[Dnsmasq-discuss] shortcuts for REFUSED / RCODE

Dominik Derigs dl6er at dl6er.de
Wed Mar 20 17:19:18 UTC 2024


Hey Ercolino,

> In the context of adblocking I am told certain browsers/systems react 
> much better when the DNS server returns FORBIDDEN (I guess they mean 
> REFUSED which is return code 5 
> https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6) 
> as this instructs the query generator (app) to stop hammering again 
> for such domain.
>
Have you actually tried this?

A few years back, the Pi-hole team explored various possibilities for 
blocking requests. REFUSED was among them. However, in our testing, 
devices did not stop requesting when they received REFUSED but continued 
hammering the server. This was especially true for embedded devices 
where any kind of DNS "error" may simply trigger endless repetitions. 
The best compromise we could come up with was in fact defining a "valid" 
response (A 0.0.0.0, AAAA ::) for blocking.

Best,
Dominik


>
> It seems like this behavior can be achieved in dnsmasq via the syntax
>
> local=/example.com/127.0.0.1
>
> Great. Since we run this on routers (Tomato) the dnsmasq configuration 
> file size matters.
>
> Bottom line: Could we have a shortcut char for REFUSED as well e.g.
>
> local/example.com/%
>
> As an alternative request... is it a good idea to re-think the 
> shortcut approach and simply allow the RFC's RCODE after the latest 
> slash to return the corresponding RCODE? e.g.
>
> local/example.com/2 // ServFail
> local/example.com/9 // notAuth
> etc?
>
> Thanks
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
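The two blocking strategies the thread compares, as an added example that is not code from dnsmasq or from either poster: one function answers a constructed sample query with RCODE 5 (REFUSED) and an empty answer section, the other with the "valid" NOERROR response Pi-hole settled on (A 0.0.0.0 / AAAA ::, and NODATA for any other type). The query and the 2-second TTL are constructed sample values.

```python
import struct

A, AAAA = 1, 28
RCODE_REFUSED = 5          # IANA DNS RCODE 5 ("Refused")

def _name(name):
    """Encode a dotted name in DNS wire format (labels, then a zero byte)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, qid=0x1234):
    """Constructed sample query: header with RD=1, one question, IN class."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + _name(name) + struct.pack("!HH", qtype, 1)

def _question(msg):
    """Return (qid, qtype, raw question section); question names are never compressed."""
    pos = 12
    while msg[pos]:
        pos += msg[pos] + 1
    pos += 1
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return struct.unpack("!H", msg[:2])[0], qtype, msg[12:pos + 4]

def block_refused(query):
    """Block by RCODE only: QR=1, RD copied from the query, RCODE=5, no answer RRs."""
    qid, _qtype, question = _question(query)
    flags = 0x8000 | (struct.unpack("!H", query[2:4])[0] & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question

def block_null(query, ttl=2):
    """Block with a NOERROR answer: A 0.0.0.0 or AAAA ::; NODATA for other types."""
    qid, qtype, question = _question(query)
    flags = 0x8000 | (struct.unpack("!H", query[2:4])[0] & 0x0100)   # QR=1, RD copied, RCODE=0
    rdata = {A: bytes(4), AAAA: bytes(16)}.get(qtype)               # 0.0.0.0 / ::
    if rdata is None:
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    # 0xC00C is a compression pointer to offset 12, i.e. the question name
    rr = struct.pack("!HHHIH", 0xC00C, qtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + rr

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def first_rdata(msg):
    """RDATA of the first answer RR, assuming a 2-byte compressed owner name."""
    _qid, _qtype, question = _question(msg)
    rr = msg[12 + len(question):]
    rdlength = struct.unpack("!H", rr[10:12])[0]
    return rr[12:12 + rdlength]
```

Capturing a blocked client's retries after each response style is the measurement Dominik describes; the builders above produce the exact bytes each style puts on the wire.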
