AdGuardDNS
Do not use 0.0.0.0 as response for adblocked domains
@iskradelta commented on Thu Oct 17 2019
Let this be a configuration option, which "ip" to return for adblocked domains, or NXERROR.
Example:

    node_modules/.bin/dnstls @176.103.130.130 +tls-host=dns.adguard.com googleads.g.doubleclick.net

    "answers": [
      {
        "name": "googleads.g.doubleclick.net",
        "type": "A",
        "ttl": 3274,
        "class": "IN",
        "flush": false,
        "data": "0.0.0.0"
      }
This is a problem: a client using the AdGuard DNS servers above, or the Firefox browser on a laptop, when visiting any shitty webpage or using any shitty application, could try to connect to services running on the Android phone or laptop, just because they have http://googleads.g.doubleclick.net:anyport, and basically perform any kind of queries to supposedly "local" services. This is worse since many developers think running stuff on localhost, or bound to any of their "internal" interfaces, is not exposed to the internet.
When using AdGuard DNS, by default, it's possible for any program to access services on localhost.
Specifying an address such as 127.6.6.6 as response, or NXERROR would fix the problem.
NXDOMAIN is problematic: Apple devices may fall back to a different DNS when they receive it. Something like 127.X.X.X is an option indeed; we should try it.
I know, hence it would be good to have an option in dnsproxy: when the upstream (using AdGuard DNS as upstream, but I have my own self-hosted version) says NXDOMAIN error, I'd like to reply with my own choice of 127.5.6.7 or similar, where I know none of my local services are running on any of my devices.
Or, alternative solution, to rewrite any 0.0.0.0 responses from any upstreams to one of my choice. But 0.0.0.0 by default is really bad; it should be 127.0.0.1 to lower the chances of ads "accidentally" making connections and spreading malware on any interfaces.
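As an added, stand-alone illustration of the rewrite proposed in the two comments above (returning a chosen loopback address instead of 0.0.0.0 for blocked domains, or rewriting 0.0.0.0 answers coming back from an upstream), the following Python is not dnsproxy's or AdGuard's code. It parses a DNS response at the wire level, overwrites the 4-byte RDATA of every IN A record equal to 0.0.0.0 with a configurable sinkhole address, and leaves everything else (lengths, compression pointers, TTLs) untouched. The sinkhole value 127.6.6.6, the sample response for googleads.g.doubleclick.net and the helper names are assumptions made for the example.

```python
import ipaddress
import struct

# Assumed sinkhole: a loopback address on which no local service listens.
# The thread suggests 127.6.6.6 / 127.5.6.7; this is a choice for the example,
# not an AdGuard default.
SINKHOLE = "127.6.6.6"


def _encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format (no compression)."""
    return b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _iter_rrs(msg: bytes):
    """Yield (name, type, class, ttl, rdata_offset, rdlength) for every RR after the question."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, ttl, off, rdlen
        off += rdlen


def rewrite_blocked_answers(msg: bytes, sinkhole: str = SINKHOLE):
    """Return (rewritten message, count) with every IN A record of 0.0.0.0 replaced by `sinkhole`.

    Only the 4-byte RDATA is overwritten, so section counts, RDLENGTH and any
    compression pointers in the rest of the message stay valid.
    """
    out = bytearray(msg)
    sink = ipaddress.IPv4Address(sinkhole).packed
    count = 0
    for _, rtype, rclass, _, rd_off, rdlen in _iter_rrs(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4 and msg[rd_off:rd_off + 4] == b"\x00" * 4:
            out[rd_off:rd_off + 4] = sink
            count += 1
    return bytes(out), count


def a_records(msg: bytes):
    """List the dotted-quad addresses of all IN A records in a response."""
    return [
        str(ipaddress.IPv4Address(msg[rd_off:rd_off + 4]))
        for _, rtype, rclass, _, rd_off, rdlen in _iter_rrs(msg)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def build_a_response(qname: str, addrs, ttl: int = 3274, txid: int = 0x1234) -> bytes:
    """Construct a DNS response (QR=1, RD=1, RA=1, NOERROR) with one IN A record per address.

    Answer names use a compression pointer (0xC00C) back to the question name at
    offset 12, as real resolvers do, so the parser's pointer path is exercised.
    """
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs
    )
    return header + question + answers


if __name__ == "__main__":
    # Constructed sample: the shape of what the thread shows AdGuard DNS returning for a blocked name.
    blocked = build_a_response("googleads.g.doubleclick.net", ["0.0.0.0"])
    fixed, n = rewrite_blocked_answers(blocked)
    print(a_records(blocked), "->", a_records(fixed), f"({n} record(s) rewritten)")
```

The rewrite is done in place on the raw bytes rather than by re-serialising the message, so it cannot break compression pointers or change the message length; a record that is not exactly IN A with a 4-byte 0.0.0.0 RDATA is never touched. Whatever address is chosen must be a loopback address that no service on any of the user's devices actually binds, which is the reason the thread prefers something like 127.5.6.7 over 127.0.0.1.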
Ah, I got it now.
Well, dnsproxy is supposed to simply proxy DNS queries/responses, not modify them.
We could add a setting for that to AG Home so that you could define what exactly is returned when a request is blocked.
That's OK, I can run my own AG Home. Do you have pointers to where in the code the change should be done?
Well, now that we have AdGuard DNS with the option of having a personal server, this task should be revived.
Planned for a future update, thanks for the reminder.