TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

[Feature Request] Blocking of Multicast DNS (automatic) including external reverse addresses (inaddr.arpa/ipv6.arpa) #180

Closed. 69d closed this issue 3 years ago.

69d commented 3 years ago

First, thank you for making DNS a manageable thing for my small network.

I run a household with Chromecast and Wifi extenders (including CCTV). Multicast is somewhat extensive because Chromecast works like a wifi extender as well. These devices use and seek randomized names over DNS (for some reason). The difference is that the wifi extender defaults to looking under the ".local" domain, so I can just block that top-level domain. Chromecast, however, does not use a top-level domain and always assumes it runs locally. This creates what you see in my BlockedZones.txt (attached).

In addition to randomized names, their use of multicast dns seeks dns servers as well. So even if Technitium doesn't listen on port 5353 (for mDNS), it receives these multicast queries and I had to block entire subnets. I have used iptables at the router to block port 5353, but considering I'm using the DNS server for the network I can't block port 53 as well.

Please consider making this feature.

BlockedZones.txt

ShreyasZare commented 3 years ago

Thanks for the post.

The random names that you see are due to Google's DNS hijacking detection method, which is implemented in Chrome. It's the cause of around 50% of global traffic at the root servers. There is nothing that can be done about it.

Technitium DNS server does not receive mDNS requests; it's just that the OS is sending name resolution requests on multiple protocols. For example, if you are on Windows 10 and you enter the name of a device, the OS will query the name with DNS, NBNS, mDNS & LLMNR. So you will see that name everywhere.

69d commented 3 years ago

Thank you for the reply. That explains a lot. I have been wrapping my head searching for a solution. My only remaining issue with this is that it clogs the cache so much, and it's hard to tell which is a hijacking method and which is just a mere typo.

Can unresolved queries be put in a separate tab/cache? Or maybe not cached at all? I know ISPs do a lot of redirects/hijacking. That is my primary goal for putting up a DNS server.

ShreyasZare commented 3 years ago

It's the same problem with the DNS server, since it cannot identify which is a genuine domain name and which one is a random name to check for hijacking.

The DNS server also does negative caching, which means that it caches entries which it finds to not exist. This is the reason you get these names in the cache. Separating the cache will have the same problem of identifying if the domain name is genuine or made up.

So, you can just ignore these cache entries and move on, or there is another option which is a bit complex to set up and won't work with any forwarders that you may wish to use.

The option is to run your DNS server as the root server so that the server "knows" that some random domain does not exist.

To do this, you need to create a secondary zone for "." i.e. a root zone. To create it, just go to the Zones tab, click on Add Zone, enter "." as the zone name, select the Secondary Zone option and enter these IP addresses as primary name server addresses [199.9.14.201, 192.33.4.12, 199.7.91.13, 192.5.5.241, 192.112.36.4, 193.0.14.129]. These IP addresses belong to root servers that support zone transfer.

Once you create this secondary zone, the DNS server will do a zone transfer and all entries from the root servers will populate on your local DNS server. Now, your local DNS server knows all the top-level domains that exist and their name servers. Also, your local DNS server will automatically sync any changes in the root zone, so you don't need to worry about updates.

Note that this secondary zone will force the DNS server to do all recursive resolution and thus any forwarder that you configure will be ignored completely.

This is usually implemented by ISPs or a DNS provider with a large number of users so as to prevent frequent queries from going to the root server, but it also works for anyone.
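The reasoning in the comments above is that a resolver holding its own copy of the root zone can answer a random single-label name with NXDOMAIN on its own, while a name under a real TLD is handed to that TLD's name servers, and a forwarder never gets a say either way. The following Python is an added illustration of that decision, not code from Technitium DNS Server: the root zone fragment, the query log and the function names are all constructed for the example, and a real AXFR of the root zone would be far larger and would also carry the SOA needed to sign a negative answer.

```python
"""Why a locally held root zone answers random single-label names without
any upstream query. Constructed illustration; not the project's own code."""

# Constructed, deliberately incomplete fragment of a root zone in standard
# zone-file syntax. A real copy comes from an AXFR of the root servers.
ROOT_ZONE_TEXT = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024010100 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
org. 172800 IN NS a0.org.afilias-nst.info.
arpa. 172800 IN NS a.root-servers.net.
"""


def normalize(name: str) -> str:
    """Lower-case and ensure exactly one trailing dot ('' and '.' both mean root)."""
    name = name.strip().lower().rstrip(".")
    return name + "."


def parse_root_zone(text: str) -> dict:
    """Collect NS records as {owner -> set of name servers}.

    Only NS records drive the delegation decision below; SOA and other
    record types in the fragment are skipped.
    """
    delegations = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, rtype, rdata = parts[0], parts[3], parts[4]
        if rtype == "NS":
            delegations.setdefault(normalize(owner), set()).add(normalize(rdata))
    return delegations


def tld_of(name: str) -> str:
    """Top-level label of a normalized name, as a zone owner such as 'com.'."""
    labels = [label for label in name.split(".") if label]
    return normalize(labels[-1]) if labels else "."


def resolve_locally(qname: str, delegations: dict) -> tuple:
    """Decide what a server holding the root zone can do with a query.

    Returns (outcome, name_servers):
      'AUTH_ROOT' : the root apex itself, answered from the local zone
      'DELEGATE'  : the TLD exists; recursion continues at its name servers
      'NXDOMAIN'  : the TLD is not in the root zone; answered locally, so no
                    query ever leaves the server and no forwarder is consulted
    """
    name = normalize(qname)
    if name == ".":
        return ("AUTH_ROOT", sorted(delegations.get(".", ())))
    tld = tld_of(name)
    if tld in delegations:
        return ("DELEGATE", sorted(delegations[tld]))
    return ("NXDOMAIN", [])


def summarize(queries, delegations: dict) -> dict:
    """Count outcomes over a query log to see how much stays local."""
    counts = {"AUTH_ROOT": 0, "DELEGATE": 0, "NXDOMAIN": 0}
    for qname in queries:
        counts[resolve_locally(qname, delegations)[0]] += 1
    return counts


# Constructed query log: ordinary names, a reverse lookup under in-addr.arpa,
# and random single-label names of the kind described in the issue.
SAMPLE_QUERIES = [
    "example.com",
    "www.technitium.com",
    "ktpfdzqxw",
    "ymvxpuos",
    "qzlwmnbtr.",
    "chromecast.local",
    "1.0.168.192.in-addr.arpa",
    ".",
]

if __name__ == "__main__":
    zone = parse_root_zone(ROOT_ZONE_TEXT)
    for qname in SAMPLE_QUERIES:
        print(f"{qname:28} -> {resolve_locally(qname, zone)}")
    print(summarize(SAMPLE_QUERIES, zone))
```

Running it shows the three random labels and the `.local` name answered as NXDOMAIN from the local root data, the `in-addr.arpa` lookup and the two ordinary names referred to TLD name servers, and the root apex answered authoritatively. That split is the whole trade-off the comment describes: the cache no longer fills from upstream lookups of made-up names, but every other query is now resolved recursively from the TLD servers downward rather than through a forwarder.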