Package: dnsmasq
Version: 2.89-1

I'm using hosts lists to deny adservers. Since the OS upgrade from Debian 11 to Debian 12 the host lists are bypassed by MX queries.

Configs

/etc/dnsmasq.conf

    no-resolv
    no-hosts
    no-poll
    expand-hosts
    domain-needed
    bogus-priv
    auth-server=dns.mld
    listen-address=192.168.109.50,127.0.0.1,fd00::6662:66ff:fed0:5ac,::1
    auth-zone=mld,192.168.109.0/24
    #- Serial,Hostmaster,Refresh,Retry,Expiry -#
    auth-soa=42,ad...@xyz.mld,86400,900,86400
    domain=mld,192.168.109.0/24,local
    server=9.9.9.9 # Speedy
    server=2620:0:ccc::2 # OpenDNS IPv6

/etc/dnsmasq.d/hosts-adblock

    hosts-adblock:address=/ad.yieldlab.net/192.168.109.10

Expected behaviour:

    host ad.yieldlab.net
    ad.yieldlab.net has address 192.168.109.10

Actual behaviour:

    host ad.yieldlab.net
    ad.yieldlab.net has address 192.168.109.10
    ad.yieldlab.net is an alias for yieldlab.net.edgekey.net.
    yieldlab.net.edgekey.net is an alias for e3120.g.akamaiedge.net.
    ad.yieldlab.net is an alias for yieldlab.net.edgekey.net.
    yieldlab.net.edgekey.net is an alias for e3120.g.akamaiedge.net.

dig works more precisely:

    dig ad.yieldlab.net
    ;; ANSWER SECTION:
    ad.yieldlab.net. 0 IN A 192.168.109.10

    dig -t mx ad.yieldlab.net
    ;; ANSWER SECTION:
    ad.yieldlab.net. 5198 IN CNAME yieldlab.net.edgekey.net.
    yieldlab.net.edgekey.net. 12440 IN CNAME e3120.g.akamaiedge.net.
    ;; AUTHORITY SECTION:
    g.akamaiedge.net. 1000 IN SOA n0g.akamaiedge.net. hostmaster.akamai.com. 1724065134 1000 1000 1000 1800

If I call a webpage in a web browser (Firefox, Vivaldi), I can see the queries in dnsmasq.log:

    dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: query[A] ad.yieldlab.net from 192.168.109.21
    dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: config ad.yieldlab.net is 192.168.109.10
    dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: query[AAAA] ad.yieldlab.net from 192.168.109.21
    dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: forwarded ad.yieldlab.net to 9.9.9.9

On my notebook I'm using an unbound DNS, which doesn't suffer from this problem. host returns only the IPv4 address.
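
An added example, not part of the original report and not dnsmasq's own code: a Python script that scans a query log in the format quoted above and lists every query that was forwarded upstream for a name that also has a local `config` answer, together with the query type that got through. The function name `find_leaks` and the sample log (including its MX and example.mld lines) are constructed for illustration; it assumes the plain log line format shown in the report.

```python
import re

# One dnsmasq log event: a client query, a locally configured answer, or an upstream forward.
EVENT = re.compile(
    r"dnsmasq\[\d+\]: (?:query\[(?P<qtype>[^\]]+)\] (?P<qname>\S+) from (?P<client>\S+)"
    r"|config (?P<cname>\S+) is (?P<addr>\S+)"
    r"|forwarded (?P<fname>\S+) to (?P<upstream>\S+))"
)

# Constructed sample, modelled on the log lines in the report.
SAMPLE_LOG = """\
dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: query[A] ad.yieldlab.net from 192.168.109.21
dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: config ad.yieldlab.net is 192.168.109.10
dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: query[AAAA] ad.yieldlab.net from 192.168.109.21
dnsmasq.log:Aug 19 00:27:02 dnsmasq[45201]: forwarded ad.yieldlab.net to 9.9.9.9
dnsmasq.log:Aug 19 00:27:05 dnsmasq[45201]: query[MX] ad.yieldlab.net from 192.168.109.21
dnsmasq.log:Aug 19 00:27:05 dnsmasq[45201]: forwarded ad.yieldlab.net to 9.9.9.9
dnsmasq.log:Aug 19 00:27:06 dnsmasq[45201]: query[A] example.mld from 192.168.109.21
dnsmasq.log:Aug 19 00:27:06 dnsmasq[45201]: forwarded example.mld to 9.9.9.9
"""

def find_leaks(lines):
    """Return (name, qtype, client, upstream) for forwards of locally configured names."""
    locally_answered = set()   # names that received a "config ... is ..." answer
    last_query = {}            # name -> (qtype, client) of the most recent query
    forwards = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        if m["qname"]:
            last_query[m["qname"].lower()] = (m["qtype"], m["client"])
        elif m["cname"]:
            locally_answered.add(m["cname"].lower())
        else:
            name = m["fname"].lower()
            # Attribution is by most recent query for the name; interleaved
            # queries for the same name from several clients can be mislabelled.
            qtype, client = last_query.get(name, ("?", "?"))
            forwards.append((name, qtype, client, m["upstream"]))
    # Filter at the end so a config line logged after the forward still counts.
    return [f for f in forwards if f[0] in locally_answered]

if __name__ == "__main__":
    for name, qtype, client, upstream in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"{name}: {qtype} query from {client} forwarded to {upstream}")
```
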