Blocklist also blocks by CIDR

- `metrics.status.sslip.io` now returns information on the blocklist
Brian Cunnie
2022-02-26 16:10:06 -08:00
parent ae6883dd6c
commit 4260e752b8
4 changed files with 22 additions and 3 deletions


@@ -164,6 +164,7 @@ func getMetrics() (m xip.Metrics) {
_, err = fmt.Sscanf(string(stdout),
"\"Uptime (seconds): %d\"\n"+
"\"Key-value store: %s\n"+ // %s "swallows" the double-quote at the end
"\"Blocklist: %s %s %s\n"+
"\"Queries: %d\"\n"+
"\"Queries/second: %s\n"+
"\"AnsQueries: %d\"\n"+
@@ -176,6 +177,7 @@ func getMetrics() (m xip.Metrics) {
"\"Blocked: %d\"\n",
&uptime,
&junk,
&junk, &junk, &junk,
&m.Queries,
&junk,
&m.AnsweredQueries,
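Review bot: The three `%s` verbs on the new `"Blocklist: %s %s %s\n"` line, and the matching `&junk, &junk, &junk,` discards in the second hunk, silently encode the server's output shape: the timestamp layout `2006-01-02 15:04:05-07` contains a space and so spans two tokens, the comma-joined `strings,cidrs` counts form the third, and that last `%s` swallows the closing quote exactly like the Key-value store line does. None of that is visible from this test file, so add `// date and time are two tokens; "strings,cidrs" is the third and swallows the closing quote` next to the format line. Because the counts are thrown away, nothing here can assert that a blocklist was actually loaded; parsing them with `%d,%d\"` into two metrics fields would make that testable, though it would need an extension of the Metrics struct outside this hunk. getMetrics continues past both hunks.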


@@ -363,6 +363,14 @@ var _ = Describe("sslip.io-dns-server", func() {
"@localhost _acme-challenge.raiffeisen.fe80--.sslip.io ns +short",
`\Ans-aws.sslip.io.\nns-azure.sslip.io.\nns-gce.sslip.io.\n\z`,
`TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-aws.sslip.io., ns-azure.sslip.io., ns-gce.sslip.io.\n$`),
Entry("an A record with a forbidden CIDR is redirected",
"@localhost nf.43.134.66.67.sslip.io +short",
`\A52.0.56.137\n\z`,
`TypeA nf.43.134.66.67.sslip.io. \? 52.0.56.137\n$`),
Entry("an AAAA record with a forbidden CIDR is redirected",
"@localhost 2601-646-100-69f7-cafe-bebe-cafe-baba.sslip.io aaaa +short",
`\A2600:1f18:aaf:6900::a\n\z`,
`TypeAAAA 2601-646-100-69f7-cafe-bebe-cafe-baba.sslip.io. \? 2600:1f18:aaf:6900::a\n$`),
)
})
})
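Review bot: Both new entries only assert the redirect target for a single address inside a blocked CIDR; there is no entry showing that an address outside the range, or a non-blocked address carrying the same `nf.` label, still resolves to itself, so a blocklist entry that matched too broadly (a mis-parsed prefix length, for instance) would pass this suite. Add a negative entry alongside, e.g. `Entry("an A record outside every forbidden CIDR is returned unchanged", "@localhost nf.<addr>.sslip.io +short", ...)` with the expected answer being the address itself, choosing `<addr>` from just past the blocked range and noting that range in a comment. These expectations also depend on `43.134.66.67` and `2601:646:100:69f7:cafe:bebe:cafe:baba` being covered by whatever blocklist the server loads; if that list is fetched from the network at runtime, as `readFrom` appears to do, the tests will break whenever the published list changes, which is worth a comment on the entries stating where the list comes from.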


@@ -99,6 +99,7 @@ func readFrom(conn *net.UDPConn, wg *sync.WaitGroup, x *xip.Xip, blocklistURL st
//
// We also want to have fun playing with channels
dnsAmplificationAttackDelay := make(chan struct{}, xip.MetricsBufferSize)
x.DnsAmplificationAttackDelay = dnsAmplificationAttackDelay
go func() {
// fill up the channel's buffer so that our tests aren't slowed down (~85 tests)
for i := 0; i < xip.MetricsBufferSize; i++ {
@@ -118,13 +119,12 @@ func readFrom(conn *net.UDPConn, wg *sync.WaitGroup, x *xip.Xip, blocklistURL st
} else {
log.Printf("Successfully downloaded blocklist from %s: %v, %v", blocklistURL, blocklistStrings, blocklistCDIRs)
x.BlocklistStrings = blocklistStrings
x.BlocklistCDIRS = blocklistCDIRs
x.BlocklistCDIRs = blocklistCDIRs
x.BlocklistUpdated = time.Now()
}
time.Sleep(1 * time.Hour)
}
}()
x.DnsAmplificationAttackDelay = dnsAmplificationAttackDelay
for {
query := make([]byte, 512)
_, addr, err := conn.ReadFromUDP(query)
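Review bot: `x.BlocklistStrings`, `x.BlocklistCDIRs` and `x.BlocklistUpdated` are assigned from inside this hourly `go func()` while the serving loop below reads them on every query (the `blocklist` check ranges over `x.BlocklistCDIRs`, and the metrics handler reads both lengths and the timestamp), with no synchronization. A slice assignment is not atomic in Go, so this is a data race that `go test -race` will flag and that can hand a reader a torn slice header or a strings/CIDRs pair from two different downloads. Moving `x.DnsAmplificationAttackDelay = dnsAmplificationAttackDelay` ahead of the goroutine fixes the same class of race for the channel, so the refresh deserves the same treatment: wrap the three assignments in `x.blocklistMu.Lock()` / `x.blocklistMu.Unlock()` with an `RLock` in `blocklist` and the metrics handler, or publish them together through one `atomic.Value` holding an immutable struct so readers always see a consistent snapshot. readFrom begins before this hunk.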


@@ -37,7 +37,7 @@ type Xip struct {
DnsAmplificationAttackDelay chan struct{} // for throttling metrics.status.sslip.io
Metrics Metrics // DNS server metrics
BlocklistStrings []string // list of blacklisted strings that shouldn't appear in public hostnames
BlocklistCDIRS []net.IPNet // list of blacklisted strings that shouldn't appear in public hostnames
BlocklistCDIRs []net.IPNet // list of blacklisted strings that shouldn't appear in public hostnames
BlocklistUpdated time.Time // The most recent time the Blocklist was updated
}
@@ -742,6 +742,10 @@ func metricsSslipIo(x *Xip, _ net.IP) (txtResources []dnsmessage.TXTResource, er
keyValueStore = "builtin"
}
metrics = append(metrics, "Key-value store: "+keyValueStore)
metrics = append(metrics, fmt.Sprintf("Blocklist: %s %d,%d",
x.BlocklistUpdated.Format("2006-01-02 15:04:05-07"),
len(x.BlocklistStrings),
len(x.BlocklistCDIRs)))
metrics = append(metrics, fmt.Sprintf("Queries: %d", x.Metrics.Queries))
metrics = append(metrics, fmt.Sprintf("Queries/second: %.1f", float64(x.Metrics.Queries)/uptime.Seconds()))
metrics = append(metrics, fmt.Sprintf("AnsQueries: %d", x.Metrics.AnsweredQueries))
@@ -948,6 +952,11 @@ func (x *Xip) blocklist(hostname string) bool {
return true
}
}
for _, blockCDIR := range x.BlocklistCDIRs {
if blockCDIR.Contains(ip) {
return true
}
}
return false
}
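Review bot: The comment on the renamed `BlocklistCDIRs` field is a copy of the one on `BlocklistStrings` and still says "blacklisted strings that shouldn't appear in public hostnames", which is wrong for a `[]net.IPNet`; replace it with `// CIDRs whose addresses are blocked; a matching A/AAAA query is redirected (see the acceptance tests)`. Since the commit already renames this field, renaming it to `BlocklistCIDRs` now (the identifier is a transposition of CIDR, here and in main.go) would avoid a second round of churn. In `blocklist` the `ip` being tested is derived before the hunk; if it can be nil for hostnames that embed no address, `net.IPNet.Contains(nil)` returns false and the loop falls through correctly, which is worth stating with `// ip is nil when no address was parsed; Contains(nil) is false` above the loop. The `for _, blockCDIR := range` copies each `net.IPNet` (two slices) per iteration on every query; `for i := range x.BlocklistCDIRs { if x.BlocklistCDIRs[i].Contains(ip) {` avoids that.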