anope/modules/dnsbl.cpp

// Anope IRC Services <https://www.anope.org/>
//
// Copyright (C) 2003-2026 Anope Contributors
//
// Anope is free software. You can use, modify, and/or distribute it under the
// terms of version 2 of the GNU General Public License. See docs/LICENSE.txt
// for the complete terms of this license and docs/AUTHORS.txt for a list of
// contributors.
//
// Based on the original code of Epona by Lara
// Based on the original code of Services by Andy Church
//
// SPDX-License-Identifier: GPL-2.0-only

#include "module.h"
#include "modules/dns.h"

using namespace DNS;

static ServiceReference<XLineManager> akills("XLineManager", "xlinemanager/sgline");
static ServiceReference<Manager> dnsmanager("DNS::Manager", "dns/manager");

struct Blacklist final
{
	struct Reply final
	{
		int code = 0;
		Anope::string reason;
		bool allow_account = false;

		Reply() = default;
	};

	Anope::string name;
	time_t bantime = 0;
	Anope::string reason;
	std::vector<Reply> replies;

	const Reply *Find(int code)
	{
		for (const auto &reply : replies)
			if (reply.code == code)
				return &reply;
		return NULL;
	}
};

class DNSBLResolver final
	: public Request
{
	Reference<User> user;
	Blacklist blacklist;
	bool add_to_akill;

public:
	DNSBLResolver(Module *c, User *u, const Blacklist &b, const Anope::string &host, bool add_akill) : Request(dnsmanager, c, host, QUERY_A, true), user(u), blacklist(b), add_to_akill(add_akill) { }

	void OnLookupComplete(const Query *record) override
	{
		if (!user || user->Quitting())
			return;

		const ResourceRecord &ans_record = record->answers[0];
		// Replies should be in 127.0.0.0/8
		if (ans_record.rdata.find("127.") != 0)
			return;

		sockaddrs sresult;
		sresult.pton(AF_INET, ans_record.rdata);
		int result = sresult.sa4.sin_addr.s_addr >> 24;

		const Blacklist::Reply *reply = blacklist.Find(result);
		if (!blacklist.replies.empty() && !reply)
			return;

		if (reply && reply->allow_account && user->IsIdentified())
			return;

		auto addr = user->ip.addr();
		auto reason = Anope::Template(this->blacklist.reason, {
			{ "nick",    user->nick                                                              },
			{ "user",    user->GetIdent()                                                        },
			{ "real",    user->realname                                                          },
			{ "host",    user->host                                                              },
			{ "ip",      addr                                                                    },
			{ "reply",   reply ? reply->reason : ""                                              },
			{ "network", Config->GetBlock("networkinfo").Get<const Anope::string>("networkname") },
		});

		BotInfo *OperServ = Config->GetClient("OperServ");
		Log(creator, "dnsbl", OperServ) << user->GetMask() << " (" << addr << ") appears in " << this->blacklist.name;
		auto *x = new XLine("*@" + addr, OperServ ? OperServ->nick : "dnsbl", Anope::CurTime + this->blacklist.bantime, reason, XLineManager::GenerateUID());
		if (this->add_to_akill && akills)
		{
			akills->AddXLine(x);
			akills->Send(NULL, x);
		}
		else
		{
			IRCD->SendAkill(NULL, x);
			delete x;
		}
	}
};

class ModuleDNSBL final
	: public Module
{
	std::vector<Blacklist> blacklists;
	std::set<cidr> exempts;
	bool check_on_connect;
	bool check_on_netburst;
	bool add_to_akill;

public:
	ModuleDNSBL(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator, VENDOR | EXTRA)
	{

	}

	void OnReload(Configuration::Conf &conf) override
	{
		const auto &block = conf.GetModule(this);
		this->check_on_connect = block.Get<bool>("check_on_connect");
		this->check_on_netburst = block.Get<bool>("check_on_netburst");
		this->add_to_akill = block.Get<bool>("add_to_akill", "yes");

		this->blacklists.clear();
		for (int i = 0; i < block.CountBlock("blacklist"); ++i)
		{
			const auto &bl = block.GetBlock("blacklist", i);
			Blacklist blacklist;

			blacklist.name = bl.Get<Anope::string>("name");
			if (blacklist.name.empty())
				continue;
			blacklist.bantime = bl.Get<time_t>("time", "4h");
			blacklist.reason = bl.Get<Anope::string>("reason");

			for (int j = 0; j < bl.CountBlock("reply"); ++j)
			{
				const auto &reply = bl.GetBlock("reply", j);
				Blacklist::Reply r;

				r.code = reply.Get<int>("code");
				r.reason = reply.Get<Anope::string>("reason");
				r.allow_account = reply.Get<bool>("allow_account");

				blacklist.replies.push_back(r);
			}

			this->blacklists.push_back(blacklist);
		}

		this->exempts.clear();
		for (int i = 0; i < block.CountBlock("exempt"); ++i)
		{
			const auto &bl = block.GetBlock("exempt", i);
			this->exempts.insert(bl.Get<Anope::string>("ip"));
		}
	}

	void OnUserConnect(User *user, bool &exempt) override
	{
		if (exempt || user->Quitting() || (!this->check_on_connect && !Me->IsSynced()) || !dnsmanager)
			return;

		if (!this->check_on_netburst && !user->server->IsSynced())
			return;

		if (!user->ip.valid())
			/* User doesn't have a valid IP (spoof/etc) */
			return;

		if (this->blacklists.empty())
			return;

		if (this->exempts.count(user->ip.addr()))
		{
			Log(LOG_DEBUG) << "User " << user->nick << " is exempt from dnsbl check - ip: " << user->ip.addr();
			return;
		}

		Anope::string reverse = user->ip.reverse();

		for (const auto &b : this->blacklists)
		{
			Anope::string dnsbl_host = reverse + "." + b.name;
			DNSBLResolver *res = NULL;
			try
			{
				res = new DNSBLResolver(this, user, b, dnsbl_host, this->add_to_akill);
				dnsmanager->Process(res);
			}
			catch (const SocketException &ex)
			{
				delete res;
				Log(this) << ex.GetReason();
			}
		}
	}
};

MODULE_INIT(ModuleDNSBL)