Is it possible to add also custom dns entries?

when grimd is used as system dns server,after system boot,grimd auto starts and download blocklists,but system dns is grimd itself,this makes a deadlock.

maybe there should be a configuration set the bootstrap dns server for resolve those domains in blocklists

Using -update won't allow to write to sources directory on osx. Changing permission to 700 for that directory fixes it temporary.

It seems there is a race condition when setting up the grimdActivation global.
I have updated it to create the reference in the Activation goroutine and pass the reference back to main via a channel.

I have created a PR if it helps - #69

I ran a simple dns lookup and the cache is served from cache but with the same ttl which the original request was responded.
Ie 3600 seconds stays and will not reduce to lower.

I have just compiled Latest commit 50dc846 from 3 days ago.
When I tested it I a got the next result:

# dig @127.0.0.1 google.com
panic: send on closed channel

goroutine 28 [running]:
main.(*DNSHandler).DoUDP(...)
        /home/eliezer/Scripts/grimd/handler.go:275
main.(*DNSHandler).DoUDP-fm(0xca4740, 0xc0003d8000, 0xc00021e510)
        /home/eliezer/Scripts/grimd/server.go:29 +0x80
github.com/miekg/dns.HandlerFunc.ServeDNS(0xc00031c630, 0xca4740, 0xc0003d8000, 0xc00021e510)
        /home/eliezer/go/pkg/mod/github.com/miekg/[email protected]/server.go:52 +0x44
github.com/miekg/dns.(*ServeMux).ServeDNS(0xc000318880, 0xca4740, 0xc0003d8000, 0xc00021e510)
        /home/eliezer/go/pkg/mod/github.com/miekg/[email protected]/serve_mux.go:128 +0x5d
github.com/miekg/dns.(*Server).serveDNS(0xc0001b0a00, 0xc0003d8000)
        /home/eliezer/go/pkg/mod/github.com/miekg/[email protected]/server.go:687 +0x2c1
github.com/miekg/dns.(*Server).serve(0xc0001b0a00, 0xc0003d8000)
        /home/eliezer/go/pkg/mod/github.com/miekg/[email protected]/server.go:572 +0x2a7
github.com/miekg/dns.(*Server).worker(0xc0001b0a00, 0xc0003d8000)
        /home/eliezer/go/pkg/mod/github.com/miekg/[email protected]/server.go:244 +0x4d
created by github.com/miekg/dns.(*Server).spawnWorker
        /home/eliezer/go/pkg/mod/github.com/miekg/[email protected]/server.go:284 +0x86

I can test if it's a regression but, am I the first to see such an issue?
grimd.conf

# version this config was generated from
version = "1.0.6"

# list of sources to pull blocklists from, stores them in ./sources
sources = [
]

# list of locations to recursively read blocklists from (warning, every file found is assumed to be a hosts-file or domain list)
sourcedirs = [
"sources"
]

# log configuration
# format: comma separated list of options, where options is one of
#   file:<filename>@<loglevel>
#   stderr>@<loglevel>
#   syslog@<loglevel>
# loglevel: 0 = errors and important operations, 1 = dns queries, 2 = debug
# e.g. logconfig = "file:grimd.log@2,syslog@1,stderr@2"
logconfig = "file:grimd.log@2,stderr@2"

# apidebug enables the debug mode of the http api library
apidebug = false

# address to bind to for the DNS server
bind = "0.0.0.0:53"

# address to bind to for the API server
api = "127.0.0.1:8080"

# ipv4 address to forward blocked queries to
nullroute = "0.0.0.0"

# ipv6 address to forward blocked queries to
nullroutev6 = "0:0:0:0:0:0:0:0"

# nameservers to forward queries to
nameservers = ["1.1.1.1:53", "8.8.8.8:53"]

# concurrency interval for lookups in miliseconds
interval = 200

# query timeout for dns lookups in seconds
timeout = 5

# cache entry lifespan in seconds
expire = 600

# cache capacity, 0 for infinite
maxcount = 0

# question cache capacity, 0 for infinite but not recommended (this is used for storing logs)
questioncachecap = 5000

# manual blocklist entries
blocklist = []

# Drbl related settings
usedrbl = 0
drblpeersfilename = "drblpeers.yaml"
drblblockweight = 128
drbltimeout = 30
drbldebug = 1

# manual whitelist entries
whitelist = [
        "getsentry.com",
        "www.getsentry.com"
]

# When this string is queried, toggle grimd on and off
togglename = ""

# If not zero, the delay in seconds before grimd automaticall reactivates after
# having been turned off.
reactivationdelay = 300

#Dns over HTTPS provider to use.
DoH = "https://cloudflare-dns.com/dns-query"

Hi,

I am trying to forward DNS queries to a local DNSmasq server running on port 1053 (non standard), to support for instance address=/combro2k/172.32.0.2
If I add the entry like this into grimd.toml:

nameservers = ["127.0.0.1:1053", "8.8.8.8:53", "8.8.4.4:53"]

And I do a lookup on the grimd server:

host combro2k 172.32.0.1
I got NXDOMAIN

However if I do

dig @127.0.0.1 -p 1053 combro2k
I got the right reply.

So it looks like he doesn't call 127.0.0.1:1053 while it is being bound by dnsmasq and works directly.

Do I miss something?

Hi,

Thanks for creating grimd !
A little bit of context, here's my setup :
a linux raspi with golang 1.6.2 :

BIND9:

• bind9 DNS server listening on 0.0.0.0:53, that is authoritative on a private domain name (lan domain).
• bind9 configured to use grimd (127.0.0.1:54) as the sole forwarders for anything else

GRIMD :

• grimd configured on 0.0.0.0:54 and forwards everything to 8.8.8.8.

resolv.conf
it is set to query 127.0.0.1 (bind9)

The problem :
When I start grimd -update, it tries to lookup blacklists and so it makes DNS request to my bind9, which in turn tries to forward grimd's DNS requests to grimd.

Since grimd is starting but not fully started, it fails. The snake bites its own tail.

Would it be possible to configure grimd to perform DNS requests on startup to 8.8.8.8 instead of 127.0.0.1 ?

Thanks

Our blacklist has domains such as "*.google.com"
Grimd don't understand this form as subdomains.
Also if domain listed as "google.com", and domain "www.google.com" is working.

First of all its awesome tool, thanks a lot for sharing it.
I'm not sure are you still developing it actively but I got a few feature ideas for you.
Is it possible to add log to syslog feature and rotating of log file by criteria (daily, weekly or size)

Here is an updated version of the OpenBSD rc.d script.

#!/bin/sh
#
# OpenBSD
#
daemon="<path_to_daemon>"  

. /etc/rc.d/rc.subr

rc_bg=YES
rc_reload=NO

rc_cmd $1

Hi ... if project still alive.. i ll be glad to push this one on Qnap NAS as QPKG

i wonder if you can propose an ARMv5, V7 and ARM64 version in your release

thanks

Hey looterz,
Thanks for writing this! I was looking for a replacement to pi-hole and grimd seems to fit the bill perfectly. I installed grimd on a RPi and declared it as primary DNS for my network (Google DNS being secondary) but unfortunately when I run a DNS query from the local network, grimd is systematically bypassed. 'nslookup' reports:
;; Got recursion not available from 192.168.x.x, trying next server
Is there anything that can be done about this? Forgive my ignorance about DNS issues.
Cheers
Nicolas

List can be found here:

https://raw.githubusercontent.com/CHEF-KOCH/NSABlocklist/master/HOSTS

note: this is built for Windows hosts, but I can imagine there's some way to tranlsate that into Linux

hello maintainer 👋 @looterz

I tried using reaper with grimd and it worked fine.

https://github.com/looterz/reaper

But using two projects at the same time can be a bit complicated at deployment or startup time.

I have an idea, if you agree, I'll simply tweak the build, add steps to get the reaper interface, and then build reaper into grimd.

I can also add a simple user authentication feature to this interface if necessary.

Looking forward to hearing your views.

Hello, I am unable to access the dashboard no matter what I try. I get the following errors after building a latest release of grimd from source. Everything else is working except for this.

Hello maintainer 👋 @looterz

The dockerfile used by the current project needs to be used with the built binary.

If we wanted to use containers for multi-architecture builds, it would get complicated.

So I tried submitting a PR and building the program entirely inside the container.

In addition, I also use UPX to compress the program. Compared with the past, the image size of grimd will be reduced by nearly 40%, and the running and distribution speed will also become faster.

                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   8503296 ->   3253452   38.26%   linux/amd64   grimd.minify

Packed 1 file.

Please review the code, if you have any questions, welcome to discuss in the issue, looking forward to your opinion

#95

at the moment there is basic docs in the wiki for digital ocean.

what about if you want to run on your laptop Or on a raspberry pi on your home network ?
would be really nice if there was info on this.

• down to the point of explaining that you have to change the DNS resolver in your router etc

I am trying to develop flutter mobile app as a front end for grimd. I am looking for api which will give me the list of clients using grimd. I went through api.go and did not found any api for the same. Am I missing something? Can this be implemented?

Hi,

Is there a way to daemonize the process, besides just adding &.

Mischa

Grimd don't work with national domains (e.g. russian cyrillic domain - дом.рф). Will it been fixed?

As far as i can tell, grimd seems to not be compatible with easylist (https://easylist.to/easylist/easylist.txt)

So i suppose i could probably have an external curl operation with a few sed/grep to clean those lists before starting grimd, but wouldn't it be better to have to grimd work out-of-the box with that configuration ?

@looterz Hi 👋

I see a GitHub action is used in the build record with the CGO parameter enabled in the go env:

https://github.com/looterz/grimd/runs/5596926600?check_suite_focus=true

  CGO_ENABLED="1"
  GOMOD="/home/runner/work/grimd/grimd/go.mod"
  CGO_CFLAGS="-g -O2"
  CGO_CPPFLAGS=""
  CGO_CXXFLAGS="-g -O2"
  CGO_FFLAGS="-g -O2"
  CGO_LDFLAGS="-g -O2"
  PKG_CONFIG="pkg-config"

But in the Go Release config, I see the opposite config:

https://github.com/looterz/grimd/blob/master/.goreleaser.yaml

project_name: grimd
builds:
  - env: [CGO_ENABLED=0]

Which configuration should prevail? If community users want to submit some contributions to grimd, what is your suggestion?

Looking forward to your reply.

Hi 👋, I see a dependency risk, I will submit a PR to fix it later, hope it helps you

github.com/gin-gonic/gin: v1.7.0
Number of packages: 1
Known security vulnerability: 1
Security advisory: 0
Exploits: unavailable
Highest severity: high
Recommendation: v1.7.7

Grimd don't work if some symbols in DNS request in upper state (e.g. "gOogle.com") and domain listed as "google.com".

I'll try to provide a fix myself

After running for a while, it will crash. I check the source code but can't find the reason. Here is the log info:

panic: not reached 
   goroutine 859142 [running]:
   panic(0x83f320, 0xc4211353a0)
           /go-root/src/runtime/panic.go:500 +0x1a1
 github.com/miekg/dns.(*response).Write(0xc420065480, 0xc421078300, 0x25, 0x26, 0x0, 0x0, 0x7f7cc19c9000)
           /my-project-path/src/.vendor/src/github.com/miekg/dns/server.go:702 +0x325
   github.com/miekg/dns.(*response).WriteMsg(0xc420065480, 0xc421949200, 0x1, 0xc420d0baa0)
          /my-project-path/src/.vendor/src/github.com/miekg/dns/server.go:677 +0x9c
  github.com/miekg/dns.HandleFailed(0xade740, 0xc420065480, 0xc42035f0e0)
          /my-project-path/src/.vendor/src/github.com/miekg/dns/server.go:92 +0x8b
  main.(*DNSHandler).do(0xc420129380, 0x8d5330, 0x3, 0xade740, 0xc420065480, 0xc42035f0e0)
          /my-project-path/src/handler.go:223 +0x11db
  created by main.(*DNSHandler).DoTCP
         /my-project-path/src/handler.go:267 +0x72

My go version : go version go1.7.4 linux/amd64.

If any website is blocked via http api, it remains blocked until grimd restarts. One has to block website again after restart.

Currently only way to block website permanently seems to be blacklist parameter in toml. Am I missing something? Any suggestions?

I wrote this library:
https://github.com/elico/drbl-peer

and it has an option to check a hostname against a specific blacklist server which uses wither dns or http interface.
I am using it with squid and I noticed that I can integrate it with your service easily just adding couple cli config parameters.
I can code the integration of my library, would you accept a PR or a patch that will add support for my library?
The main thing is that the DRBL service can be updated on the fly without any need to reload the any file from any server but will add a rtt addition if the service sits far in the network layer.

Haven't been able to reproduce this on my own, but the same stack happens occasionally during a DoTCP call.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x9abe1b]

goroutine 14743 [running]:
github.com/miekg/dns.(*SessionUDP).RemoteAddr(...)
        /go/pkg/mod/github.com/miekg/[email protected]/udp.go:36
github.com/miekg/dns.(*response).RemoteAddr(0xc00010d100, 0xc0001a2c00, 0xc00004ae72)
        /go/pkg/mod/github.com/miekg/[email protected]/server.go:773 +0x5b
main.(*DNSHandler).do(0xc0001bc660, 0xb8e740, 0x3, 0xc675a0, 0xc00010d100, 0xc0002d22d0)
        /go/grimd/handler.go:75 +0x2801
created by main.(*DNSHandler).DoTCP
        /go/grimd/handler.go:237 +0x72

The quad9 https://www.quad9.net/ uses another approach then specifying a response A/AAAA record and response with a NXDOMAIN.
Would this approach might fit some use cases with grimd?

If so we can put a switch that returns a NXDOMAIN instead of null route.

Hello,

there is a small mistake in the Deploying-on-Digital-Ocean wiki: It should be "/etc/systemd/system" instead of "/etc/systemd/services" for the systemd service file.

Best,
jfreax

With the following custom records config:

customdnsrecords = [
    "test1.     3600      IN  A   10.8.0.1  ",
    "test1.     3600      IN  A   10.8.0.2  ",
]

I get the following dig output:

❯ dig test1

; <<>> DiG 9.10.6 <<>> test1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48412
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test1.				IN	A

;; ANSWER SECTION:
test1.			3600	IN	A	10.8.0.2

;; Query time: 107 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Wed Aug 09 23:56:53 WEST 2023
;; MSG SIZE  rcvd: 44

I would expect the answer section to have all of the A records I provided (so, both 10.8.0.1 and 10.8.0.2).
More critically, this also happens when using several DNS records of different types. For the following config:

customdnsrecords = [
    "test1.     3600      IN  A              10.8.0.1  ",
    "test1.     3600      IN  SRV 0 0  443   test1.    ",
]

I get:

❯ dig test1

; <<>> DiG 9.10.6 <<>> test1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51739
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test1.				IN	A

;; ANSWER SECTION:
test1.			3600	IN	SRV	0 0 443 test1.

;; Query time: 95 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Thu Aug 10 00:01:53 WEST 2023
;; MSG SIZE  rcvd: 53

With no A record in the answer section

With the following custom records config (other config params mostly defaults):

customdnsrecords = [
    "example.memez         3600      IN  A       0.0.0.1",
    "example.different     3600      IN  CNAME   example.memez",
]

It seems when looking up example.different replies do not contain A 0.0.0.1 in the answer section.

dig output:

❯ dig @10.8.0.1 example.different

; <<>> DiG 9.10.6 <<>> @10.8.0.1 example.different
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40343
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.different.		IN	A

;; ANSWER SECTION:
example.different.	3600	IN	CNAME	example.memez.

;; Query time: 86 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Wed Aug 09 14:17:51 WEST 2023
;; MSG SIZE  rcvd: 79

nslookup output:

❯ nslookup example.different
Server:		10.8.0.1
Address:	10.8.0.1#53

Non-authoritative answer:
example.different	canonical name = example.memez.


❯ nslookup example.memez
Server:		10.8.0.1
Address:	10.8.0.1#53

Non-authoritative answer:
Name:	example.memez
Address: 0.0.0.1

Not flattening is fine for some OSs (MacOS in my case does not mind) but on a Docker image (grafana/grafana:9.4.7) I found it to not be fine, resulting in the following:

# on grafana/grafana:9.4.7
/usr/share/grafana # ping example.different
ping: bad address 'example.different'

/usr/share/grafana # ping example.memez
PING example.memez (0.0.0.1): 56 data bytes
--- example.memez ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

# on MacOS
❯ ping example.different
PING example.memez (0.0.0.1): 56 data bytes
ping: sendto: No route to host
Request timeout for icmp_seq 0

So as you can see it can't recurse, maybe because the image is based on alpine?

Other DNS servers (like blocky) do flatten custom DNS but do not allow
specyfing the records themselves (SRV, CNAME...) but grimd is the only one I have found that allows specifying custom DNS records and does adblocking. So I would love for this to work.

It seems we can't use grimd as "Private DNS" on Android 9 😢

To enable this, we probably need "DNS over HTTPS" support. Is / was somebody working on it already? What would be the best way to implement it?

See https://www.quad9.net/private-dns-quad9-android9/ for details.

Hi, I am pretty new to Go. I could not find doc about where to put the non-default toml file. Could someone help?

Hi!
a linux gentoo with golang v1.7.3, grimd v1.0.2

The default configuration file.
After some time, no longer be given zone.
Here he writes in debug mode:

[GIN-debug] Listening and serving HTTP on 127.0.0.1:8080
start tcp listener on 0.0.0.0:53
server.go:45: start udp listener on 0.0.0.0:53
updater.go:76: fetching source http://xxx.xxx.xxx.xxx/domain-abuse.txt
updater.go:92: loading blocked domains from 1 locations...
updater.go:121: 29857 domains loaded from sources
handler.go:112: ya.ru IN A didn't hit cache
handler.go:192: ya.ru not found in blocklist
resolver.go:61: ya.ru resolv on 8.8.8.8:53 (udp)
handler.go:240: insert ya.ru IN A into cache

over time, domain it's not resolve :

handler.go:128: ya.ru IN A hit cache
handler.go:84: 192.168.1.10 lookup　ya.ru IN A
handler.go:90: Found ToggleName! (cache-stav01.cdn.yandex.net)
activation.go:42: Toggle is too close: wait 10 seconds
handler.go:84: 192.168.1.10 lookup　yandex.ru IN A
handler.go:90: Found ToggleName! (cache-stav01.cdn.yandex.net)
activation.go:42: Toggle is too close: wait 10 seconds
handler.go:84: 192.168.1.10 lookup　yandex.ru IN A
handler.go:96: Grimd Activated
handler.go:128: yandex.ru IN A hit cache
handler.go:84: 192.168.1.10 lookup　yandex.ru IN A
handler.go:90: Found ToggleName! (cache-stav01.cdn.yandex.net)
handler.go:98: Grimd Deactivated
handler.go:128: sitecheck2.opera.com IN A hit cache
handler.go:84: 192.168.1.10 lookup　yandex.ru IN A
handler.go:90: Found ToggleName! (export.yandex.ru)
activation.go:42: Toggle is too close: wait 10 seconds
what could be the problem?
that can then be added to the configuration?
Thank you!

I wonder if it is possible to use or implement DNS-over-TLS upstream nameservers?
Right now I'm a bit experimenting with grimd and coredns which is able to use DNS-over-HTTPS and DNS-over-TLS.
I want to use grimd as the 'upstream' server for coredns and grimd to upstream it's request via DNS-over-TLS to another public server.

If the user calls the API toggle endpoint while grimd is loading the blocklist URI’s; the application crashes. To increase stability, I believe there needs to be a rate-limit conditional that affects all API calls. If I have time I’ll do a PR in the future unless someone beats me to it.

Sorry if this a bit of a dumb question, but does grimd merely block the domains it parses from the list, or is it possible that it might answer with a different ip address?

I'm asking because some of the host-lists seem to contain ip addresses. Now granted they all point to 127.0.0.1, but once I start using those lists as sources I have no guarantee that this will remain so. I could imagine that someone would rewrite a list to point some domain to another ip address.

So I could ask this in another way. Does grimd ignore the ip-addresses in the host-lists? I'd like to know that before trusting grimd with all my DNS requests.

Thanks :)

@looterz , haven't seen you for a long time.

I submitted a new PR that includes updating the golang version to 1.19 and fixing a missing part of the current build script.
#104

Hello maintainer 👋 @looterz

I try to build the project locally and everything works fine, but I found two small problems:

1. After building the grimd and running the program, some files will be generated, which are not in the ignore list. In order to avoid introducing these files by mistake in the subsequent development process, I recommend updating the ignore list.

2. The configuration content in the project document is inconsistent with the content generated by the current program, so when it is used directly, the program will prompt like this "please update your config".

I will submit a PR fix for these two issues later, looking forward to responses from community users and maintainers, thank you.

PR:
#94

Hello maintainer 👋 @looterz

In the default ReadMe document, I see that to run the program in a Docker, and to use the API properly, the default configuration needs to be adjusted. like this:

For Mac docker set 'api = "0.0.0.0:8080"' instead of 'api = "127.0.0.1:8080"'.

Maybe we can make it simpler and let the application listen to 0.0.0.0 by default in the container to reduce the user's modification cost.

PR: #97

I would love to assign custom domains to devices using grimd but I am not sure if it is even possible.

I tried defining domains in /etc/hosts file but it seems to have no effect. Any suggestions?

I would like to add a way to add iptables rules based on DNS query. This can be usefull if the DNS server is on the gateway with different outbound interfaces.

This can be done by calling an external program when the resolution is done (can be called once before the cache is set). It will required to have a script to be called on start, so it will be possible to clean the state (iptables).

Would be nice if grimd could drop privileges (switch away from root) and maybe also chroot after starting.

With command "Grimd -update" blocklist didn't refreshed.
Log:
root@www-srv:/opt/go# ./bin/grimd -update
grimd v1.0.2
2016/12/13 09:34:24 listen tcp 127.0.0.1:8085: bind: address already in use

After trying to do a "go get" and having my pull request failing for the same reason. I think there is something wrong with the API code.

Here is the error:
looterz/grimd/api.go:19: cannot use cors.Default() (type "github.com/gin-gonic/gin".HandlerFunc) as type "gopkg.in/gin-gonic/gin.v1".HandlerFunc in argument to router.Use

My go version : go version go1.8 linux/amd64.