Additional validation in $dnsrewrite rules #2307

Closed
opened 2026-03-04 01:55:42 -05:00 by deekerman · 2 comments

Originally created by @ainar-g on GitHub (Dec 28, 2020).

Originally assigned to: @ainar-g on GitHub.

Context: #2101, #2452, #2492.

We need to decide which additional validations we want for the $dnsrewrite response modifier. Among the ones that are likely to be requested:

  • The FQDN in the MX and PTR rewrites.
  • The hostname in the full-form CNAME rewrites.
  • The hostname in SVCB/HTTPS rewrites.

Any more I've missed?

deekerman 2026-03-04 01:55:42 -05:00

@DandelionSprout commented on GitHub (Jan 12, 2021):

Presuming I understand the question correctly: I get quite a few TXT DNS requests to my server, e.g. hostname.bind, id.server, version.bind, etc. For those, they can be treated as hostnames, but without being limited to regular TLDs.

There are also RRSIG requests (to e.g. pizzaseo.com), which I doubt the legitimacy of as a whole. If they are to be treated as legitimate requests, then the hostname is sufficient.


@ainar-g commented on GitHub (Jan 13, 2021):

@DandelionSprout

If I recall correctly, TXT records can contain arbitrary textual data, so I don't think we'll apply any validations there besides the byte size.

As for RRSIG records, we currently don't support them. If you have a need for them, please file a separate issue about it and we'll try to add them in v0.106.0 as well.
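
The kinds of checks discussed in this thread, as an added Go example that is not part of the original issue and is not AdGuard Home's code: it validates the value of a rewrite per record type. The function names, the split into record type and value, the accepted trailing dot, and the 255-byte TXT limit (one RFC 1035 character-string) are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const ldh = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"

// validHostname applies the RFC 1035/1123 limits: at most 253 bytes, labels of
// 1 to 63 letters, digits or '-', no '-' at a label edge; trailing dot allowed.
func validHostname(name string) bool {
	name = strings.TrimSuffix(name, ".")
	if name == "" || len(name) > 253 {
		return false
	}
	for _, l := range strings.Split(name, ".") {
		if l == "" || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' || strings.Trim(l, ldh) != "" {
			return false
		}
	}
	return true
}

// validateRewrite (hypothetical helper) checks one rewrite value, given in
// DNS presentation format, against the rules for its record type.
func validateRewrite(rrType, value string) error {
	f := strings.Fields(value)
	ok := true
	switch rrType {
	case "CNAME", "PTR": // the value is a single name
		ok = len(f) == 1 && validHostname(f[0])
	case "MX", "SVCB", "HTTPS": // "<16-bit number> <name> [params...]"
		if ok = len(f) >= 2 && (rrType != "MX" || len(f) == 2); ok {
			_, err := strconv.ParseUint(f[0], 10, 16)
			// "." is a legal target: null MX (RFC 7505), SVCB (RFC 9460).
			ok = err == nil && (f[1] == "." || validHostname(f[1]))
		}
	case "TXT": // one character-string holds at most 255 bytes (RFC 1035)
		ok = len(value) <= 255
	} // other record types are not checked here
	if !ok {
		return fmt.Errorf("invalid %s rewrite value %q", rrType, value)
	}
	return nil
}

func main() { // constructed sample: empty label in the MX exchange
	fmt.Println(validateRewrite("MX", "32 mail..example"))
}
```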

Reference
starred/AdGuardHome#2307