hjkl
29 March 2020 11:01
1
Hi,
After recent upgrades of unbound and using DoT toward 1.1.1.1 I noticed the following behavior:
Only Android machines are impacted
Any URL shorten-er that translates in an https://[AppName].app.link/ gets an NXDOMAIN as answer from unbound -> Chrome stops
Putting the Android on 4G/GMS data that links is somehow resolved -> chrome then starts the app dedicated to handle those links (ebay.app.link for example).
Is there any way to define the *.app.link in unbound or…anything else that would avoid the NXDOMAIN response? (and Chrome stop)
Thanks!
ms
29 March 2020 15:38
2
If this won’t resolve then 1.1.1.1 must not resolve this either.
hjkl
31 March 2020 18:44
3
I found the issue:
DNS server 1.1.1.1 does resolve any app.link domain
Unbound on the other hand responds with NXDOMAIN
Root Cause: /etc/unbound/local.d/blocklist.conf does contain directive
[root@ipfire ~]# grep app.link -R /etc/unbound/always_nxdomain
Adding app.link in whitelist.txt solved the issue… now only the dangerous subdomains from app.link are blocked and not entire TLD+1
grep app.link -R /etc/unbound/
Sorry, my fault!
nslookup amazon.app.link
Non-authoritative answer:
arne_f
31 March 2020 21:34
4
We don’t ship any file in /etc/unbound/local.d/ so it is not an IPFire problem…