AdguardTeam/DnsLibs

`$dnsrewrite` priority issue

Alex-302 opened this issue · 7 comments

Actual behavior

$dnsrewrite cannot override a regular blocking rule.

  • The rule which I tried to override

```
||d192r5l88wrng7.cloudfront.net^
```

  • The rule, used to override the blocking rule:

```
||d192r5l88wrng7.cloudfront.net^$dnsrewrite=cloudfront.net
```

or/and

```
||d192r5l88wrng7.cloudfront.net^$dnsrewrite=cloudfront.net,important
```

Windows

image

image

Android

image

Expected behavior

$dnsrewrite must have a higher priority than a basic rule: https://adguard-dns.io/kb/general/dns-filtering-syntax/#dnsrewrite

AdGuard for Windows 7.12 n5
AdGuard for Android 4 nightly (CL 1.10.177, DnsLibs 2.0.66)

I've tried to reproduce this. $dnsrewrite correctly overrides the basic rule. However, looking at the screenshots, it's probable that REFUSED responses are due to CNAME blocking (i.e. matching CNAME from response against the filters). When a CNAME is matched against the filters, we set the (imaginary) query type to CNAME, and $dnsrewrite=example.org doesn't match, seemingly by design:
image
@sxgunchenko @ameshkov discuss?

Why does it go through response filtering when a $dnsrewrite rule is applied?

I can't say for sure, since all I got is screenshots, but it probably goes through response filtering when dnsrewrite rule is not applied. Consider something like this:
Rules:

```
||d192r5l88wrng7.cloudfront.net^
||d192r5l88wrng7.cloudfront.net^$dnsrewrite=cloudfront.net
```

Request/response:

```
$ dig example.org
example.org 1234 IN CNAME d192r5l88wrng7.cloudfront.net
d192r5l88wrng7.cloudfront.net 1234 IN A 1.2.3.4
```

No rules are matched to the original request, and dnsrewrite is not matched to the CNAME because of the above.

The point is that if we already applied a $dnsrewrite rule, we should not filter the response.

We don't :)

I don't get the explanation then.

||d192r5l88wrng7.cloudfront.net^$dnsrewrite=cloudfront.net is applied to a query.
How can it be blocked due to CNAME blocking if responses are not filtered?

Looks like I've overthought this. Those REFUSED responses are probably to HTTPS (or anything other than A or AAAA) queries. That is why $dnsrewrite is not applied.
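A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not part of the thread and not DnsLibs code. It assumes, as the last comment suggests, that the shorthand `$dnsrewrite=<domain>` form is applied only to A and AAAA queries, and that a match on the basic rule is answered with REFUSED; `parse_rule`, `matches` and `decide` are hypothetical names.

```python
# Added illustration: a simplified model of the matching described in this thread.
# It is NOT DnsLibs code. Assumption (from the thread): the shorthand
# $dnsrewrite=<domain> form is applied only to A/AAAA queries.
from typing import NamedTuple, Optional

REWRITABLE_QTYPES = {"A", "AAAA"}  # assumption taken from the last comment


class Rule(NamedTuple):
    domain: str             # the domain inside ||domain^
    rewrite: Optional[str]  # $dnsrewrite target, or None for a basic blocking rule


def parse_rule(text: str) -> Rule:
    """Parse only the rule shapes quoted in the issue."""
    pattern, _, options = text.partition("$")
    if not (pattern.startswith("||") and pattern.endswith("^")):
        raise ValueError(f"unsupported pattern: {text!r}")
    rewrite = None
    for opt in filter(None, options.split(",")):
        if opt.startswith("dnsrewrite="):
            rewrite = opt[len("dnsrewrite="):]
        elif opt != "important":
            raise ValueError(f"unsupported modifier: {opt!r}")
    return Rule(pattern[2:-1].lower(), rewrite)


def matches(rule: Rule, name: str) -> bool:
    """||domain^ matches the domain itself and any of its subdomains."""
    name = name.rstrip(".").lower()
    return name == rule.domain or name.endswith("." + rule.domain)


def decide(rules, name: str, qtype: str):
    """Return (action, rewrite_target) for one name and query type."""
    hits = [r for r in rules if matches(r, name)]
    if qtype in REWRITABLE_QTYPES:
        for r in hits:
            if r.rewrite is not None:
                return ("REWRITE", r.rewrite)  # rewrite beats the basic rule
    if any(r.rewrite is None for r in hits):
        return ("REFUSED", None)  # only the basic blocking rule is left
    return ("PASS", None)


# The two rules from the issue.
RULES = [parse_rule(t) for t in (
    "||d192r5l88wrng7.cloudfront.net^",
    "||d192r5l88wrng7.cloudfront.net^$dnsrewrite=cloudfront.net",
)]
```

Calling `decide(RULES, name, qtype)` with `HTTPS`, or with the "imaginary" `CNAME` type from the earlier comment, falls through to the basic rule, while `A` and `AAAA` take the rewrite.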