Gentoo Forums

[solved] dnsmasq: adserver forwarded to 9.9.9.9

Gentoo Forums Forum Index :: Networking & Security
musv
Advocate

Joined: 01 Dec 2002
Posts: 3357
Location: de

PostPosted: Sun Aug 18, 2024 8:49 am    Post subject: [solved] dnsmasq: adserver forwarded to 9.9.9.9

Good morning,

I'm using dnsmasq on my NAS to provide DNS and DHCP services to my local network. Moreover, and no less important, I use adblock lists. It worked quite well all the time. But since one of the last updates the ads are flooding my network again.

For blocking ads I use entries like this:
Code:
address=/te.technical-service.net/192.168.109.10
address=/te.technical-service.net/::

192.168.109.10 is the internal IP of my NAS. The official adblock lists like Steven Black don't bother with IPv6. But I've noticed some AAAA requests in dnsmasq. So I added the 2nd line just for testing.

On my host I've flushed the DNS cache. Now requesting:
Code:
dig -t A te.technical-service.net
;; ANSWER SECTION:
te.technical-service.net. 0   IN   A   192.168.109.10


Code:
dig -t AAAA te.technical-service.net
;; ANSWER SECTION:
te.technical-service.net. 0   IN   AAAA   ::


But now I get the behaviour I don't understand:
Code:
host te.technical-service.net.
te.technical-service.net has address 192.168.109.10
te.technical-service.net has address 192.168.109.10
te.technical-service.net has IPv6 address ::
te.technical-service.net is an alias for te.ip-prod.aws-cbc.cloud


And the dnsmasq-log shows:
Code:
Aug 18 10:37:13 dnsmasq[33010]: query[A] te.technical-service.net from 192.168.109.21
Aug 18 10:37:13 dnsmasq[33010]: config te.technical-service.net is 192.168.109.10
Aug 18 10:37:13 dnsmasq[33010]: config te.technical-service.net is 192.168.109.10
Aug 18 10:37:13 dnsmasq[33010]: query[AAAA] te.technical-service.net from 192.168.109.21
Aug 18 10:37:13 dnsmasq[33010]: config te.technical-service.net is ::
Aug 18 10:37:13 dnsmasq[33010]: query[MX] te.technical-service.net from 192.168.109.21
Aug 18 10:37:13 dnsmasq[33010]: forwarded te.technical-service.net to 9.9.9.9
Aug 18 10:37:13 dnsmasq[33010]: reply te.technical-service.net is <CNAME>
Aug 18 10:37:13 dnsmasq[33010]: reply te.ip-prod.aws-cbc.cloud is NODATA


Ok, that's weird. Digging deeper into this problem, I found the reason, but I don't understand the behaviour:
Code:
dig -t MX te.technical-service.net @192.168.109.50

; <<>> DiG 9.16.48 <<>> -t MX te.technical-service.net @192.168.109.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;te.technical-service.net.   IN   MX

;; ANSWER SECTION:
te.technical-service.net. 121   IN   CNAME   te.ip-prod.aws-cbc.cloud.

;; AUTHORITY SECTION:
ip-prod.aws-cbc.cloud.   900   IN   SOA   ns-2027.awsdns-61.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

My conclusion:
In my current configuration of dnsmasq the adblock lists are partly useless, because instead of serving the A and AAAA entries, dnsmasq bypasses my adblock lists by requesting the MX entries.

dnsmasq.conf:

# Base options
no-resolv
no-hosts
no-poll
expand-hosts
domain-needed
bogus-priv

server=9.9.9.9              # Speedy
server=1.1.1.1              # Cloudflare (1.0.0.1)
server=2a02:2970:1002::18   # Digital Courage IPv6
server=2620:0:ccc::2        # OpenDNS IPv6


How can I prevent this?


Last edited by musv on Wed Aug 21, 2024 10:53 am; edited 1 time in total
musv

PostPosted: Sun Aug 18, 2024 10:21 am

Some more strange behaviour I don't understand:

Firefox
In Firefox the ads appear, e.g. on my favourite news page: www.n-tv.de. The ads load some time after the ordinary content. DoH is deactivated.

In about:networking → DNS I can check the DNS requests (which scares me somewhat regarding the number of requests). In some cases the protocol shows domains which are listed in my dnsmasq adblock configs.

Firefox:
ad.yieldlab.net   ipv4   false   69.192.161.76   118   ^partitionKey=%28https%2Cn-tv.de%29


dnsmasq.d/hosts-adblock:
hosts-adblock:address=/ad.yieldlab.net/192.168.109.10


host ad.yieldlab.net:

ad.yieldlab.net has address 192.168.109.10
ad.yieldlab.net is an alias for yieldlab.net.edgekey.net.
yieldlab.net.edgekey.net is an alias for e3120.g.akamaiedge.net.
ad.yieldlab.net is an alias for yieldlab.net.edgekey.net.
yieldlab.net.edgekey.net is an alias for e3120.g.akamaiedge.net.


Different browser
Next trial: Maybe it's only Firefox. So I deleted the local dns cache:
Code:
systemd-resolved --flush-caches

and started vivaldi with a private window. But also in there the ads are shown.

Different account
I've created a fresh test account and started Firefox there (no existing profile): Ads are shown.
musv

PostPosted: Sun Aug 18, 2024 4:17 pm

Update:

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2020q3/014169.html

seems to be my problem.

If I query unbound on my notebook, host doesn't return the mx record. Accordingly the adblock entries are working.
musv

PostPosted: Wed Aug 21, 2024 10:58 am

https://dnsmasq.org/docs/dnsmasq-man.html

Quote:
A, --address=/<domain>[/<domain>...]/[<ipaddr>]
Specify an IP address to return for any host in the given domains. A (or AAAA) queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. To give multiple addresses or both IPv4 and IPv6 addresses for a domain, use repeated --address flags. Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same way as for --server, with the additional facility that /#/ matches any domain. Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains. An address specified as '#' translates to the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so --address=/example.com/# will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for --address=/example.com/0.0.0.0 and --address=/example.com/:: but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.

Note that the behaviour for queries which don't match the specified address literal changed in version 2.86. Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type other than A would return a NoData answer. From 2.86, the query is sent upstream. To restore the pre-2.86 behaviour, use the configuration --address=/example.com/1.2.3.4 --local=/example.com/


To get the adblock lists working again:
< 2.86:

address=/evildomain.com/0.0.0.0


>=2.86:

local=/evildomain.com/

This adoption also changed the return value. Instead of returning 0.0.0.0 the new config returns NX-DOMAIN. This again works quite well with Vivaldi. Unfortunately Firefox can't handle this and hangs when loading a page.
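An added example, not from the thread or from the dnsmasq project: a small Python checker that applies the two findings above (the MX bypass seen in the first post's log, and the local= fix from the man page) to a dnsmasq setup. It parses address=/local= entries from an adblock config and dnsmasq's log-queries output (both sample inputs constructed inline, modelled on the lines quoted in the first post), lists the address= domains that still need a local= line on 2.86 and later, and flags every "forwarded" log line for a name a block entry should have covered. Function names are my own; only single-domain address= entries are handled, not multi-domain or /#/ forms.

```python
import re

# Constructed sample: address= lines like the thread's adblock config, plus one
# entry that already carries the post-2.86 local= fix (single-domain entries only).
CONFIG = """\
address=/te.technical-service.net/192.168.109.10
address=/ad.yieldlab.net/192.168.109.10
address=/evildomain.com/0.0.0.0
local=/evildomain.com/
"""

# Constructed sample lines in dnsmasq's log-queries format, as quoted in the thread.
LOG = """\
Aug 18 10:37:13 dnsmasq[33010]: query[MX] te.technical-service.net from 192.168.109.21
Aug 18 10:37:13 dnsmasq[33010]: forwarded te.technical-service.net to 9.9.9.9
Aug 18 10:37:14 dnsmasq[33010]: forwarded www.n-tv.de to 9.9.9.9
"""

ENTRY_RE = re.compile(r"^(address|local)=/([^/]+)/")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")

def parse_config(text):
    """Return (blocked, local): the domains with address= and with local= entries."""
    blocked, local = set(), set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            (blocked if m.group(1) == "address" else local).add(m.group(2).lower())
    return blocked, local

def covering_domain(name, domains):
    """A /domain/ entry in dnsmasq covers the domain itself and every subdomain."""
    labels = name.rstrip(".").lower().split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in domains), None)

def missing_local(config_text):
    """address= domains still lacking the local= line that dnsmasq >= 2.86 needs."""
    blocked, local = parse_config(config_text)
    return sorted(d for d in blocked if d not in local)

def forwarded_blocked(config_text, log_text):
    """(queried name, upstream, blocking domain) for each forward that bypassed a block."""
    blocked, _ = parse_config(config_text)
    matches = filter(None, map(FORWARD_RE.search, log_text.splitlines()))
    hits = ((m.group(1), m.group(2), covering_domain(m.group(1), blocked)) for m in matches)
    return [h for h in hits if h[2]]
```

Printing `local=/{d}/` for each result of `missing_local` gives the lines to append to the adblock config; `forwarded_blocked` run over the real log tells you whether the bypass is still happening after the change.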