ScriptTiger / scripttiger.github.io

GitHub Pages
https://scripttiger.github.io
MIT License

dnsmasq #2

Closed spirillen closed 5 years ago

spirillen commented 5 years ago

As I'm reading through the docs of dnsmasq for preparing the RPZ output, I can read in the man pages that the preferred way to do NXDOMAIN is the following format, to reach out for both IPv4 and IPv6:

address=/zarget.com/

Man page can be found here: http://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html (search for NXDOMAIN, 3rd hit) and you'll find this:

As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains. An address specified as '#' translates to the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so --address=/example.com/# will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for --address=/example.com/0.0.0.0 and --address=/example.com/:: but is also more efficient than including both as separate configuration lines.

ScriptTiger commented 5 years ago

--address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains.

So subdomains should be removed from this list, too? Have you tested this?

@dnmTX, have you tried this?

spirillen commented 5 years ago

Evening @ScriptTiger. No, I haven't tested it yet, only been reading the man page... and have seen one repo doing it this way...

dnmTX commented 5 years ago

@ScriptTiger give me some domain sample to test and a web page to check if that domain's subdomains are getting blocked this way, and I'll post the results.

P.S. Something legit that's not blocked by some lists, just for the test.

ScriptTiger commented 5 years ago

Try this one:

address=/telemetry.microsoft.com/

And then try nslookup on your dnsmasq for these domains:

telecommand.telemetry.microsoft.com
watson.telemetry.microsoft.com
sqm.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
wes.df.telemetry.microsoft.com

dnmTX commented 5 years ago

@ScriptTiger again, give me something legit (not blocked), cause that same domain is blocked in probably 2 or 3 lists that I'm using. Let's make it easy, just for the test.. Again, legit domain and subdomains that you know of.....

spirillen commented 5 years ago

@dnmTX Try this one

address=/example.com/

then try to visit http://www.example.com/

ScriptTiger commented 5 years ago

Something legit and not blocked? If that's the case, just try google.com: www.google.com, mail.google.com, docs.google.com, etc., etc.

dnmTX commented 5 years ago

OK...posting results:

address=/google.com/

[screenshot: google]

address=/google.com/#

[screenshot: google1]

IN CONCLUSION: @ScriptTiger I guess you were right but still....making it this way, to block the main domain which automatically will block all of its subdomains, is very very risky. google.com is just one of many examples I can give you; another thing is you need to modify entire lists because of it, line by line, not sure that making some script to do it will really achieve the desired results.
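To make the man-page semantics quoted above and the list-cleanup problem concrete, here is a small added model (not code from this repo or from dnsmasq) of how dnsmasq matches address= rules: the longest matching suffix wins, a bare `address=/d/` answers NXDOMAIN for d and every subdomain, and `address=/d/#` answers 0.0.0.0 or ::. The config text is constructed for the example; the literal-IP form is passed through without modelling address-family handling.

```python
import re

# Constructed sample config for this example, not one of the issue's real lists.
SAMPLE_CONF = """
# plain form: NXDOMAIN for the domain and all subdomains
address=/example.com/
address=/mail.example.com/
# null-address form: 0.0.0.0 / :: for the domain and all subdomains
address=/telemetry.microsoft.com/#
address=/watson.telemetry.microsoft.com/
address=/ads.example.net/0.0.0.0
server=/example.org/   # not an address= line, ignored by this parser
"""

ADDRESS_RE = re.compile(r"^(?:--)?address=/([^/]+)/(.*)$")


def parse_address_lines(text):
    """Return {domain: target}: None = NXDOMAIN form, '#' = null-address form,
    anything else = literal address kept as written."""
    rules = {}
    for line in text.splitlines():
        m = ADDRESS_RE.match(line.strip())
        if m:
            domain, target = m.group(1).lower().strip("."), m.group(2).strip()
            rules[domain] = None if target == "" else target
    return rules


def matching_rule(rules, name):
    """Longest-suffix match: a rule for d applies to d itself and to every subdomain of d."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return None


def predict(rules, name, qtype="A"):
    """Predict dnsmasq's answer: 'FORWARD' (no rule, goes upstream), 'NXDOMAIN', or an address."""
    domain = matching_rule(rules, name)
    if domain is None:
        return "FORWARD"
    target = rules[domain]
    if target is None:
        return "NXDOMAIN"
    if target == "#":
        return "0.0.0.0" if qtype == "A" else "::"
    return target


def redundant_entries(rules):
    """Plain NXDOMAIN rules already covered by a parent NXDOMAIN rule (the line-by-line
    cleanup a converted list needs): returns sorted (child, parent) pairs."""
    out = []
    for d in rules:
        parent = matching_rule({p: t for p, t in rules.items() if p != d}, d)
        if parent is not None and rules[parent] is None and rules[d] is None:
            out.append((d, parent))
    return sorted(out)
```

Running `predict` over the names from a real list before loading it into dnsmasq shows exactly which parent domains would take their subdomains down with them.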

dnmTX commented 5 years ago

....let's say you want to block adservice.google.com and of course you'll do address=/google.com/ for dnsmasq.....do I need to continue...? 😉

spirillen commented 5 years ago

Hey @dnmTX thx for the test results, could we ask you to do the same test but where you replace

address=/google.com/
address=/google.com/#

with

server=/google.com/

The reason is I'm confused about the result vs. the man page declaring this and all subdomains should return NXDOMAIN, but in your test you did not get a NXDOMAIN for google.com.

PS: You're right you can't subtract all domains to the second level domain, but I consider it a work in progress :smiley:

dnmTX commented 5 years ago

server=/google.com/ (results are identical with address=/google.com/)

[screenshot: google2]

server=/google.com/# (such an option is not implemented, it looks like, as google remains unblocked)

[screenshot: google3]

dnmTX commented 5 years ago

The reason is I'm confused about the result vs. the man page declaring this and all subdomains should return NXDOMAIN, but in your test you did not get a NXDOMAIN for google.com.

Of course, google.com is not a subdomain; on the other hand mail.google.com, docs.google.com are. So the manual is right on point here.

spirillen commented 5 years ago

From what I understand in this quote:

--address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains

Then all nslookup of google.com + all kind of sub-domains should return NXDOMAIN... including google.com

.... or is it my English that sucks that much?

dnmTX commented 5 years ago

[screenshot: google]

It looks to me as if it's just different wording for NXDOMAIN, the end result is all of them are blocked, so does it really matter how it's described?

spirillen commented 5 years ago

@dnmTX I don't know in practice...
But NXDOMAIN is non-existent domain, and with the new network hacks that e.g. Google and other ads suckers start to put into their malicious software for switching the DNS lookup to something other than what you have set up if the lookup returned a [127.0.0.1|0.0.0.0], but not for NXDOMAIN, I can currently, of course, only be thinking this could become an issue. This would, and still will, require that users start to understand how to switch out their ISP routers with hard-coded DNS servers for private routers in which they can reroute all DNS traffic like :53, :443 and :853 to their own DNS setup.

In this case the concept of "using my stationary as ads blocker" dies and the requirement for at least one other computer installation becomes necessary, with a mix of DNS, proxy and HTTP(S) server, to regain full control of their privacy and network.

This, as I see it, also requires that browser developers stop hard-coding the HTTPS protocol to certain sites, leaving users the true full control.

Just my thought on this.....

ScriptTiger commented 5 years ago

Thanks, guys, for the help on this. I will be going out of town for a few days, but when I return I'll review this along with some of my other formats and do some personal testing myself and maybe make some changes then accordingly.