TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Question on config syntax for the DropRequests app. #995

Open the-moog opened 1 month ago

the-moog commented 1 month ago

Can you first confirm the purpose of this app is to keep silent and actively refuse to cooperate for certain questions? Only I found another question about NXDOMAIN responses and that is what I am trying to avoid.

The issue: a locked-down PC's VPN client and vast array of security and network add-ons is mis-configured such that it leaks DNS queries onto a local LAN and out to the ISP unless prevented. So much for locked down, eh? However I am sure Virgin Media don't care if they get to know the names of a certain multinational's engineering servers. For those that have one of those dodgy 'secure' VPN boxes at home, I'd be very worried indeed. Who knows what is being done with the data....

The owner of this PC (i.e. my employer) has an IT dept that is tricky to deal with, so far too often it is just easier to work round things. I had it set up that a simple resolver responded 0.0.0.0 to questions that otherwise would cause a race condition between the corporate internal DNS on the other end of the VPN and in another country, and my resolver which unless told otherwise just forwards to the ISP's DNS. Being Windows, once it gets a wrong answer it finds it hard to forget it.

But it seems a recent update has broken things again. Now even more misdirected requests leak onto my LAN and get the "dunno" response. Despite the PC being the only thing on that VLAN other than my firewall and the ISP's NTU. The main issue is that a considerable number of root domains exist on the internet, on the corporate network or in some circumstances, both! ... some with different answers. It is the subdomain that matters. (TBH it's a dog's dinner) - So fine-grained parsing is required.

I assumed the syntax used Regex?? I looked at the source, but I am not a C# programmer (used it once, hated it) so I have no idea what the capabilities are of the string processing methods. I put in a regex that would pick out the true internet domains and dump the rest (or block the rest??) (it says blocking not dropping in the config) and it seems to be sort of doing what I want, but with no indication I can find in logs what it is really doing. It is certainly blocking / dropping (which one?) but I get no clue as to what. Is there a way to put in a negative query, i.e. start with "drop queries about xyz.com", then add "except abc.xyz.com"?

btw: Perhaps it's my odd personality, but the disparity between the purpose of the app, its name and example is rather confusing and inconsistent and one of those things that I'd just have to change, given half a chance. Is this a terminology related thing? Surely blocking would involve a "go away" or 'not here' response rather than none at all - which is more like a DNS that does not exist? Are there other keywords, i.e. drop.... or something? I was just imagining a "road block", that is a definite message to a wannabe user that you can't enter, but if there is a road drop (i.e. complete removal of the road name/number/signage), then you have no information about the road at all.

I am rambling, sorry. Love the software by the way. I wish I'd found it a LONG time ago. I had it up and running in minutes. I was dreading messing with BIND again, as that can take hours to get right. This is so polished and has all the features at your fingertips. And the reporting, logging. (Except the drop addon?) Even multiple scope DHCP with built in DDNS updates. I was not even looking for that but it simplifies things a lot. Getting that working in BIND is probably how it got its name.

ShreyasZare commented 1 month ago

Thanks for the post and compliments. The Drop Requests app will simply cause the DNS server to not respond to the requests that match the ones in the config. Only the IP/network addresses listed under allowedNetworks array get to bypass this so as to allow only certain networks to be able to query for those domain names.

The IP/networks listed under blockedNetworks are blanket banned, causing all their requests to be dropped (i.e. no response at all).

The blockedQuestions array allows you to configure a domain name and/or query type that must be dropped. The domain name is matched exactly (no regex) and if blockZone is set to true then the domain name and all its subdomain names too are blocked.

So, the Drop Requests app will essentially cause the offending DNS client to time out on its request. If you need to respond to such queries with an NXDOMAIN response then there is another app for it called NX Domain. If you just wish to respond with the 0.0.0.0 IP address then you can just use the Blocked section on the DNS admin panel to add those domain names.
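To make the matching rules described in this answer concrete, here is an added Python model of the decision the Drop Requests app makes per query (this is illustrative code written for this thread, not the app's own C# implementation). The key names allowedNetworks, blockedNetworks, blockedQuestions and blockZone are the ones named above; the per-question "name" and "type" field names, the evaluation order (blockedNetworks checked before the allowedNetworks bypass) and the sample config values are this example's own assumptions. It also shows why the "drop xyz.com except abc.xyz.com" exception asked for earlier cannot be expressed: with blockZone set, every subdomain is dropped, and without it only the exact name is.

```python
import ipaddress

# Constructed sample config (RFC 5737 documentation ranges). Field names
# "name" and "type" inside blockedQuestions are assumed for this example.
SAMPLE_CONFIG = {
    "allowedNetworks": ["10.0.0.0/8"],          # may still query dropped names
    "blockedNetworks": ["192.0.2.0/24"],        # blanket drop, no response at all
    "blockedQuestions": [
        # exact name plus every subdomain, any query type
        {"name": "corp.example", "blockZone": True, "type": "ANY"},
        # exact name only, AAAA queries only
        {"name": "public.example", "blockZone": False, "type": "AAAA"},
    ],
}


def _normalize(name):
    """Compare names case-insensitively and ignore a trailing root dot."""
    return name.rstrip(".").lower()


def _ip_in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _question_matches(rule, qname, qtype):
    """Exact domain match (no regex); subdomains only when blockZone is true."""
    rule_type = rule.get("type", "ANY").upper()
    if rule_type != "ANY" and rule_type != qtype.upper():
        return False
    rule_name = _normalize(rule["name"])
    qname = _normalize(qname)
    if qname == rule_name:
        return True
    return bool(rule.get("blockZone", False)) and qname.endswith("." + rule_name)


def decide(config, client_ip, qname, qtype="A"):
    """Return 'drop' (client gets nothing and times out) or 'respond'."""
    # Assumed order: blanket-banned networks first, then the allow-list bypass,
    # then the per-question rules.
    if _ip_in_any(client_ip, config.get("blockedNetworks", [])):
        return "drop"
    if _ip_in_any(client_ip, config.get("allowedNetworks", [])):
        return "respond"
    for rule in config.get("blockedQuestions", []):
        if _question_matches(rule, qname, qtype):
            return "drop"
    return "respond"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "anything.example", "A"),       # blocked network
        ("10.1.2.3", "corp.example", "A"),             # allowed network bypass
        ("198.51.100.7", "corp.example", "A"),         # exact match
        ("198.51.100.7", "abc.corp.example", "TXT"),   # zone match, no exceptions
        ("198.51.100.7", "public.example", "AAAA"),    # exact + type match
        ("198.51.100.7", "public.example", "A"),       # type mismatch
        ("198.51.100.7", "www.public.example", "AAAA"),# blockZone false
    ]
    for ip, name, qtype in cases:
        print(f"{ip:14} {name:22} {qtype:5} -> {decide(SAMPLE_CONFIG, ip, name, qtype)}")
```

Note that a dropped query produces no log line in this model either, which mirrors the behaviour the original poster observed: the only externally visible symptom is the client's timeout.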

the-moog commented 1 month ago

Hi, thanks for the reply. Could this turn into a feature request for Regex (or similar, e.g. glob) support? I have another issue, not a bug but some advice. Sort of related, sort of not, so I will put it in another ticket.

ShreyasZare commented 1 month ago

> Could this turn into a feature request for Regex (or similar, e.g. glob) support?

Thanks for the suggestion. Please let me know your use-case for having regex support so that I can understand it better.