
rDNS PTR records leak local IP #2656

Closed
3 tasks done
EntropySmoke opened this issue Feb 9, 2021 · 5 comments
Labels
duplicate Duplicate or merged issues.

Comments

@EntropySmoke

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

I'm running the latest Beta of AdGuard Home on Raspberry Pi 2. I do not host anything over WAN and use strict outbound-only NAT. AdGuard Home resolves DNS only for local clients.

Issue Details

Unless specifically blocked in custom filtering rules, AdGuard Home resolves rDNS PTR records that leak local clients' IPs (in reverse). If I enable DHCP Server or assign static DHCP leases, the custom filtering rules do not block rDNS PTR records that leak local clients' IPs. Wikipedia says that such leaks are a common problem for incorrectly-configured DNS servers.

Expected Behavior

The expected behavior is for such leaks not to happen and for custom rules that block outbound rDNS PTR records to work regardless of AdGuard Home's DHCP settings.

Additional Information

Strict SNI is enabled in AdGuardHome.yaml. A self-signed SSL certificate is assigned as a security measure for the local administration login, and the domain name is left empty.

@ameshkov
Member

ameshkov commented Feb 9, 2021

Could you please provide a little bit more info, do you mean that AG sends PTR queries for your LAN clients to upstreams?

@ainar-g ainar-g added the waiting for data Waiting for users to provide more data. label Feb 10, 2021
@EntropySmoke
Author

Local Network Info:

  • Router IP 10.0.0.0, router is Gateway
  • Router is an edge router with public IP, router is not DHCP server, but router uses DHCP static IP assignment table
  • 6 local network clients with private IP range 10.0.0.1-10.0.0.7 connect to router 10.0.0.0
  • 10.0.0.7 is a local network client, a Raspberry Pi, running AGH and dedicated to DNS resolution for local clients
  • AGH is not DHCP server
  • Each client, including the client that runs AGH, has static IP manually configured
  • Router 10.0.0.0 specifies IP 10.0.0.7 for DNS resolution for all local clients
  • Trusted local clients are manually configured to use Gateway IP 10.0.0.0 and DNS IP 10.0.0.7
  • Untrusted local clients use Layer-3 guest isolation and are manually configured to use Gateway IP 10.0.0.0 and DNS IP 10.0.0.0, because guest isolation prevents untrusted clients from directly accessing any other device on the local network except the router
  • Local network does not host anything over WAN and is behind a strict NAT with all inbound connections dropped
  • AGH is set to use AdGuard DNS-over-HTTPS
  • AGH only allows DNS-over-HTTPS resolution, blocks all domains with "||*" rule, except for domains used to connect other local clients to VPN servers

Problem:

  • AGH lists *.0.0.10-in.addr-arpa queries in the log, where * is a wildcard that belongs to each of my network's local clients or my router
  • When AGH is not DHCP server and there are no static DHCP assignments in AGH DHCP settings, AGH blocks .0.0.10-in.addr-arpa queries via NXDOMAIN or resolves to 0.0.0.0 based on "||" rule
  • When AGH is not DHCP server, but AGH DHCP static assignments are set with friendly names, AGH does not block *.0.0.10-in.addr-arpa queries

Inquiries:

  • Should there be any *.0.0.10-in.addr-arpa queries for my local client queries traversing NAT? There are no services hosted over WAN, AGH DNS resolver is only for local network clients
  • Don't PTR *.0.0.10-in.addr-arpa queries with the reversed local IP reveal the local IP addresses of my network? If, for example, there is a 4.0.0.10-in.addr-arpa outbound query that is not blocked, then is it not obvious that the request comes from a local client with IP 10.0.0.4?
  • When router 10.0.0.0 specifies local DNS resolver with IP 10.0.0.7 and DNS resolver with IP 10.0.0.7 specifies router 10.0.0.0 in /etc/dhcpcd.conf, does it not create a loop? How to get around that loop?
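The behaviour described in the issue body and in the network details above (PTR queries for 10.0.0.0/8 addresses being forwarded to a public upstream) is the opposite of what a resolver following RFC 6303 does: reverse lookups for private ranges are answered locally and never forwarded. The following is an added Python example for this issue, not AdGuard Home's code, and it makes no claim about how AGH implements PTR handling. The query-log format, the lease table and the hostnames are constructed for illustration. Note that the real reverse zone is spelled `in-addr.arpa` (the issue text writes `in.addr-arpa`).

```python
"""Classify reverse-DNS (PTR) query names so that lookups for private address
space are answered locally instead of being forwarded to a public upstream.

Added example; not AdGuard Home code. Private ranges follow RFC 1918 plus
loopback and link-local, which RFC 6303 says a resolver should serve locally.
"""
import ipaddress
from typing import Optional

LOCALLY_SERVED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def reverse_name_to_network(qname: str) -> Optional[ipaddress.IPv4Network]:
    """Map an IPv4 reverse name to the address block it covers.

    '4.0.0.10.in-addr.arpa.' -> 10.0.0.4/32 (a single host)
    '0.0.10.in-addr.arpa'    -> 10.0.0.0/24 (a zone-level query)
    Anything that is not a well-formed in-addr.arpa name returns None.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    # Reverse names list octets least-significant first; pad missing low octets with 0.
    forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(forward) + f"/{8 * len(octets)}", strict=False)


def is_private_reverse(qname: str) -> bool:
    """True when the PTR name falls inside a block that must never reach an upstream."""
    net = reverse_name_to_network(qname)
    return net is not None and any(net.overlaps(p) for p in LOCALLY_SERVED)


def decide(qname: str, local_table: dict) -> tuple:
    """Resolver policy for one PTR query. Returns (answer_or_rcode, where).

    known private host   -> its local name, answered locally
    unknown private host -> NXDOMAIN, answered locally (never forwarded)
    anything else        -> forwarded to the configured upstream
    local_table maps dotted IPs to hostnames (constructed stand-in for DHCP leases).
    """
    net = reverse_name_to_network(qname)
    if net is not None and is_private_reverse(qname):
        if net.prefixlen == 32:
            name = local_table.get(str(net.network_address))
            if name:
                return (name, "local")
        return ("NXDOMAIN", "local")
    return (None, "upstream")


# Constructed query-log lines (not AGH's real log format): "<time> <qtype> <qname> <where>"
SAMPLE_LOG = """\
2021-02-09T10:00:01Z PTR 4.0.0.10.in-addr.arpa upstream
2021-02-09T10:00:02Z PTR 7.0.0.10.in-addr.arpa local
2021-02-09T10:00:03Z A example.com upstream
2021-02-09T10:00:04Z PTR 8.8.8.8.in-addr.arpa upstream
2021-02-09T10:00:05Z PTR 1.1.168.192.in-addr.arpa upstream
"""


def find_leaked_ptr(log_text: str) -> list:
    """Return the private PTR names that were sent upstream: the leak the issue describes."""
    leaked = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, qtype, qname, where = parts
        if qtype == "PTR" and where == "upstream" and is_private_reverse(qname):
            leaked.append(qname)
    return leaked


if __name__ == "__main__":
    table = {"10.0.0.7": "raspberrypi.lan"}  # constructed lease table
    print(decide("7.0.0.10.in-addr.arpa.", table))   # ('raspberrypi.lan', 'local')
    print(decide("4.0.0.10.in-addr.arpa.", table))   # ('NXDOMAIN', 'local')
    print(decide("8.8.8.8.in-addr.arpa.", table))    # (None, 'upstream')
    print(find_leaked_ptr(SAMPLE_LOG))                # ['4.0.0.10.in-addr.arpa', '1.1.168.192.in-addr.arpa']
```

`decide` shows the policy a resolver in this setup should apply: a reverse lookup for a private address either maps to a locally known host or gets an authoritative NXDOMAIN, and in neither case does the query reach the upstream, regardless of whether a DHCP lease table is populated. `find_leaked_ptr` is the check you would run over a query log to confirm whether the leak is actually happening; zone-level names such as `0.0.10.in-addr.arpa` are handled as well as full host names.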

@ameshkov ameshkov added this to the v0.105.1 milestone Feb 11, 2021
@ameshkov
Member

@ainar-g waiting for you to triage

@ainar-g ainar-g self-assigned this Feb 15, 2021
@ainar-g ainar-g modified the milestones: v0.105.1, v0.105.2 Feb 15, 2021
@ainar-g
Contributor

ainar-g commented Feb 15, 2021

Sorry, I've been busy with the v0.105.1 hotfixes. Once we're done with this one, I'll thoroughly research this one.

@ameshkov
Member

Sounds like this one: #2704

@ameshkov ameshkov added the duplicate Duplicate or merged issues. label Feb 18, 2021
@ameshkov ameshkov removed this from the v0.105.2 milestone Feb 18, 2021
@ainar-g ainar-g removed the waiting for data Waiting for users to provide more data. label Jul 29, 2021
3 participants