DNS outbound: Replace "reject" with "return" (rCode is 0 by default) (#6214)

https://github.com/XTLS/Xray-core/pull/6214#issuecomment-4587988752

Example: https://github.com/XTLS/Xray-core/pull/6214#issue-4553786283

---------

Co-authored-by: Meo597 <197331664+Meo597@users.noreply.github.com>

proxy/dns/config.pb.go

@@ -28,7 +28,7 @@ type RuleAction int32
 const (
 	RuleAction_Direct RuleAction = 0
 	RuleAction_Drop   RuleAction = 1
-	RuleAction_Reject RuleAction = 2
+	RuleAction_Return RuleAction = 2
 	RuleAction_Hijack RuleAction = 3
 )
 
@@ -37,13 +37,13 @@ var (
 	RuleAction_name = map[int32]string{
 		0: "Direct",
 		1: "Drop",
-		2: "Reject",
+		2: "Return",
 		3: "Hijack",
 	}
 	RuleAction_value = map[string]int32{
 		"Direct": 0,
 		"Drop":   1,
-		"Reject": 2,
+		"Return": 2,
 		"Hijack": 3,
 	}
 )
@@ -78,8 +78,9 @@ func (RuleAction) EnumDescriptor() ([]byte, []int) {
 type DNSRuleConfig struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Action        RuleAction             `protobuf:"varint,1,opt,name=action,proto3,enum=xray.proxy.dns.RuleAction" json:"action,omitempty"`
-	Qtype         []int32                `protobuf:"varint,2,rep,packed,name=qtype,proto3" json:"qtype,omitempty"`
+	QType         []int32                `protobuf:"varint,2,rep,packed,name=q_type,json=qType,proto3" json:"q_type,omitempty"`
 	Domain        []*geodata.DomainRule  `protobuf:"bytes,3,rep,name=domain,proto3" json:"domain,omitempty"`
+	RCode         uint32                 `protobuf:"varint,4,opt,name=r_code,json=rCode,proto3" json:"r_code,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -121,9 +122,9 @@ func (x *DNSRuleConfig) GetAction() RuleAction {
 	return RuleAction_Direct
 }
 
-func (x *DNSRuleConfig) GetQtype() []int32 {
+func (x *DNSRuleConfig) GetQType() []int32 {
 	if x != nil {
-		return x.Qtype
+		return x.QType
 	}
 	return nil
 }
@@ -135,6 +136,13 @@ func (x *DNSRuleConfig) GetDomain() []*geodata.DomainRule {
 	return nil
 }
 
+func (x *DNSRuleConfig) GetRCode() uint32 {
+	if x != nil {
+		return x.RCode
+	}
+	return 0
+}
+
 type Config struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	UserLevel     uint32                 `protobuf:"varint,1,opt,name=user_level,json=userLevel,proto3" json:"user_level,omitempty"`
@@ -199,11 +207,12 @@ var File_proxy_dns_config_proto protoreflect.FileDescriptor
 
 const file_proxy_dns_config_proto_rawDesc = "" +
 	"\n" +
-	"\x16proxy/dns/config.proto\x12\x0exray.proxy.dns\x1a\x1ccommon/net/destination.proto\x1a\x1bcommon/geodata/geodat.proto\"\x92\x01\n" +
+	"\x16proxy/dns/config.proto\x12\x0exray.proxy.dns\x1a\x1ccommon/net/destination.proto\x1a\x1bcommon/geodata/geodat.proto\"\xaa\x01\n" +
 	"\rDNSRuleConfig\x122\n" +
-	"\x06action\x18\x01 \x01(\x0e2\x1a.xray.proxy.dns.RuleActionR\x06action\x12\x14\n" +
-	"\x05qtype\x18\x02 \x03(\x05R\x05qtype\x127\n" +
-	"\x06domain\x18\x03 \x03(\v2\x1f.xray.common.geodata.DomainRuleR\x06domain\"\x9c\x01\n" +
+	"\x06action\x18\x01 \x01(\x0e2\x1a.xray.proxy.dns.RuleActionR\x06action\x12\x15\n" +
+	"\x06q_type\x18\x02 \x03(\x05R\x05qType\x127\n" +
+	"\x06domain\x18\x03 \x03(\v2\x1f.xray.common.geodata.DomainRuleR\x06domain\x12\x15\n" +
+	"\x06r_code\x18\x04 \x01(\rR\x05rCode\"\x9c\x01\n" +
 	"\x06Config\x12\x1d\n" +
 	"\n" +
 	"user_level\x18\x01 \x01(\rR\tuserLevel\x121\n" +
@@ -215,7 +224,7 @@ const file_proxy_dns_config_proto_rawDesc = "" +
 	"\x06Direct\x10\x00\x12\b\n" +
 	"\x04Drop\x10\x01\x12\n" +
 	"\n" +
-	"\x06Reject\x10\x02\x12\n" +
+	"\x06Return\x10\x02\x12\n" +
 	"\n" +
 	"\x06Hijack\x10\x03BL\n" +
 	"\x12com.xray.proxy.dnsP\x01Z#github.com/xtls/xray-core/proxy/dns\xaa\x02\x0eXray.Proxy.Dnsb\x06proto3"

proxy/dns/config.proto

@@ -12,14 +12,15 @@ import "common/geodata/geodat.proto";
 enum RuleAction {
   Direct = 0;
   Drop = 1;
-  Reject = 2;
+  Return = 2;
   Hijack = 3;
 }
 
 message DNSRuleConfig {
   RuleAction action = 1;
-  repeated int32 qtype = 2;
+  repeated int32 q_type = 2;
   repeated xray.common.geodata.DomainRule domain = 3;
+  uint32 r_code = 4;
 }
 
 message Config {

proxy/dns/dns.go

@@ -45,6 +45,7 @@ type DNSRule struct {
 	action  RuleAction
 	qTypes  []uint16
 	domains geodata.DomainMatcher
+	rCode   dnsmessage.RCode
 }
 
 func (r *DNSRule) matchQType(qType uint16) bool {
@@ -95,9 +96,10 @@ func (h *Handler) Init(config *Config, dnsClient dns.Client, policyManager polic
 	for _, r := range config.Rule {
 		rule := &DNSRule{
 			action: r.Action,
-			qTypes: make([]uint16, 0, len(r.Qtype)),
+			qTypes: make([]uint16, 0, len(r.QType)),
+			rCode:  dnsmessage.RCode(r.RCode),
 		}
-		for _, t := range r.Qtype {
+		for _, t := range r.QType {
 			rule.qTypes = append(rule.qTypes, uint16(t))
 		}
 		if len(r.Domain) > 0 {
@@ -136,17 +138,17 @@ func parseQuery(b []byte) (id uint16, qType dnsmessage.Type, domain string, ok b
 	return
 }
 
-func (h *Handler) applyRules(qType dnsmessage.Type, domain string) RuleAction {
+func (h *Handler) applyRules(qType dnsmessage.Type, domain string) (RuleAction, dnsmessage.RCode) {
 	qCode := uint16(qType)
 	for _, r := range h.rules {
 		if r.Apply(qCode, domain) {
-			return r.action
+			return r.action, r.rCode
 		}
 	}
 	if qType == dnsmessage.TypeA || qType == dnsmessage.TypeAAAA {
-		return RuleAction_Hijack
+		return RuleAction_Hijack, dnsmessage.RCodeSuccess
 	}
-	return RuleAction_Reject
+	return RuleAction_Return, dnsmessage.RCodeSuccess
 }
 
 // Process implements proxy.Outbound.
@@ -213,7 +215,7 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, d internet.
 	}
 
 	if session.TimeoutOnlyFromContext(ctx) {
-		ctx, _ = context.WithCancel(context.Background())
+		ctx = context.Background()
 	}
 
 	ctx, cancel := context.WithCancel(ctx)
@@ -250,21 +252,22 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, d internet.
 				continue
 			}
 
-			switch h.applyRules(qType, domain) {
+			action, rCode := h.applyRules(qType, domain)
+			switch action {
 			case RuleAction_Drop:
 				b.Release()
 				errors.LogInfo(ctx, "blocked type ", qType, " query for domain ", domain)
-			case RuleAction_Reject:
+			case RuleAction_Return:
 				b.Release()
 				errors.LogInfo(ctx, "rejected type ", qType, " query for domain ", domain)
-				if err := h.rejectNonIPQuery(id, qType, domain, writer); err != nil {
+				if err := h.rejectNonIPQuery(id, qType, domain, writer, rCode); err != nil {
 					return err
 				}
 			case RuleAction_Hijack:
 				b.Release()
 				if qType != dnsmessage.TypeA && qType != dnsmessage.TypeAAAA {
 					errors.LogError(ctx, "can only hijack A/AAAA records")
-					if err := h.rejectNonIPQuery(id, qType, domain, writer); err != nil {
+					if err := h.rejectNonIPQuery(id, qType, domain, writer, rCode); err != nil {
 						return err
 					}
 				} else {
@@ -309,48 +312,35 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, d internet.
 
 func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string, writer dns_proto.MessageWriter, timer *signal.ActivityTimer) {
 	var ips []net.IP
+	var ttl uint32
 	var err error
 
-	var ttl4 uint32
-	var ttl6 uint32
-
 	switch qType {
 	case dnsmessage.TypeA:
-		ips, ttl4, err = h.client.LookupIP(domain, dns.IPOption{
+		ips, ttl, err = h.client.LookupIP(domain, dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 			FakeEnable: true,
 		})
 	case dnsmessage.TypeAAAA:
-		ips, ttl6, err = h.client.LookupIP(domain, dns.IPOption{
+		ips, ttl, err = h.client.LookupIP(domain, dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: true,
 		})
 	}
 
-	rcode := dns.RCodeFromError(err)
-	if rcode == 0 && len(ips) == 0 && !go_errors.Is(err, dns.ErrEmptyResponse) {
+	rCode := dns.RCodeFromError(err)
+	if rCode == 0 && len(ips) == 0 && !go_errors.Is(err, dns.ErrEmptyResponse) {
 		errors.LogInfoInner(context.Background(), err, "ip query")
 		return
 	}
 
-	switch qType {
-	case dnsmessage.TypeA:
-		for i, ip := range ips {
-			ips[i] = ip.To4()
-		}
-	case dnsmessage.TypeAAAA:
-		for i, ip := range ips {
-			ips[i] = ip.To16()
-		}
-	}
-
 	b := buf.New()
 	rawBytes := b.Extend(buf.Size)
 	builder := dnsmessage.NewBuilder(rawBytes[:0], dnsmessage.Header{
 		ID:                 id,
-		RCode:              dnsmessage.RCode(rcode),
+		RCode:              dnsmessage.RCode(rCode),
 		RecursionAvailable: true,
 		RecursionDesired:   true,
 		Response:           true,
@@ -365,17 +355,25 @@ func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string,
 	}))
 	common.Must(builder.StartAnswers())
 
-	rHeader4 := dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName(domain), Class: dnsmessage.ClassINET, TTL: ttl4}
-	rHeader6 := dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName(domain), Class: dnsmessage.ClassINET, TTL: ttl6}
-	for _, ip := range ips {
-		if len(ip) == net.IPv4len {
-			var r dnsmessage.AResource
-			copy(r.A[:], ip)
-			common.Must(builder.AResource(rHeader4, r))
-		} else {
-			var r dnsmessage.AAAAResource
-			copy(r.AAAA[:], ip)
-			common.Must(builder.AAAAResource(rHeader6, r))
+	rHeader := dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName(domain), Class: dnsmessage.ClassINET, TTL: ttl}
+	switch qType {
+	case dnsmessage.TypeA:
+		for _, ip := range ips {
+			ip = ip.To4()
+			if len(ip) == net.IPv4len {
+				var r dnsmessage.AResource
+				copy(r.A[:], ip)
+				common.Must(builder.AResource(rHeader, r))
+			}
+		}
+	case dnsmessage.TypeAAAA:
+		for _, ip := range ips {
+			ip = ip.To16()
+			if len(ip) == net.IPv6len {
+				var r dnsmessage.AAAAResource
+				copy(r.AAAA[:], ip)
+				common.Must(builder.AAAAResource(rHeader, r))
+			}
 		}
 	}
 	msgBytes, err := builder.Finish()
@@ -392,7 +390,7 @@ func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string,
 	}
 }
 
-func (h *Handler) rejectNonIPQuery(id uint16, qType dnsmessage.Type, domain string, writer dns_proto.MessageWriter) error {
+func (h *Handler) rejectNonIPQuery(id uint16, qType dnsmessage.Type, domain string, writer dns_proto.MessageWriter, rCode dnsmessage.RCode) error {
 	domainT := strings.TrimSuffix(domain, ".")
 	if domainT == "" {
 		return errors.New("empty domain name")
@@ -401,7 +399,7 @@ func (h *Handler) rejectNonIPQuery(id uint16, qType dnsmessage.Type, domain stri
 	rawBytes := b.Extend(buf.Size)
 	builder := dnsmessage.NewBuilder(rawBytes[:0], dnsmessage.Header{
 		ID:                 id,
-		RCode:              dnsmessage.RCodeRefused,
+		RCode:              rCode,
 		RecursionAvailable: true,
 		RecursionDesired:   true,
 		Response:           true,

proxy/dns/dns_test.go

@@ -424,7 +424,7 @@ func TestDNSRules(t *testing.T) {
 				ProxySettings: serial.ToTypedMessage(&dns_proxy.Config{
 					Rule: []*dns_proxy.DNSRuleConfig{
 						{
-							Qtype: []int32{int32(dns.TypeA)},
+							QType: []int32{int32(dns.TypeA)},
 							Domain: []*geodata.DomainRule{
 								{
 									Value: &geodata.DomainRule_Custom{
@@ -438,7 +438,7 @@ func TestDNSRules(t *testing.T) {
 							Action: dns_proxy.RuleAction_Direct,
 						},
 						{
-							Qtype: []int32{int32(dns.TypeA)},
+							QType: []int32{int32(dns.TypeA)},
 							Domain: []*geodata.DomainRule{
 								{
 									Value: &geodata.DomainRule_Custom{
@@ -449,7 +449,8 @@ func TestDNSRules(t *testing.T) {
 									},
 								},
 							},
-							Action: dns_proxy.RuleAction_Reject,
+							Action: dns_proxy.RuleAction_Return,
+							RCode:  5,
 						},
 					},
 				}),