AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
25.43k stars, 1.83k forks

Option to drop responses without EDNS(0) #5680

Open wangziyao318 opened 1 year ago

wangziyao318 commented 1 year ago

Description

https://github.com/IrineSistiana/udpme

This is NOT my work.

I found it very useful in preventing DNS hijacking by using EDNS0, achieving the same effect as DoH/DoT/DoQ while preserving the low latency of UDP. Also, this project is written in Go and based on github.com/miekg/dns, making it easier to integrate.

fernvenue commented 1 year ago

Seems duplicate of https://github.com/AdguardTeam/AdGuardHome/issues/4965.

ainar-g commented 1 year ago

I'm not exactly sure what that is. AdGuard Home already has support for EDNS(0) Client Subnet, but this seems to be something else?

wangziyao318 commented 1 year ago

You mean this one in the web UI, or some extra configuration in AdGuardHome.yaml?

[Screenshot 2023-04-04 at 20:28:51]

fernvenue commented 1 year ago

Hi @ainar-g, it seems that it is based on EDNS(0), but it will drop all responses that don't have EDNS(0).

By the way, @wangziyao318 said that it's helpful in preventing DNS hijacking; is there any evidence of this?

wangziyao318 commented 1 year ago

Yes, I'm in China and I've tested it.

ainar-g commented 1 year ago

Ah, I see, thanks.

wangziyao318 commented 1 year ago

Seems that the Chinese operator's DNS hijack response doesn't contain the EDNS0 field.

  1. The DNS hijack response [Screenshot 2023-04-04 at 20:40:17]
  2. The correct response [Screenshot 2023-04-04 at 20:40:04]
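The filtering rule discussed in this thread (accept a UDP answer only if it carries an EDNS(0) OPT record, because the injected answers observed above lack one) as an added, stand-alone example. This is not code from udpme or AdGuard Home; it uses only the Go standard library and a minimal hand-written wire-format walker instead of github.com/miekg/dns, and the two sample packets (a plain A answer for example.com with and without an OPT record, pointing at the TEST-NET-1 address 192.0.2.1) are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const typeOPT = 41 // RR type of the EDNS(0) OPT pseudo-record (RFC 6891)

var errTruncated = errors.New("dns: message truncated")

// skipName returns the offset just past a (possibly compressed) domain name.
func skipName(msg []byte, off int) (int, error) {
	for {
		if off >= len(msg) {
			return 0, errTruncated
		}
		l := int(msg[off])
		switch {
		case l == 0: // root label terminates the name
			return off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer: two bytes, name ends here
			if off+1 >= len(msg) {
				return 0, errTruncated
			}
			return off + 2, nil
		case l&0xC0 != 0: // 0x40/0x80 label types are not used in plain DNS
			return 0, errors.New("dns: unsupported label type")
		default:
			off += 1 + l
		}
	}
}

// skipRR returns the TYPE of the record starting at off and the offset just past it.
func skipRR(msg []byte, off int) (uint16, int, error) {
	off, err := skipName(msg, off)
	if err != nil {
		return 0, 0, err
	}
	if off+10 > len(msg) { // TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
		return 0, 0, errTruncated
	}
	rrType := binary.BigEndian.Uint16(msg[off:])
	rdlen := int(binary.BigEndian.Uint16(msg[off+8:]))
	next := off + 10 + rdlen
	if next > len(msg) {
		return 0, 0, errTruncated
	}
	return rrType, next, nil
}

// HasOPT reports whether a wire-format DNS message carries an OPT record
// in its additional section, i.e. whether the sender spoke EDNS(0).
func HasOPT(msg []byte) (bool, error) {
	if len(msg) < 12 {
		return false, errTruncated
	}
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	an := int(binary.BigEndian.Uint16(msg[6:]))
	ns := int(binary.BigEndian.Uint16(msg[8:]))
	ar := int(binary.BigEndian.Uint16(msg[10:]))
	off := 12
	var err error
	for i := 0; i < qd; i++ { // question: QNAME, QTYPE, QCLASS
		if off, err = skipName(msg, off); err != nil {
			return false, err
		}
		off += 4
		if off > len(msg) {
			return false, errTruncated
		}
	}
	for i := 0; i < an+ns; i++ { // answer and authority sections
		if _, off, err = skipRR(msg, off); err != nil {
			return false, err
		}
	}
	for i := 0; i < ar; i++ { // additional section: look for OPT
		rrType, next, err := skipRR(msg, off)
		if err != nil {
			return false, err
		}
		if rrType == typeOPT {
			return true, nil
		}
		off = next
	}
	return false, nil
}

// ShouldDrop is the policy from the thread: our query carried an OPT record, so an
// EDNS-aware upstream must include one in its reply (RFC 6891 section 7); a reply
// without it, or one that does not parse, is treated as injected and discarded.
func ShouldDrop(resp []byte) bool {
	ok, err := HasOPT(resp)
	return err != nil || !ok
}

func u16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// sampleResponse builds a constructed reply to "example.com. IN A", optionally
// with an OPT record (UDP payload size 1232, no options), for the demonstration.
func sampleResponse(withOPT bool) []byte {
	var ar uint16
	if withOPT {
		ar = 1
	}
	msg := []byte{0x12, 0x34, 0x81, 0x80} // ID, flags QR|RD|RA, RCODE NOERROR
	for _, c := range []uint16{1, 1, 0, ar} { // QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
		msg = u16(msg, c)
	}
	msg = append(msg, 7)
	msg = append(msg, "example"...)
	msg = append(msg, 3)
	msg = append(msg, "com"...)
	msg = append(msg, 0)
	msg = u16(u16(msg, 1), 1)       // QTYPE A, QCLASS IN
	msg = append(msg, 0xC0, 0x0C)   // answer NAME: pointer to the question name
	msg = u16(u16(msg, 1), 1)       // TYPE A, CLASS IN
	msg = append(msg, 0, 0, 0, 60)  // TTL 60
	msg = u16(msg, 4)               // RDLENGTH
	msg = append(msg, 192, 0, 2, 1) // 192.0.2.1 (TEST-NET-1, constructed)
	if withOPT {
		msg = append(msg, 0)               // NAME: root
		msg = u16(u16(msg, typeOPT), 1232) // TYPE OPT, CLASS = UDP payload size
		msg = append(msg, 0, 0, 0, 0)      // extended RCODE, version 0, flags
		msg = u16(msg, 0)                  // RDLENGTH 0
	}
	return msg
}

func main() {
	fmt.Println("genuine EDNS response dropped:", ShouldDrop(sampleResponse(true)))
	fmt.Println("response without OPT dropped: ", ShouldDrop(sampleResponse(false)))
}
```

Two caveats a practitioner would want: the rule only works if the upstream really is EDNS-aware (RFC 6891 requires responders that support EDNS to echo an OPT record when the query had one, but a legacy resolver that ignores OPT would have all its answers dropped), and it is a heuristic against the specific injector observed in the thread, not a security boundary: a middlebox that starts adding an OPT record to its forged answers defeats it, which is why DoT/DoH/DoQ still provide a guarantee this check does not.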