
Prevent HTTPS queries responding IPv6 addresses #6122

Closed
4 tasks done
starryloki opened this issue Aug 20, 2023 · 5 comments

Comments

starryloki commented Aug 20, 2023

Prerequisites

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.107.36

Action

Example:

nslookup -debug -type=type65 'cdn.v2ex.com' '$YOUR_AGH_ADDRESS'

I have turned on "Disable resolving of IPv6 addresses".

Expected result

HTTPS: 1 . alpn="h3,h2" ipv4hint="104.20.9.218,104.20.10.218,172.67.3.188"

Actual result

In AdGuard Home, I checked the DNS resolution records and found that the corresponding response is as follows:
HTTPS: 1 . alpn="h3,h2" ipv4hint="104.20.9.218,104.20.10.218,172.67.3.188" ipv6hint="2606:4700:10::6814:9da,2606:4700:10::6814:ada,2606:4700:10::ac43:3bc"

Just as described in "Disable resolving of IPv6 addresses", enabling it should result in blocking all IPv6 addresses, but it seems that only AAAA records are being blocked and not the IPv6 addresses within HTTPS records.
It appears that using HTTPS records allows for bypassing the restrictions on IPv6 resolution.

Additional information and/or screenshots

No response
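Added illustration, not AdGuard Home's own code: a minimal parser for the HTTPS/SVCB RDATA wire format (RFC 9460) that removes only the ipv6hint SvcParam, which is the extra step a resolver has to take beyond dropping AAAA answers if it promises to return no IPv6 addresses. The sample bytes are constructed from the record quoted in this issue; all function names are my own.

```python
import ipaddress
import struct

# SvcParamKey numbers from RFC 9460; ipv6hint (6) is the one that carries IPv6 addresses
ALPN, IPV4HINT, IPV6HINT = 1, 4, 6

def skip_name(data, off):
    """Return the offset just past an uncompressed wire-format name (root '.' is one zero byte)."""
    while data[off] != 0:
        off += 1 + data[off]
    return off + 1

def svcparam(key, value):
    """Wire encoding of one SvcParam: key (u16), value length (u16), value."""
    return struct.pack("!HH", key, len(value)) + value

def parse_svcparams(rdata):
    """Yield (key, value) for every SvcParam in an HTTPS/SVCB RDATA."""
    off = skip_name(rdata, 2)  # SvcParams follow SvcPriority (2 bytes) and TargetName
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        yield key, rdata[off + 4:off + 4 + length]
        off += 4 + length

def strip_ipv6hint(rdata):
    """Rewrite the RDATA without its ipv6hint, leaving priority, target and other params intact."""
    head = rdata[:skip_name(rdata, 2)]
    return head + b"".join(svcparam(k, v) for k, v in parse_svcparams(rdata) if k != IPV6HINT)

def hint_addresses(rdata, key):
    """Decode the addresses in an ipv4hint (4-byte) or ipv6hint (16-byte) SvcParam."""
    size = 4 if key == IPV4HINT else 16
    raw = b"".join(v for k, v in parse_svcparams(rdata) if k == key)
    return [str(ipaddress.ip_address(raw[i:i + size])) for i in range(0, len(raw), size)]

def packed(addrs):
    return b"".join(ipaddress.ip_address(a).packed for a in addrs)

# Constructed sample: the record from the issue, HTTPS 1 . alpn="h3,h2" ipv4hint=... ipv6hint=...
SAMPLE = (struct.pack("!H", 1) + b"\x00"      # SvcPriority 1, TargetName "." (the root)
          + svcparam(ALPN, b"\x02h3\x02h2")   # alpn values are length-prefixed strings
          + svcparam(IPV4HINT, packed(["104.20.9.218", "104.20.10.218", "172.67.3.188"]))
          + svcparam(IPV6HINT, packed(["2606:4700:10::6814:9da", "2606:4700:10::6814:ada",
                                       "2606:4700:10::ac43:3bc"])))
FILTERED = strip_ipv6hint(SAMPLE)  # what a resolver honouring "no IPv6" should hand back
```

A filtering resolver applies the same rewrite to every HTTPS or SVCB answer it forwards, since the client reads the hints directly and never sends a separate AAAA query that could be dropped.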

@starryloki changed the title from "Prevent HTTPS queries respondingIPv6 addresses" to "Prevent HTTPS queries responding IPv6 addresses" Aug 20, 2023

duckxx commented Aug 20, 2023

But the note there says: "Drop all DNS queries for IPv6 addresses (AAAA)."
It disables direct resolution of AAAA records; it does not cover the AAAA (IPv6 addresses) inside HTTPS records.

starryloki (Author) commented

> But the note there says: "Drop all DNS queries for IPv6 addresses (AAAA)."
> It disables direct resolution of AAAA records, not HTTPS records.

I know that the comments have already provided an explanation. However, disabling AAAA records is a means to prevent IPv6 resolution. It is clear that with the widespread use of HTTPS records, this method is no longer effective in blocking IPv6 resolution. Therefore, it is necessary to update this option or similar filtering rules to address it.

fernvenue (Contributor) commented

Totally agree with @starryloki, just disabling AAAA records seems not enough.

@ainar-g ainar-g added this to the v0.107.37 milestone Aug 21, 2023
Mizzick (Contributor) commented Aug 23, 2023

Please have a look, we have implemented the requested changes.
The new build version v0.108.0-a.657+cb6d4620 has just been published to the edge channel.

starryloki (Author) commented

> Please have a look, we have implemented the requested changes.
> The new build version v0.108.0-a.657+cb6d4620 has just been published to the edge channel.

I have tested it on Linux amd64, and the new features are working fine!

@ainar-g ainar-g modified the milestones: v0.107.38, v0.107.37 Sep 7, 2023