nextdns / metadata

This repository contains the data behind our Security, Privacy and Parental Control features.
https://nextdns.io

Allow By Default "*.nextdns.io" Or Other NextDNS Service Domains? #528

Closed quantumpacket closed 3 years ago

quantumpacket commented 3 years ago

I've blocked all TLDs by default, so I can then allow per TLD as needed. I was surprised to have been blocked from NextDNS' dashboard because .io was blocked. I would have assumed that NextDNS would by default allow all domains belonging to the service, to prevent such a thing from happening.

I'd like to suggest that any domains that belong to NextDNS and are required for some sort of functionality of the service should be allowed by default to prevent accidental breakage. At a minimum, at least add my.nextdns.io and api.nextdns.io.

Update:

Either have it listed already on the Allow list, which can be deleted or disabled if wanted. Or have some sort of setting option like "Always allow NextDNS hostnames" or something along those lines so people don't get locked out of the dashboard if the hostnames end up on a blocklist by accident.

ghost commented 3 years ago

I'm for your minimum: only allow my.nextdns.io and api.nextdns.io, to prevent the use of NextDNS to bypass NextDNS for those who want that when they lock nextdns.io.

quantumpacket commented 3 years ago

to prevent the use of NextDNS to bypass NextDNS for those who want that when they lock nextdns.io

Why would someone block nextdns.io? That would lock the admin out of the dashboard since they would no longer be able to access it, unless they manually added the DNS entry to, say, their hosts file to bypass the DNS block, which anyone would be able to do as well.

ghost commented 3 years ago

to prevent the use of NextDNS to bypass NextDNS for those who want that when they lock nextdns.io

Why would someone block nextdns.io? That would lock the admin out of the dashboard since they would no longer be able to access it, unless they manually added the DNS entry to, say, their hosts file to bypass the DNS block, which anyone would be able to do as well.

Actually, I do it, to prevent clients on my network from using their own NextDNS DoH on my network; I whitelist all domains for the dashboard but block everything else.

quantumpacket commented 3 years ago

So that's just blocking people from using the NextDNS dashboard.

DoH operates on TCP/443, so what stops someone from just adding their own DoH server to connect to? You say you block everything else; would that mean you are blocking all HTTPS connections?

What stops someone from using DoT over TCP/853?

You can easily block DoT at the firewall by blocking all outgoing connections to TCP/853, but for DoH you must specify each and every DoH server to block, or use a next-gen firewall.

crssi commented 3 years ago

It's the end user's choice to decide if NextDNS will be blocked out or not. It would be "politically" incorrect of NextDNS not to comply with a user's choice and make an exception that the user cannot override... it is like denying free speech.

Why do you rant? If it bothers you, then add nextdns on your whitelist.

ghost commented 3 years ago

So that's just blocking people from using the NextDNS dashboard.

DoH operates on TCP/443, so what stops someone from just adding their own DoH server to connect to? You say you block everything else; would that mean you are blocking all HTTPS connections?

What stops someone from using DoT over TCP/853?

You can easily block DoT at the firewall by blocking all outgoing connections to TCP/853, but for DoH you must specify each and every DoH server to block, or use a next-gen firewall.

No, because the URL rule is "id.dns.nextdns.io", so if I lock nextdns.io (and its subdomains) and only allow the dashboard, it will block any person who enters "anotherID.dns.nextdns.io" in their browser. After that you use your firewall to block ports 53 and 853 (and eventually the one of the new DNS over QUIC) and you have blocked the majority of DNS bypasses.

@crssi In my case I mostly ask that, when we block .io OR manually add nextdns.io, the user (who is admin) be asked if he wants to unlock the dashboard, just to be sure he doesn't lock himself out by error.

Edit: it's more like "Hey, with this configuration you will not have access to the dashboard. Is it what you want? YES/NO"

crssi commented 3 years ago

As said, if the user decides, then the user decides. And it will not block the user from accessing the dashboard from any other network where the particular DNS is not enforced.

Or you can simply add the NextDNS IP to the hosts file and also access it.

ghost commented 3 years ago

As said, if the user decides, then the user decides. And it will not block the user from accessing the dashboard from any other network where the particular DNS is not enforced.

I totally agree with you, but even I, who knows what I do by blocking domains and all subdomains, have already found myself blocked, so more average users would quickly lock themselves out by pure accident. Simply making a popup appear aimed at asking again if they are sure that this is what they want (as in Linux when asked to remove it all from the root) would do no harm to the freedom of choice, without forcing anything at all, since no rule would be added by default.

(S)he asks to enforce a default rule; I'm only asking for an alternative: to warn the user if he does a risky move, and ask again if he is sure to do that. It does not remove any freedom, it will just save people like me who sometimes move before thinking and poof, locked out.

crssi commented 3 years ago

Or you can simply add the NextDNS IP to the hosts file and also access it.

ghost commented 3 years ago

Or you can simply add the NextDNS IP to the hosts file and also access it.

True, but in my case my network and my clients don't use the same DNS so I don't have the problem, but I ask that for those who have a simple network, not for me ^^

quantumpacket commented 3 years ago

It's the end user's choice to decide if NextDNS will be blocked out or not. It would be "politically" incorrect of NextDNS not to comply with a user's choice and make an exception that the user cannot override... it is like denying free speech.

I'm not requesting they add something that cannot be overridden. Either have it listed already on the Allow list, which can be deleted or disabled if wanted. Or have some sort of setting option like "Always allow NextDNS hostnames" or something along those lines so people don't get locked out of the dashboard if the hostnames end up on a blocklist by accident.

Why do you rant? If it bothers you, then add nextdns on your whitelist.

I don't know why you're interpreting a valid issue as a rant. Yes, I whitelisted in the end.

crssi commented 3 years ago

It was late yesterday (actually the middle of the night). The statement that someone will lock him/her out seems/seemed an exaggeration to me.

But you are both right, and I am sorry for my responses. Please accept my apologies. For someone it could be like a "cold shower" realizing they are "locked out" (which would really not happen directly).

The "locking out" can happen through various "channels", not only from direct user action, but also over some subscribed Blocklist at any moment. Maybe the best way would be having an option (perhaps enabled by default) in the security or settings page saying something like: Always prevent denying access to the NextDNS dashboard over the Denylist or Blocklist. I am not "smart" with wordings, but something like that.

@quantumpacket I would suggest you report this as an idea at https://help.nextdns.io/category/ideas, since I have a feeling it will be heard sooner.

Cheers and sorry again :relieved:

ghost commented 3 years ago

@quantumpacket Cheers and sorry again 😌

No offense taken, everyone has their opinions; it's the beauty of the internet ;)

romaincointepas commented 3 years ago

People may want to block nextdns.io on their network.

FR46M3N7-P4R71CL3 commented 2 years ago

It has happened today:

https://github.com/EnergizedProtection/block/issues/973

correabuscar commented 2 years ago

Populating the Allowlist with nextdns.io (which implies all subdomains) upon new profile creation doesn't sound like a bad idea to me :)

jacklollz2 commented 1 year ago

Agree, this is a vulnerability. The allowlist must have a "subdomain" option, to either allow all subdomains or only allow the specific domain.

FR46M3N7-P4R71CL3 commented 1 year ago

Agree, this is a vulnerability. The allowlist must have a "subdomain" option, to either allow all subdomains or only allow the specific domain.

The allow list already works just like that. Need to block a subdomain? Just enter that subdomain instead. The parent domain won't be blocked.
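The lookup semantics this thread relies on (a rule on a domain also covers its subdomains, and a more specific entry overrides a less specific one) can be modelled to show why blocking the .io TLD locks the dashboard out until nextdns.io is allowlisted, and why a denylist entry for one subdomain does not block its parent. This is an added illustration, not NextDNS code; the `Policy`/`decide`/`lockout_risk` names and the tie-break rule are assumptions.

```python
# Added example (not NextDNS code): a model of allow/deny suffix matching.
# Assumption: the most specific (longest-suffix) matching rule wins, and an
# allow entry wins over a deny entry of exactly the same name.
from dataclasses import dataclass, field


@dataclass
class Policy:
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)


def _labels(name: str) -> list:
    """Normalise a hostname into its labels: 'My.NextDNS.io.' -> ['my', 'nextdns', 'io']."""
    return name.strip().lower().rstrip(".").split(".")


def decide(policy: Policy, qname: str) -> str:
    """Return 'allow', 'deny' or 'default' for a queried name.

    Walks from the full name up to the bare TLD, so the first rule hit is the
    most specific one: a deny on 'x.dns.nextdns.io' overrides an allow on
    'nextdns.io', which in turn overrides a deny on the whole 'io' TLD.
    """
    labels = _labels(qname)
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in policy.allow:       # allow wins a same-name tie (assumption)
            return "allow"
        if suffix in policy.deny:
            return "deny"
    return "default"


def lockout_risk(policy: Policy, required=("my.nextdns.io", "api.nextdns.io")):
    """The pre-flight check the issue asks for: dashboard hostnames this policy would block."""
    return [host for host in required if decide(policy, host) == "deny"]


if __name__ == "__main__":
    # Constructed scenario from the issue: every TLD blocked, .io included.
    p = Policy(deny={"io"})
    print("blocked dashboard hosts:", lockout_risk(p))   # both dashboard hosts
    p.allow.add("nextdns.io")                             # the suggested default allow
    print("after allowing nextdns.io:", lockout_risk(p))  # nothing blocked
```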