Add ResponseRules support for checkDomain (domain-based lookups)

Copilot · thisisjaymehta · Copilot · commit c29208c95d75 · 2026-01-11T05:21:16.000Z
Co-authored-by: thisisjaymehta &lt;31812582+thisisjaymehta@users.noreply.github.com&gt;
diff --git a/docs/reference/checks/dnsbl.md b/docs/reference/checks/dnsbl.md
@@ -207,6 +207,9 @@ Defines per-response-code rules for scoring and custom messages. This is useful
 for combined DNSBLs like Spamhaus ZEN that return different codes for different
 listing types.
 
+This works for both IP-based lookups (client_ipv4, client_ipv6) and domain-based
+lookups (ehlo, mailfrom).
+
 Each `response` block takes one or more IP addresses or CIDR ranges as arguments
 and contains the following directives:
 
diff --git a/internal/check/dnsbl/common.go b/internal/check/dnsbl/common.go
@@ -72,25 +72,54 @@ func checkDomain(ctx context.Context, resolver dns.Resolver, cfg List, domain st
 		return nil
 	}
 
-	// Attempt to extract explanation string.
-	txts, err := resolver.LookupTXT(context.Background(), query)
-	if err != nil || len(txts) == 0 {
-		// Not significant, include addresses as reason. Usually they are
-		// mapped to some predefined 'reasons' by BL.
-		return ListedErr{
-			Identity: domain,
-			List:     cfg.Zone,
-			Reason:   strings.Join(addrs, "; "),
+	var score int
+	var customMessage string
+	var filteredAddrs []string
+
+	// If ResponseRules is configured, use new behavior
+	if len(cfg.ResponseRules) > 0 {
+		// Convert string addresses to IPAddr for matching
+		ipAddrs := make([]net.IPAddr, 0, len(addrs))
+		for _, addr := range addrs {
+			if ip := net.ParseIP(addr); ip != nil {
+				ipAddrs = append(ipAddrs, net.IPAddr{IP: ip})
+			}
 		}
+
+		matchedScore, matchedMessages, matchedReasons, matched := matchResponseRules(ipAddrs, cfg.ResponseRules)
+		if !matched {
+			return nil
+		}
+		score = matchedScore
+
+		// Use first matched message if available
+		if len(matchedMessages) > 0 {
+			customMessage = matchedMessages[0]
+		}
+
+		filteredAddrs = matchedReasons
+	} else {
+		// Legacy behavior: accept all addresses
+		filteredAddrs = addrs
 	}
 
-	// Some BLs provide multiple reasons (meta-BLs such as Spamhaus Zen) so
-	// don't mangle them by joining with "", instead join with "; ".
+	// Attempt to extract explanation string from TXT records (shared by both paths)
+	txts, err := resolver.LookupTXT(ctx, query)
+	var reason string
+	if err == nil && len(txts) > 0 {
+		reason = strings.Join(txts, "; ")
+	} else {
+		// Not significant, include addresses as reason. Usually they are
+		// mapped to some predefined 'reasons' by BL.
+		reason = strings.Join(filteredAddrs, "; ")
+	}
 
 	return ListedErr{
 		Identity: domain,
 		List:     cfg.Zone,
-		Reason:   strings.Join(txts, "; "),
+		Reason:   reason,
+		Score:    score,
+		Message:  customMessage,
 	}
 }
 
diff --git a/internal/check/dnsbl/common_test.go b/internal/check/dnsbl/common_test.go
@@ -236,3 +236,104 @@ func TestCheckIP(t *testing.T) {
 		Reason:   "127.0.0.1",
 	})
 }
+
+func TestCheckDomainWithResponseRules(t *testing.T) {
+	test := func(zones map[string]mockdns.Zone, cfg List, domain string, expectedErr error) {
+		t.Helper()
+		resolver := mockdns.Resolver{Zones: zones}
+		err := checkDomain(context.Background(), &resolver, cfg, domain)
+		if expectedErr == nil {
+			if err != nil {
+				t.Errorf("expected no error, got '%#v'", err)
+			}
+		} else {
+			if err == nil {
+				t.Errorf("expected err to be '%#v', got nil", expectedErr)
+			} else {
+				expectedLE, okExpected := expectedErr.(ListedErr)
+				actualLE, okActual := err.(ListedErr)
+				if !okExpected || !okActual {
+					t.Errorf("expected err to be '%#v', got '%#v'", expectedErr, err)
+				} else {
+					if expectedLE.Identity != actualLE.Identity ||
+						expectedLE.List != actualLE.List ||
+						expectedLE.Score != actualLE.Score ||
+						expectedLE.Message != actualLE.Message {
+						t.Errorf("expected err to be '%#v', got '%#v'", expectedErr, err)
+					}
+				}
+			}
+		}
+	}
+
+	// Test domain with single response code and custom message
+	test(map[string]mockdns.Zone{
+		"spam.example.com.dnsbl.example.org.": {
+			A: []string{"127.0.0.2"},
+		},
+	}, List{
+		Zone: "dnsbl.example.org",
+		ResponseRules: []ResponseRule{
+			{
+				Networks: []net.IPNet{
+					{IP: net.IPv4(127, 0, 0, 2), Mask: net.IPv4Mask(255, 255, 255, 255)},
+				},
+				Score:   10,
+				Message: "Domain listed as spam source",
+			},
+		},
+	}, "spam.example.com", ListedErr{
+		Identity: "spam.example.com",
+		List:     "dnsbl.example.org",
+		Score:    10,
+		Message:  "Domain listed as spam source",
+	})
+
+	// Test domain with multiple response codes - scores should sum
+	test(map[string]mockdns.Zone{
+		"multi.example.com.dnsbl.example.org.": {
+			A: []string{"127.0.0.2", "127.0.0.11"},
+		},
+	}, List{
+		Zone: "dnsbl.example.org",
+		ResponseRules: []ResponseRule{
+			{
+				Networks: []net.IPNet{
+					{IP: net.IPv4(127, 0, 0, 2), Mask: net.IPv4Mask(255, 255, 255, 255)},
+				},
+				Score:   10,
+				Message: "High severity",
+			},
+			{
+				Networks: []net.IPNet{
+					{IP: net.IPv4(127, 0, 0, 11), Mask: net.IPv4Mask(255, 255, 255, 255)},
+				},
+				Score:   5,
+				Message: "Low severity",
+			},
+		},
+	}, "multi.example.com", ListedErr{
+		Identity: "multi.example.com",
+		List:     "dnsbl.example.org",
+		Score:    15, // 10 + 5
+		Message:  "High severity",
+	})
+
+	// Test domain with no matching response codes
+	test(map[string]mockdns.Zone{
+		"unknown.example.com.dnsbl.example.org.": {
+			A: []string{"127.0.0.99"},
+		},
+	}, List{
+		Zone: "dnsbl.example.org",
+		ResponseRules: []ResponseRule{
+			{
+				Networks: []net.IPNet{
+					{IP: net.IPv4(127, 0, 0, 2), Mask: net.IPv4Mask(255, 255, 255, 255)},
+				},
+				Score:   10,
+				Message: "Listed",
+			},
+		},
+	}, "unknown.example.com", nil)
+}
