Improve SRV record handling

Author: rtpt-erikgeiser

README.md

@@ -182,6 +182,7 @@ vendorDontSpoof
 vendorSpoofFor
 vendorDontSpoofFor
 vendorSpoofTypes
+vendorSpoofSRV
 vendorIgnoreDHCPv6NoFQDN
 vendorIgnoreNonMicrosoftDHCP
 vendorDelegateIgnoredTo

cli.go

@@ -47,6 +47,7 @@ type Config struct {
 	SpoofFor                     []*hostMatcher
 	DontSpoofFor                 []*hostMatcher
 	SpoofTypes                   *spoofTypes
+	SpoofSRV                     srvMatchers
 	IgnoreDHCPv6NoFQDN           bool
 	IgnoreNonMicrosoftDHCP       bool
 	DelegateIgnoredTo            string
@@ -70,6 +71,7 @@ type Config struct {
 	spoofFor                    []string
 	dontSpoofFor                []string
 	spoofTypes                  []string
+	spoofSRV                    []string
 	spoofingTemporarilyDisabled bool
 }
 
@@ -128,6 +130,10 @@ func (c Config) PrintSummary() {
 		if len(c.spoofTypes) != 0 {
 			fmt.Println("Answering only queries of type: " + strings.Join(toUpper(c.spoofTypes), ", "))
 		}
+
+		if len(c.spoofSRV) > 0 {
+			fmt.Println("Spoofing SRV records: " + c.SpoofSRV.String())
+		}
 	}
 
 	if c.DelegateIgnoredTo != "" {
@@ -225,7 +231,7 @@ func (c *Config) setRedundantOptions() {
 	}
 }
 
-//nolint:forbidigo,maintidx,gocognit
+//nolint:forbidigo,maintidx,gocognit,gocyclo
 func configFromCLI() (config *Config, logger *Logger, err error) {
 	var (
 		interfaceName string
@@ -274,6 +280,9 @@ func configFromCLI() (config *Config, logger *Logger, err error) {
 			"and subdomains are included when the hostname\nstarts with a dot, supports * globbing (blocklist)")
 	pflag.StringSliceVar(&config.spoofTypes, "spoof-types", defaultSpoofTypes,
 		"Only spoof these query `types` (A, AAA, ANY, SOA, all types are spoofed\nif it is empty)")
+	pflag.StringSliceVar(&config.spoofSRV, "spoof-srv", defaultSpoofSRV,
+		"Spoof SRV records for these services (format is `service:port`, "+
+			"the port can be omitted of Kerberos, HTTP, LDAP and LDAPS)")
 	pflag.BoolVar(&config.IgnoreDHCPv6NoFQDN, "ignore-nofqdn", defaultIgnoreDHCPv6NoFQDN,
 		"Ignore DHCPv6 messages where the client did not include its\nFQDN (useful with allowlist or blocklists)")
 	pflag.BoolVar(&config.IgnoreNonMicrosoftDHCP, "ignore-non-microsoft-dhcp", defaultIgnoreNonMicrosoftDHCP,
@@ -450,6 +459,11 @@ func configFromCLI() (config *Config, logger *Logger, err error) {
 		return config, logger, fmt.Errorf("parsing --spoof-types: %w", err)
 	}
 
+	config.SpoofSRV, err = asSRVMatchers(config.spoofSRV)
+	if err != nil {
+		return config, logger, fmt.Errorf("parsing --spoof-srv: %w", err)
+	}
+
 	config.PrintSummary()
 
 	return config, logger, nil

defaults.go

@@ -36,6 +36,7 @@ var (
 	vendorSpoofFor                     = ""
 	vendorDontSpoofFor                 = ""
 	vendorSpoofTypes                   = ""
+	vendorSpoofSRV                     = ""
 	vendorIgnoreDHCPv6NoFQDN           = ""
 	vendorIgnoreNonMicrosoftDHCP       = ""
 	vendorDelegateIgnoredTo            = ""
@@ -85,6 +86,7 @@ var (
 	defaultSpoofFor                     = forceStrings(vendorSpoofFor)
 	defaultDontSpoofFor                 = forceStrings(vendorDontSpoofFor)
 	defaultSpoofTypes                   = forceStrings(vendorSpoofTypes)
+	defaultSpoofSRV                     = forceStrings(vendorSpoofSRV)
 	defaultIgnoreDHCPv6NoFQDN           = forceBool(vendorIgnoreDHCPv6NoFQDN, false)
 	defaultIgnoreNonMicrosoftDHCP       = forceBool(vendorIgnoreNonMicrosoftDHCP, false)
 	defaultDelegateIgnoredTo            = vendorDelegateIgnoredTo

dns.go

@@ -23,6 +23,8 @@ const (
 	// NIMLOC in the DNS spec. In this case we don't expect actual NIMLOC
 	// messages, so we assume type 32 messages to be NetBIOS requests.
 	typeNetBios = dns.TypeNIMLOC
+
+	srvWeight = 100
 )
 
 // HandlerType specifies the type of name resolution query that is currently being handled.
@@ -145,15 +147,27 @@ func createDNSReplyFromRequest(
 				Locator: encodeNetBIOSLocator(config.RelayIPv4.To4()),
 			})
 		case dns.TypeSRV:
-			answer := dns.SRV{Hdr: rrHeader(answerName, dns.TypeSRV, config.TTL), Target: answerName}
-			reply.Answer = append(reply.Answer, &answer)
+			srv := config.SpoofSRV.Get(answerName)
+			if srv == nil {
+				logger.Errorf("could not get SRV record for %q", q.Name)
+
+				continue
+			}
+
+			target := removeServiceAndPort(answerName)
+
+			reply.Answer = append(reply.Answer, &dns.SRV{
+				Hdr:    rrHeader(target, dns.TypeSRV, config.TTL),
+				Target: target,
+				Port:   srv.Port, Weight: srvWeight,
+			})
 
 			if config.RelayIPv4 != nil {
-				reply.Extra = append(reply.Extra, rr(config.RelayIPv4, answerName, config.TTL))
+				reply.Extra = append(reply.Extra, rr(config.RelayIPv4, target, config.TTL))
 			}
 
 			if config.RelayIPv6 != nil {
-				reply.Extra = append(reply.Extra, rr(config.RelayIPv6, answerName, config.TTL))
+				reply.Extra = append(reply.Extra, rr(config.RelayIPv6, target, config.TTL))
 			}
 		default:
 			answers := handleIgnored(logger, q, questionName, queryType(q, request.Opcode), peer, IgnoreReasonQueryTypeUnhandled,
@@ -472,3 +486,15 @@ func delegateToDNSServer(dnsServer string, timeout time.Duration) delegateQuesti
 		return reply.Answer, nil
 	}
 }
+
+func removeServiceAndPort(host string) string {
+	var parts []string
+
+	for _, part := range strings.Split(host, ".") {
+		if !strings.HasPrefix(part, "_") {
+			parts = append(parts, part)
+		}
+	}
+
+	return strings.Join(parts, ".")
+}

dns_test.go

@@ -408,6 +408,98 @@ func TestDelegatedQueryTCP(t *testing.T) {
 	}
 }
 
+func TestSRVQuery(t *testing.T) {
+	t.Run("default_port", func(t *testing.T) { testSRVQuery(t, "ldap", 389) })
+	t.Run("custom_port", func(t *testing.T) { testSRVQuery(t, "ldap:123", 123) })
+}
+
+func testSRVQuery(tb testing.TB, matcher string, port uint16) {
+	tb.Helper()
+
+	serviceName := "_ldap._tcp.some.host"
+
+	srvQuery := &dns.Msg{}
+	srvQuery.SetQuestion(serviceName, dns.TypeSRV)
+
+	relayIPv4 := mustParseIP(tb, "10.0.0.2")
+	relayIPv6 := mustParseIP(tb, "fe80::1")
+	mockRW := mockResonseWriter{Remote: &net.UDPAddr{IP: mustParseIP(tb, "10.0.0.1")}}
+
+	cfg := &Config{
+		RelayIPv4: relayIPv4,
+		RelayIPv6: relayIPv6,
+		SpoofSRV:  testSRVMatchers(tb, []string{matcher}),
+	}
+
+	reply := createDNSReplyFromRequest(mockRW, srvQuery, nil, cfg, HandlerTypeDNS, nil)
+	if reply == nil {
+		tb.Fatalf("no reply")
+
+		return
+	}
+
+	if len(reply.Answer) == 0 {
+		tb.Fatalf("no answer in reply")
+	}
+
+	srvRecord, ok := reply.Answer[0].(*dns.SRV)
+	if !ok {
+		tb.Fatalf("answer is not an A record but a %T", reply.Answer[0])
+	}
+
+	if srvRecord.Port != port {
+		tb.Fatalf("port is %d instead of 389", srvRecord.Port)
+	}
+
+	if srvRecord.Hdr.Name != removeServiceAndPort(serviceName) {
+		tb.Fatalf("reply name is %q instead of %q", srvRecord.Hdr.Name, removeServiceAndPort(serviceName))
+	}
+
+	if srvRecord.Target != removeServiceAndPort(serviceName) {
+		tb.Fatalf("target name is %q instead of %q", srvRecord.Target, removeServiceAndPort(serviceName))
+	}
+
+	if len(reply.Extra) != 2 {
+		tb.Fatalf("reply contains %d extra records instead of 2", len(reply.Extra))
+	}
+
+	var checkedA, checkedAAAA bool
+
+	for _, extra := range reply.Extra {
+		switch e := extra.(type) {
+		case *dns.A:
+			checkedA = true
+
+			if e.Hdr.Name != removeServiceAndPort(serviceName) {
+				tb.Fatalf("A extra record name is %s instead of %s", e.Hdr.Name, removeServiceAndPort(serviceName))
+			}
+
+			if !e.A.Equal(relayIPv4) {
+				tb.Fatalf("A extra record contains %s instead of %s", e.A, relayIPv4)
+			}
+		case *dns.AAAA:
+			checkedAAAA = true
+
+			if e.Hdr.Name != removeServiceAndPort(serviceName) {
+				tb.Fatalf("AAAA extra record name is %s instead of %s", e.Hdr.Name, removeServiceAndPort(serviceName))
+			}
+
+			if !e.AAAA.Equal(relayIPv6) {
+				tb.Fatalf("AAAA extra record contains %s instead of %s", e.AAAA, relayIPv6)
+			}
+		default:
+			tb.Fatalf("unexpected extra record: %#v", extra)
+		}
+	}
+
+	switch {
+	case !checkedA:
+		tb.Fatalf("A extra record missing")
+	case !checkedAAAA:
+		tb.Fatalf("AAAA extra record missing")
+	}
+}
+
 func testReply(tb testing.TB, requestFileName string, replyFileName string) {
 	tb.Helper()
 

filter.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 
@@ -19,6 +20,13 @@ const (
 func shouldRespondToNameResolutionQuery(config *Config, host string, queryType uint16,
 	from net.IP, fromHostnames []string, handlerType HandlerType,
 ) (bool, string) {
+	var hostWithService string
+
+	if queryType == dns.TypeSRV {
+		hostWithService = host
+		host = removeServiceAndPort(host)
+	}
+
 	if config.spoofingTemporarilyDisabled {
 		return false, "spoofing is temporarily disabled"
 	}
@@ -63,7 +71,13 @@ func shouldRespondToNameResolutionQuery(config *Config, host string, queryType u
 	}
 
 	if !config.SpoofTypes.ShouldSpoof(queryType) {
-		return false, fmt.Sprintf("type %s is not in spoof-types", dnsQueryType(queryType))
+		return false, fmt.Sprintf("type %s is not in spoof-types list", dnsQueryType(queryType))
+	}
+
+	if queryType == dns.TypeSRV && !config.SpoofSRV.Contains(hostWithService) {
+		service, _, _ := strings.Cut(hostWithService, ".")
+
+		return false, fmt.Sprintf("service %s is not in spoof-srv list", strings.TrimPrefix(service, "_"))
 	}
 
 	switch {
@@ -369,3 +383,104 @@ func starToRegex(s string) (*regexp.Regexp, error) {
 
 	return regexp.Compile("^" + starReplacerRE.ReplaceAllString(regexp.QuoteMeta(s), ".*") + "$")
 }
+
+type srvMatchers []*srvMatcher
+
+func asSRVMatchers(matcherStrings []string) (srvMatchers, error) {
+	matchers := make(srvMatchers, 0, len(matcherStrings))
+
+	for _, m := range matcherStrings {
+		matcher := &srvMatcher{
+			Service: strings.ToLower(m),
+		}
+
+		switch strings.Count(matcher.Service, ":") {
+		case 0:
+			matcher.isDefaultPort = true
+
+			switch matcher.Service {
+			case "ldap":
+				matcher.Port = 389
+			case "ldaps":
+				matcher.Port = 636
+			case "http":
+				matcher.Port = 80
+			case "https":
+				matcher.Port = 443
+			case "kerberos":
+				matcher.Port = 88
+			default:
+				return nil, fmt.Errorf("missing port in service: %q", m)
+			}
+
+			matchers = append(matchers, matcher)
+		case 1:
+			service, portStr, found := strings.Cut(m, ":")
+			if !found {
+				return nil, fmt.Errorf("cannot parse service: %q", m)
+			}
+
+			port, err := strconv.Atoi(portStr)
+			if err != nil {
+				return nil, fmt.Errorf("parse port %q in service %q", portStr, m)
+			}
+
+			matchers = append(matchers, &srvMatcher{Service: strings.ToLower(service), Port: uint16(port)}) //nolint:gosec
+		default:
+			return nil, fmt.Errorf("SRV matcher contains more than one colon: %q", m)
+		}
+	}
+
+	return matchers, nil
+}
+
+func (matchers srvMatchers) Contains(service string) bool {
+	service, _, _ = strings.Cut(service, ".")
+
+	for _, m := range matchers {
+		if m.Matches(service) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (matchers srvMatchers) String() string {
+	elements := make([]string, 0, len(matchers))
+
+	for _, m := range matchers {
+		switch {
+		case m.isDefaultPort:
+			elements = append(elements, m.Service)
+		default:
+			elements = append(elements, fmt.Sprintf("%s:%d", m.Service, m.Port))
+		}
+	}
+
+	return strings.Join(elements, ", ")
+}
+
+func (matchers srvMatchers) Get(service string) *srvMatcher {
+	service, _, _ = strings.Cut(service, ".")
+
+	for _, m := range matchers {
+		if m.Matches(service) {
+			return m
+		}
+	}
+
+	return nil
+}
+
+type srvMatcher struct {
+	Service       string
+	Port          uint16
+	isDefaultPort bool
+}
+
+func (sm *srvMatcher) Matches(service string) bool {
+	service, _, _ = strings.Cut(service, ".")
+
+	return strings.EqualFold(strings.TrimPrefix(sm.Service, "_"), strings.TrimPrefix(service, "_"))
+}