Replies: 2 comments 2 replies
Thanks for the post. This has been requested multiple times earlier too, but it's not really feasible to implement. The first issue is that the end-user needs to buy expensive IP location databases which are billed per month, so right here it stops making sense for most people. The other issue is that these databases are not accurate, so if this feature was implemented, you may suddenly find that DNS is no longer working because the location db thinks you are in a different country. For the already existing DNS apps, all they do is serve the IP of the nearest server, so even if the location is incorrect, the user would just get the IP of a server far away with a few ms of delay added. It does not affect the service in such a case. Then, having a country-based geo fence is still not of much use, since anyone in the region is still allowed to abuse your DNS service. Also, DNS requests over UDP transport can be spoofed, so your server can still be abused by spoofed DNS requests.
As far as I know, the bodies responsible for distributing IP addresses also share the IP lists they allocate to each country, don't they? So it doesn't have to be GeoIP. Like, for example, RIPE NCC's up-to-date IP database allocated to Turkey in JSON format: Since they are the body authorized to allocate any IP address, they would know best which IP they released to whom and where, and they keep it updated each time an allocation changes. I think the case you mentioned as a risk is negligible in this case. Can't it work like how adblock lists work? You save adblock list links and Technitium updates it periodically from those links. That could be the same logic here.
A newcomer here. Thanks for sharing this great software with us. I have newly deployed Technitium DNS on two different sites, which I want to make a cluster with. I will be using Technitium for both authoritative DNS management and for recursive requests, with the purpose of replacing AdGuard.
But the idea of employing two publicly open recursive DNS resolvers scares me. Right now, Technitium has the ability to deny recursive requests based on ACL or public IPs, which is great; but these two options provide solutions which would be ineffective for my fright.
ACL has a limitation of 255 entries which is not illogical but is not suitable for all cases, and having to use private IPs for recursion is a luxury, for all the clients would need to have a VPN connection at all times to where Technitium is running, in the case of a remote deployment. And in my case, there are also mobile clients.
So I think having recursion limited to a country would be a good solution, instead of having it open to the whole world.
There are already GeoIP apps which help serve different DNS records for different regions. So why not use them like an ACL too? This way, for example, Technitium would check if it is authoritative for the requested record and, if so, respond; but if it's a recursive request, then it would block (drop) requests coming from unwanted regions.
What say you?
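The check proposed in the post above (answer queries for zones the server hosts, recurse only for clients inside one country's prefixes, drop the rest), built on the reply's suggestion of taking those prefixes from the RIR's own delegation data instead of a GeoIP product: an added example in Python, not code from Technitium or from any participant in this thread. It assumes the public "delegated-extended" stats file format the RIRs publish (pipe-separated `registry|cc|type|start|value|date|status|opaque-id` records, where an IPv4 `value` is an address count and an IPv6 `value` is a prefix length); the sample records embedded below are constructed, not real allocations, and the function and class names are my own.

```python
"""Country-scoped recursion allow list from an RIR delegated-extended file.

Added example, not Technitium's code. Builds an IPv4/IPv6 prefix set for the
chosen country codes from the RIR delegated-extended stats format, then applies
the policy from the thread: authoritative answers for everyone, recursion only
for clients inside the allowed prefixes, everything else dropped.
"""
import ipaddress

# Constructed sample in the delegated-extended format (illustrative records
# using documentation prefixes; the real file has hundreds of thousands of lines).
SAMPLE_DELEGATED = """\
2|ripencc|20240101|5|19830705|20240101|+0100
ripencc|*|ipv4|*|3|summary
ripencc|TR|ipv4|192.0.2.0|256|20100101|allocated|abc123
ripencc|TR|ipv4|198.51.100.0|768|20120101|assigned|def456
ripencc|DE|ipv4|203.0.113.0|256|20110101|allocated|ghi789
ripencc|TR|ipv6|2001:db8::|32|20100101|allocated|abc123
ripencc|TR|asn|64496|1|20100101|allocated|abc123
"""


def parse_delegated(text, countries):
    """Return collapsed ip_network objects delegated to the given ISO country codes."""
    wanted = {c.upper() for c in countries}
    v4, v6 = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:
            continue  # version header and summary lines have fewer fields
        _registry, cc, kind, start, value, _date, status = fields[:7]
        if cc not in wanted or status not in ("allocated", "assigned"):
            continue
        if kind == "ipv4":
            # IPv4 value is an address count, not necessarily a power of two,
            # so a single record may expand to several CIDR prefixes.
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def prefix_strings(nets):
    """Sorted CIDR strings, handy for eyeballing or persisting the list."""
    return sorted(str(n) for n in nets)


class RecursionPolicy:
    """Decide per query: ANSWER (authoritative), RECURSE, REFUSED or DROP."""

    def __init__(self, authoritative_zones, allowed_nets):
        self.zones = tuple(z.lower().rstrip(".") for z in authoritative_zones)
        self.v4 = [n for n in allowed_nets if n.version == 4]
        self.v6 = [n for n in allowed_nets if n.version == 6]

    def is_authoritative(self, qname):
        name = qname.lower().rstrip(".")
        return any(name == z or name.endswith("." + z) for z in self.zones)

    def client_allowed(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        nets = self.v4 if ip.version == 4 else self.v6
        # Linear scan is fine for a demo; a radix tree is the usual choice at scale.
        return any(ip in n for n in nets)

    def decide(self, client_ip, qname, rd):
        """client_ip: source address; qname: query name; rd: recursion-desired flag."""
        if self.is_authoritative(qname):
            return "ANSWER"          # our own zones are served to anyone
        if not rd:
            return "REFUSED"         # non-recursive query for a zone we don't host
        return "RECURSE" if self.client_allowed(client_ip) else "DROP"


if __name__ == "__main__":
    nets = parse_delegated(SAMPLE_DELEGATED, ["TR"])
    print("allowed prefixes:", prefix_strings(nets))
    policy = RecursionPolicy(["example.com"], nets)
    for ip, name, rd in [("192.0.2.10", "www.example.com.", True),
                         ("203.0.113.5", "www.example.com.", True),
                         ("198.51.102.7", "www.example.net.", True),
                         ("203.0.113.5", "www.example.net.", True),
                         ("2001:db8::1", "www.example.net.", True)]:
        print(ip, name, "->", policy.decide(ip, name, rd))
```

Two caveats worth keeping in mind if you build on this. The delegation file records the country of the registered holder, not where a prefix is actually announced or used, so the match is "whose allocation" rather than "where the client is". And, as noted in the first reply, the decision keys on the source address of a UDP packet, which can be spoofed; a list like this narrows who can use the resolver as a client but does not replace rate limiting or response-size controls against reflection.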