[Dnsmasq-discuss] State of blocking type=65 requests?
Simon Kelley
simon at thekelleys.org.uk
Tue Mar 7 21:50:54 UTC 2023
On 06/03/2023 22:36, Ed W wrote:
> Hi, can I get a leg up in understanding the options for blocking dns queries for a specific resource
> type, specifically type 65 queries
>
> I see there was a patch to implement a "filter-http" option here:
>
> https://github.com/rozahp/dnsmasq
>
> It possibly seems like there is a filter-aaaa implemented in dnsmasq already, so I wonder if there
> is appetite for the filter-http to also be accepted?
It's well known that the only sensible numbers of entities in computer
software are zero, one and many.
We've already got filter-a and filter-aaaa so that rule is broken, but I
don't feel like breaking it further. At this point we should just go to
filter-rrtype=<type>, in your case filter-rrtype=65.
>
>
> My motivation for needing this is that we operate a firewalling system for a very bandwidth
> constrained system (even DNS is extremely expensive) and we operate a 'blocked unless whitelisted'
> firewalling system. The type 65 queries are currently inhibiting some of the whitelisting
> capability. Whilst we can potentially improve things, the short term solution would be to block type 65
>
> I see that there is an option in pi-hole, but I'm looking for an option within dnsmasq, ideally
> without maintaining my own out of tree patch
>
>
Just to make clear, as I know you count every byte of traffic,
these filters are on _answers_ not on queries. The query for A or AAAA
(or in future an arbitrary type) still gets sent upstream and when the
answer comes back, the RRs are stripped out of the answer. It has to be
that way because there may not be a positive answer from
upstream, and in that case we need to know if it's a NODATA answer (the
RRtype we queried doesn't exist) or an NXDOMAIN answer (the domain we
queried doesn't exist).
> Have I missed a solution that is possible within vanilla dnsmasq?
Not possible, unless I've missed something.
>
> Has the idea to implement a filter-http option been rejected already? (I'm happy to send a patch if
> not?)
>
Send away for an implementation of filter-rrtype.
Cheers,
Simon.
>
> Thanks
>
> Ed W
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
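The mechanism Simon describes above, the query still going upstream and the filter acting on the answer that comes back so that NODATA and NXDOMAIN stay distinguishable, as a worked example added here. This is illustrative Python, not dnsmasq's code: it builds constructed wire-format responses (no name compression, hypothetical names such as example.com) and strips answer-section RRs of one type while leaving the RCODE and the other sections untouched.

```python
import struct

# RR type numbers and RCODEs used below (standard IANA values).
TYPE_A, TYPE_CNAME, TYPE_HTTPS = 1, 5, 65
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Wire-format a domain name as uncompressed labels."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at `off`.
    Handles compression pointers (a pointer ends the name in 2 bytes)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def build_response(qname, qtype, rcode, answers):
    """Constructed sample response (no name compression) for a single question.
    `answers` is a list of (owner, rtype, rdata) tuples placed in the answer section."""
    flags = 0x8180 | rcode                      # QR, RD, RA set; RCODE in the low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


def filter_rrtype(msg, blocked_type):
    """Drop every answer-section RR of `blocked_type` from a wire-format response.
    Header flags (and so the RCODE), the question and the authority/additional
    sections pass through unchanged; only ANCOUNT is rewritten.
    Caveat: a real implementation must also repair compression pointers in the
    remaining sections that referenced bytes inside a removed RR; the constructed
    samples here use no compression, so that case does not arise."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    question_end = off
    kept = []
    for _ in range(an):
        start = off
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype != blocked_type:
            kept.append(msg[start:off])
    tail = msg[off:]                             # authority + additional, untouched
    new_header = struct.pack("!HHHHHH", ident, flags, qd, len(kept), ns, ar)
    return new_header + msg[12:question_end] + b"".join(kept) + tail


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]


def classify(msg):
    """Distinguish the three outcomes the thread talks about."""
    if rcode(msg) == RCODE_NXDOMAIN:
        return "NXDOMAIN"        # the name does not exist
    if answer_count(msg) == 0:
        return "NODATA"          # name exists, but no RRs of the queried type
    return "DATA"


# Constructed sample answers (not real DNS data).
HTTPS_RDATA = b"\x00\x01\x00"    # SvcPriority 1, TargetName ".", no SvcParams
positive = build_response("example.com", TYPE_HTTPS, RCODE_NOERROR,
                          [("example.com", TYPE_HTTPS, HTTPS_RDATA)])
nxdomain = build_response("nope.example.com", TYPE_HTTPS, RCODE_NXDOMAIN, [])
mixed = build_response("www.example.com", TYPE_HTTPS, RCODE_NOERROR,
                       [("www.example.com", TYPE_CNAME, encode_name("cdn.example.net")),
                        ("cdn.example.net", TYPE_HTTPS, HTTPS_RDATA)])

if __name__ == "__main__":
    for label, msg in (("positive", positive), ("nxdomain", nxdomain), ("mixed", mixed)):
        out = filter_rrtype(msg, TYPE_HTTPS)
        print(f"{label}: upstream={classify(msg)} answers={answer_count(msg)} -> "
              f"client={classify(out)} answers={answer_count(out)}")
```

Run stand-alone it shows why the query cannot simply be dropped: the positive upstream answer becomes a NODATA response to the client, the NXDOMAIN response stays NXDOMAIN, and in the CNAME chain only the type-65 record is removed. Nothing but the upstream reply can tell the first two cases apart, which is the reason the saving is in answer bytes, not in query traffic.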