Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

customDNS interferes with TXT records #461

Closed
HubbeKing opened this issue Mar 18, 2022 · 4 comments · Fixed by #467
Closed

customDNS interferes with TXT records #461

HubbeKing opened this issue Mar 18, 2022 · 4 comments · Fixed by #467
Assignees
@0xERR0R
Labels
🐞 bug Something isn't working 🔨 enhancement New feature or request
Milestone
v0.19

Comments

@HubbeKing
Copy link

If you set a customDNS mapping for a domain foo.bar, any TXT record lookups on that domain fail.

For example:

...
customDNS:
  mapping:
    foo.bar: 192.168.1.1
...
$ dig foo.bar TXT

; <<>> DiG 9.18.1 <<>> foo.bar TXT
;; global options:  cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15481
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.			IN	TXT

;; Query time: 0 msec
;; SERVER: 192.168.1.100#53(192.168.1.100) (UDP)
;; WHEN: Fri Mar 18 16:40:29 EET 2022
;; MSG SIZE  rcvd: 28

This prevents, among other things, DNS-01 ACME validation from working from behind blocky, as TXT lookups on _acme-challenge.foo.bar will never resolve.

I attempted to work around this issue by adding a conditional mapping to utilize 1.1.1.1 for _acme-challenge.foo.bar, but that seems to not work, blocky simply returns nothing, with this in the logs:

[2022-03-18 14:45:09]  INFO queryLog: query resolved answer= client_ip=192.168.1.111 client_names=192.168.1.111 duration_ms=0 question=TXT (_acme-challenge.foo.bar.) response_code=NOERROR response_reason=CUSTOM DNS
@0xERR0R
Copy link
Owner

0xERR0R commented Mar 18, 2022
edited
Loading

If you set a customDNS mapping for a domain foo.bar, any TXT record lookups on that domain fail.

For customDNS you can only define IP addresses, blocky returns A or AAAA records respectively.

CustomDNS rule will also be automatically applied to all subdomains (in your case abc.foo.bar for example).

I think it is a bug. Blocky should pass TXT queries (and other types except A and AAAA) to the upstream resolver.

@0xERR0R 0xERR0R added the 🐞 bug Something isn't working label Mar 18, 2022
@0xERR0R 0xERR0R added this to the 0.19 milestone Mar 18, 2022
@HubbeKing
Copy link
Author

Ideally, I'd like for it to be possible to set other kinds of records in customDNS as well, but I can see how that might be tricky to implement.

Passing non-A/AAAA to upstream is probably a good option for now.

Maybe in the future one could set any kind of DNS record in customDNS, and anything not explicitly set there would be passed to the upstream resolvers?

@0xERR0R
Copy link
Owner

0xERR0R commented Mar 21, 2022

I created an issue to track the topic with other query types: #465

@0xERR0R 0xERR0R self-assigned this Mar 21, 2022
@0xERR0R 0xERR0R added the 🔨 enhancement New feature or request label Mar 22, 2022
@0xERR0R 0xERR0R mentioned this issue Mar 22, 2022
Merged
@0xERR0R
Copy link
Owner

0xERR0R commented Mar 22, 2022

I've been thinking about this: This could be a desired behaviour if blocky returns empty result for other types. This prevents the leak of internal network infrastructure information (custom DNS entries) to the external upstream resolver.

I introduced new parameter "filterUnmappedTypes". If it is set to "false" (default is true), it will forward all queries with defined custom DNS domain, but with unmapped types to the upstream DNS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xERR0R 0xERR0R

Labels
🐞 bug Something isn't working 🔨 enhancement New feature or request
Projects
None yet
Milestone
v0.19
2 participants
@HubbeKing @0xERR0R