How can I limit or disable query type?

Open garrriton opened this issue 4 years ago • 2 comments

Situation:

  • I want to configure doh-server to query only A records and block (ignore) other query types like AAAA.
  • The upstream DNS server has ad-blocking capability, and your server returns an AAAA record, rendering the ad block useless.

e.g.

advert.com A 0.0.0.0 (same answer from upstream)
advert.com AAAA 111.2222.333...4444


Please add a limit (block by query type) option or a select-upstream-by-query-type option to doh-server.conf.

  • limit (block by query type): limit_type =

    default: none. Values are uppercase and comma-separated. Sample value: limit_type = A,TXT will only allow A or TXT queries and return empty {} results if other types are asked.

  • select upstream by query type:

    upstream = [ "udp:1.1.1.1:53", "A@udp:1.0.0.1:53", "AAAA@udp:8.8.8.8:53" ]

garrriton avatar Jul 31 '21 09:07 garrriton
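The limit_type allowlist proposed above, as an added example in Go (the language doh-server is written in) that is not code from the dns-over-https project: it reads the QTYPE of a wire-format DNS query and decides whether that query would be forwarded upstream. The type-name table, the sample advert.com queries and the function names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Record-type names from the proposal, mapped to their wire-format QTYPE codes (constructed table).
var qtypeCodes = map[string]uint16{"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}

// Constructed sample queries (not captured traffic): "advert.com" with QTYPE AAAA (28) and A (1).
var SampleAAAAQuery = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06advert\x03com\x00\x00\x1c\x00\x01")
var SampleAQuery = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06advert\x03com\x00\x00\x01\x00\x01")

// ParseLimitType turns "A,TXT" into a set of QTYPE codes; an empty set means allow all (the default).
func ParseLimitType(s string) (map[uint16]bool, error) {
	allowed := map[uint16]bool{}
	for _, name := range strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' }) {
		code, ok := qtypeCodes[name]
		if !ok {
			return nil, fmt.Errorf("unknown record type %q", name)
		}
		allowed[code] = true
	}
	return allowed, nil
}

// QuestionType returns the QTYPE of the first question: 12-byte header, labels, zero byte, then QTYPE.
func QuestionType(msg []byte) (uint16, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return 0, fmt.Errorf("no question section")
	}
	i := 12
	for ; i < len(msg) && msg[i] != 0; i += 1 + int(msg[i]) {
		if msg[i]&0xC0 != 0 { // compression pointers are not valid in a query name
			return 0, fmt.Errorf("malformed name")
		}
	}
	if i+3 > len(msg) { // need the terminating zero byte plus two QTYPE bytes
		return 0, fmt.Errorf("truncated question")
	}
	return binary.BigEndian.Uint16(msg[i+1 : i+3]), nil
}

// Allowed reports whether the query may be forwarded upstream under the allowlist.
func Allowed(allowed map[uint16]bool, msg []byte) (bool, error) {
	qt, err := QuestionType(msg)
	return err == nil && (len(allowed) == 0 || allowed[qt]), err
}
```

A blocked query would then get the empty response the proposal describes rather than being forwarded; the maintainer's later point that such filtering is usually better done in a separate resolver still applies.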

If the 2nd option is selected, I could use upstream = [... "AAAA@udp:127.0.0.1:1234"] to block any AAAA requests (the request goes into an empty location).

Which code line should I modify to block AAAA now?

garrriton avatar Jul 31 '21 09:07 garrriton

I believe this is a problem with your upstream ad blocker. It should also replace the AAAA record with :: in addition to A. This problem would also affect users that do not use DoH, so why not report it to them?

But the simplest workaround for you is just to disable IPv6 on your computer, since banning AAAA records essentially equals disabling IPv6, because almost no software connects to a hard-coded IPv6 address.

m13253 avatar Jul 31 '21 11:07 m13253

> I want to configure doh-server to query only A records and block (ignore) other query types like AAAA.

What would be the behaviour when such records are received? Not found?

> I believe this is a problem with your upstream ad blocker. It should also replace the AAAA record with :: in addition to A. This problem would also affect users that do not use DoH, so why not report it to them?

@garrriton did you report this issue upstream?

> the simplest workaround for you is just to disable IPv6 on your computer, since banning AAAA records essentially equals disabling IPv6, because almost no software connects to a hard-coded IPv6 address.

There are some configurations where it would be beneficial, for example disabling IPv6 on a single interface, but I don't think that other software/libraries would play nicely.

gdm85 avatar Sep 03 '22 08:09 gdm85

I prefer to close this issue because DNS filtering is generally done by other software. I personally want to include only features that must be implemented at the DoH layer. (For example, ECS must be implemented at this layer to correctly track X-Forwarded-For headers.) As long as there is external software to perform a specific task, I would rather let it do the task.

m13253 avatar Sep 19 '22 00:09 m13253