diff --git a/dnsf.py b/dnsf.py
index 63d0f95..8be89ca 100644
--- a/dnsf.py
+++ b/dnsf.py
@@ -75,7 +75,7 @@ int dns_matching(struct __sk_buff *skb) {
 '''
 default_rules = '''
-iptables -F
+iptables -X
 ipset destroy whitelist_hosts
 ipset destroy static_hosts
 ipset create whitelist_hosts hash:ip timeout 3600
@@ -90,6 +90,7 @@ iptables -A OUTPUT -j REJECT
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
+systemd-resolve --flush-caches
 '''
 for c in default_rules.splitlines(False):
@@ -106,10 +107,9 @@ fcntl.fcntl(socket_fd, fcntl.F_SETFL, fl & ~os.O_NONBLOCK)
 rules = {}
 cnames = {}
-
+blocked = []
 def check_hostname(hostname,current_cnames,allow_list):
- import re
 for wl in allow_list:
 match = re.fullmatch(wl, hostname)
 if match:
@@ -120,10 +120,10 @@ def check_hostname(hostname,current_cnames,allow_list):
 if hostname == current_cnames[c]["cname"] and current_cnames[c]["exp"] > datetime.now():
 print(' hostname: '+str(hostname) + ' in cname')
 return True
+ print(' hostname: '+str(hostname) + ' not permitted.')
+ blocked.append(hostname)
 return False
-
-
 import socket
@@ -137,7 +137,6 @@ def valid_ip(address):
 dns_list = watch_file('dns_whitelist.conf')
 host_list = watch_file('host_whitelist.conf')
-import time
 while True:
 time.sleep(.05)
 commands = []
@@ -145,7 +144,14 @@ while True:
 dns_list.check_change()
 if dns_list.contents:
 dns_regex = dns_list.contents
-
+ for block in blocked:
+ add_rule = 'nslookup '+str(block)
+ commands.append(add_rule)
+ threaded(commands)
+ blocked = []
+ commands = []
+
+
 host_list.check_change()
 if host_list.contents:
 threaded(['ipset flush static_hosts'])
@@ -153,7 +159,7 @@ while True:
 for host in hosts:
 commands.append('ipset add static_hosts '+host)
 print(host)
- threaded(commands)
+ threaded(commands)
 import select
 r, w, e = select.select([ socket_fd ], [], [], 0)
 if socket_fd in r:
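Review bot: Replacing `iptables -F` with `iptables -X` in `default_rules` means the built-in chains are no longer flushed at start-up, so each run appends the `-A` rules further down onto whatever is already installed, and rules left by an earlier, possibly more permissive, ruleset stay in front of the new REJECT rules. `-X` only deletes empty user-defined chains, so it does not replace the flush; run both in this order: `iptables -F` then `iptables -X`. The `default_rules` string begins before this hunk.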
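Review bot: `systemd-resolve` is the deprecated name of the resolver control tool; the current form of the added line is `resolvectl flush-caches`, which the `splitlines` loop below would run the same way. The line also assumes systemd-resolved is the resolver on this host, and whether a failure of this command is surfaced depends on how the command runner treats a non-zero exit, which is not visible in this diff.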
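Review bot: Dropping the function-scope `import re` (and `import time` in the `@@ -137` hunk) makes `check_hostname` and the main loop depend on module-level imports that this diff does not add; unless they already exist above line 75, `re.fullmatch` raises `NameError` on the first lookup and `time.sleep` on the first loop iteration. The new module global `blocked` is a shared list that `check_hostname` mutates as a side effect and the main loop drains; a comment above it such as `# hostnames denied since the last main-loop pass; drained and re-queried by the loop below` would make that contract explicit. `check_hostname` continues past the end of this hunk.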
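Review bot: `'nslookup '+str(block)` interpolates a hostname taken straight from a DNS packet on the wire (`dnsrec.questions[0].qname`, via `check_hostname`) into a command string handed to `threaded`; if `threaded` runs its strings through a shell (its implementation is not visible here), a question name containing shell metacharacters becomes command execution with the privileges this iptables/ipset script runs under. Validate `block` against a strict hostname character set (letters, digits, `-`, `.`) before building the command, or better, have `threaded` take an argv list and run it with `shell=False`. Independently, if `for block in blocked:` sits at loop-body level rather than under `if dns_list.contents:` (indentation cannot be recovered from this collapsed diff), every name denied in one pass is re-queried 50 ms later, denied again and re-queued, so the host keeps issuing lookups for blocked names indefinitely; re-resolve only when the whitelist has actually changed.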
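Review bot: Moving `threaded(commands)` out of the `if host_list.contents:` block makes it run on every iteration, and `commands` is not cleared afterwards, so when the DNS-handling section later appends its `ipset -exist add whitelist_hosts` rules and calls `threaded(commands)` again, the `ipset add static_hosts` commands queued here are executed a second time (and `ipset add` without `-exist` errors on the duplicate) unless the list is reset somewhere this diff does not show. Either keep the call inside the `if` or follow it with `commands = []` as the `@@ -145` hunk does.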
@@ -176,9 +182,8 @@ while True:
 payload_offset = ETH_HLEN + ip_header_length + UDP_HLEN
 payload = packet_bytearray[payload_offset:]
 dnsrec = dnslib.DNSRecord.parse(payload)
- if dnsrec.rr:
- if check_hostname(hostname=str(dnsrec.questions[0].qname),current_cnames=cnames,allow_list=dns_regex):
+ if True:
 for i in range(0, len(dnsrec.rr)):
 if str(dnsrec.rr[i].rtype) in ['5']:
 cnames[str(dnsrec.questions[0].qname)] = {"cname":str(dnsrec.rr[i].rdata),"exp":datetime.now() + timedelta(seconds=dnsrec.rr[i].ttl)}
@@ -186,11 +191,10 @@ while True:
 if str(dnsrec.rr[i].rtype) in ['1']:
 #rtype 28 is v6
 #print(str(dnsrec.rr[i].rtype))
- add_rule = 'ipset -exist add whitelist_hosts '+str(dnsrec.rr[i].rdata)+' timeout '+str(int(dnsrec.rr[i].ttl)+360)
- del_rule = 'ipset del whitelist_hosts '+str(dnsrec.rr[i].rdata)
- print(add_rule)
- commands.append(add_rule)
-
+ if check_hostname(hostname=str(dnsrec.questions[0].qname),current_cnames=cnames,allow_list=dns_regex):
+ add_rule = 'ipset -exist add whitelist_hosts '+str(dnsrec.rr[i].rdata)+' timeout '+str(int(dnsrec.rr[i].ttl)+360)
+ print(add_rule)
+ commands.append(add_rule)
 threaded(commands)
 else:
 pass
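Review bot: With `if True:` the `rtype == 5` branch now stores `cnames[qname]` for every response the filter sees, including responses for names that `check_hostname` rejects, and as far as the visible lines of `check_hostname` (`@@ -120` hunk) show, it permits any hostname equal to a recorded, unexpired `cname` value without checking that the key it was recorded under is itself allowed; a lookup of a non-whitelisted name whose answer carries a CNAME therefore makes the CNAME target, and its A records on the next lookup of that target, permitted. The old code recorded CNAMEs only after the question name passed `check_hostname`; restore that gate around the CNAME store, or gate the whole record loop as before, or make the CNAME test inside `check_hostname` also require the key to match `allow_list`. `if True:` together with the `else: pass` that appears to pair with it is a placeholder; if the intent is only to skip answers without records, `if dnsrec.rr and dnsrec.questions:` keeps the guard and also protects the `dnsrec.questions[0]` indexing. The enclosing packet-handling block starts and ends outside this hunk.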
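Review bot: `check_hostname` is now called once per A record inside the `for i in range(0, len(dnsrec.rr)):` loop with the same question name each time, so a denied answer with several A records prints ` not permitted.` and appends the name to `blocked` once per record, which becomes duplicate `nslookup` commands in the main loop. Evaluate it once before the record loop, e.g. `permitted = check_hostname(hostname=str(dnsrec.questions[0].qname), current_cnames=cnames, allow_list=dns_regex)`, and test `if permitted:` here. This hunk's enclosing block starts outside it.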