Add support for blocked replies with NOERROR code and empty answer #8245

Open
agross wants to merge 1 commit into AdguardTeam:master from agross:fix-8024
@agross commented Feb 11, 2026

Hello,

I'm not a Go developer by trade and not a DNS expert; please be gentle.

I found #8024 is affecting me.

The default behavior of returning the null address makes localhost reachable under blocked names. This causes errors and unwanted behavior, like being able to ping blocked hosts (by talking to localhost).

Returning NXDOMAIN or REFUSED, on the other hand, will cause extra DNS queries with the search domain appended, i.e., blocked.example.com becomes blocked.example.com.local.domain.com.

By returning NOERROR without an answer section, these problems go away.

With this patch, AdGuard will return a response similar to resolving a non-existing name, i.e., asking a question but not getting an answer:

$ dig doesntexist.example.com # not blocked
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52361
...
;; QUESTION SECTION:
;doesntexist.example.com.       IN      A

;; AUTHORITY SECTION:
example.com.            1708    IN      SOA     elliott.ns.cloudflare.com. dns.cloudflare.com. 2395194487 10000 2400 604800 1800

If NOERROR is selected and a blocked name is requested, it looks like this:

$ dig ogads-pa.clients6.google.com # blocked by AdGuard DNS filter
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8474
...
;; QUESTION SECTION:
;ogads-pa.clients6.google.com.  IN      A

;; AUTHORITY SECTION:
ogads-pa.clients6.google.com. 10 IN     SOA     fake-for-negative-caching.adguard.com. hostmaster.ogads-pa.clients6.google.com. 100500 1800 900 604800 86400

Closes #8024
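
The reply shape shown in the second dig output above (NOERROR, empty answer section, one SOA in the authority section), built byte by byte as an added example; it is not code from this pull request or from AdGuard Home. The function names `encodeName`, `noDataReply` and `classify` are hypothetical, and the SOA values are copied from that dig output.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// encodeName turns "a.example." into uncompressed DNS wire labels.
func encodeName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// noDataReply builds the blocked reply for an A/IN question: NOERROR, empty
// answer section, one SOA in the authority section. Hypothetical helper.
func noDataReply(id uint16, qname, mname string, ttl uint32) []byte {
	// Header: ID; QR, RD, RA set with RCODE=0; QD=1, AN=0, NS=1, AR=0.
	r := []byte{byte(id >> 8), byte(id), 0x81, 0x80, 0, 1, 0, 0, 0, 1, 0, 0}
	r = append(append(r, encodeName(qname)...), 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	// SOA RDATA: MNAME, then RNAME = hostmaster.<qname> via a pointer to offset 12.
	rdata := append(encodeName(mname), "\x0ahostmaster\xC0\x0C"...)
	for _, v := range []uint32{100500, 1800, 900, 604800, 86400} { // from the dig output
		rdata = binary.BigEndian.AppendUint32(rdata, v)
	}
	r = append(r, 0xC0, 0x0C, 0, 6, 0, 1) // owner = qname, TYPE=SOA, CLASS=IN
	r = binary.BigEndian.AppendUint32(r, ttl)
	r = binary.BigEndian.AppendUint16(r, uint16(len(rdata)))
	return append(r, rdata...)
}

// classify names the reply style from the header alone; "" for other RCODEs.
func classify(msg []byte) string {
	if msg[3]&0x0F == 0 && msg[6]|msg[7] == 0 { // RCODE=0 and ANCOUNT=0
		return "NODATA"
	}
	return map[byte]string{0: "ANSWER", 3: "NXDOMAIN", 5: "REFUSED"}[msg[3]&0x0F]
}

func main() {
	r := noDataReply(8474, "ogads-pa.clients6.google.com.", "fake-for-negative-caching.adguard.com.", 10)
	fmt.Println(classify(r), len(r), "bytes")
}
```

`classify` reads only the RCODE and ANCOUNT header fields, so it cannot tell a null-address answer apart from a real one; that would need the answer records parsed as well.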

@windsurf-bot (bot) left a comment

💡 To request another review, post a new comment with "/windsurf-review".

filtering.BlockingModeDefault,
filtering.BlockingModeNXDOMAIN,
filtering.BlockingModeREFUSED,
filtering.BlockingModeNOERROR,
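
Review bot: `filtering.BlockingModeNOERROR`, the last entry in this list, is named after an RCODE alone, yet what sets the mode apart is the empty answer section, since NOERROR is also the code a normal, unblocked reply carries; the `NXDOMAIN` and `REFUSED` entries above it are fully described by their RCODE. Please add a doc comment on the constant stating that the answer section is left empty, or choose a name that says so, so the entry is not read as "answer normally".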

The PR adds filtering.BlockingModeNOERROR to the list of valid blocking modes, but I don't see a corresponding implementation in the filtering package. Make sure this mode is properly implemented in the filtering package to handle blocked domains with NOERROR responses without answer sections.

Author

This is a new approach to responding to filtered queries, not a new method for filtering.

Development

Successfully merging this pull request may close these issues.

Add "Blank" block mode
