It is perfectly valid to block example.com and not api.example.com (using whitelisting or the = prefix in the blacklist).
But returning NXDOMAIN to a query for example.com would suggest to the client that *.example.com doesn't exist. A caching resolver in front of dnscrypt-proxy would cache that information, and return NXDOMAIN for api.example.com. A 0 TTL wouldn't help much with resolvers (ex: macOS built-in stub resolver) enforcing a minimum TTL.
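The caching effect described in the comment above, as an added example that is not part of the thread or of dnscrypt-proxy's code: a simplified model of a downstream cache that applies a cached NXDOMAIN to every name below it (the RFC 8020 behaviour, assumed here), compared with a REFUSED block response. The `Cache` type and the `Resolve` and `Scenario` functions are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

const NoError, NXDomain, Refused = 0, 3, 5 // DNS RCODE values

// Cache is a simplified model of a caching resolver in front of the proxy.
// Assumption: a cached NXDOMAIN covers every name below it (RFC 8020).
type Cache struct {
	negative  map[string]bool  // names cached as NXDOMAIN
	upstream  func(string) int // the blocking proxy
	Forwarded int              // queries that reached the proxy
}

// Resolve checks name and each ancestor against the negative cache, then forwards.
func (c *Cache) Resolve(name string) int {
	for n, ok := name, true; ok; _, n, ok = strings.Cut(n, ".") {
		if c.negative[n] {
			return NXDomain // answered from cache, the proxy is never asked
		}
	}
	c.Forwarded++
	rc := c.upstream(name)
	if rc == NXDomain {
		c.negative[name] = true // only NXDOMAIN is negatively cached in this model
	}
	return rc
}

// Scenario blocks exactly example.com, then queries the apex and api.example.com.
func Scenario(blockRcode int) (rcode, forwarded int) {
	c := &Cache{negative: map[string]bool{}}
	c.upstream = func(name string) int {
		if name == "example.com" {
			return blockRcode
		}
		return NoError // api.example.com is allowed by the proxy
	}
	c.Resolve("example.com")
	return c.Resolve("api.example.com"), c.Forwarded
}

func main() {
	fmt.Println(Scenario(NXDomain)) // subdomain answer and proxy query count
	fmt.Println(Scenario(Refused))
}
```

With an NXDOMAIN block response the allowed subdomain is answered from the cache and never reaches the proxy; with REFUSED the second query is forwarded and resolves.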
@jedisct1 alright. Maybe not a good idea practically, but I had to run dnsmasq just for this while doing some testing. dnsmasq --address=/example.com/ returns NXDOMAIN. Somewhat similar idea is pdnsd-ctl neg example.com ... which doesn't always block all subdomains, if I understand correctly.
Is your feature request related to a problem?
No.
Describe the solution you'd like
In addition to refused, hinfo or IP responses, can we get NXDOMAIN with configurable TTL and SOA.MINIMUM field?
Alternatives you've considered
Ad blockers like AdGuard and others provide similar option: AdguardTeam/AdguardForAndroid#2847 (comment)
Who will that feature be useful to?
It's just an improvement.
What have you done already?
Nothing.
What are you going to contribute?
Sorry I'm not capable of that.
Additional context