AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Option to mark blocklists as "Trusted/not trusted" #2382

Open emlimap opened 3 years ago

emlimap commented 3 years ago

As requested, splitting this feature request out on its own: https://github.com/AdguardTeam/AdGuardHome/issues/2102#issuecomment-732330183

Problem

With the addition of DNS rewrite syntax in the upcoming version, it allows syncing rewrites across multiple AGH instances with ease by hosting the list on a web server.

This also opens up the possibility of abuse by a malicious actor from one of the lists used by users, by redirecting domains to phishing servers using DNS rewrite rules.

Solution

During the process of adding a block list, a checkbox could be provided that lets the user choose whether to import any DNS rewrites from the list or not. This way the user could let AGH continue importing rewrites from the lists they maintain or trust.

We could also leave the import checkbox unticked by default for additional security. Also, a brief explanation underneath would help as well. Something along the lines of: "DNS Rewrite allows overriding DNS records with list-specified entries. Only enable this for blocklists where you trust the maintainers."

ameshkov commented 3 years ago

Let's extend this feature request and introduce a "Trusted" flag to filter lists.

Here are the limitations that are applied to non-trusted lists:

  1. IP addresses in hosts-based blocklists are replaced with a null IP (0.0.0.0 or ::)
  2. $dnsrewrite rules are discarded

What else could it be?

emlimap commented 3 years ago

If we are going to rewrite all IP addresses with a null IP in hosts files, how does it work with some lists that have localhost entries, like Dan Pollock's one for example? Will they get rewritten as well?

127.0.0.1   localhost
127.0.0.1   localhost.localdomain
255.255.255.255 broadcasthost
::1     localhost
127.0.0.1   local
::1     ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
ff02::3     ip6-allhosts

https://www.someonewhocares.org/hosts/

ameshkov commented 3 years ago

> that have localhost entries

I guess localhost entries can be ignored.
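
The two limits proposed above for non-trusted lists, together with skipping localhost entries, as an added Go example (not AdGuard Home's code and not written by anyone in this thread). `SanitizeUntrusted`, `hasDNSRewrite` and `localNames` are hypothetical names; reading "ignored" as "dropped" and taking the local names from the hosts sample quoted above are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Assumption: "localhost entries" are the system names in the sample quoted above.
var localNames = map[string]bool{"localhost": true, "localhost.localdomain": true,
	"local": true, "broadcasthost": true, "ip6-localhost": true, "ip6-loopback": true,
	"ip6-localnet": true, "ip6-mcastprefix": true, "ip6-allnodes": true,
	"ip6-allrouters": true, "ip6-allhosts": true}

// hasDNSRewrite reports whether "dnsrewrite" appears as a rule modifier.
func hasDNSRewrite(rule string) bool {
	mods := strings.NewReplacer("$", ",", "=", ",").Replace(rule)
	return strings.Contains(","+mods+",", ",dnsrewrite,")
}

// SanitizeUntrusted applies both proposed limits to the lines of one list.
func SanitizeUntrusted(lines []string) []string {
	var out []string
	for _, raw := range lines {
		line, _, _ := strings.Cut(raw, "#") // drop hosts-style comments
		f := strings.Fields(line)
		if len(f) == 0 || hasDNSRewrite(line) {
			continue // blank, comment, or a discarded $dnsrewrite rule
		}
		ip, null := net.ParseIP(f[0]), "::"
		if ip == nil {
			out = append(out, strings.Join(f, " ")) // adblock-style rule: keep
			continue
		}
		if ip.To4() != nil {
			null = "0.0.0.0"
		}
		for _, h := range f[1:] {
			if !localNames[strings.ToLower(h)] {
				out = append(out, null+" "+h) // keep the name, drop the list's IP
			}
		}
	}
	return out
}

func main() { // constructed sample input, not taken from any real list
	fmt.Println(SanitizeUntrusted([]string{"127.0.0.1 localhost", "203.0.113.7 bank.example",
		"||shop.example^$dnsrewrite=203.0.113.7", "||ads.example^"}))
}
```

The modifier check is deliberately fail-closed: a rule that merely carries `dnsrewrite` as a modifier value is also discarded, which costs a blocking rule at worst and never lets a rewrite through.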

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

emlimap commented 3 years ago

Bumping this issue so the stale bot won't close it for inactivity.