Add sinkhole IP address

varunsh-coder · varunsh-coder · commit 8c5b238b7c89 · 2021-12-20T14:40:58.000-08:00
diff --git a/dnsproxy.go b/dnsproxy.go
@@ -39,6 +39,8 @@ type Answer struct {
 	Data string `json:"data"`
 }
 
+const StepSecuritySinkHoleIPAddress = "54.185.253.63"
+
 func (proxy *DNSProxy) getResponse(requestMsg *dns.Msg) (*dns.Msg, error) {
 
 	responseMsg := new(dns.Msg)
@@ -98,7 +100,12 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 		if !proxy.isAllowedDomain(domain) {
 			go WriteLog(fmt.Sprintf("domain not allowed: %s", domain))
 			go WriteAnnotation(fmt.Sprintf("DNS resolution for domain %s was blocked", domain))
-			return "", fmt.Errorf("domain not allowed %s", domain)
+
+			// return an ip address, so calling process calls the ip address
+			// the call will be blocked by the firewall
+			proxy.Cache.Set(domain, StepSecuritySinkHoleIPAddress)
+
+			return StepSecuritySinkHoleIPAddress, nil
 		}
 	}
 
diff --git a/dnsproxy_test.go b/dnsproxy_test.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"net/http"
 	"reflect"
 	"testing"
@@ -21,6 +22,7 @@ func TestDNSProxy_getResponse(t *testing.T) {
 	Cache := InitCache(60 * 1000000000)
 	rrDnsGoogle, _ := dns.NewRR("dns.google. IN A 8.8.8.8")
 	rrDnsTest, _ := dns.NewRR("test.com. IN A 67.225.146.248")
+	rrDnsNotAllowed, _ := dns.NewRR(fmt.Sprintf("notallowed.com. IN A %s", StepSecuritySinkHoleIPAddress))
 	rrDnsAllowed, _ := dns.NewRR("allowed.com. IN A 67.225.146.248")
 
 	apiclient := &ApiClient{Client: &http.Client{}, APIURL: agentApiBaseUrl}
@@ -61,8 +63,8 @@ func TestDNSProxy_getResponse(t *testing.T) {
 		{name: "type A notallowed.com",
 			fields:  fields{Cache: &Cache, EgressPolicy: EgressPolicyBlock, AllowedEndpoints: []Endpoint{{domainName: "allowed.com"}}},
 			args:    args{requestMsg: &dns.Msg{Question: []dns.Question{{Name: "notallowed.com.", Qtype: dns.TypeA}}}},
-			want:    &dns.Msg{},
-			wantErr: true,
+			want:    &dns.Msg{Answer: []dns.RR{rrDnsNotAllowed}},
+			wantErr: false,
 		},
 		{name: "type A test.com egress policy cached",
 			fields:  fields{Cache: &Cache, EgressPolicy: EgressPolicyBlock, AllowedEndpoints: []Endpoint{{domainName: "test.com"}}},

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ type Answer struct {`
`39`	`39`	Data string `json:"data"`
`40`	`40`	`}`
`41`	`41`
	`42`	`+const StepSecuritySinkHoleIPAddress = "54.185.253.63"`
	`43`	`+`
`42`	`44`	`func (proxy DNSProxy) getResponse(requestMsg dns.Msg) (*dns.Msg, error) {`
`43`	`45`
`44`	`46`	`responseMsg := new(dns.Msg)`
`@@ -98,7 +100,12 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {`
`98`	`100`	`if !proxy.isAllowedDomain(domain) {`
`99`	`101`	`go WriteLog(fmt.Sprintf("domain not allowed: %s", domain))`
`100`	`102`	`go WriteAnnotation(fmt.Sprintf("DNS resolution for domain %s was blocked", domain))`
`101`		`- return "", fmt.Errorf("domain not allowed %s", domain)`
	`103`	`+`
	`104`	`+ // return an ip address, so calling process calls the ip address`
	`105`	`+ // the call will be blocked by the firewall`
	`106`	`+ proxy.Cache.Set(domain, StepSecuritySinkHoleIPAddress)`
	`107`	`+`
	`108`	`+ return StepSecuritySinkHoleIPAddress, nil`
`102`	`109`	`}`
`103`	`110`	`}`
`104`	`111`