Open tnyeanderson opened 7 months ago
@tnyeanderson, hello and thanks for the contribution. What exactly do you mean by "should be resolved locally"? As far as I can see, the introduced changes just add the ability to respond with the NXDOMAIN code for specific domain names. I'm assuming you're using AdGuard Home, which already provides such functionality with $dnsrewrite rules, e.g.:
||domain.local^$dnsrewrite=NXDOMAIN
If the purpose is to prevent non-local clients from resolving such domains, the $client modifier may also appear useful. For example:
||domain.local^$client=~127.0.0.0/8|~192.168.0.0/16,dnsrewrite=NXDOMAIN
will only allow resolving domain.local (and its subdomains) for clients with addresses within the 127.0.0.0/8 and 192.168.0.0/16 networks.
Hi Eugene, the more I think about this, I think the goal should be to mimic the behavior of --auth-zone in dnsmasq.
In other words, tell dnsproxy (and therefore adguardhome) that it should act as the authoritative nameserver for a particular domain/subdomain, so that DNS requests asking to resolve that domain (or its subdomains) will never be forwarded on to any other upstream nameserver. For answers known to adguardhome (through rewrites in the config file or $dnsrewrite hosts), it should return with AUTHORITY: 1 (the AA header from RFC1035). If adguardhome cannot resolve the name on its own, it should not recurse, and instead return NXDOMAIN.
Of course this PR doesn't exactly do this at the moment, but I think it's a reasonable part of the DNS spec to implement, and meets my need better than my current shoehorned implementation.
Before I switched to adguardhome, I was actually using dnsmasq and was using this auth-zone config for my homelab domain, so now I'm trying to get the same behavior here. At the moment, subdomains which I haven't explicitly set in rewrites get recursed and end up with a SERVFAIL response. I haven't nailed down why, but ideally I don't want them recursed (leaked) at all. If there's a way to do that currently, then I've missed it. I tried adding your configuration, but it doesn't seem to stop the SERVFAILs...
At the moment, it doesn't seem possible to specify that a domain (and its subdomains) should only ever be resolved locally.
There is private_networks which works in the opposite direction (ensures local IP reverse lookups are not recursed upstream). There is also local_domain_name which is unfortunately a DHCP setting and seems to have no effect on this behavior (at least if DHCP is disabled as it is in my setup).
This PR adds the ability to ensure that certain domains are treated as local-only and are never sent to any upstream servers for resolution. Essentially, it allows you to manage DNS for a local domain through AdGuardHome while ensuring that requests for non-existent subdomains aren't leaked to an upstream resolver.
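The local-only zone behaviour argued for in this thread (answer known names with the AA flag set, return an authoritative NXDOMAIN without recursing for unknown names inside the zone, and only forward queries that fall outside the zone), written out as a small decision function. This is an added example, not code from this PR, dnsproxy or AdGuard Home; the zone name, rewrite map and client networks are constructed, and the client-network check mirrors the $client idea from the maintainer's reply rather than any existing API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# AA (Authoritative Answer) bit of the DNS header flags word, RFC 1035 section 4.1.1.
AA_FLAG = 0x0400


@dataclass
class Decision:
    action: str                  # "answer", "nxdomain" or "forward"
    flags: int = 0               # header flags the resolver would set on its own response
    rdata: Optional[str] = None  # A record data when action == "answer"


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a subdomain of it.

    Matching is done on label boundaries so that "notdomain.local" does not
    accidentally fall inside the "domain.local" zone.
    """
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def resolve_local_zone(qname, zone, rewrites, client_ip, local_nets) -> Decision:
    """Decide how a query for qname is handled when `zone` is local-only."""
    # Names outside the authoritative zone are resolved upstream as usual.
    if not in_zone(qname, zone):
        return Decision("forward")
    # Clients outside the local networks never learn anything about the zone
    # (the effect of the $client=~...,dnsrewrite=NXDOMAIN rule quoted above).
    client = ipaddress.ip_address(client_ip)
    if not any(client in ipaddress.ip_network(net) for net in local_nets):
        return Decision("nxdomain", flags=AA_FLAG)
    # A known rewrite is answered authoritatively.
    rdata = rewrites.get(qname.rstrip(".").lower())
    if rdata is not None:
        return Decision("answer", flags=AA_FLAG, rdata=rdata)
    # Unknown name inside the zone: authoritative NXDOMAIN, never forwarded,
    # so nothing about the local namespace leaks to an upstream resolver.
    return Decision("nxdomain", flags=AA_FLAG)


# Constructed sample configuration for the demo (hypothetical, not from the PR).
ZONE = "domain.local"
REWRITES = {"domain.local": "192.168.1.1", "nas.domain.local": "192.168.1.20"}
LOCAL_NETS = ["127.0.0.0/8", "192.168.0.0/16"]
```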