khls27

khls27

关注
发信
关注(28)粉丝(399)

dns报文解析

关于dns报文格式和一些基础知识本文不表,网上一堆。
https://blog.csdn.net/liao152/article/details/45252387

下面来点干货,是一个项目中,需要对请求的dns进行黑白名单划分,并且对解析结果(ip地址)同样进行黑白名单划分。
1, 系统中预置一个黑名单列表,一个白名单列表(采用字典树);
2, 系统中预置一个黑名单ipset,一个白名单ipset;
3, 解析dns请求报文,并对解析的dns进行匹配,如果匹配黑名单,则重定向该域名请求到特定的dns服务器;同理,如果匹配到白名单,则重定向到另一个dns服务器。
4,解析dns的应答报文,对解析的dns进行匹配,如果匹配到黑/白名单,那么:1,如果应答记录中是cname,那么将此cname域名添加到对应的域名记录中;2,如果应答记录中是ip地址,那么将该IP地址添加到对应的ipset中。
5, 业务报文到达时,通过匹配黑白名单的ipset可以进行进一步分流。

下面的代码是该实现中,dns解析部分:
dns.c

点击(此处)折叠或打开

  1. /*********************************************************************************************
  2. * Description: kernel module to parse dns request and replay packages
  3. *
  4. * Author: Husker <huskerTang@gmail.com>
  5. *
  6. * Date: 2019-2-12
  7. ***********************************************************************************************/

  9. #include <linux/fs.h>
  10. #include <linux/module.h>
  11. #include <linux/proc_fs.h>
  12. #include <linux/seq_file.h>
  13. #include <linux/types.h>
  14. #include <linux/version.h>
  15. #include <linux/timer.h>
  16. #include <linux/ip.h>
  17. #include <linux/slab.h>
  18. #include <linux/list.h>
  19. #include "dns.h"

  21. static struct kmem_cache* dns_pkg_cache; //__read_mostly;
  22. static struct kmem_cache* dns_query_cache; // __read_mostly;
  23. static struct kmem_cache* dns_record_cache; // __read_mostly;

  25. void DNS_finit(void)
  26. {
  27.     if (dns_pkg_cache)
  28.     {
  29.         kmem_cache_destroy(dns_pkg_cache);
  30.     }
  31.     if (dns_query_cache)
  32.     {
  33.         kmem_cache_destroy(dns_query_cache);
  34.     }
  35.     if (dns_record_cache)
  36.     {
  37.         kmem_cache_destroy(dns_record_cache);
  38.     }
  39. }

  41. int DNS_init(void)
  42. {
  43.     dns_pkg_cache = kmem_cache_create("dns_pkg_cache",
  44.      sizeof(struct dns_package),
  45.      0, 0, NULL);
  46.     if (dns_pkg_cache == NULL)
  47.     {
  48.         printk(KERN_ERR "[DNS] failed to create dns package cache\n");
  49.         goto ERROR_OUT;
  50.     }
  51.     dns_query_cache = kmem_cache_create("dns_query_cache",
  52.      sizeof(struct dns_query),
  53.      0, 0, NULL);
  54.     if (dns_query_cache == NULL)
  55.     {
  56.         printk(KERN_ERR "[DNS] failed to create dns query node cache\n");
  57.         goto ERROR_OUT;
  58.     }

  60.     dns_record_cache = kmem_cache_create("dns_record_cache",
  61.      sizeof(struct dns_resource),
  62.      0, 0, NULL);
  63.     if (dns_record_cache == NULL)
  64.     {
  65.         printk(KERN_ERR "[DNS] failed to create dns resource recorder cache\n");
  66.         goto ERROR_OUT;
  67.     }
  68.     return 0;

  70. ERROR_OUT:
  71.     DNS_finit();
  72.     return -1;
  73. }


  76. static int parse_domain_name(uint8_t* pkg, uint16_t pkglen, uint8_t* pstart, uint8_t* name, uint16_t* nmlen)
  77. {
  78.     int ret;
  79.     uint8_t tnm[128] = {0};
  80.     uint16_t tnm_len = 128;
  81.     int cnt = 0;
  82.     int total = 0;
  83.     uint16_t offset = 0;

  85.     uint8_t* ptr;
  86.     uint16_t len = 0;

  88.     if (DNS_HDR_LEN >= pkglen || pstart < pkg || pstart >= (pkg + pkglen) || !name || !nmlen || *nmlen <= 0)
  89.     {
  90.         return -1;
  91.     }

  93.     total = pstart - pkg;
  94.     ptr = tnm;

  96.     while (*pstart != 0)
  97.     {
  98.         if (*pstart >= DNS_COMMPRESS_FLAG)
  99.         {
  100.             offset = (*pstart) * 256 + *(pstart + 1) - 0xc000;
  101.             if (offset >= pkglen)
  102.             {
  103.                 return -1;
  104.             }

  106.             tnm_len -= len;
  107.             ret = parse_domain_name(pkg, pkglen, pkg + offset, ptr, &tnm_len);
  108.             if (ret < 0 )
  109.             {
  110.                 return ret;
  111.             }
  112.             cnt += 2;
  113.             len += tnm_len;
  114.             goto success_out;
  115.         }
  116.         else
  117.         {
  118.             uint16_t dm_part_len = *pstart;

  120.             if ( (pstart + dm_part_len >= pkg + pkglen) || (128 - len <= 0))
  121.             {
  122.                 return -1;
  123.             }

  125.             memcpy(ptr, pstart + 1, dm_part_len);
  126.             ptr += dm_part_len;
  127.             len += dm_part_len;

  129.             // add '.' to every part of domain
  130.             *ptr = '.';
  131.             ptr++;
  132.             len++;

  134.             cnt += dm_part_len + 1;
  135.             pstart += dm_part_len + 1;
  136.         }
  137.     }

  139.     if (*pstart == 0)
  140.     {
  141.         cnt++;
  142.     }

  144. success_out:
  145.     if (tnm[len - 1] == '.' )
  146.     {
  147.         tnm[len - 1] = 0;
  148.         len--;
  149.     }
  150.     if (*nmlen <= len )
  151.     {
  152.         return -1;
  153.     }

  155.     memcpy(name, tnm, len);
  156.     name[len] = 0;
  157.     *nmlen = len;
  158.     return cnt;
  159. }

  161. static int parse_query(uint8_t* pkg, uint16_t pkglen, uint8_t* pstart, struct dns_query* query)
  162. {
  163.     int ret;
  164.     uint16_t nmlen = 128;
  165.     uint8_t* ptr = pstart;
  166.     int cnt = 0;

  168.     // parse name
  169.     ret = parse_domain_name(pkg, pkglen, ptr, query->name, &nmlen);
  170.     if (ret < 0 )
  171.     {
  172.         return ret;
  173.     }
  174.     ptr += ret;
  175.     cnt += ret;


  178.     // parse domain type
  179.     if (ptr + 1 >= pkg + pkglen )
  180.     {
  181.         return -1;
  182.     }
  183.     query->type = (*ptr) * 256 + *(ptr + 1);
  184.     ptr += 2;
  185.     cnt += 2;

  187.     // parse domain class
  188.     if (ptr + 1 >= pkg + pkglen )
  189.     {
  190.         return -1;
  191.     }
  192.     query->class = (*ptr) * 256 + *(ptr + 1);
  193.     ptr += 2;
  194.     cnt += 2;
  195.     return cnt;
  196. }

  198. static int parse_resource(uint8_t* pkg, uint16_t pkglen, uint8_t* pstart, struct dns_resource* res)
  199. {
  200.     int ret;
  201.     uint16_t nmlen = 128;
  202.     uint8_t* ptr = pstart;
  203.     int cnt = 0;

  205.     // parse name
  206.     ret = parse_domain_name(pkg, pkglen, ptr, res->name, &nmlen);
  207.     if (ret < 0 )
  208.     {
  209.         return ret;
  210.     }
  211.     ptr += ret;
  212.     cnt += ret;


  215.     // parse domain type
  216.     if (ptr + 1 >= pkg + pkglen )
  217.     {
  218.         return -1;
  219.     }
  220.     res->type = (*ptr) * 256 + *(ptr + 1);
  221.     ptr += 2;
  222.     cnt += 2;

  224.     // parse domain class
  225.     if (ptr + 1 >= pkg + pkglen )
  226.     {
  227.         return -1;
  228.     }
  229.     res->class = (*ptr) * 256 + *(ptr + 1);
  230.     ptr += 2;
  231.     cnt += 2;

  233.     // parse ttl
  234.     if (ptr + 3 >= pkg + pkglen )
  235.     {
  236.         return -1;
  237.     }
  238.     res->ttl = ((*ptr) << 24) + (*(ptr + 1) << 16) + (*(ptr + 2) << 8) + (*(ptr + 3));
  239.     ptr += 4;
  240.     cnt += 4;

  242.     // parse date len
  243.     if (ptr + 1 >= pkg + pkglen)
  244.     {
  245.         return -1;
  246.     }
  247.     res->data_len = (*ptr) * 256 + *(ptr + 1);
  248.     if (res->data_len > 256)
  249.     {
  250.         return -1;
  251.     }
  252.     ptr += 2;
  253.     cnt += 2;

  255.     // parse date
  256.     if (ptr + res->data_len > pkg + pkglen)
  257.     {
  258.         return -1;
  259.     }
  260.     if (res->type == TYPE_CNAME)
  261.     {
  262.         uint16_t cnlen = 256;
  263.         int offset = 0;
  264.         offset = parse_domain_name(pkg, pkglen, ptr, res->data, &cnlen);
  265.         if (offset < 0)
  266.         {
  267.             return -1;
  268.         }
  269.         ptr += offset;
  270.         cnt += offset;
  271.     }
  272.     else
  273.     {
  274.         memcpy(res->data, ptr, res->data_len);
  275.         ptr += res->data_len;
  276.         cnt += res->data_len;
  277.     }
  278.     return cnt;
  279. }

  281. static void free_pkg_recoders(struct list_head* hd)
  282. {
  283.     struct dns_resource* rcd;
  284.     struct dns_resource* tmp;

  286.     if (list_empty(hd))
  287.     {
  288.         return;
  289.     }
  290.     list_for_each_entry_safe(rcd, tmp, hd, list)
  291.     {
  292.         list_del(&rcd->list);
  293.         kmem_cache_free(dns_record_cache, rcd);

  295.     }
  296. }
  297. static void free_pkg_querys(struct list_head* hd)
  298. {
  299.     struct dns_query* query;
  300.     struct dns_query* tmp;
  301.     if (list_empty(hd))
  302.     {
  303.         return;
  304.     }
  305.     list_for_each_entry_safe(query, tmp, hd, list)
  306.     {
  307.         list_del(&query->list);
  308.         kmem_cache_free(dns_query_cache, query);
  309.     }
  310. }

  312. void DNS_free_package(struct dns_package* spkg)
  313. {
  314.     free_pkg_querys(&spkg->query_hd);
  315.     free_pkg_recoders(&spkg->answer_hd);
  316.     free_pkg_recoders(&spkg->auth_hd);
  317.     free_pkg_recoders(&spkg->addit_hd);
  318.     kmem_cache_free(dns_pkg_cache, spkg);
  319. }

  321. struct dns_package* DNS_new_package(void)
  322. {
  323.     struct dns_package* spkg = NULL;
  324.     spkg = (struct dns_package*)kmem_cache_alloc(dns_pkg_cache, GFP_ATOMIC);
  325.     if (NULL == spkg)
  326.     {
  327.         return NULL;
  328.     }
  329.     memset(spkg, 0, sizeof(struct dns_package));
  330.     INIT_LIST_HEAD(&spkg->query_hd);
  331.     INIT_LIST_HEAD(&spkg->answer_hd);
  332.     INIT_LIST_HEAD(&spkg->auth_hd);
  333.     INIT_LIST_HEAD(&spkg->addit_hd);
  334.     return spkg;
  335. }

  337. int DNS_parse_package(uint8_t* pkg, uint16_t pkglen, struct dns_package* spkg)
  338. {
  339.     struct dns_header* dnshdr;
  340.     struct dns_query* query;
  341.     struct dns_resource* rcd;
  342.     uint8_t* ptr;
  343.     int offset = 0;
  344.     int i;

  346.     if (!pkg || pkglen <= DNS_HDR_LEN)
  347.     {
  348.         return -1;
  349.     }

  351.     memcpy(&spkg->hdr, pkg, sizeof(struct dns_header));
  352.     dnshdr = &spkg->hdr;
  353.     dnshdr->id = ntohs(dnshdr->id);
  354.     dnshdr->q_count = ntohs(dnshdr->q_count);
  355.     dnshdr->ans_count = ntohs(dnshdr->ans_count);
  356.     dnshdr->auth_count = ntohs(dnshdr->auth_count);
  357.     dnshdr->add_count = ntohs(dnshdr->add_count);

  359.     if (dnshdr->q_count > 64 || dnshdr->add_count > 64 || dnshdr->ans_count > 64 || dnshdr->auth_count > 64)
  360.     {
  361.         printk( KERN_DEBUG "too much recoders, query, add, ans, auth\n",
  362.          dnshdr->q_count, dnshdr->add_count, dnshdr->ans_count, dnshdr->auth_count);
  363.         return -1;
  364.     }
  365.     ptr = pkg + DNS_HDR_LEN;

  367.     // parse querys
  368.     for(i = 0; i < dnshdr->q_count; i++)
  369.     {
  370.         query = (struct dns_query*)kmem_cache_alloc(dns_query_cache, GFP_ATOMIC);
  371.         if (NULL == query)
  372.         {
  373.             return -1;
  374.         }

  376.         offset = parse_query(pkg, pkglen, ptr, query);
  377.         if (offset <= 0 )
  378.         {
  379.             printk(KERN_DEBUG "fail to parse query recorder,err:%d, %d\n", offset, i);
  380.             return offset;
  381.         }
  382.         ptr += offset;
  383.         list_add(&query->list, &spkg->query_hd);
  384.     }

  386.     // parse answers
  387.     for (i = 0; i < dnshdr->ans_count; i++)
  388.     {
  389.         rcd = (struct dns_resource*)kmem_cache_alloc(dns_record_cache, GFP_ATOMIC);
  390.         if (NULL == rcd)
  391.         {
  392.             return -1;
  393.         }

  395.         offset = parse_resource(pkg, pkglen, ptr, rcd);
  396.         if (offset <= 0 )
  397.         {
  398.             printk(KERN_DEBUG "fail to parse answers, %d\n", i);
  399.             return offset;
  400.         }
  401.         ptr += offset;
  402.         list_add(&rcd->list, &spkg->answer_hd);
  403.     }

  405.     // parse auth
  406.     for (i = 0; i < dnshdr->auth_count; i++)
  407.     {
  408.         rcd = (struct dns_resource*)kmem_cache_alloc(dns_record_cache, GFP_ATOMIC);
  409.         if (NULL == rcd)
  410.         {
  411.             return -1;
  412.         }

  414.         offset = parse_resource(pkg, pkglen, ptr, rcd);
  415.         if (offset <= 0 )
  416.         {
  417.             printk(KERN_DEBUG "fail to parse auths, %d\n", i);
  418.             return offset;
  419.         }
  420.         ptr += offset;
  421.         list_add(&rcd->list, &spkg->auth_hd);
  422.     }

  424.     for (i = 0; i < dnshdr->add_count; i++)
  425.     {
  426.         rcd = (struct dns_resource*)kmem_cache_alloc(dns_record_cache, GFP_ATOMIC);
  427.         if (NULL == rcd)
  428.         {
  429.             return -1;
  430.         }
  431.         offset = parse_resource(pkg, pkglen, ptr, rcd);
  432.         if (offset <= 0 )
  433.         {
  434.             printk( KERN_DEBUG "fail to parse additions, %d\n", i);
  435.             return offset;
  436.         }
  437.         ptr += offset;
  438.         list_add(&rcd->list, &spkg->addit_hd);
  439.     }
  440.     return 0;
  441. }

dns.h

点击(此处)折叠或打开

  1. /*********************************************************************************************
  2. * Description: kernel module to parse a dns request or replay
  3. *
  4. * Author: Husker <huskerTang@gmail.com>
  5. *
  6. * Date: 2018-10-8
  7. ***********************************************************************************************/

  9. #ifndef __DNS_H__
  10. #define __DNS_H__

  12. typedef enum
  13. {
  14.     TYPE_A = 1,    // Ipv4 address
  15.     TYPE_NS = 2,    // Authoritative name server
  16.     TYPE_MD        = 3,    // Mail destination (Obsolete - use MX)
  17.     TYPE_MF        = 4,    // Mail forwarder (Obsolete - use MX)
  18.     TYPE_CNAME = 5,    // Canonical name for an alias
  19.     TYPE_SOA    = 6,    // Marks the start of a zone of authority
  20.     TYPE_MB        = 7,    // Mailbox domain name (EXPERIMENTAL)
  21.     TYPE_PTR = 12,    // domain name pointer
  22.     TYPE_MX = 15,    // Mail server
  23.     TYPE_TXT = 16,
  24.     TYPE_AAAA = 28,
  25.     TYPE_SRV = 33,
  26.     TYPE_SPF = 99,
  27. } qtype_t;

  29. #define DNS_HDR_LEN 12
  30. #define DNS_COMMPRESS_FLAG 0xc0

  32. #pragma pack(push, 1)
  33. struct dns_header
  34. {
  35.     uint16_t id;    // identification number
  36. #ifdef __BIG_ENDIAN
  37.     uint8_t qr: 1;
  38.     uint8_t opcode: 4;
  39.     uint8_t aa: 1;
  40.     uint8_t tc: 1;
  41.     uint8_t rd: 1;
  42.     uint8_t ra: 1;
  43.     uint8_t z: 3;
  44.     uint8_t rcode: 4;
  45. #else
  46.     uint8_t rd: 1;
  47.     uint8_t tc: 1;
  48.     uint8_t aa: 1;
  49.     uint8_t opcode: 4;
  50.     uint8_t qr: 1;
  51.     uint8_t rcode: 4;
  52.     uint8_t z: 3;
  53.     uint8_t ra: 1;
  54. #endif
  55.     uint16_t q_count;
  56.     uint16_t ans_count;
  57.     uint16_t auth_count;
  58.     uint16_t add_count;
  59. };
  60. #pragma pack(pop)

  62. struct dns_query
  63. {
  64.     struct list_head list;
  65.     uint8_t name[128];
  66.     uint16_t type;
  67.     uint16_t class;
  68. };

  70. struct dns_resource
  71. {
  72.     struct list_head list;
  73.     uint8_t name[128];
  74.     uint16_t type;
  75.     uint16_t class;
  76.     uint32_t ttl;
  77.     uint16_t data_len;
  78.     uint8_t data[256];
  79. };

  81. struct dns_package
  82. {
  83.     struct dns_header hdr;
  84.     struct list_head query_hd;
  85.     struct list_head answer_hd;
  86.     struct list_head auth_hd;
  87.     struct list_head addit_hd;
  88. };

  90. void DNS_free_package(struct dns_package* spkg);
  91. struct dns_package* DNS_new_package(void);
  92. int DNS_parse_package(uint8_t* pkg, uint16_t pkglen, struct dns_package* spkg);
  93. int DNS_init(void);
  94. void DNS_finit(void);

  96. #endif /* _DNS_H_ */

10-27 15:45
Powered by LMLPHP ©2024 khls27 0.063145