[Feature Request] Drop Requests App : beyond dropping requests, allow to reply with NXDOMAIN or REFUSED #952
Comments
lic0san
changed the title
lic0san
changed the title
|
Thanks for the post. NXDOMAIN response is sent by a parent domain so sending such a response will include SOA record for the parent zone. The REFUSED is the correct response for zones that are not hosted as per standards. Secondly, since these domain names are private, nobody on the Internet would know that you are hosting them. Queries to your name server for any domain name come only because you have NS records at parent zone. In absence of any such NS record delegation, your name server wont receive any such requests. I am not sure of the exact setup you have so my assumptions could be wrong. It would be best if you can provide more details on your setup so that I can understand this issue better. |
|
Well, my main (and public) zone is example.org. I also have a private zone lab.example.org for internal purposes, with private range IP addresses. I would prefer such details about my internal infrastructure to stay sealed from the outside. Even though I do not publish any NS for lab.example.org in my parent zone example.org, any request to host.lab.example.org will still reach my name server. With the Drop Requests App active, such request will be dropped, while I would prefer it to be answered by NXDOMAIN or REFUSED. I recognize it is a rather edge case ! Anyway, thank you for your work on this project : Technitium is an awesome tool, with very advanced features made convenient to implement. It is just perfect for a homelab setting like mine. |
|
Thanks for the details and compliments. I guess this can be much better be an option for the zone instead of modifying the Drop Requests app. The app's main purpose is to block abuse so if you make it return a response then it would not help with its objectives. Will evaluate some option which can be added to the Zone Options popup so that each zone can be independently configured. |
The Drop Request App is pretty convenient to keep some internal zones undisclosed on a public name server. However, the only option seems to just DROP the DNS requests coming from unauthorized networks. It works, but induces some unnecessarily charge on the server by forcing the unauthorized DNS client to retry before abandoning. Plus, it betrays the existence of the private zone (a truly non-existent zone or record would promply return NXDOMAIN). Returning REFUSED would also acknowledge the existence of an authentication mechanism, but would at least be accurate. Could a return code option be added to this App (something like "RCODE": false (DROP), "RCODE": "NxDomain"," RCODE": "Refused") ?
The text was updated successfully, but these errors were encountered: