Conversation
Signed-off-by: Maciek <tomczukmaciej@gmail.com>
…ype-mismatched A record Signed-off-by: Maciek <tomczukmaciej@gmail.com>
Signed-off-by: Maciek <tomczukmaciej@gmail.com>
There was a problem hiding this comment.
Pull request overview
Fixes a bypass where HTTPS/SVCB (type 65/64) responses could leak IPs via ipv4hint/ipv6hint, allowing clients to circumvent A/AAAA blocking.
Changes:
- Update blocked-response generation to return NODATA (empty answer) for non-A/AAAA qtypes (e.g., HTTPS/SVCB).
- Extend IP-phase filtering to extract IPs from HTTPS/SVCB hints and apply services/custom-rule matching against those hint IPs.
- Add/extend unit + integration tests to cover HTTPS/SVCB hint extraction and blocked HTTPS response behavior.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
proxy/server/server.go |
Changes blocked response behavior to synthesize A/AAAA, but return empty answers for HTTPS/SVCB/other qtypes. |
proxy/server/post_resolve_test.go |
Adds coverage asserting blocked HTTPS queries return NODATA (empty answer). |
proxy/filter/services.go |
Adds IP extraction from HTTPS/SVCB hints and uses it for services blocking decisions. |
proxy/filter/custom_rules.go |
Updates IP/ASN custom rule matching to operate on extracted IPs (including hints). |
proxy/filter/services_test.go |
Adds unit tests for hint extraction + services blocking decisions on HTTPS hint IPs. |
proxy/filter/ip_custom_rules_test.go |
Refactors tests to match new matchIPRule signature (now takes net.IP). |
tests/libs/profile_helpers.py |
Adds real-domain constants used by new integration tests. |
tests/dns_tests/test_services.py |
Adds integration tests covering HTTPS blocking behavior and live hint-based blocking. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Maciek <tomczukmaciej@gmail.com>
Signed-off-by: Maciek <tomczukmaciej@gmail.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Maciek <tomczukmaciej@gmail.com>
MaciejTe
force-pushed
the
fix/https-record-filtering-bypass
branch
from
a5d669c to
6d3f979
Compare
PR type
What kind of change does this PR introduce?