[Dnsmasq-discuss] Noob question

Dominik DL6ER dl6er at dl6er.de
Tue Aug 31 09:49:28 UTC 2021 

Hey all,

[TL;DR: Check out the last paragraph]
d
Pi-hole, an free and open source ad-blocker, is based on dnsmasq. As
blocking is at our hearth, we've done studies on which blocking "modes"
would work the best in which situation. Our studies included serving
fixed addresses (to a self-hosted page offering information around why
this domain was blocked and how to permit it) as well as the zero
address, empty replies (both NODATA and NXDOMAIN), SERVFAIL, REFUSED
and even arbitrary combinations (like 0.0.0.0 for A and NODATA for AAAA
queries). All of this either immediately or artificially delayed.

Our tests included thousands of different devices, likely
representative for everything you can buy these days.

We found that not only almost every operating system (Linux, Windows,
MacOS, iOS, Android, various IoT OSes) behaved differently but their
behavior often depended on their version as well.

On Tue, 2021-08-31 at 01:00 +0300, rrandom via Dnsmasq-discuss wrote:
> Btw why dnsmasq redirects that connections but doesn't just drop
> them? Honestly, I don't know much about networking but simple
> dropping seems like easier for resources.

Dropping leads to retries as well as REFUSED and SERVFAIL on almost all
operating systems. The retries can happen anytime between immediately
(resulting in resource-intense infinite DNS query bouncing) to retries
after ten seconds of timeout. It has the negative effect that, if there
is a single element you want to be blocked on a domain, it can happen
that the entire content of the page is never rendered.

On Mon, 2021-08-30 at 14:07 +0200, Trey Sis wrote:
> Wouldn't it be better to return NXDOMAIN instead of all-zeros?
> Otherwise the application will try to connect to that address, which 
> might cause endless retries.

NXDOMAIN and NODATA was found to cause infinite loops on devices from
at least one widely used Chinese IoT manufacturer: Tuya. Tyua is
selling free-to-brand turnkey smart home solution branded for possibly
hundreds of different companies, also including some bigger well-known
name over here. There is likely a very large number (we're talking
about several millions of devices!) out there. They provide basically
everything where you out a "smart" in front. These devices simply don't
accept *any* reply that is not a valid A/AAAA record. Dropping,
refusing or similar can quickly escalate to billions of queries a day
(!) from each single device.

Our conclusion was that the all-zero address (0.0.0.0 and [::])
approach is the most effective one to block A and AAAA queries.
For all other query types we recommend NODATA (i.e., a NOERROR reply
with no answer records). Using this combination, we've not seen any
issues anywhere. Devices either recognize 0.0.0.0 as an address they
cannot connect to or us it to connect to themselves where there is
typically nothing served on port 443 (or wherever they are connecting
to).

Best,
Dominik

More information about the Dnsmasq-discuss mailing list