TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Feature Request: Conditional Forwarders And Using Proxy #741

Closed Kation closed 8 months ago

Kation commented 9 months ago
  1. If a domain is in a list, then use special forwarders configured by zone to resolve it.
  2. If a domain resolves to an IP in an IP address list, do a second DNS request using 1.
  3. If a domain resolves to an IP not in a configured location ('CN' etc.), do a second DNS request using 1.

These features are helpful for solving the DNS contamination problem.

ShreyasZare commented 9 months ago

Thanks for the post. You need to explain the request in more details so that I can understand it better.

  1. If a domain is in a list, then use special forwarders configured by zone to resolve it.

Which list is this? What are special forwarders?

  2. If a domain resolves to an IP in an IP address list, do a second DNS request using 1.

Which IP address list is this? Which is the second DNS server?

  3. If a domain resolves to an IP not in a configured location ('CN' etc.), do a second DNS request using 1.

How is the DNS server going to determine if an IP address belongs to CN, especially when IP-to-location databases are expensive and they are not 100% accurate? Not all websites resolve to an IP in CN, so how does this work out?

Kation commented 9 months ago

Which list is this? What are special forwarders?

A zone of type Conditional Forwarder Zone. But domain and forwarder only support one record each. Maybe it can set multiple domains and forwarders for one zone and I was missing that?

Which IP address list is this? Which is the second DNS server?

A new configurable global IP address list. Use the zone forwarder above to resolve DNS, or configurable forwarders and their proxy.

How is the DNS server going to determine if an IP address belongs to CN, especially when IP-to-location databases are expensive and they are not 100% accurate? Not all websites resolve to an IP in CN, so how does this work out?

It doesn't matter that IP geo databases are not 100% accurate. It's acceptable to request DNS twice.

For example:
A is a DNS server located in CN, and it is the default forwarder.
B is a DNS server located outside CN and it is blocked; it cannot be accessed without a proxy. Configure a proxy to B.
C is a domain list of domains that need to use B to resolve. D is an IP address list containing contaminated IP results.

Resolve www.baidu.com; it is not included in C. Use A to resolve it and get the result 14.119.104.254.
It belongs to CN, so return it directly to the client.

Resolve www.github.com; it is not included in C. Use A to resolve it and get the result 192.30.255.113.
It does not belong to CN, so use B to resolve it again.

Resolve www.youtube.com; it is not included in C. Use A to resolve it and get the result 192.18.25.132.
It is contained in D, so use B to resolve it again.

Resolve www.google.com; it is included in C. Use B to resolve it.
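The decision procedure described in the comment above, as an added example that is not part of the original thread, not the app Kation wrote, and not Technitium's own code: a stand-alone Python model of the three rules (list C, list D, and the location check) with the retry through B. The CN prefix table, lists C and D, and the answer sections returned by forwarders A and B are all constructed here; the suffix matching on list C goes slightly beyond the comment's exact-match list so that one entry covers a whole domain. Answer sections are modelled as (owner, type, rdata) tuples so the CNAME-chain case is visible.

```python
import ipaddress
from typing import Callable, Iterable

# Everything below is constructed sample data for this illustration, not from
# the project. A real deployment would load an IP-to-location database and
# send queries to real forwarders (B through its proxy) instead of these fakes.
CN_PREFIXES = [ipaddress.ip_network(p) for p in ("14.119.0.0/16", "220.181.0.0/16")]
DOMAINS_C = {"google.com"}                                  # list C: always use B
CONTAMINATED_D = {ipaddress.ip_address("192.18.25.132")}   # list D: poisoned answers

# An answer section is modelled as (owner, rtype, rdata) tuples, which is what
# a response's answer records boil down to; a Resolver maps a name to one.
Record = tuple[str, str, str]
Resolver = Callable[[str], list[Record]]

FAKE_A: dict[str, list[Record]] = {        # forwarder A, inside CN (constructed)
    "www.baidu.com": [("www.baidu.com", "CNAME", "www.a.shifen.com"),
                      ("www.a.shifen.com", "A", "14.119.104.254")],
    "www.github.com": [("www.github.com", "CNAME", "github.com"),
                       ("github.com", "A", "192.30.255.113")],
    "www.youtube.com": [("www.youtube.com", "A", "192.18.25.132")],
    "www.google.com": [("www.google.com", "A", "192.18.25.132")],
}
FAKE_B: dict[str, list[Record]] = {        # forwarder B, outside CN, via proxy (constructed)
    "www.github.com": [("www.github.com", "CNAME", "github.com"),
                       ("github.com", "A", "140.82.112.4")],
    "www.youtube.com": [("www.youtube.com", "A", "142.250.72.14")],
    "www.google.com": [("www.google.com", "A", "142.250.72.4")],
    "mail.google.com": [("mail.google.com", "A", "142.250.72.5")],
}


def resolver_a(name: str) -> list[Record]:
    return FAKE_A.get(name, [])


def resolver_b(name: str) -> list[Record]:
    return FAKE_B.get(name, [])


def addresses(answer: Iterable[Record]) -> list:
    """Pull the A/AAAA rdata out of an answer section. CNAME records are
    skipped, so a chain like www.baidu.com -> www.a.shifen.com -> A still
    yields the final address rather than nothing."""
    return [ipaddress.ip_address(rdata) for _, rtype, rdata in answer
            if rtype in ("A", "AAAA")]


def in_domain_list(name: str, domains: set[str]) -> bool:
    """Suffix match: an entry 'google.com' also covers mail.google.com."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def in_cn(ip) -> bool:
    """Location check against the (constructed) CN prefix table. An address the
    table does not know about counts as 'not CN', so a gap or error in the geo
    data only costs one extra query through B, never a wrong answer kept."""
    return any(ip in net for net in CN_PREFIXES)


def resolve(name: str, a: Resolver = resolver_a, b: Resolver = resolver_b) -> tuple[str, list[Record]]:
    """Return (which forwarder produced the final answer, its answer section)."""
    name = name.lower().rstrip(".")
    if in_domain_list(name, DOMAINS_C):          # rule 1: listed domain -> B directly
        return "B", b(name)
    answer = a(name)
    ips = addresses(answer)
    if not ips:                                  # no address records: nothing to vet
        return "A", answer
    if any(ip in CONTAMINATED_D for ip in ips):  # rule 2: known-poisoned result -> retry via B
        return "B", b(name)
    if not all(in_cn(ip) for ip in ips):         # rule 3: not (known to be) in CN -> retry via B
        return "B", b(name)
    return "A", answer


if __name__ == "__main__":
    for n in ("www.baidu.com", "www.github.com", "www.youtube.com", "www.google.com"):
        src, ans = resolve(n)
        print(f"{n:16} via {src}: {[str(ip) for ip in addresses(ans)]}")
```

Running the block walks the four cases from the comment: baidu stays with A, github and youtube are retried through B (location and list D respectively), and google goes to B without ever asking A. The order of the rules matters: the D check runs before the location check, so a poisoned answer that happens to fall inside a CN prefix is still retried.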

ShreyasZare commented 9 months ago

Thanks for the details. This feature request is a very specific use case for your scenario and not a generalized feature. This would require writing a completely independent DNS server to make it work, which is not feasible for the current project. There is also the cost of buying an IP location database, which is not addressed.

Kation commented 9 months ago

Maybe we can do these through an App?

There are some free IP location databases, and they can be subscribed to.

ShreyasZare commented 9 months ago

If it were a general feature which everyone could use, then it would have made sense to implement it. But it's a highly specific requirement for your own scenario which won't be useful for anyone else. It's also not a simple implementation and will take a lot of time, which is why it's not feasible.

Kation commented 9 months ago

@ShreyasZare I wrote an app but have some questions.

How can I get the IP address from IDnsServer.DirectQueryAsync(request)?

Code

ShreyasZare commented 9 months ago

@ShreyasZare I wrote an app but have some questions.

How can I get the IP address from IDnsServer.DirectQueryAsync(request)?

Code

The function returns a DnsDatagram object, which will have the IP address in the Answer property if it was received.

Also, you are using ECS in the code, which is not how it's going to work. You need to read RFC 7871 to understand ECS before you attempt to use it.

Kation commented 9 months ago

@ShreyasZare Thanks, I have finished this app. Going to test it for a few days.

Kation commented 9 months ago

@ShreyasZare How do I know whether a response answer was handled by a zone in IDnsPostProcessor?

ShreyasZare commented 9 months ago

@ShreyasZare How do I know whether a response answer was handled by a zone in IDnsPostProcessor?

Check the AuthoritativeAnswer property of the response. It's set to true when the answer is from a local zone. However, if the answer is a CNAME and the CNAME was expanded, then it will be false.

So, there is no reliable way to know that.