bogus_nxdomain does not block responses when at least one IP address is not listed as bogus #2394
Comments
Moved it to v0.105.0 since the only thing that's required is updating
Merge in DNS/adguard-home from 2394-update-dnsproxy to master

Updates #2394.

Squashed commit of the following:

commit 57526d1
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Dec 16 14:43:29 2020 +0300

    all: document changes

commit acdfd6c
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Dec 16 14:28:23 2020 +0300

    all: update dnsproxy
Should be fixed as of snapshot fd7b061. Can you please check if our solution fixes the issue for you?
I tested it with the dnsproxy of the master branch, and without the bogus-nxdomain function, it returned full results (including the one with access problems). After that, all the results were gone. I'm not sure if this is what it should have been.
@ameshkov, I'm not quite sure what the verdict here should be. Should we recheck if
@ainar-g I already checked and this is exactly how it works in
@ameshkov, I meant that OP probably wanted AGH to only exclude the blocked IP, and not the whole response (@PussAzuki, can you confirm?). But if you think that what we do now is more correct, then I guess we can close the issue?
Yes, I think your idea is more suitable for the current environment; dnsmasq said that the function is to prevent DNS service providers from falsifying fake DNS responses, but this should no longer be the case, so I think this function should be changed to: if there is only one answer and it is on the list, discard the result, and if there are multiple answers and at least one is not on the list, keep the result that is not on the list. This can solve the problem of routing black holes only in specific areas.
@ainar-g I understand, but it does not change the point -- this feature should work exactly as it is implemented in dnsmasq. There're some "bogus IPs" lists compatible with dnsmasq, if we want to be fully compatible too, we should just repeat. Regarding the desired functionality, there are different feature requests (#2445) where this could be implemented.
I see, thanks. I guess I'll close this one then.
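The three behaviours discussed in this thread, side by side, as an added Go example that is not AdGuard Home or dnsproxy code: the one in the issue title (block only when every answer is listed), the one after the dnsproxy update that the maintainers describe as dnsmasq-compatible (any listed answer blocks the whole response), and the per-address filtering proposed in the comments. The names `Policy`, `Apply` and `listed` are hypothetical, and the addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
)

// Policy values are labels for this example only, not project identifiers.
type Policy int

const (
	AllBogus    Policy = iota // issue title: block only if every answer is listed
	AnyBogus                  // dnsmasq-compatible: one listed answer blocks the whole response
	FilterBogus               // proposal in the thread: drop listed answers, keep the rest
)

// Apply returns the answers to hand to the client and whether to reply NXDOMAIN.
func Apply(p Policy, answers []net.IP, bogus []*net.IPNet) ([]net.IP, bool) {
	var kept []net.IP
	for _, ip := range answers {
		if !listed(ip, bogus) {
			kept = append(kept, ip)
		}
	}
	switch {
	case len(kept) == len(answers): // nothing listed, pass through unchanged
		return answers, false
	case p == AllBogus && len(kept) > 0: // the listed address reaches the client
		return answers, false
	case p == FilterBogus && len(kept) > 0:
		return kept, false
	}
	return nil, true
}

func listed(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data: one listed and one unlisted address.
	_, bogusNet, _ := net.ParseCIDR("203.0.113.0/24")
	answers := []net.IP{net.ParseIP("198.51.100.7"), net.ParseIP("203.0.113.9")}
	for _, p := range []Policy{AllBogus, AnyBogus, FilterBogus} {
		fmt.Println(Apply(p, answers, []*net.IPNet{bogusNet}))
	}
}
```

For a response in which every answer is listed, all three policies give the same result: NXDOMAIN.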
Issue Details
It's easy to reproduce.
Expected Behavior
Only the IP that is not blocked in the above operation is returned.
Actual Behavior
As if the above blocking operation is invalid, it is possible to return an unblocked IP address and a blocked IP address.
Additional Information