
feat: specify skipped domains #366


Open. Wants to merge 1 commit into base: master.

Conversation

tnyeanderson

At the moment, it doesn't seem possible to specify that a domain (and its subdomains) should only ever be resolved locally.

There is private_networks, which works in the opposite direction (ensures local IP reverse lookups are not recursed upstream). There is also local_domain_name, which is unfortunately a DHCP setting and seems to have no effect on this behavior (at least if DHCP is disabled, as it is in my setup).

This PR adds the ability to ensure that certain domains are treated as local-only and are never sent to any upstream servers for resolution. Essentially, it allows you to manage DNS for a local domain through AdGuardHome while ensuring that requests for non-existent subdomains aren't leaked to an upstream resolver.

@tnyeanderson tnyeanderson force-pushed the local-only-domains branch 2 times, most recently from d50e047 to 9461681 Compare November 30, 2023 10:21
@EugeneOne1 (Member)

@tnyeanderson, hello and thanks for the contribution. What exactly do you mean by "should be resolved locally"? As far as I can see, the introduced changes just add the ability to respond with the NXDOMAIN code for specific domain names. I'm assuming you're using AdGuard Home, which already provides such functionality with $dnsrewrite rules, e.g.:

||domain.local^$dnsrewrite=NXDOMAIN

If the purpose is to prevent non-local clients from resolving such domains, the $client modifier may also appear useful. For example:

||domain.local^$client=~127.0.0.0/8|~192.168.0.0/16,dnsrewrite=NXDOMAIN

will only allow resolving the domain.local (and its subdomains) to the clients with addresses within 127.0.0.0/8 and 192.168.0.0/16 networks.
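To make the semantics of the two rules above concrete, here is an added example written for this thread (it is not AdGuard Home's or dnsproxy's own code). It parses a rule of that shape and decides whether a given client gets NXDOMAIN for a given name. It assumes the usual reading of the modifiers: `||domain^` matches the domain and all of its subdomains, `$client` entries prefixed with `~` exempt those networks, and unprefixed entries restrict the rule to them. The `Only`/`Except` field names and the client addresses used in main are this example's own. One caveat it makes visible: both `~` exceptions are IPv4 networks, so a query arriving from `::1` is not exempted and still gets NXDOMAIN.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is the parsed form of an AdGuard-style line such as
//   ||domain.local^$client=~127.0.0.0/8|~192.168.0.0/16,dnsrewrite=NXDOMAIN
// (illustrative re-implementation for this thread, not AdGuard Home's engine).
type Rule struct {
	Domain   string       // matches this name and every subdomain
	Only     []*net.IPNet // $client entries without "~": rule applies only to these
	Except   []*net.IPNet // $client entries with "~": rule never applies to these
	NXDomain bool         // $dnsrewrite=NXDOMAIN present
}

// canonical lowercases and drops the trailing dot ("Host.Local." == "host.local").
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

func parseClientNet(s string) (*net.IPNet, error) { // bare IP or CIDR, as $client allows
	if ip := net.ParseIP(s); ip != nil { // bare address: widen to a single-host mask
		if ip.To4() != nil {
			s += "/32"
		} else {
			s += "/128"
		}
	}
	_, n, err := net.ParseCIDR(s)
	return n, err
}

// ParseRule handles the "||domain^$modifiers" subset used in the thread.
func ParseRule(line string) (*Rule, error) {
	if !strings.HasPrefix(line, "||") {
		return nil, fmt.Errorf("unsupported rule %q", line)
	}
	domain, mods, _ := strings.Cut(strings.TrimPrefix(line, "||"), "^")
	r := &Rule{Domain: canonical(domain)}
	for _, m := range strings.Split(strings.TrimPrefix(mods, "$"), ",") {
		key, val, _ := strings.Cut(m, "=")
		switch key {
		case "": // no modifiers at all
		case "dnsrewrite":
			if val != "NXDOMAIN" {
				return nil, fmt.Errorf("only dnsrewrite=NXDOMAIN is handled here, got %q", val)
			}
			r.NXDomain = true
		case "client":
			for _, c := range strings.Split(val, "|") {
				n, err := parseClientNet(strings.TrimPrefix(c, "~"))
				if err != nil {
					return nil, err
				}
				if strings.HasPrefix(c, "~") {
					r.Except = append(r.Except, n)
				} else {
					r.Only = append(r.Only, n)
				}
			}
		default:
			return nil, fmt.Errorf("unsupported modifier %q", key)
		}
	}
	return r, nil
}

func inAny(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ReturnsNXDomain answers the thread's question: does this client get NXDOMAIN
// for qname, or does the query continue to normal resolution?
func ReturnsNXDomain(r *Rule, qname string, client net.IP) bool {
	q := canonical(qname)
	if q != r.Domain && !strings.HasSuffix(q, "."+r.Domain) {
		return false
	}
	if inAny(r.Except, client) || (len(r.Only) > 0 && !inAny(r.Only, client)) {
		return false
	}
	return r.NXDomain
}

func main() {
	r, err := ParseRule("||domain.local^$client=~127.0.0.0/8|~192.168.0.0/16,dnsrewrite=NXDOMAIN")
	if err != nil {
		panic(err)
	}
	// false (LAN client exempt), true (outside both ranges), true (IPv6 loopback is not in an IPv4 exception)
	for _, c := range []string{"192.168.1.10", "10.0.0.5", "::1"} {
		fmt.Println(c, ReturnsNXDomain(r, "host.domain.local", net.ParseIP(c)))
	}
}
```

If IPv6 clients exist on the LAN, the exception list has to name their prefixes (for example ~::1 and the site's ULA or GUA range) as well; an IPv4-only exception silently leaves them subject to the rewrite.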

@tnyeanderson (Author) commented Dec 3, 2023

Hi Eugene, the more I think about this, I think the goal should be to mimic the behavior of --auth-zone in dnsmasq.

In other words, tell dnsproxy (and therefore adguardhome) that it should act as the authoritative nameserver for a particular domain/subdomain, so that DNS requests asking to resolve that domain (or its subdomains) will never be forwarded on to any other upstream nameserver. For answers known to adguardhome (through rewrites in the config file or $dnsrewrite hosts), it should return with AUTHORITY: 1 (the AA header from RFC1035). If adguardhome cannot resolve the name on its own, it should not recurse, and instead return NXDOMAIN.

Of course this PR doesn't exactly do this at the moment, but I think it's a reasonable part of the DNS spec to implement, and meets my need better than my current shoehorned implementation.

Before I switched to adguardhome, I was actually using dnsmasq and was using this auth-zone config for my homelab domain, so now I'm trying to get the same behavior here. At the moment, subdomains which I haven't explicitly set in rewrites get recursed and end up with a SERVFAIL response. I haven't nailed down why, but ideally I don't want them recursed (leaked) at all. If there's a way to do that currently, then I've missed it. I tried adding your configuration, but it doesn't seem to stop the SERVFAILs...

@tnyeanderson tnyeanderson changed the title feat: specify local-only domains feat: specify skipped domains Mar 24, 2025
@tnyeanderson (Author)

Alright I finally got back around to working on this, I believe the tests pass (can you run the workflow to check?), and I've narrowed the scope a bit here.

This PR adds syntax for skipping requests for certain domains and immediately responding NXDOMAIN: [/host.com/]- will accomplish this for host.com and all of its subdomains.

This will be useful for those who want to use dnsproxy with very limited "blocking" capabilities, but will also accommodate the use case where someone using AdGuardHome wants to ensure that their locally-configured domains (set with rewrite directives) are not accidentally recursed upstream. For example, if a subdomain is typo'd, the request would end up leaking upstream. However, if I configure the dnsproxy used by AdGuardHome to skip my local domain, then the client would get an NXDOMAIN for their typo'd subdomain, as "expected".

The "authoritative" piece of this has been dropped for now to keep things simple.

Let me know if there's any adjustments I need to make here. Thanks!
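The following is an added example written for this thread, not dnsproxy's own parser or the code in this PR. It models how upstream lines in dnsproxy's existing `[/domain/]upstream` convention and the `[/host.com/]-` form proposed above could be parsed and then used to route a query name: a skipped domain and all of its subdomains are answered NXDOMAIN locally and never forwarded, while other names go to their domain-specific or default upstream. The `Upstream`/`Route` types, the addresses in main, and the longest-matching-domain precedence (which lets a more specific line carve a subdomain back out of a skipped zone) are this example's assumptions; the thread does not specify precedence.

```go
package main

import (
	"fmt"
	"strings"
)

// Upstream is one parsed line of dnsproxy-style upstream configuration:
//   9.9.9.9                     default upstream
//   [/corp.example/]10.0.0.53   upstream for corp.example and its subdomains
//   [/home.lab/]-               the form from this PR: answer NXDOMAIN, never forward
// (illustrative re-implementation for this thread, not dnsproxy's parser).
type Upstream struct {
	Domains []string // empty for the default upstream
	Address string   // empty when Skip is set
	Skip    bool     // reply NXDOMAIN locally instead of forwarding
}

// Route is the decision for one query name.
type Route struct {
	Upstream string // address to forward to; empty when Skip is set
	Skip     bool
}

// canonical lowercases and drops the trailing dot ("Typo.Home.Lab." == "typo.home.lab").
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// ParseUpstream parses "[/d1/d2/]address", "[/d1/]-" or a plain address.
func ParseUpstream(line string) (Upstream, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "[/") {
		if line == "" || line == "-" {
			return Upstream{}, fmt.Errorf("invalid upstream %q", line)
		}
		return Upstream{Address: line}, nil
	}
	end := strings.Index(line, "/]")
	if end < 0 {
		return Upstream{}, fmt.Errorf("unterminated domain list in %q", line)
	}
	u := Upstream{Address: line[end+2:]}
	for _, d := range strings.Split(line[2:end], "/") {
		if d = canonical(d); d != "" {
			u.Domains = append(u.Domains, d)
		}
	}
	switch {
	case len(u.Domains) == 0:
		return Upstream{}, fmt.Errorf("empty domain list in %q", line)
	case u.Address == "-":
		u.Skip, u.Address = true, "" // the "[/host.com/]-" form from this PR
	case u.Address == "":
		return Upstream{}, fmt.Errorf("missing upstream address in %q", line)
	}
	return u, nil
}

// RouteQuery picks the upstream for qname. A listed domain matches itself and
// every subdomain, label-aligned ("nothome.lab" is not under "home.lab"). The
// longest matching domain wins (this example's assumption); with no match the
// default upstream is used, and with no default either the query cannot be routed.
func RouteQuery(ups []Upstream, qname string) (Route, error) {
	q := canonical(qname)
	best, bestLen := Route{}, -1
	for _, u := range ups {
		if len(u.Domains) == 0 {
			if bestLen < 0 {
				best, bestLen = Route{Upstream: u.Address}, 0
			}
			continue
		}
		for _, d := range u.Domains {
			if (q == d || strings.HasSuffix(q, "."+d)) && len(d) > bestLen {
				best, bestLen = Route{Upstream: u.Address, Skip: u.Skip}, len(d)
			}
		}
	}
	if bestLen < 0 {
		return Route{}, fmt.Errorf("no upstream configured for %q", q)
	}
	return best, nil
}

func main() {
	var ups []Upstream
	for _, l := range []string{"[/home.lab/]-", "[/public.home.lab/]1.1.1.1", "[/corp.example/]10.0.0.53", "9.9.9.9"} {
		u, err := ParseUpstream(l)
		if err != nil {
			panic(err)
		}
		ups = append(ups, u)
	}
	for _, q := range []string{"typo.home.lab", "www.public.home.lab", "db.corp.example", "nothome.lab"} {
		r, _ := RouteQuery(ups, q)
		fmt.Printf("%-20s skip=%-5v upstream=%s\n", q, r.Skip, r.Upstream)
	}
}
```

The point to check in a real deployment is the typo case: a query for a name under the skipped zone that has no rewrite must produce NXDOMAIN from the resolver itself and no outbound packet to any upstream, which is easiest to confirm by watching the upstream-facing interface while querying.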

2 participants