0xERR0R / blocky

Fast and lightweight DNS proxy as ad-blocker for local network with many features
https://0xERR0R.github.io/blocky/
Apache License 2.0
4.69k stars 208 forks

Per domain ipv6 response stripping #754

Open kbrierly opened 1 year ago

kbrierly commented 1 year ago

I've recently started using blocky and it's been great so far. So far I've used Custom records to implement lancache redirects.

However, I cannot see a way to strip IPv6 for only certain domains, just for all domains.

This is a problem for me as I use He.net tunnelbroker for IPv6 and several online services consider tunnelbroker a proxy. The solution in dnsmasq and unbound is to create entries to block just the IPv6 lookups for a set of domains.

Would it be possible to add per domain stripping functionality to blocky?

Background Info: https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6

0xERR0R commented 1 year ago

So you want that AAAA queries for certain domains (not all domains) return empty answer and not 0.0.0.0 (as typical ad blocking use case), right?

kbrierly commented 1 year ago

Yes, just certain domains. The A record shouldn't be touched, but the AAAA should return ::. Completely stripping the AAAA may work as well, but all the solutions I've seen return ::.

dnsmasq:

server=/netflix.com/
address=/netflix.com/::

unbound:

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

NOTE: I've currently got it working by using conditional forwarding of the netflix domains to a dnsmasq server with the domain rules in place. It would be great to have it built-in as multiple chained servers introduce delays and complexity.

With filtering:

# host netflix.com
netflix.com has address 3.225.92.8
netflix.com has address 54.160.93.182
netflix.com has address 3.211.157.115
netflix.com has IPv6 address ::

Without filtering:

# host netflix.com 8.8.8.8
netflix.com has address 3.211.157.115
netflix.com has address 54.160.93.182
netflix.com has address 3.225.92.8
netflix.com has IPv6 address 2600:1f18:631e:2f85:93a9:f7b0:d18:89a7
netflix.com has IPv6 address 2600:1f18:631e:2f84:4f7a:4092:e2e9:c617
netflix.com has IPv6 address 2600:1f18:631e:2f83:49ee:beaa:2dfd:ae8f

Thanks!

0xERR0R commented 1 year ago

With your example customDNS configuration, you'll get zero IP as AAAA response and not an empty result. It is nice if it works, but it is technically not the same result.

We do already have "filtering" in blocky, which returns empty result for certain query types. I think, we can extend this functionality and allow filtering on other conditions.
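To make the distinction in the comment above concrete (an empty AAAA answer, i.e. NOERROR with no records, versus a single :: record as the dnsmasq/customDNS approach returns), here is a small Go model of a per-domain AAAA filter. This is an added example, not blocky's code: the RR type, the AAAAFilter and its FilterMode are constructed for this illustration (blocky itself builds on github.com/miekg/dns types), and the upstream answers in main are taken from the host output posted earlier in the thread. A queries and names outside the configured list pass through untouched, and matching is done label-wise so a lookalike such as notnetflix.com is not caught by a rule for netflix.com.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// RR is a minimal DNS resource record: owner name, record type and textual RDATA.
// Constructed for this example; not blocky's own type.
type RR struct {
	Name string
	Type string // "A", "AAAA", "CNAME", ...
	Data string
}

// FilterMode selects what a matching AAAA query gets back.
type FilterMode int

const (
	// ModeEmpty drops the AAAA records entirely: NOERROR with an empty answer section (NODATA).
	ModeEmpty FilterMode = iota
	// ModeZero replaces them with one "::" record, as dnsmasq address=/domain/:: does.
	ModeZero
)

// AAAAFilter suppresses AAAA answers for a configured set of domains and their subdomains.
type AAAAFilter struct {
	domains map[string]struct{}
}

// NewAAAAFilter builds a filter from a list of domain names (case- and trailing-dot-insensitive).
func NewAAAAFilter(domains ...string) *AAAAFilter {
	f := &AAAAFilter{domains: make(map[string]struct{})}
	for _, d := range domains {
		f.domains[normalize(d)] = struct{}{}
	}
	return f
}

// normalize lower-cases a name and strips the trailing dot so "Netflix.COM." equals "netflix.com".
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// Matches reports whether name is a configured domain or a subdomain of one.
// It walks the name one label at a time, so "notnetflix.com" never matches "netflix.com".
func (f *AAAAFilter) Matches(name string) bool {
	n := normalize(name)
	for {
		if _, ok := f.domains[n]; ok {
			return true
		}
		i := strings.IndexByte(n, '.')
		if i < 0 {
			return false
		}
		n = n[i+1:]
	}
}

// Apply returns the answer section a client should receive for (qname, qtype), given the
// upstream answer. Non-AAAA queries and non-matching names are returned unchanged.
func (f *AAAAFilter) Apply(qname, qtype string, upstream []RR, mode FilterMode) []RR {
	if qtype != "AAAA" || !f.Matches(qname) {
		return upstream
	}
	// Keep any non-AAAA records (e.g. a CNAME chain) so the answer stays consistent.
	out := make([]RR, 0, len(upstream)+1)
	for _, rr := range upstream {
		if rr.Type != "AAAA" {
			out = append(out, rr)
		}
	}
	if mode == ModeZero {
		out = append(out, RR{Name: qname, Type: "AAAA", Data: net.IPv6unspecified.String()})
	}
	return out
}

func main() {
	f := NewAAAAFilter("netflix.com")
	// Upstream AAAA answer as seen without filtering in the thread (constructed sample input).
	upstream := []RR{
		{"netflix.com", "AAAA", "2600:1f18:631e:2f85:93a9:f7b0:d18:89a7"},
		{"netflix.com", "AAAA", "2600:1f18:631e:2f84:4f7a:4092:e2e9:c617"},
		{"netflix.com", "AAAA", "2600:1f18:631e:2f83:49ee:beaa:2dfd:ae8f"},
	}
	for _, mode := range []FilterMode{ModeEmpty, ModeZero} {
		fmt.Printf("mode %d: %d AAAA record(s)\n", mode, len(f.Apply("netflix.com", "AAAA", upstream, mode)))
	}
}
```

Run with `go run .`: ModeEmpty yields no records (the client falls back to the A answer as if the name had no AAAA at all), ModeZero yields the single :: record that the host output in the thread shows.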

kbrierly commented 1 year ago

My configuration is currently replicating what I had in place before blocky with the unbound/dnsmasq solution. So I have the functionality I need for now however the configuration is indeed overly complex and relies on an undocumented feature I found by trial and error.

Ideally, updating filtering mode to work conditionally on domains or other conditions would allow implementation method 2 in the gist I linked in the original post, which accomplishes the same result. It would also likely be much simpler in the configuration file.

Thanks.

leipert commented 2 weeks ago

@0xERR0R Another use case for this:

Sometimes I am running into issues with https://rubygems.org and ipv6. It's really hard to force ipv4 for one domain on macOS / the ruby toolchain. Just resolving the AAAA to zero IP fixed it for all hosts in the network.

The way PiHole chose to implement it is the possibility to have a "query parameter" in the block rules:

rubygems.org;querytype=AAAA