AdguardTeam/AdGuardHome

Don't forward queries that can't be answered by public DNS servers

Open

#1705, created on May 19, 2020

Labels: P3: Medium, feature request, help wanted

Description

(@ainar-g: updating the top post to summarize the discussion, define the UI, and add the special-use domains; original content is under the <details> tag.)

Currently, AdGuard Home forwards all queries upstream, even ones that can't be answered by public DNS servers, like PTR record lookups for private-use IP addresses or for domains like localhost, home.arpa, and lan, to name a few. This presents two issues: one is the added latency of receiving an NXDOMAIN response for something public DNS can't answer, and the other is leaking queries to a third-party service.

AdGuard Home shouldn't forward queries that can't be answered by upstream DNS servers by default, unless there is a manual forward definition defined in the Upstream DNS servers section.

Proposed changes:

  • UI:

    • Add a new section to the Settings → DNS settings page (probably right before the Access settings section) with the following checkboxes:

      • Enabled (to enable or disable this feature entirely);
      • Block Special-Use Domain Names (like *.example etc.);
      • Block Undelegated Domain Names (like modem, local, etc.);
      • Block Unqualified Domain Names (domains that consist of only the top-level domain).
  • Internals:

    • See the original post content for great tips on implementation.
    • The unqualified and special-use checks are relatively easy to implement without the need for urlfilter-like rules. The undelegated domains check might require them.
    • The special-use check must work in accordance with RFC 6761.
  • Configuration file:

    • The new object is added to object dns:

      block_special:
          enabled: true
          special_use: true
          undelegated: true
          unqualified: true

      (These are the default values.)

Problem Description

At the moment AGH forwards all queries upstream, even ones that can't be answered by public DNS servers, like PTR record lookups for private IP addresses or for domains like localhost, home.arpa, lan, to name a few.

This presents two issues: one is the added latency of receiving an NXDOMAIN response for something public DNS can't answer, and the other is leaking queries to a 3rd-party service.

Proposed Solution

Adguard shouldn't forward queries that can't be answered by upstream DNS servers by default, unless there is a manual forward definition defined in the Upstream DNS servers section.

I am not sure what the best method of implementation is for this, so I will just point out some implementation examples from other projects.

dnscrypt-proxy comes with the following options enabled by default.

## Immediately respond to A and AAAA queries for host names without a domain name
block_unqualified = true

## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).
block_undelegated = true

Source: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

For blocking unqualified domains, this seems to be the plugin that handles it - https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/plugin_block_unqualified.go

And the plugin for undelegated domains and PTR records - https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/plugin_block_undelegated.go

Some of those PTR records are from https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml

DNSMasq has the following option.

-f, --filterwin2k
    Later versions of windows make periodic DNS requests which don't get sensible answers from the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the requested name has underscores, to catch LDAP requests. 

Openwrt uses the above option along with filtering of private IP addresses in the dnsmasq that they ship - https://github.com/openwrt/luci/blob/aac1a8d512643e3864843d2c2b3c6ee7f7f2a3d2/modules/luci-mod-network/htdocs/luci-static/resources/view/network/dhcp.js#L212-L219

Alternatives Considered

Write rules to block queries that can't be answered upstream, with exceptions for internal domains and PTR records for the internal IP range, which are forwarded to the router's DNS server.

Additional Information

While undelegated domains and PTR records can be handled by creating rules to block requests, with some exceptions for the ones you use, it would be good to have this feature built into AGH and enabled by default so it benefits all users, not just the ones who can write their own rules.
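The three checks proposed above (special-use, undelegated, unqualified), written as a small Go classifier that decides whether a query is answered locally or forwarded. This is an added example, not AdGuard Home's or dnscrypt-proxy's code; the BlockConfig field names, the textual qtype argument and the undelegated suffix list are assumptions, while the special-use and reverse zones come from RFC 6761, RFC 6303, RFC 6762, RFC 7686 and RFC 8375.

```go
package main

import "fmt"
import "strings"

// BlockConfig mirrors the block_special object proposed for the config file.
type BlockConfig struct {
	Enabled, SpecialUse, Undelegated, Unqualified bool
}
// RFC 6761 names (incl. RFC 1918 reverse zones), other RFC 6303 locally-served
// reverse zones, .local (RFC 6762), .onion (RFC 7686) and home.arpa (RFC 8375).
var specialUse = []string{
	"localhost.", "test.", "invalid.", "example.", "example.com.", "example.net.",
	"example.org.", "local.", "onion.", "home.arpa.", "10.in-addr.arpa.",
	"168.192.in-addr.arpa.", "127.in-addr.arpa.", "254.169.in-addr.arpa.",
	"d.f.ip6.arpa.", "8.e.f.ip6.arpa.", "9.e.f.ip6.arpa.", "a.e.f.ip6.arpa.", "b.e.f.ip6.arpa.",
}

// A constructed sample of undelegated LAN suffixes, not an authoritative list.
var undelegated = []string{"lan.", "home.", "internal.", "localdomain.", "modem."}
func init() { // 172.16.0.0/12 spans sixteen /16 reverse zones.
	for i := 16; i <= 31; i++ {
		specialUse = append(specialUse, fmt.Sprintf("%d.172.in-addr.arpa.", i))
	}
}
// inAnyZone reports whether name equals one of the zones or lies below it.
func inAnyZone(name string, zones []string) bool {
	for _, z := range zones {
		if name == z || strings.HasSuffix(name, "."+z) {
			return true
		}
	}
	return false
}

// Classify returns "" when the query should be forwarded upstream, otherwise the
// reason to answer it locally with NXDOMAIN. qtype is the textual RR type, e.g. "A".
func Classify(qname, qtype string, cfg BlockConfig) string {
	name := strings.ToLower(strings.TrimSuffix(qname, ".")) + "." // canonical FQDN
	switch {
	case !cfg.Enabled:
		return ""
	case cfg.SpecialUse && inAnyZone(name, specialUse):
		return "special-use"
	case cfg.Undelegated && inAnyZone(name, undelegated):
		return "undelegated"
	case cfg.Unqualified && (qtype == "A" || qtype == "AAAA") && len(name) > 1 && strings.Count(name, ".") == 1:
		return "unqualified" // a bare host name such as "printer"
	}
	return ""
}
```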
