mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2026-03-04 00:01:12 -05:00
Prevent HTTPS queries responding IPv6 addresses #4671
Originally created by @starryloki on GitHub (Aug 20, 2023).
Originally assigned to: @Mizzick on GitHub.
Prerequisites
I have checked the Wiki and Discussions and found no answer
I have searched other issues and found no duplicates
I want to report a bug and not ask a question or ask for help
I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Linux, AMD64 (aka x86_64)
Installation
GitHub releases or script from README
Setup
On one machine
AdGuard Home version
v0.107.36
Action
Example:
I have turned on "Disable resolving of IPv6 addresses".
Expected result
HTTPS: 1 . alpn="h3,h2" ipv4hint="104.20.9.218,104.20.10.218,172.67.3.188"
Actual result
In AdGuard Home, I checked the DNS resolution records and found that the corresponding response is as follows:
HTTPS: 1 . alpn="h3,h2" ipv4hint="104.20.9.218,104.20.10.218,172.67.3.188" ipv6hint="2606:4700:10::6814:9da,2606:4700:10::6814:ada,2606:4700:10::ac43:3bc"
Just as described in "Disable resolving of IPv6 addresses", enabling it should result in blocking all IPv6 addresses, but it seems that only AAAA records are being blocked and not the IPv6 addresses within HTTPS records.
It appears that using HTTPS records allows for bypassing the restrictions on IPv6 resolution.
Additional information and/or screenshots
No response
@duckxx commented on GitHub (Aug 20, 2023):
But the description there says: drop all DNS queries for IPv6 addresses (AAAA).
It blocks direct resolution of AAAA records, not including the AAAA within HTTPS records.
@starryloki commented on GitHub (Aug 20, 2023):
I know that the comments have already provided an explanation. However, disabling AAAA records is a means to prevent IPv6 resolution. It is clear that with the widespread use of HTTPS records, this method is no longer effective in blocking IPv6 resolution. Therefore, it is necessary to update this option or similar filtering rules to address it.
@fernvenue commented on GitHub (Aug 21, 2023):
Totally agree with @starryloki, just disabling AAAA records seems not enough.
@Mizzick commented on GitHub (Aug 23, 2023):
Please have a look, we have implemented the requested changes.
The new build version v0.108.0-a.657+cb6d4620 has been just published to the edge channel.
@starryloki commented on GitHub (Aug 23, 2023):
I have tested it on Linux amd64, and the new features are working fine!
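The filtering requested in this thread, as an added example (it is not part of the thread and is not AdGuard Home's own code): a Go function that drops the ipv6hint SvcParam from wire-format HTTPS/SVCB RDATA as laid out in RFC 9460, leaving alpn and ipv4hint untouched. The names `stripIPv6Hint`, `errMalformed` and `sampleRDATA` are assumptions, and the sample record is constructed from the first hint of each kind in the report.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const keyIPv6Hint = 6 // SvcParamKey number of ipv6hint (RFC 9460)
var errMalformed = errors.New("malformed HTTPS/SVCB RDATA")

// stripIPv6Hint returns a copy of wire-format HTTPS/SVCB RDATA without any
// ipv6hint SvcParam. Hypothetical helper, not AdGuard Home's implementation.
func stripIPv6Hint(rdata []byte) ([]byte, error) {
	i, l := 2, 1 // skip the 2-byte SvcPriority, then walk TargetName labels
	for ; l != 0; i += 1 + l {
		if i >= len(rdata) || rdata[i] > 63 { // truncated, or a compression pointer
			return nil, errMalformed
		}
		l = int(rdata[i])
	}
	out := append([]byte(nil), rdata[:i]...)
	for i < len(rdata) { // each SvcParam: key (2 bytes), length (2 bytes), value
		if len(rdata)-i < 4 {
			return nil, errMalformed
		}
		end := i + 4 + int(binary.BigEndian.Uint16(rdata[i+2:]))
		if end > len(rdata) {
			return nil, errMalformed
		}
		if binary.BigEndian.Uint16(rdata[i:]) != keyIPv6Hint {
			out = append(out, rdata[i:end]...) // keep alpn, ipv4hint, etc. in order
		}
		i = end
	}
	return out, nil
}

// sampleRDATA is a constructed record: 1 . alpn="h3,h2" ipv4hint=... ipv6hint=...
func sampleRDATA() []byte {
	return []byte{0, 1, 0, 0, 1, 0, 6, 2, 'h', '3', 2, 'h', '2', // priority, ".", alpn
		0, 4, 0, 4, 104, 20, 9, 218, // ipv4hint=104.20.9.218
		0, 6, 0, 16, 0x26, 0x06, 0x47, 0, 0, 0x10, 0, 0, 0, 0, 0, 0, 0x68, 0x14, 0x09, 0xda,
	}
}

func main() {
	out, err := stripIPv6Hint(sampleRDATA())
	fmt.Printf("%d bytes kept, err=%v\n", len(out), err)
}
```

A caller that rewrites the record this way must also update the RR's RDLENGTH, and the modified RRset no longer matches its RRSIG, so clients that validate DNSSEC themselves will reject it.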