Should the uninstall function not also call stop()?
It should and it does:
Are you sure this works? A new config dnsmasq
section is usually for a new separate dnsmasq instance. Did you remove the existing addnmount
entry before testing this new one? Feels like it shouldn’t work.
I'm not really sure how this is supposed to work, but I tested this extensively... You are welcome to test as well.
Yes
So the current revision implements kind of a hybrid allowlist-only mode, which blocks some subdomains from blocklists. Since the word 'only' doesn't really fit what it does, I changed the option name to whitelist_mode.
This is how the proposed README section explains it:
Whitelist mode
This mode can be used to implement parental control or similar functionality while also adblocking inside the allowed domains. It can be enabled by setting the config option whitelist_mode to 1. In this mode all domain names will be resolved to 127.0.0.1, except for domains (and their subdomains) included in local and/or downloaded allowlists. In this mode, if blocklists are used in addition to allowlists, subdomains which are included in the blocklists and which are subdomains of allowed domains will be blocked (with the 'nx domain' response).
For example, if an allowlist has this entry: google.com, and a blocklist has this entry: ads.google.com, and whitelist_mode is set to 1, then ads.google.com will be blocked, while google.com and mail.google.com (and any other subdomain of google.com which is not included in the blocklist) will work.
This is the awk command which does the selective domains removal:
In whitelist mode this method dramatically reduces the size of the final blocklist. The only drawback is that rather than nx domain, queries to most blocked domains will be resolved to 127.0.0.1.
(I also discovered that the allowlist domains removal awk command was not adapted to process raw lists and hence was not working - fixed that as well)
What do you guys think about this?
I think this is super cool. Is there a way to present nx domain rather than the local resolve? Maybe @Wizballs knows?
The issue is that while one would expect this dnsmasq option local=/*/ to make it reply with nx domain for all domains, this appears to do nothing. So instead, currently the whitelist mode is implemented this way: address=/#/#, which basically resolves all domains to localhost. Then on top of that we are adding the allowlist domains which override this behavior and resolve to the actual ip addresses, and subdomains of allowlist domains which are included in the blocklist, which return nx domain.
I tried all sorts of combinations, and the only 2 alternative ways I found to implement whitelist functionality:
local=/*/#
- this actually produces the nx domain response, but it takes a long while (a few seconds) before that response is generated for each request
address=/#/255.255.255.255
address=/#/ff:ff:ff:ff:ff:ff:ff:ff
- this resolves the non-specifically-allowed and non-specifically-blocked domains to the above ip addresses (the ipv4 address is a broadcast address, not sure about the ipv6 address). This is fast, but the response is still not nx domain. When trying to ping such a domain, this is happening:
PING github.com (ff:ff:ff:ff:ff:ff:ff:ff): 56 data bytes
ping: sendto: Network unreachable
Ping to specifically allowed domains works fine.
Maybe there is a clever way to have all domains return nx domain unless specifically allowed, but I couldn't find one.
Edit: just checked and actually local=/*/# causes this behavior:
root@OpenWrt:~# nslookup google.com
nslookup: write to '::1': Connection refused
;; connection timed out; no servers could be reached
So it's not nx domain either.
Perhaps someone could ask on the dnsmasq mailing list if and how this can be achieved. Or maybe @dave14305 has some idea?
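As an added example (not the project's own code, and not the awk command referred to above), here is a POSIX shell script that builds the whitelist-mode dnsmasq fragment described in this thread from two constructed lists: address=/#/# as the catch-all, a server=/domain/# override per allowed domain, and a local=/domain/ (never forwarded, hence NXDOMAIN) entry only for those blocklist entries that sit under an allowed domain. The file names and the two list contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not the project's own code: build the whitelist-mode
# dnsmasq fragment from constructed allow/block lists.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample lists; a real setup would use the local/downloaded ones.
printf 'google.com\nexample.org\n' > "$WORK/allowlist"
printf 'ads.google.com\ntracker.example.org\nevil.net\ngoogle.com.fake.xyz\n' > "$WORK/blocklist"

# Selective removal: keep only blocklist entries that are strict subdomains
# of an allowlisted domain. Everything else is already caught by address=/#/#,
# so dropping it is what shrinks the final blocklist.
# Usage: filter_blocklist ALLOWFILE BLOCKFILE
filter_blocklist() {
  awk 'NR == FNR { if (NF) keep[$0] = 1; next }   # first file: allowlist
       NF {
         d = $0
         # walk up the label hierarchy: ads.google.com -> google.com -> com
         while (index(d, ".") > 0) {
           sub(/^[^.]*\./, "", d)
           if (d in keep) { print $0; next }
         }
       }' "$1" "$2"
}

# Emit the dnsmasq fragment. dnsmasq uses the most specific match, so
# server=/google.com/# overrides address=/#/#, and local=/ads.google.com/
# (no upstream, so NXDOMAIN) overrides server=/google.com/#.
# Usage: gen_dnsmasq_conf ALLOWFILE BLOCKFILE
gen_dnsmasq_conf() {
  echo 'address=/#/#'
  awk 'NF { print "server=/" $0 "/#" }' "$1"
  filter_blocklist "$1" "$2" | awk '{ print "local=/" $0 "/" }'
}

gen_dnsmasq_conf "$WORK/allowlist" "$WORK/blocklist"
```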
A pretty lame idea which has the benefit of actually working would be something like this:
local=/*a/*b/*c/.../*z/
I love your persistence and I’m curious if this formulation can be beaten.
The above idea is implemented in the current revision. Seems to work.
The best I can think of is to eliminate the characters which no domain "extension" (i.e. .com, .gov, .uk etc etc) ends with. Probably not worth our time.
@Ree9 the uninstall command accepts the variable ${luci_uninstall_rm_config}. If you are planning to implement the uninstall functionality in the luci interface then setting this variable to 'y' before calling uninstall() will trigger config directory removal, otherwise the config directory will not be removed when uninstalling.
How about this:
Doesn't work
I also came across this, but perhaps you're already leveraging it:
https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg14707.html
I'm not sure what to do about that information. Simon says "done" but what's done and how to use that?
Doesn't that refer to this portion:
So if bogus-nxdomain could be updated to accept a network cidr I think that would work.
Just a stab in the dark for me really, but would something like this work:
bogus-nxdomain=0.0.0.0/1
bogus-nxdomain=128.0.0.0/1
Hard to find the optimal solution here.
@dave14305, I wonder whether you might be able to offer any insight in terms of the best way to tell dnsmasq to return nxdomain for everything (save for explicit allows)?
@antonk has already identified:
local=/*a/*b/*c/.../*z/
Maybe that's the best already. But just want to verify this.
I think dnsmasq is not well-equipped to do this job anymore. I suspect the favorable features in 2.86 that allowed better adblocking memory efficiency also "broke" the ability to use the # wildcard in this way.
Adblock has a similar DNS jail feature that uses the address=/#/ syntax, but I suspect it doesn't work as it once did anymore.
This seems to work in the sense that it returns nxdomain for everything, however with this entry in place, overrides in the form of server=/google.com/# don't work - it still returns nxdomain for them as well.