[Dnsmasq-discuss] RFC: dnsmasq blacklist/whitelist functionality
Jonathan McCrohan
jmccrohan at gmail.com
Thu Nov 29 01:13:56 GMT 2012
On 28/11/12 20:45, Simon Kelley wrote:
> On 24/11/12 14:04, Jonathan McCrohan wrote:
>> Is it possible to implement a blacklist or whitelist functionality which
>> could be used to stop or only allow certain types of DNS records to be
>> returned by dnsmasq to the client? A syntax such as the following is
>> what I had in mind:
>>
>> blacklist=/brokenipv6host.example.com/aaaa,mx
>> whitelist=/brokenipv6host.example.com/a,txt
>>
>
> I'm not clear exactly what these do. Return NODATA or NXDOMAIN replies
> for all queries in the domain for the specified types?
In the case of the blacklist entry above, dnsmasq continues to function
as normal for all brokenipv6host.example.com DNS queries except the
blacklisted type queries.
For queries that match the blacklist, AAAA and MX in the example above,
the idea would be to return a false DNS response, showing that no AAAA
or MX records exist. I don't think NODATA or NXDOMAIN would be the
appropriate responses here, I think NOERROR along with 0 resource
records would be better.
The whitelist concept is simply the inverse of the blacklist idea above,
basically, filter everything except the whitelist queries.
I am guessing that this idea will not work for DNSSEC domains, but
hopefully IPv6 will be widespread enough before DNSSEC becomes popular
that we won't have to block AAAA records anymore.
> There have certainly been requests in the past to suppress IPv6 DNS
> answers to fix hosts with broken IPv6 connectivity. It's not as simple
> as it appears to do.
I am not a DNS expert by any means, so there could be some obvious
blocker that I am missing. :-)
Jon
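The filtering behaviour sketched in the thread, as an added stand-alone example (not dnsmasq code and not from the list): a toy per-type DNS filter that parses the proposed "/domain/type,type" rule syntax, checks each incoming query against the blacklist or whitelist, and for a filtered (qname, qtype) pair synthesises a reply with RCODE NOERROR and zero answer records, echoing the question and the query ID. Queries that are not filtered return None, standing in for "forward upstream as normal". The sample queries are constructed inline; the rule that a /domain/ entry also covers its subdomains (as with dnsmasq's server=/domain/ syntax) is an assumption made here, and the parser deliberately handles only a single, uncompressed question section.

```python
"""Added example, not dnsmasq code: a toy DNS per-type filter in the spirit of
the blacklist/whitelist proposal. Rule syntax mirrors the proposed
'/domain/type,type' form; subdomain matching is an assumption."""
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}


def parse_rule(rule):
    """'/host.example.com/aaaa,mx' -> ('host.example.com', {28, 15})."""
    _, domain, types = rule.split("/")
    codes = {QTYPES[t.strip().upper()] for t in types.split(",") if t.strip()}
    return domain.lower().rstrip("."), codes


class TypeFilter:
    def __init__(self, blacklist=(), whitelist=()):
        self.black = [parse_rule(r) for r in blacklist]
        self.white = [parse_rule(r) for r in whitelist]

    @staticmethod
    def _in_domain(domain, qname):
        # Assumption: like dnsmasq's /domain/ in server=, a rule covers subdomains.
        return qname == domain or qname.endswith("." + domain)

    def blocked(self, qname, qtype):
        qname = qname.lower().rstrip(".")
        for domain, codes in self.black:      # blacklist: block only listed types
            if self._in_domain(domain, qname) and qtype in codes:
                return True
        for domain, codes in self.white:      # whitelist: block everything else
            if self._in_domain(domain, qname) and qtype not in codes:
                return True
        return False


def parse_message(pkt):
    """Parse the header and the single question section (no compression pointers)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = pkt[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": ident, "flags": flags, "rcode": flags & 0xF, "ancount": an,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
            "question": pkt[12:pos + 4]}


def build_query(ident, name, qtype):
    """Constructed sample query (RD set), used to exercise the filter offline."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"
    return (struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + wire
            + struct.pack("!HH", qtype, 1))


def empty_response(query):
    """NOERROR reply with zero answers: QR=1, RA=1, opcode/RD copied, question echoed."""
    q = parse_message(query)
    rflags = 0x8000 | (q["flags"] & 0x7900) | 0x0080
    return struct.pack("!6H", q["id"], rflags, 1, 0, 0, 0) + q["question"]


def handle(filt, query):
    """Return a synthesised reply if the query is filtered, else None (forward upstream)."""
    q = parse_message(query)
    if q["qclass"] == 1 and filt.blocked(q["qname"], q["qtype"]):
        return empty_response(query)
    return None


if __name__ == "__main__":
    f = TypeFilter(blacklist=["/brokenipv6host.example.com/aaaa,mx"])
    for qt in ("AAAA", "A"):
        r = handle(f, build_query(0x1234, "brokenipv6host.example.com", QTYPES[qt]))
        print(qt, "filtered" if r else "forwarded")
```

A reply with RCODE NOERROR and an empty answer section is what RFC 2308 calls a NODATA response, so the two descriptions in the thread amount to the same wire format. The DNSSEC limitation the message anticipates is real for this construction: a validating client expects an NSEC or NSEC3 proof of the type's absence alongside such a reply, and a synthesised empty answer carries none, so it would be treated as bogus.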