Some servers filter responses with intranet IP addresses #813
Comments
## sby-limotelu
non-censoring, non-logging, DNSSEC-capable Hosted in Surabaya, Indonesia (Dnscrypt) https://limotelu.org maintained by poentodewo (https://github.com/poentodewo)
sdns://AQcAAAAAAAAAEzE5OS4xODAuMTMwLjM5Ojg0NDMg1U5MYSDK58uVdJ8dKtp0UZaCKSG0znwQLVHYKk1QyuwcMi5kbnNjcnlwdC1jZXJ0LnNieS1saW1vdGVsdQ
# dnslookup local.03k.org sdns://AQcAAAAAAAAAEzE5OS4xODAuMTMwLjM5Ojg0NDMg1U5MYSDK58uVdJ8dKtp0UZaCKSG0znwQLVHYKk1QyuwcMi5kbnNjcnlwdC1jZXJ0LnNieS1saW1vdGVsdQ
dnslookup v1.9.1
dnslookup result (elapsed 16.285129805s):
;; opcode: QUERY, status: REFUSED, id: 52879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232
; EDE: 18 (Prohibited): (EIM4)
;; QUESTION SECTION:
;local.03k.org. IN A
;; ADDITIONAL SECTION:
explanation.invalid. 10800 IN TXT "blocked by DNS rebinding protection" |
|
Furthermore, I believe that this behavior can be detected using a script and can be addressed by running periodic checks through actions. These checks can remove the "No filter" label from these servers. |
jedisct1
changed the title
|
Hi! And thanks for reporting this! Indeed, it is not expected to block local IP addresses when the "no filter" flag is set. And this is causing more issues that it solves. I'll run a scan of the servers for that. Thanks again! |
|
I tested all DNS servers using a simple script to get a list of some DNS servers that will filter, I hope this helps. |
|
Good catch! |
I've noticed that certain server are filtering intranet domain names and returning empty records when the resolved IP address is a private address. One such server is jp.tiar.app. I suspect that this filtering is implemented for security reasons. However, can we consider these server as having "filter=false" behavior?
To reproduce the issue, you can test it with the following domain name: local.03k.org (10.9.8.7).
The text was updated successfully, but these errors were encountered: