documentation in example-blocked-names.txt · DNSCrypt/dnscrypt-proxy · Discussion #2787

Philippe-Cmoi
Feb 12, 2025

Hello,

The file example-blocked-names.txt states :

## *.example.com | matches example.com and all names within that zone such as www.example.com
## example.com | identical to the above

but this is not completly true when the query concern a CNAME.

For example, this filter in the blocklist :
facebook.*
block queries for facebook.com but not queries for www.facebook.com or connect.facebook.net :

$ host facebook.com
facebook.com host information "This query has been locally blocked" "by dnscrypt-proxy"

$ host www.facebook.com
www.facebook.com is an alias for star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com has address 157.240.14.35

$ host connect.facebook.net
connect.facebook.net is an alias for scontent.xx.fbcdn.net.
scontent.xx.fbcdn.net has address 31.13.69.13

This filter (in the blocklist) :
*.facebook.*
block queries for both facebook.com, www.facebook.com and connect.facebook.net.

If I understand correctly, this is the intented operation. But example-blocked-names.txt could be more precise.

Anyway... thanks for dnscrypt-proxy, it is really super useful.

Replies: 1 comment 3 replies

jedisct1
Feb 12, 2025
Maintainer

In addition to the documentation, the example-blocked-names.txt file says:

ads.* | matches anything with an "ads." prefix
*sex* | matches any name containing that substring

which seem to match the two examples you gave.

3 replies

@Philippe-Cmoi

Philippe-Cmoi Feb 12, 2025
Author

Thanks for your reply.

Yes, you are right, *facebook* also blocks the three requests.
My concern is about the "example.com | identical to the above" : I was surprised to see successfull requests to connect.facebook.net despite facebook.* in the blocklist ; it took me some time to understand how it works...
Maybe :
## example.com | identical to the above, except when example.com is an alias/cname
can help the beginner.

@jedisct1

jedisct1 Feb 12, 2025
Maintainer

This is unrelated to CNAMEs.

facebook.* matches anything with a facebook. prefix.

connect.facebook.net doesn't start with facebook.

@Philippe-Cmoi

Philippe-Cmoi Feb 13, 2025
Author

Gasp... I got the examples completly wrong.
Thanks for your explanations, I finallly see my mistake.

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

documentation in example-blocked-names.txt #2787

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Philippe-Cmoi
Feb 12, 2025

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

jedisct1
Feb 12, 2025
Maintainer

Uh oh!

{{title}}

Uh oh!

Philippe-Cmoi Feb 12, 2025
Author

Uh oh!

{{title}}

Uh oh!

jedisct1 Feb 12, 2025
Maintainer

Uh oh!

{{title}}

Uh oh!

Philippe-Cmoi Feb 13, 2025
Author

Select a reply

Uh oh!

documentation in example-blocked-names.txt #2787

Uh oh!

Uh oh!

Philippe-Cmoi Feb 12, 2025

Replies: 1 comment · 3 replies

Uh oh!

jedisct1 Feb 12, 2025 Maintainer

Uh oh!

Philippe-Cmoi Feb 12, 2025 Author

Uh oh!

jedisct1 Feb 12, 2025 Maintainer

Uh oh!

Philippe-Cmoi Feb 13, 2025 Author

Philippe-Cmoi
Feb 12, 2025

Replies: 1 comment 3 replies

jedisct1
Feb 12, 2025
Maintainer

Philippe-Cmoi Feb 12, 2025
Author

jedisct1 Feb 12, 2025
Maintainer

Philippe-Cmoi Feb 13, 2025
Author