudit {`
	`36`	`+ if cache.egressPolicy == EgressPolicyAudit \|\| element.IsWildcardDomain {`
`36`	`37`	`// TTL is in seconds`
`37`	`38`	`// if now minus time added is greater than TTL, return nil, so new DNS request is made`
`38`	`39`	`if time.Now().Unix()-element.TimeAdded > int64(element.Value.TTL) {`
`@@ -51,12 +52,13 @@ func (cache Cache) Get(k string) (Element, bool) {`
`51`	`52`	`}`
`52`	`53`	`}`
`53`	`54`
`54`		`-func (cache Cache) Set(k string, v Answer) {`
	`55`	`+func (cache Cache) Set(k string, v Answer, isWildcardDomain bool) {`
`55`	`56`	`cache.mutex.Lock()`
`56`	`57`
`57`	`58`	`cache.elements[k] = Element{`
`58`		`- Value: v,`
`59`		`- TimeAdded: time.Now().Unix(),`
	`59`	`+ Value: v,`
	`60`	`+ TimeAdded: time.Now().Unix(),`
	`61`	`+ IsWildcardDomain: isWildcardDomain,`
`60`	`62`	`}`
`61`	`63`
`62`	`64`	`cache.mutex.Unlock()`
Original file line number	Diff line number	Diff line change
`@@ -206,7 +206,7 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {`
`206`	`206`
`207`	`207`	`// return an ip address, so calling process calls the ip address`
`208`	`208`	`// the call will be blocked by the firewall`
`209`		`- proxy.Cache.Set(domain, &Answer{Name: domain, TTL: math.MaxInt32, Data: StepSecuritySinkHoleIPAddress})`
	`209`	`+ proxy.Cache.Set(domain, &Answer{Name: domain, TTL: math.MaxInt32, Data: StepSecuritySinkHoleIPAddress}, false)`
`210`	`210`
`211`	`211`	`go proxy.ApiClient.sendDNSRecord(proxy.CorrelationId, proxy.Repo, domain, StepSecuritySinkHoleIPAddress)`
`212`	`212`
`@@ -227,7 +227,7 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {`
`227`	`227`	`}`
`228`	`228`	`}`
`229`	`229`
`230`		`- proxy.Cache.Set(domain, answer)`
	`230`	`+ proxy.Cache.Set(domain, answer, matchesAnyWildcard)`
`231`	`231`
`232`	`232`	`go WriteLog(fmt.Sprintf("domain resolved: %s, ip address: %s, TTL: %d", domain, answer.Data, answer.TTL))`
`233`	`233`
`@@ -259,7 +259,7 @@ func (proxy DNSProxy) processTypeA(q dns.Question, requestMsg dns.Msg) (dns.`
`259`	`259`	`return nil, err`
`260`	`260`	`}`
`261`	`261`
`262`		`- proxy.Cache.Set(q.Name, &Answer{Name: q.Name, TTL: math.MaxInt32, Data: "8.8.8.8"})`
	`262`	`+ proxy.Cache.Set(q.Name, &Answer{Name: q.Name, TTL: math.MaxInt32, Data: "8.8.8.8"}, false)`
`263`	`263`
`264`	`264`	`return &rr, nil`
`265`	`265`	`}`