Ondřej Surý  

Unifi “Ad Blocking” features will hijack your DNS on just every IP address. It absolutely breaks DNS resolution - it returns REFUSED to non-recursive queries. Total mayhem.

1+
ruff  

@ondrej Uhm, that's a default in unbound now, called cache snoop protection (REFUSE to rd=0)

1
Ondřej Surý  

@ruff How is the even closely related to what I wrote? It’s the combination of DNS hijacking and RD-required that’s problematic.

1
ruff
Follow

@ondrej I mean it's OK to return REFUSED to non recursive queries. It's not OK to do otherwise. Nothing to do with hijacking.

· Web · 1 · 0 · 0
Ondřej Surý  

@ruff I never said that it is not ok. You can’t rip one sentence of the whole message and start arguing.

1
ruff  

@ondrej ok then I totlly miss the point. You cannot do DNS adblock without hijacking DNS, but yes that shouldn't be each and every request (proxying dns and breaking normal recursion) instead only for blacklisted. But if you hijack everything and pretend to be AA for everything then RD should be totally irrelevant as everything is non-recursive. Is it what you are saying that it still requires RD even when pretending being AA?

0
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml