[Feature Request] Local EndPoint with Client ID in Drop Requests App

[hchengting]

Problem/Use Case

Currently in the Drop Requests App, we can configure whether to allow or drop requests from specific networks.

{
  "enableBlocking": true,
  "dropMalformedRequests": false,
  "allowedNetworks": [
    "127.0.0.1",
    "::1",
    "10.0.0.0/8",
    "172.16.0.0/12"
  ],
  "blockedNetworks": [
    "192.168.0.0/16"
  ]
}

However, it lacks the ability to allow or drop requests based on client identifiers, similar to the localEndPointGroupMap option in the Advanced Blocking App.
I believe adding this feature would be helpful for use cases involving DoT, DoH, and DoQ, especially in publicly exposed scenarios.

Proposed Solution/Feature

Support domain names in allowed/blocked networks

{
  "enableBlocking": true,
  "dropMalformedRequests": false,
  "allowedNetworks": [
    "secret-client-id.example.com",
    "127.0.0.1",
    "::1",
    "10.0.0.0/8",
    "172.16.0.0/12"
  ],
  "blockedNetworks": [
    "192.168.0.0/16"
  ]
}

Or perhaps adding new fields for domain names

{
  "enableBlocking": true,
  "dropMalformedRequests": false,
  "allowedLocalEndpoints": [
    "secret-client-id.example.com"
  ],
  "allowedNetworks": [
    "127.0.0.1",
    "::1",
    "10.0.0.0/8",
    "172.16.0.0/12"
  ],
  "blockedNetworks": [
    "192.168.0.0/16"
  ]
}

Thank you very much!

[ShreyasZare]

Thanks for the request. I am not sure how you are going to use this exactly. Can you tell in brief how you intend to use this feature?

The Drop Request app is designed to drop unwanted requests to mitigate things like amplification attacks or DoS attacks.

The Local End Point feature with the Advanced Blocking app gives the end point of the DNS server itself. It does not tell anything about the client request apart from the fact that the client request was received on a specific local end point. So, allowing a local end point wont be of any use since that would allow an attacker to abuse the DNS server on that specific local end point.

[hchengting]

Hello @ShreyasZare, thank you for your reply.

In my use case, I deployed the Technitium DNS Server on a VPS and used the Private DNS feature on my Android phone to connect to the DNS server via DNS-over-TLS.

However, I've noticed occasionally random unknown IPs attempt to query via DoT. This led me to consider using a wildcard certificate with the Drop Requests App to only allow queries from pre-configured IDs like b5e37f50.mydomain.com, while dropping all others.

I understand that a better approach would be to connect directly to the VPS via VPN. However, due to the VPS's bandwidth limitations, I've found that doing so reduces overall network speed. This is why I prefer using the DoT method for connectivity.

[hchengting]

I'm currently using the Advanced Blocking App to achieve similar functionality. Beyond pre-configured local endpoints, any queries made via DoT receive an NXDOMAIN response. However, I think the ideal approach would be to drop the requests entirely.

[ShreyasZare]

Thanks for the details. This looks quite useful for such scenarios which are kind of common. Will get the app updated with an option for this.