dnscrypt-resolvers
Some servers filter responses with intranet IP addresses
I've noticed that certain servers are filtering intranet domain names and returning empty records when the resolved IP address is a private address. One such server is jp.tiar.app. I suspect that this filtering is implemented for security reasons. However, can we consider these servers as having "filter=false" behavior?
To reproduce the issue, you can test it with the following domain name: local.03k.org (10.9.8.7).
## sby-limotelu
non-censoring, non-logging, DNSSEC-capable Hosted in Surabaya, Indonesia (Dnscrypt) https://limotelu.org maintained by poentodewo (https://github.com/poentodewo)
sdns://AQcAAAAAAAAAEzE5OS4xODAuMTMwLjM5Ojg0NDMg1U5MYSDK58uVdJ8dKtp0UZaCKSG0znwQLVHYKk1QyuwcMi5kbnNjcnlwdC1jZXJ0LnNieS1saW1vdGVsdQ
```
# dnslookup local.03k.org sdns://AQcAAAAAAAAAEzE5OS4xODAuMTMwLjM5Ojg0NDMg1U5MYSDK58uVdJ8dKtp0UZaCKSG0znwQLVHYKk1QyuwcMi5kbnNjcnlwdC1jZXJ0LnNieS1saW1vdGVsdQ
dnslookup v1.9.1
dnslookup result (elapsed 16.285129805s):
;; opcode: QUERY, status: REFUSED, id: 52879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; EDE: 18 (Prohibited): (EIM4)

;; QUESTION SECTION:
;local.03k.org.	IN	 A

;; ADDITIONAL SECTION:
explanation.invalid.	10800	IN	TXT	"blocked by DNS rebinding protection"
```
Furthermore, I believe that this behavior can be detected using a script and can be addressed by running periodic checks through actions. These checks can remove the "No filter" label from these servers.
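One way to script the periodic check proposed above, as an added example that is not code from the dnscrypt-resolvers project: it decodes the "no filter" property bit from a server's sdns:// stamp (DNS Stamps layout: a protocol byte followed by a little-endian 64-bit props field) and classifies the text that `dnslookup <name> <stamp>` prints for a name expected to resolve to a private address, flagging servers whose stamp claims "no filter" but whose answer was refused or stripped. The REFUSED sample is the response quoted in this issue; the NOERROR sample and the function names (`decode_stamp_props`, `classify`, `mislabeled`) are constructed for the example.

```python
"""Detect resolvers that advertise "no filter" yet block private-address answers.

Added example, not code from the dnscrypt-resolvers project. It (1) decodes the
"no filter" bit from an sdns:// stamp and (2) classifies dnslookup output for a
test name that should resolve to a private (RFC 1918) address.
"""
import base64
import ipaddress
import re

# Stamp from the sby-limotelu entry quoted in this issue (DNSCrypt, props = 7).
STAMP = "sdns://AQcAAAAAAAAAEzE5OS4xODAuMTMwLjM5Ojg0NDMg1U5MYSDK58uVdJ8dKtp0UZaCKSG0znwQLVHYKk1QyuwcMi5kbnNjcnlwdC1jZXJ0LnNieS1saW1vdGVsdQ"

TEST_NAME = "local.03k.org"                      # test name from the issue
EXPECTED_IP = ipaddress.ip_address("10.9.8.7")   # its expected private address

# Response quoted in the issue: REFUSED, EDE 18, rebinding-protection notice.
REFUSED_OUTPUT = """\
dnslookup v1.9.1
dnslookup result (elapsed 16.285129805s):
;; opcode: QUERY, status: REFUSED, id: 52879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; EDE: 18 (Prohibited): (EIM4)
;; QUESTION SECTION:
;local.03k.org.\tIN\t A
;; ADDITIONAL SECTION:
explanation.invalid.\t10800\tIN\tTXT\t"blocked by DNS rebinding protection"
"""

# Constructed sample: what a non-filtering resolver would print for the same name.
OK_OUTPUT = """\
dnslookup v1.9.1
dnslookup result (elapsed 120ms):
;; opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;local.03k.org.\tIN\t A
;; ANSWER SECTION:
local.03k.org.\t300\tIN\tA\t10.9.8.7
"""

STATUS_RE = re.compile(r";; opcode: \w+, status: (\w+)")
EDE_RE = re.compile(r"^; EDE: (\d+)", re.MULTILINE)
A_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$", re.MULTILINE)


def decode_stamp_props(stamp: str) -> dict:
    """Decode the 64-bit little-endian props field that follows the protocol
    byte of a DNS stamp: bit 0 DNSSEC, bit 1 no logs, bit 2 no filter."""
    body = stamp.removeprefix("sdns://")
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    props = int.from_bytes(raw[1:9], "little")
    return {"dnssec": bool(props & 1), "no_logs": bool(props & 2), "no_filter": bool(props & 4)}


def classify(output: str, expected_ip=EXPECTED_IP) -> dict:
    """Decide from dnslookup's text whether the private-address answer was filtered.
    Returns {"filters": True/False/None, "reason": str, "answers": [A records]}."""
    m = STATUS_RE.search(output)
    status = m.group(1) if m else "UNKNOWN"
    m = EDE_RE.search(output)
    ede = int(m.group(1)) if m else None
    answers = [ip for _, ip in A_RR_RE.findall(output)]

    if status == "REFUSED" or ede == 18:            # EDE 18 = Prohibited (RFC 8914)
        return {"filters": True, "reason": f"status {status}, EDE {ede}", "answers": answers}
    if "rebinding protection" in output.lower():
        return {"filters": True, "reason": "rebinding-protection notice", "answers": answers}
    if status != "NOERROR":
        return {"filters": None, "reason": f"inconclusive status {status}", "answers": answers}
    if str(expected_ip) in answers:
        return {"filters": False, "reason": "private address returned", "answers": answers}
    if not answers or not any(ipaddress.ip_address(a).is_private for a in answers):
        return {"filters": True, "reason": "private address stripped", "answers": answers}
    return {"filters": None, "reason": "unexpected answer", "answers": answers}


def mislabeled(stamp: str, output: str) -> bool:
    """True when the stamp claims "no filter" but the observed answer was filtered."""
    return decode_stamp_props(stamp)["no_filter"] and classify(output)["filters"] is True


if __name__ == "__main__":
    print("stamp props:", decode_stamp_props(STAMP))
    for label, out in (("refused", REFUSED_OUTPUT), ("ok", OK_OUTPUT)):
        print(label, classify(out), "mislabeled:", mislabeled(STAMP, out))
```

In a scheduled job, the stamps would come from the resolver list and each `dnslookup` output would be captured per server; any server for which `mislabeled` returns True is a candidate for losing the "No filter" label.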
Hi!
And thanks for reporting this!
Indeed, it is not expected to block local IP addresses when the "no filter" flag is set.
And this is causing more issues than it solves.
I'll run a scan of the servers for that. Thanks again!
I tested all DNS servers using a simple script to get a list of the DNS servers that filter; I hope this helps. List of DNS servers that filter: https://raw.githubusercontent.com/kkkgo/PaoPao-Pref/main/dnscrypt_resolver/ban_list.txt
Good catch! This restriction should now be removed from all dnscry.pt resolvers. It's part of the default configuration CentOS/Alma Linux ship with unbound, and I missed removing it.