Don't prefetch always blocked entries

[bcookatpcsd]

I saw this in the logs:

[2022-05-22 19:21:35] ERROR can't prefetch 'lcprd1.samsungcloudsolution.net' can't resolve request via upstream server 127.0.0.1:52: read udp 127.0.0.1:16898->127.0.0.1:52: read: connection refused

and was happy to see the prefetch entry.. but

  9 upstream:                                                                       
    8   default:                                                                      
    7     - 127.0.0.1:52                                                              
    6   1.2.3.0/14:                                                                 
    5     - https://dns.nextdns.io/123abc/vultr-blocky-doh                            
    4     - tcp-tls:vultr-blocky-dot-123abc.dns.nextdns.io:853                        
    3   4.5.6.0/16:                                                                
    2     - https://dns.nextdns.io/123abc/vultr-blocky-doh                            
    1     - tcp-tls:vultr-blocky-dot-123abc.dns.nextdns.io:853                        
  10    172.16.42.0/24:                                                               
    1     - https://dns.nextdns.io/123abc/vultr-blocky-doh                            
    2     - tcp-tls:vultr-blocky-dot-123abc.dns.nextdns.io:853                        
    3   172.17.0.0/16:                                                                
    4     - https://dns.nextdns.io/123abc/vultr-blocky-doh                            
    5     - tcp-tls:vultr-blocky-dot-123abc.dns.nextdns.io:853                        
    6   192.0.2.254/32:                                                               
    7     - https://dns.nextdns.io/123abc/vultr-blocky-doh                            
    8     - tcp-tls:vultr-blocky-dot-123abc.dns.nextdns.io:853                        
    9 blocking:

(if there is a better way to do ACL's - please let me know)

So prefetching works from the default entry..

I added an entry for 127.0.0.1/32 as that's where prefetch seems to come from..

So the oddity/casualty seems to be that entry never should have been included in the prefetch..

[2022-05-22 19:35:31]  INFO queryLog: query resolved answer=A (0.0.0.0) client_ip=1.2.3.4 client_names=1.2.3.4 duration_ms=0 question=A (lcprd1.samsungcloudsolution.net.) response_code=NOERROR response_reason=BLOCKED (ads)

This is by no means a problem, it just was not what I was expecting.

Thank you in advance.

[0xERR0R]

So if I understand you right, you think it is not necessary to prefetch this domain, since it is on the black list?

[bcookatpcsd]

(rhetorically..) what result are you prefetching?

(developer.mozilla.com) - dns-prefetch helps developers mask DNS resolution latency.

I don't think there is any resolution which requires a recursive answer. The answer is fixed, and the query is denied.

Blocky I think is doing minimal work to (scanning and comparing array results - all locally) vs anything remotely..

Prefetching previously denied answers to store them in a different array to be able to answer quicker; correct, I do not think it is necessary to prefetch a blocked query..

OT, I did set prefetching to false

blocking:
  blockType: zeroIP
  blockTTL: 5m
  refreshPeriod: 24h
  blackLists:
    ads:
      - https://dblw.oisd.nl/basic/
      - https://hosts.oisd.nl/basic/
      - https://raw.githubusercontent.com/notracking/hosts-blocklists/master/dnscrypt-proxy/dnscrypt-proxy.blacklist.txt
      - https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
      - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/dnscrypt/spy.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
        
  whiteLists:
    ads:
      - /etc/blocky/whitelist.txt
  clientGroupsBlock:
    default:
      - ads
port: 53
httpPort: 127.0.0.1:4000
bootstrapDns: tcp+udp:45.90.28.0
filtering:
  queryTypes:
    - AAAA
    - HTTPS
    - ANY

caching:
  minTime: 5m
  maxTime: 30m
  prefetching: false

logLevel: info

dblw.oisd.nl is wildcards.. I've not spent any time looking at if blocky works with wildcards..

Entry: "*.example.com" should block access to "example.com" and "subdomain.example.com" but not "thiseexample.com"

I'm not saying it's a problem, I didn't know blocky would want to prefetch a blocked answer.. and then I didn't understand why it came from 'default'.. which is what I was originally trying to determine.. "are my AcL's working.. , nothing should be using that default entry.. "

Hope this helps.. (again) thanks in advance.

[0xERR0R]

Regarding the wildcard in blacklists: it is not supported. You can either use the hosts format or regex (within "/"), see https://0xerr0r.github.io/blocky/configuration/#regex-support

Regarding the prefetching of always blocked entries -> in your example, yes, it doesn't make sense to prefetch the entry, since it is always on the black list. Prefetching has no user/client context information, so if an entry is only blocked for a client A, it should be prefetched, because it is on a whitelist for the user B.

I think, we should check if the entry is always blocked and don't prefetch those entries.

[bcookatpcsd]

Thank you sir..

sorry to hijack this with a regex question..

assuming the 'allowlist' and 'blocklist' work with regex entries.. that listed example only says block..

I didn't find that regex example when reading the docs.. and had problems with the wildcards.. (not being supported) is what I came up with as well.. and assumed no regex was supported.. just wildcards aren't.. ok.. thank you for the clarification..

So..

/media.domain.(com|net)$/

Would match blahmedia.domain.com or blahmedia.domain.net as well as www.blahmedia.com and www.blahmedia.net

/^media.domain.(com|net)$/

only media.domain.com and only media.domain.net would be matched

right?

Thank you in advance

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.