Be able to use ECS in "client-blocklist"

[cbuijs]

As the subject says, be able to use the ECS (ENDS0) network/subnet information in the query instead of the IP where the query comes from.

I think an extra option on client-blocklist that says use-ecs = true would be most convienent, then the IP information is matched against the blocklists.

When there is no ECS, then the default-resolver should be used. Default of use-ecs would be false.

Use case: When centralizing filtering of queries, you can "profile" certain groups of IP-Addresses that are behind gateways and such, instead of doing everything local (as alternative). In my case, I know my "inside" IP ranges that are used by my kids so I can filter non-kid stuff centrally on my central DNS box (which runs on Internet). Handy when not home (on travel) and I need to do modifications when not be able to go inside my home-network as example.

[folbricht]

Can you try #351 ? Completely untested so far. It relies on the ECS IP to be a full IP, not just a network though.

[cbuijs]

That should be okay, no? As the blocklists can use CIDR. The normal (non ecs) client-ip is an IP as well. The difference is that the ECS mostly will be a subnet (by default in most implementations,, but depends on the sender of the query how to represent the client ip in ECS (in my case, I put a /32 IPv4 or /128 IPv6 address).

Will test over the week, no access to the environment at the moment.

[folbricht]

The issue is if you were to use a non-/32 address in the query, this won't really work. So basically for use-ecs to work properly requires either /32 or /128 addresses in the query.

[cbuijs]

Gotcha. I think we can fix this by "documentation" and point out why/how. And it is a client-blocklist not a subnet-blocklist anyway ;-).

[cbuijs]

Just thinking... Maybe this is better and more usable in routers rule. Where we now have source we could use ecs-source? No need to have large lists, my expectation is that the use of it will be limited number of rules.

[folbricht]

That'd be more generic and useful I think, could also handle the network-ranges properly that way. Going to come up with a draft for this

[cbuijs]

Tried Brache-348, it works.

I was wondering. What if we just strip the bitmask from the ecs-ip? So it becomes a /32 or /128 anyway. I think the IP-List that is matched against should have the logic of being put together right then, no?

If I block 192.168.0.0/16 it really doesn't matter what IP-Address in that subnet is in ECS, as long as it matches on subnet-level (so 192.168.0.0, 192.168.1.0, 192.168.2.0 etc will match anyway).

[folbricht]

That's basically what's happening currently, it'll only use the ECS address, not the associated mask. In the current implementation it's treated as a /32 (/128). So to be blocked, it's just the address part that needs to be inside 192.168.0.0/16 in your example. If the ECS IP was 192.0.0.0/8 then it wouldn't match.

[cbuijs]

That works. Will test later today and feedback. Guess this needs clear documentation if not done already.

[cbuijs]

It works as expected/discussed... But... Checking with my configs and needs, and implementing it, I think supporting ecs as source in routers is more handy/flexible.