[Dnsmasq-discuss] [RFC PATCH] Add support for blocking A or AAAA queries per domain
Peter Tirsek
peter at tirsek.com
Fri Jan 20 04:34:04 UTC 2023
On Wed, 18 Jan 2023, Buck Horn wrote:
>> This patch extends the `--address` option to accept two new special
>> addresses, `!4` and `!6`, which will cause the server to block A or AAAA
>> queries for the specified domain(s), respectively.
> I may be a bit late, but somehow, naming the options '!4' and '!6' does not
> sit right with me.
You're not too late at all. Like I said, I'm not particularly happy
with parts of it as it is, so comments and suggestions are very
welcome.
> If I understand correctly, your patch is about blocking specific query types
> (namely A and AAAA), rather than blocking IPv4 or IPv6.
> I'd prefer to see that reflected in the option name.
Although I think it could be argued that IPv4 and A records are
intrinsically linked, as are IPv6 and AAAA records, your suggestion
makes a lot of sense. Does address=/netflix.com/!AAAA look better?
> Thinking along the lines of query type would also point at potential issues
> with reverse lookups (query type PTR), which -going by your motivation- could
> be required to be dealt with as well?
My requirement is only for forward lookups to prevent clients from
attempting IPv6 connections to specific domains. I have no need to
block reverse lookups, but if I did, I imagine I would simply configure
dnsmasq with address=/x.y.z.in-addr.arpa/ or address=/x.y.z.ip6.arpa/
to block the reverse lookups.
> For what it's worth, you may want to take a look at how Pi-hole (which is
> based on a specialised dnsmasq fork) is tackling filtering by query type -
> see https://docs.pi-hole.net/regex/pi-hole/#only-match-specific-query-types
That's interesting. Maybe Pi-hole is what I actually need to solve my
problem instead of dnsmasq. I'll have to look into that.
--
Peter Tirsek
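The reverse-lookup blocking Peter describes relies on documented dnsmasq behaviour: `address=/<domain>/` with no address makes dnsmasq answer NXDOMAIN for that domain and everything under it, so pointing it at an in-addr.arpa or ip6.arpa zone suppresses PTR queries for the matching range. The part that is easy to get wrong is deriving the zone name: IPv4 reverses whole octets, IPv6 reverses individual nibbles, and because dnsmasq matches `--address` domains on label boundaries a prefix such as a /23 or /45 has to be split into label-aligned sub-prefixes. The following script is an added example, not code from the thread or from dnsmasq; the function names and the sample prefixes (RFC 5737/3849 documentation ranges, constructed here) are the author's own.

```python
import ipaddress


def reverse_zones(cidr: str) -> list[str]:
    """Return the in-addr.arpa / ip6.arpa zone names that exactly cover a prefix.

    dnsmasq matches --address domains on label boundaries (one octet per label
    for IPv4, one nibble per label for IPv6), so a prefix that does not end on
    such a boundary is first split into the smallest set of aligned sub-prefixes.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    step = 8 if net.version == 4 else 4                 # bits per DNS label
    total_labels = 4 if net.version == 4 else 32        # address labels in a full PTR name
    aligned = -(-net.prefixlen // step) * step          # round prefix length up to a label boundary
    keep = aligned // step                              # address labels that encode the prefix

    zones = []
    for sub in net.subnets(new_prefix=aligned):
        # reverse_pointer yields the full PTR owner name, e.g.
        # "0.2.0.192.in-addr.arpa"; drop the host-part labels at the front.
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[total_labels - keep:]))
    return zones


def dnsmasq_block_ptr(cidrs: list[str]) -> str:
    """Emit dnsmasq.conf lines that return NXDOMAIN for all PTR names in the prefixes.

    An --address entry with no IP address is dnsmasq's documented way of
    answering NXDOMAIN locally; nothing under the listed zone is forwarded.
    """
    lines = [f"address=/{zone}/" for cidr in cidrs for zone in reverse_zones(cidr)]
    return "\n".join(lines) + "\n"


def ptr_blocked(ip: str, zones: list[str]) -> bool:
    """Check whether the PTR owner name for `ip` falls under one of `zones`,
    mirroring dnsmasq's suffix matching on label boundaries."""
    name = ipaddress.ip_address(ip).reverse_pointer
    return any(name == zone or name.endswith("." + zone) for zone in zones)


# Constructed sample input: documentation ranges, not real deployment data.
SAMPLE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/23", "2001:db8::/32"]

if __name__ == "__main__":
    print(dnsmasq_block_ptr(SAMPLE_PREFIXES), end="")
    zones = [z for p in SAMPLE_PREFIXES for z in reverse_zones(p)]
    for probe in ("198.51.101.7", "198.51.102.7", "2001:db8:1::1"):
        print(f"{probe:<16} PTR blocked: {ptr_blocked(probe, zones)}")
```

The /23 in the sample deliberately straddles an octet boundary and comes out as two `/24` zones; a single `address=/51.198.in-addr.arpa/` would instead block the whole /16, which is the kind of over-match this split avoids. Note that this only removes reverse lookups; forward A/AAAA behaviour per query type is exactly what the patch under discussion is about and is not changed by these lines.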