
FR: Allow blocking resource records in Conditional Forwarder Zones

Open LordMike opened this issue 4 years ago • 4 comments

I've created a CFZ that hijacks a single record from my target zone, and places it locally - but I've observed that if the record originally has other record types available, those will be used when I have none defined.

$ dig +short example.com a
93.184.216.34
$ dig +short example.com aaaa
2606:2800:220:1:248:1893:25c8:1946

I create the CFZ example.com and place a record for @ with the type A. My queries now produce:

$ dig +short example.com a
127.0.0.1
$ dig +short example.com aaaa
2606:2800:220:1:248:1893:25c8:1946

As I haven't created an AAAA record, I still get the original AAAA response. I have no way to block this AAAA record today, other than creating one of my own. But if I have no local value to put in, my app won't use IPv4 instead of IPv6.

Please add a way to block a record type in a CFZ :)

Maybe a way to block all record types, that aren't defined. (f.ex. if I also wanted to block TXT, SPF, .. and future record types).

LordMike avatar Dec 14 '21 20:12 LordMike

Thanks for the post. This is actually a feature of conditional forwarder zones that allow you to only override a specific record while the rest of the domain resolves as usual.

In your case you want to completely override the zone. For such case, you can create a primary zone that will only respond to the entries that you have created. However, this will block all subdomains too unlike in the case of conditional forwarder zones. If this is what you wanted then it should work well for your scenario.

Let me know if primary zone works for your scenario. I can plan some feature if that is not sufficient.

ShreyasZare avatar Dec 15 '21 04:12 ShreyasZare

Hi,

It won’t - I need the zone to function as normal, except for this one record where I want A/AAAA to resolve to a local address. While I can run ipv6 locally, and can put both in, it’d be awesome to be able to block the one record type I don’t want.

This also means you can’t “undefine” a record - you can only replace it with a new value.

Mike.


LordMike avatar Dec 15 '21 14:12 LordMike

Thanks for the feedback. Will plan a way to do that in upcoming updates. This may not get added in the next immediate update as the focus is to get DNSSEC validation implemented.

ShreyasZare avatar Dec 15 '21 14:12 ShreyasZare

Awesome :)

For reference, I think a checkbox like "use this server", but "no value / no reply" would be the way to go. This way, you could still allow TXT and others, override A and completely blank out AAAA.

I also tried the DropRequests app, but I couldn't make it work with the following config:

{
  "enableBlocking": true,
  "blockedQuestions": [
    {
      "name": "example.com",
      "type": "AAAA"
    }
  ]
}

LordMike avatar Dec 15 '21 15:12 LordMike

Version 10 is now released that adds a new NO DATA app which can be used in conditional forwarder zones by creating APP record to return a NO DATA i.e. empty response for specified record types. Do update and let me know your feedback.

ShreyasZare avatar Nov 26 '22 10:11 ShreyasZare
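The following is a small Python model, added here and not code from Technitium DNS Server, of the three behaviours discussed in this thread: the conditional forwarder zone's per-record override that falls through to upstream for other types (the original report), the primary-zone alternative that also blocks subdomains (the maintainer's first reply), and an empty NOERROR answer for a chosen type, as the version 10 NO DATA app provides. The upstream answers and the NODATA marker are constructed assumptions for illustration.

```python
# Added example, not Technitium's code: models how a conditional forwarder
# zone (CFZ), a primary zone, and a CFZ with a NODATA marker answer queries.
# UPSTREAM is constructed sample data standing in for the forwarder's replies.
UPSTREAM = {
    ("example.com", "A"): ["93.184.216.34"],
    ("example.com", "AAAA"): ["2606:2800:220:1:248:1893:25c8:1946"],
    ("www.example.com", "A"): ["93.184.216.34"],
}

NODATA = object()  # marker: answer this type with an empty NOERROR response

def resolve(name, qtype, records, mode):
    """Return (rcode, answers) for one query against one zone configuration.

    records maps (name, type) -> list of values, or the NODATA marker.
    mode is "forwarder" (CFZ: local records win, everything else is forwarded)
    or "primary" (authoritative: only local records exist).
    """
    local = records.get((name, qtype))
    if local is NODATA:
        return "NOERROR", []            # empty answer section, not forwarded
    if local is not None:
        return "NOERROR", list(local)   # the locally defined override
    if mode == "primary":
        # Authoritative zone: known name but missing type is NODATA,
        # unknown name (including every subdomain) is NXDOMAIN.
        if any(n == name for n, _ in records):
            return "NOERROR", []
        return "NXDOMAIN", []
    # Conditional forwarder: anything not defined locally goes upstream.
    if any(n == name for n, _ in UPSTREAM):
        return "NOERROR", list(UPSTREAM.get((name, qtype), []))
    return "NXDOMAIN", []

OVERRIDE = {("example.com", "A"): ["127.0.0.1"]}  # the hijacked A record

def scenarios():
    """Query the three configurations from the thread for A, AAAA and www."""
    configs = [
        ("cfz", dict(OVERRIDE), "forwarder"),                 # original report
        ("primary", dict(OVERRIDE), "primary"),               # first suggestion
        ("cfz_nodata", {**OVERRIDE, ("example.com", "AAAA"): NODATA}, "forwarder"),
    ]
    queries = [("example.com", "A"), ("example.com", "AAAA"), ("www.example.com", "A")]
    return {label: {q: resolve(q[0], q[1], recs, mode) for q in queries}
            for label, recs, mode in configs}

if __name__ == "__main__":
    for label, results in scenarios().items():
        for (name, qtype), (rcode, answers) in results.items():
            print(f"{label:11} {name:16} {qtype:5} {rcode:8} {answers}")
```

The "cfz" row for AAAA reproduces the leaked upstream address from the report, "primary" shows www.example.com turning into NXDOMAIN, and "cfz_nodata" returns NOERROR with an empty answer while still forwarding the subdomain.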