**Ondřej Surý** @ondrej@sury.org · Oct 28, 2023, 06:32

**Ondřej Surý** @ondrej@sury.org · Oct 28, 2023, 06:32

Ondřej Surý @ondrej@sury.org

Oct 28, 2023, 06:32

Unifi “Ad Blocking” features will hijack your DNS on just every IP address. It absolutely breaks DNS resolution - it returns REFUSED to non-recursive queries. Total mayhem.

**ruff** @ruff@librem.one · Oct 28, 2023, 07:46

**ruff** @ruff@librem.one · Oct 28, 2023, 07:46

Oct 28, 2023, 07:46

ruff @ruff@librem.one

@ondrej Uhm, that's a default in unbound now, called cache snoop protection (REFUSE to rd=0)

**Ondřej Surý** @ondrej@sury.org · Oct 28, 2023, 07:55

**Ondřej Surý** @ondrej@sury.org · Oct 28, 2023, 07:55

Oct 28, 2023, 07:55

Ondřej Surý @ondrej@sury.org

@ruff How is the even closely related to what I wrote? It’s the combination of DNS hijacking and RD-required that’s problematic.

**ruff** @ruff@librem.one · Oct 28, 2023, 07:56

**ruff** @ruff@librem.one · Oct 28, 2023, 07:56

Oct 28, 2023, 07:56

ruff @ruff@librem.one

@ondrej I mean it's OK to return REFUSED to non recursive queries. It's not OK to do otherwise. Nothing to do with hijacking.

**Ondřej Surý** @ondrej@sury.org · Oct 28, 2023, 08:01

**Ondřej Surý** @ondrej@sury.org · Oct 28, 2023, 08:01

Oct 28, 2023, 08:01

Ondřej Surý @ondrej@sury.org

@ruff I never said that it is not ok. You can’t rip one sentence of the whole message and start arguing.

**ruff** @ruff@librem.one · 2023-10-28T08:13:54Z

ruff @ruff@librem.one

@ondrej ok then I totlly miss the point. You cannot do DNS adblock without hijacking DNS, but yes that shouldn't be each and every request (proxying dns and breaking normal recursion) instead only for blacklisted. But if you hijack everything and pretend to be AA for everything then RD should be totally irrelevant as everything is non-recursive. Is it what you are saying that it still requires RD even when pretending being AA?

Oct 28, 2023, 08:13 · Web · · ·