Netgate Discussion Forum
prevent forwarding of non public suffix domains

DHCP and DNS
jawz101, Oct 12, 2021, 9:52 PM

    I use NextDNS as my upstream DNS provider and I've noticed in my logs on their service that some non-public-suffix domain entries end up being forwarded to them. Is there a way to block any invalid public-suffixed name lookups from escaping my network?

    I'm thinking there could be a situation where sensitive name lookups could be leaked out to a public resolver.

    jawz101 @jawz101, Oct 12, 2021, 10:03 PM (edited 10:04 PM)

      https://www.theregister.com/2018/02/12/icann_corp_home_mail_gtlds/

      I have lookups from my pfSense box > NextDNS upstream for:

      app.adjust.com.home
      app-measurement.com.home
      beacons.gcp.gvt2.com.home
      beacons.gvt2.com.home
      beacons3.gvt2.com.home
      cloud1.linksyssmartwifi.com.home
      connectivitycheck.gstatic.com.home
      device-api.urbanairship.com.home
      firebase-settings.crashlytics.com.home
      juke.api.247e.com.home
      mads.amazon-adsystem.com.home
      manifest.localytics.com.home
      profile.localytics.com.home
      s.amazon-adsystem.com.home
      ssl.google-analytics.com.home
      www.google.com.home
      www.gstatic.com.home

      johnpoz (LAYER 8 Global Moderator) @jawz101, Oct 13, 2021, 1:03 AM (edited 1:08 AM)

        @jawz101 so clients quite often will add their local suffix to something they are looking up.

        There are some things you could do on the client to stop that: stop using suffix searches.

        But a simple solution, if unbound is asking upstream for stuff in your local domain that you don't want it to, is to change your type from transparent to static.

        In the resolver gui

        [screenshot: static.jpg]

        https://nlnetlabs.nl/documentation/unbound/unbound.conf/

        [screenshot: type.jpg]

        When a client asks for something.home and there is no local record for that, for example www.google.com.home, with transparent unbound will try to resolve that.

        With static, since unbound has local resources for .home, if there is no www.google.com.home then you would get back an NX and nothing would be asked upstream.

        On a side note, use of a single label is normally a bad idea. Use maybe network.home, or the newly recommended local domain home.arpa, as your local domain.

        https://datatracker.ietf.org/doc/html/rfc8375
        Special-Use Domain 'home.arpa.'

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jawz101 @johnpoz, Oct 13, 2021, 4:06 PM (edited 4:09 PM)
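The transparent-versus-static behaviour described in the reply above, plus the client-side search-suffix step that produces names like www.google.com.home in the first place, as an added toy model (not code from the thread, from unbound or from pfSense). The local records, the search list and the glibc-style ndots ordering are assumptions for illustration; real unbound additionally returns NODATA rather than NXDOMAIN when a name exists in local data but the requested type does not, which this model ignores.

```python
"""Model of how unbound's local-zone type decides whether a name under the
local domain is answered locally, answered NXDOMAIN, or sent upstream.

Added example, not the thread's or unbound's code. LOCAL_DATA and the search
list are constructed for illustration.
"""
from __future__ import annotations

# Constructed local zone "home." as pfSense/unbound would hold it, e.g. from
# DHCP lease registration. Keys are fully qualified, lower-case names.
LOCAL_ZONE = "home."
LOCAL_DATA = {
    "printer.home.": "192.168.1.20",
    "nas.home.": "192.168.1.30",
}


def fqdn(name: str) -> str:
    """Append the root dot if the caller left it off."""
    return name if name.endswith(".") else name + "."


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    name, zone = fqdn(name).lower(), fqdn(zone).lower()
    return name == zone or name.endswith("." + zone)


def resolve(name: str, zone_type: str, local_data=LOCAL_DATA, zone=LOCAL_ZONE):
    """Return (action, answer); action is 'local', 'nxdomain' or 'upstream'."""
    q = fqdn(name).lower()
    if not in_zone(q, zone):
        return ("upstream", None)          # not our zone: normal resolution
    if q in local_data:
        return ("local", local_data[q])    # either type answers from local data
    if zone_type == "transparent":
        # No local data: unbound resolves the name normally, which with a
        # forwarder configured means the query reaches NextDNS and leaks.
        return ("upstream", None)
    if zone_type == "static":
        # unbound treats itself as authoritative for the zone: NXDOMAIN,
        # and nothing is asked upstream.
        return ("nxdomain", None)
    raise ValueError(f"unsupported local-zone type {zone_type!r}")


def search_candidates(name: str, search: list[str], ndots: int = 1) -> list[str]:
    """glibc-style resolver ordering (an assumption; other stacks differ):
    a name with at least ndots dots is tried as typed first, then with each
    search suffix appended. That second attempt, taken when the first fails
    or times out, is what yields www.google.com.home at the resolver."""
    if name.endswith("."):
        return [name]                      # absolute name, never suffixed
    suffixed = [f"{name}.{s.rstrip('.')}" for s in search]
    return [name] + suffixed if name.count(".") >= ndots else suffixed + [name]


# Names seen upstream in the thread, plus one genuine local host.
OBSERVED = ["www.google.com.home", "connectivitycheck.gstatic.com.home", "printer.home"]


def summarize(zone_type: str) -> dict[str, str]:
    """Map each observed query to the action unbound takes for zone_type."""
    return {q: resolve(q, zone_type)[0] for q in OBSERVED}


if __name__ == "__main__":
    for zone_type in ("transparent", "static"):
        print(zone_type, summarize(zone_type))
    print(search_candidates("www.google.com", ["home"]))
    print(search_candidates("nas", ["home"]))
```

Switching the zone to static only stops queries under the configured local domain; a name under any other bogus suffix that a client happens to send still falls through to the forwarder, which is the point the later reply makes about non-public TLDs.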

          @johnpoz thanks! I've noticed it a bit too when sifting through Cisco's Umbrella top 1million lists.

          I think I'd not want to forward anything that isn't a public-suffixed record, regardless of whatever suffix is used for my internal network.

          johnpoz (LAYER 8 Global Moderator) @jawz101, Oct 13, 2021, 4:18 PM (edited 4:21 PM)

            @jawz101 well, you could create blocks for all non-public TLDs that you would like to block, but what on your network would be looking for those if it wasn't in your search suffix?

            The possibilities are pretty infinite for non-actual TLDs ;) But only those in your search suffix would be added by clients.

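The "create blocks for all non-public TLDs" approach from the last reply, as an added example that is not code from the thread or from pfSense: it scans resolver query logs for names whose rightmost label is not a real top-level domain and emits unbound local-zone stanzas that answer those with NXDOMAIN instead of forwarding. The log lines are constructed in the shape unbound writes with `log-queries: yes`; KNOWN_TLDS is a tiny constructed subset standing in for the IANA root zone list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt), so on a real box load the full list. The check is by top-level label only, so it cannot catch a leak whose search suffix sits under a public TLD (corp.example, for instance); it does catch any bogus suffix regardless of which client added it.

```python
"""Flag queries whose TLD is not a public one and generate unbound config
that NXDOMAINs them locally.

Added example, not the thread's or pfSense's code. SAMPLE_LOG and KNOWN_TLDS
are constructed for illustration.
"""
from __future__ import annotations
import re
from collections import Counter

# Constructed subset of the IANA root zone; replace with the full list.
KNOWN_TLDS = {"com", "net", "org", "arpa", "io", "uk", "de"}

# Constructed sample lines in unbound's query-log shape:
# "... info: <client> <qname>. <qtype> <qclass>"
SAMPLE_LOG = """\
[1634075000] unbound[12345:0] info: 192.168.1.50 www.google.com. A IN
[1634075001] unbound[12345:0] info: 192.168.1.50 www.google.com.home. A IN
[1634075002] unbound[12345:0] info: 192.168.1.51 connectivitycheck.gstatic.com.home. A IN
[1634075003] unbound[12345:0] info: 192.168.1.52 printer.home.arpa. A IN
[1634075004] unbound[12345:0] info: 192.168.1.53 nas.lan. AAAA IN
"""

# Greedy \S+ backtracks so the trailing root dot is left out of the qname.
QUERY_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) (IN|CH|HS)$")


def tld_of(qname: str) -> str:
    """Rightmost label of a query name, lower-cased, root dot ignored."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def non_public_queries(log: str, known=KNOWN_TLDS) -> Counter:
    """Count queries per TLD that is not in the known public set.

    Returns e.g. Counter({'home': 2, 'lan': 1}) for SAMPLE_LOG.
    """
    hits: Counter = Counter()
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue                       # not a query line
        _client, qname, _qtype, _qclass = m.groups()
        tld = tld_of(qname)
        if tld not in known:
            hits[tld] += 1
    return hits


def unbound_block_config(tlds, local_domain: str = "home") -> str:
    """Emit unbound 'server:' lines for the offending TLDs.

    The site's own local domain becomes a static zone (local data still
    answers, everything else gets NXDOMAIN); any other bogus TLD gets
    always_nxdomain. Both are documented unbound local-zone types.
    """
    lines = ["server:"]
    for tld in sorted(tlds):
        zone_type = "static" if tld == local_domain else "always_nxdomain"
        lines.append(f'    local-zone: "{tld}." {zone_type}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = non_public_queries(SAMPLE_LOG)
    print("non-public TLDs seen:", dict(hits))
    print(unbound_block_config(hits))
```

On pfSense the generated lines belong in the DNS Resolver custom options box rather than a hand-edited unbound.conf, which the GUI regenerates. Run the scan periodically against the resolver log rather than once: the set of bogus suffixes is whatever clients happen to have configured, so it changes as devices come and go.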