
Do not use 0.0.0.0 as response for adblocked domains

Open ameshkov opened this issue 4 years ago • 5 comments

@iskradelta commented on Thu Oct 17 2019

Let this be a configuration option, which "ip" to return for adblocked domains, or NXERROR.

Example:

```
node_modules/.bin/dnstls @176.103.130.130 +tls-host=dns.adguard.com googleads.g.doubleclick.net
"answers": [ { "name": "googleads.g.doubleclick.net", "type": "A", "ttl": 3274, "class": "IN", "flush": false, "data": "0.0.0.0" }
```

This is a problem, since a client using the AdGuard DNS servers above, or the Firefox browser on a laptop, if visiting any shitty webpage or using any shitty application, could try to connect to services running on the Android phone or laptop, just because they have http://googleads.g.doubleclick.net:anyport, and basically perform any kind of queries to supposedly "local" services. This is worse since many developers think that running stuff on localhost, or bound to any of their "internal" interfaces, is not exposed to the internet.

When using AdGuard DNS, by default, it's possible for any program to access services on localhost.

Specifying an address such as 127.6.6.6 as response, or NXERROR would fix the problem.

ameshkov avatar Oct 17 '19 08:10 ameshkov

NXDOMAIN is problematic: Apple devices may fall back to a different DNS when they receive it. Something like 127.X.X.X is an option indeed; we should try it.

ameshkov avatar Oct 17 '19 09:10 ameshkov

I know, hence it would be good to have an option in dnsproxy: when the upstream (I'm using AdGuard DNS as upstream but have my own self-hosted version) says NXDOMAIN, I'd like to reply with my own choice of 127.5.6.7 or similar, where I know none of my local services are running on any of my devices.

Or, as an alternative solution, rewrite any 0.0.0.0 responses from any upstreams to one of my choice. But 0.0.0.0 by default is really bad; it should be 127.0.0.1 to lower the chances of ads "accidentally" making connections and spreading malware on any interfaces.

iskradelta avatar Oct 17 '19 09:10 iskradelta
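The rewrite iskradelta describes above (replace a 0.0.0.0 "blocked" answer with a sinkhole address, or answer NXDOMAIN instead) is small enough to show in working code. The block below is an added example for this thread, not code from dnsproxy, AdGuard Home or AdGuard DNS; the function names, the default sink address 127.5.6.7 and the sample response (built in-process from the answer quoted in the issue, not captured from dns.adguard.com) are all constructed for illustration. It works on the DNS wire format directly so it runs offline with only the standard library.

```python
"""Rewrite 0.0.0.0 A answers (the 'blocked' marker) to a sinkhole or to NXDOMAIN.

Added example for the issue thread; hypothetical helper, not dnsproxy/AdGuard code.
"""
import ipaddress
import struct
from typing import Iterator, List, Optional, Tuple

TYPE_A = 1
CLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, ips: List[str], ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a response with one IN A record per ip.

    Flags 0x8180 = QR, RD, RA set, RCODE 0. The answer owner name is a
    compression pointer (0xC00C) back to the question name at offset 12.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_records(msg: bytes) -> Iterator[Tuple[int, str]]:
    """Yield (rdata offset, dotted address) for every IN A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen


def rewrite_blocked(msg: bytes, sink: Optional[str] = "127.5.6.7") -> bytes:
    """Policy hook (hypothetical): if any A answer is 0.0.0.0, substitute `sink`.

    With sink=None the response is turned into NXDOMAIN instead: same id and
    question, no answers, RCODE set to 3. Responses without 0.0.0.0 pass through
    unchanged, so ordinary upstream answers are never touched.
    """
    hits = [off for off, ip in a_records(msg) if ip == "0.0.0.0"]
    if not hits:
        return msg
    if sink is None:
        txid, flags, qd = struct.unpack("!HHH", msg[:6])
        qend = 12
        for _ in range(qd):
            qend = skip_name(msg, qend) + 4
        flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
        return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + msg[12:qend]
    # An IPv4 rdata is always 4 bytes, so the swap keeps every offset intact.
    out = bytearray(msg)
    packed = ipaddress.IPv4Address(sink).packed
    for off in hits:
        out[off:off + 4] = packed
    return bytes(out)


if __name__ == "__main__":
    sample = build_a_response("googleads.g.doubleclick.net", ["0.0.0.0"], ttl=3274)
    print([ip for _, ip in a_records(rewrite_blocked(sample))])
```

Whatever address is configured as the sink should be one that no service on any device ever listens on; the point of the thread is that 0.0.0.0 fails that test, because on Linux and macOS a connect() to 0.0.0.0 is delivered to the local host. A 127.0.0.0/8 address other than 127.0.0.1 is a reasonable choice, since almost nothing binds to those explicitly, and a connection attempt to it is refused immediately rather than hanging.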

Ah, I got it now.

Well, dnsproxy is supposed to simply proxy DNS queries/responses, not modify them.

We could add a setting for that to AG Home so that you could define what exactly is returned when a request is blocked.

ameshkov avatar Oct 17 '19 09:10 ameshkov

That's OK, I can run my own AG Home. Do you have pointers to where in the code the change should be done?

iskradelta avatar Oct 17 '19 10:10 iskradelta

Well, now that we have AdGuard DNS with the option of having a personal server, this task should be revived.

Planned for a future update, thanks for the reminder.

ameshkov avatar Sep 19 '22 10:09 ameshkov