**Short description**

Hello, I'm currently using `dnsdist --version`:

```
dnsdist 2.0.0-alpha1 (Lua 5.1.4 [LuaJIT 2.1.1703358377])
Enabled features: AF_XDP cdb dns-over-quic dns-over-http3 dns-over-tls(gnutls openssl) dns-over-https(nghttp2) dnscrypt ebpf fstrm ipcipher libedit libsodium lmdb protobuf re2 recvmmsg/sendmmsg snmp systemd
```

I ran some tests and noticed that BPF blocking works as expected when using standard DNS queries like this:

```
bpf:blockQName(newDNSName("myblockeddomain.com"), 65535)
```

Example test:

```
host myblockeddomain.com <dnsdist_ip>
```

The domain is successfully blocked. However, when using DoH3 with a command like:

```
dnslookup myblockeddomain.com h3://mydns/dns
```

the query is not blocked and gets a valid response. I suspect this is due to payload encryption in DoH/DoQ/DoH3, preventing BPF from inspecting the domain at the right level.

Interestingly, using a dnsdist rule like:

```
addAction("myblockeddomain.com", SpoofCNAMEAction("blocked.example.com."))
```

works correctly across all transport types, including DoH3.

**Use Case**

I'm trying to block specific domains using BPF logic, including when the query is made over DoH3 or other encrypted transports.

**Feature request / Proposal**

Would it be possible to extend or adapt BPF-based domain blocking in dnsdist to support encrypted DNS protocols (DoH, DoQ, DoH3), or alternatively, provide an equivalent mechanism that works at the application level but behaves similarly to `bpf:blockQName()`?
Replies: 1 comment
Unfortunately that's not possible: the BPF program runs in kernel space and does not have any knowledge of HTTP, QUIC or even TLS, and even if it did it has no access to the key material needed to decrypt the data.

This is possible using the regular rules, and in particular:
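The application-level alternative the reply points to, written out as an added example dnsdist configuration (not code from the discussion or from the dnsdist project). It assumes a `SuffixMatchNode` rule plus a `LuaAction` that logs the transport via `dq:getProtocol()`; the listening addresses, certificate paths and the blocked name are placeholders to adapt.

```lua
-- Added example: block a domain at the application level in dnsdist so the
-- block applies to every transport (Do53, DoT, DoH, DoQ, DoH3).
-- Rules run after dnsdist has terminated TLS/QUIC/HTTP, so unlike the
-- kernel-side BPF filter they see the decrypted question.

-- Placeholder frontends (adjust addresses and certificate paths).
setLocal("0.0.0.0:53")
-- addDOH3Local("0.0.0.0:443", "/path/to/cert.pem", "/path/to/key.pem")

-- Blocklist held in a suffix-match tree: "myblockeddomain.com" and any
-- name below it (the same placeholder domain used in the discussion).
local blocked = newSuffixMatchNode()
blocked:add(newDNSName("myblockeddomain.com"))

-- Visibility: log which transport carried a blocked query, which makes
-- it easy to confirm the rule fires for DoH3 and not only plain DNS.
-- Returning DNSAction.None lets processing continue to the next rule.
local function logBlocked(dq)
  infolog(string.format("blocked %s via %s from %s",
    dq.qname:toString(), dq:getProtocol(), dq.remoteaddr:toString()))
  return DNSAction.None
end

addAction(SuffixMatchNodeRule(blocked), LuaAction(logBlocked))

-- Enforcement: answer with a CNAME to a sinkhole name, as the original
-- post already observed working across transports. DropAction() or
-- RCodeAction(DNSRCode.NXDOMAIN) are alternatives if a CNAME is not wanted.
addAction(SuffixMatchNodeRule(blocked), SpoofCNAMEAction("blocked.example.com."))
```

Note that `bpf:blockQName()` can still be kept alongside this for cheap early dropping of plaintext UDP/TCP traffic; the rule above is what covers the encrypted frontends.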