Better private network blocking

2015-09-18 12:19:33 -07:00 · 2015-09-18 12:19:33 -07:00 · 7369fb89e1
parent e201632f60
commit 7369fb89e1
1 changed files with 100 additions and 25 deletions
--- a/core/dns.go
+++ b/core/dns.go
@ -16,30 +16,100 @@ import (
 )

 var (
-	// Private CIDRs to ignore per RFC1918 and RFC5735
-
-	// RFC1918
-	// 10.0.0.0/8
-	rfc1918_10 = net.IPNet{
-		IP:   []byte{10, 0, 0, 0},
-		Mask: []byte{255, 0, 0, 0},
-	}
-	// 172.16.0.0/12
-	rfc1918_172_16 = net.IPNet{
-		IP:   []byte{172, 16, 0, 0},
-		Mask: []byte{255, 240, 0, 0},
-	}
-	// 192.168.0.0/16
-	rfc1918_192_168 = net.IPNet{
-		IP:   []byte{192, 168, 0, 0},
-		Mask: []byte{255, 255, 0, 0},
-	}
-
-	// RFC5735
-	// 127.0.0.0/8
-	rfc5735_127 = net.IPNet{
-		IP:   []byte{127, 0, 0, 0},
-		Mask: []byte{255, 0, 0, 0},
+	// Private CIDRs to ignore
+	privateNetworks = []net.IPNet{
+		// RFC1918
+		// 10.0.0.0/8
+		net.IPNet{
+			IP:   []byte{10, 0, 0, 0},
+			Mask: []byte{255, 0, 0, 0},
+		},
+		// 172.16.0.0/12
+		net.IPNet{
+			IP:   []byte{172, 16, 0, 0},
+			Mask: []byte{255, 240, 0, 0},
+		},
+		// 192.168.0.0/16
+		net.IPNet{
+			IP:   []byte{192, 168, 0, 0},
+			Mask: []byte{255, 255, 0, 0},
+		},
+		// RFC5735
+		// 127.0.0.0/8
+		net.IPNet{
+			IP:   []byte{127, 0, 0, 0},
+			Mask: []byte{255, 0, 0, 0},
+		},
+		// RFC1122 Section 3.2.1.3
+		// 0.0.0.0/8
+		net.IPNet{
+			IP:   []byte{0, 0, 0, 0},
+			Mask: []byte{255, 0, 0, 0},
+		},
+		// RFC3927
+		// 169.254.0.0/16
+		net.IPNet{
+			IP:   []byte{169, 254, 0, 0},
+			Mask: []byte{255, 255, 0, 0},
+		},
+		// RFC 5736
+		// 192.0.0.0/24
+		net.IPNet{
+			IP:   []byte{192, 0, 0, 0},
+			Mask: []byte{255, 255, 255, 0},
+		},
+		// RFC 5737
+		// 192.0.2.0/24
+		net.IPNet{
+			IP:   []byte{192, 0, 2, 0},
+			Mask: []byte{255, 255, 255, 0},
+		},
+		// 198.51.100.0/24
+		net.IPNet{
+			IP:   []byte{192, 51, 100, 0},
+			Mask: []byte{255, 255, 255, 0},
+		},
+		// 203.0.113.0/24
+		net.IPNet{
+			IP:   []byte{203, 0, 113, 0},
+			Mask: []byte{255, 255, 255, 0},
+		},
+		// RFC 3068
+		// 192.88.99.0/24
+		net.IPNet{
+			IP:   []byte{192, 88, 99, 0},
+			Mask: []byte{255, 255, 255, 0},
+		},
+		// RFC 2544
+		// 192.18.0.0/15
+		net.IPNet{
+			IP:   []byte{192, 18, 0, 0},
+			Mask: []byte{255, 254, 0, 0},
+		},
+		// RFC 3171
+		// 224.0.0.0/4
+		net.IPNet{
+			IP:   []byte{224, 0, 0, 0},
+			Mask: []byte{240, 0, 0, 0},
+		},
+		// RFC 1112
+		// 240.0.0.0/4
+		net.IPNet{
+			IP:   []byte{240, 0, 0, 0},
+			Mask: []byte{240, 0, 0, 0},
+		},
+		// RFC 919 Section 7
+		// 255.255.255.255/32
+		net.IPNet{
+			IP:   []byte{255, 255, 255, 255},
+			Mask: []byte{255, 255, 255, 255},
+		},
+		// RFC 6598
+		// 100.64.0.0./10
+		net.IPNet{
+			IP:   []byte{100, 64, 0, 0},
+			Mask: []byte{255, 192, 0, 0},
+		},
 	}
 )

@ -121,7 +191,12 @@ func (dnsResolver *DNSResolverImpl) LookupTXT(hostname string) ([]string, time.D
 }

 func isPrivateV4(ip net.IP) bool {
-	return rfc1918_10.Contains(ip) || rfc1918_172_16.Contains(ip) || rfc1918_192_168.Contains(ip) || rfc5735_127.Contains(ip)
+	for _, net := range privateNetworks {
+		if net.Contains(ip) {
+			return true
+		}
+	}
+	return false
 }

 // LookupHost sends a DNS query to find all A records associated with the provided