Add support for blocked replies with NOERROR code and empty answer

Closes #8024

Author: agross

client/src/__locales/en.json

@@ -61,6 +61,7 @@
   "blocking_mode_null_ip": "Null IP: Respond with zero IP address (0.0.0.0 for A; :: for AAAA)",
   "blocking_mode_nxdomain": "NXDOMAIN: Respond with NXDOMAIN code",
   "blocking_mode_refused": "REFUSED: Respond with REFUSED code",
+  "blocking_mode_noerror": "NOERROR: Respond with NOERROR code and an empty reply",
   "blocklist": "Blocklist",
   "bootstrap_dns": "Bootstrap DNS servers",
   "bootstrap_dns_desc": "IP addresses of DNS servers used to resolve IP addresses of the DoH/DoT resolvers you specify as upstreams. Comments are not permitted.",
@@ -527,6 +528,7 @@
   "no_servers_specified": "No servers specified",
   "no_upstreams_data_found": "No upstreams data found",
   "no_whitelist_added": "No allowlists added",
+  "noerror": "NOERROR",
   "nothing_found": "Nothing found",
   "null_ip": "Null IP",
   "number_of_dns_query_blocked_24_hours": "The number of DNS requests blocked by adblock filters and hosts blocklists",

client/src/components/Settings/Dns/Config/Form.tsx

@@ -96,6 +96,10 @@ const Form = ({ processing, initialValues, onSubmit }: Props) => {
             value: BLOCKING_MODES.nxdomain,
             label: t('nxdomain'),
         },
+        {
+            value: BLOCKING_MODES.noerror,
+            label: t('noerror'),
+        },
         {
             value: BLOCKING_MODES.null_ip,
             label: t('null_ip'),
@@ -110,6 +114,7 @@ const Form = ({ processing, initialValues, onSubmit }: Props) => {
         t(`blocking_mode_default`),
         t(`blocking_mode_refused`),
         t(`blocking_mode_nxdomain`),
+        t(`blocking_mode_noerror`),
         t(`blocking_mode_null_ip`),
         t(`blocking_mode_custom_ip`),
     ];

client/src/helpers/constants.ts

@@ -189,6 +189,7 @@ export const BLOCKING_MODES = {
     default: 'default',
     refused: 'refused',
     nxdomain: 'nxdomain',
+    noerror: 'noerror',
     null_ip: 'null_ip',
     custom_ip: 'custom_ip',
 };

internal/dnsforward/dnsforward.go

@@ -733,6 +733,7 @@ func validateBlockingMode(
 		filtering.BlockingModeDefault,
 		filtering.BlockingModeNXDOMAIN,
 		filtering.BlockingModeREFUSED,
+		filtering.BlockingModeNOERROR,
 		filtering.BlockingModeNullIP:
 		return nil
 	case filtering.BlockingModeCustomIP:

internal/dnsforward/msg.go

@@ -141,6 +141,8 @@ func (s *Server) genForBlockingMode(
 		return s.NewMsgNXDOMAIN(req)
 	case filtering.BlockingModeREFUSED:
 		return s.makeResponseREFUSED(req)
+	case filtering.BlockingModeNOERROR:
+		return s.NewMsgNOERROR(req)
 	default:
 		s.logger.ErrorContext(ctx, "invalid blocking mode", "mode", mode)
 
@@ -395,6 +397,14 @@ func (s *Server) NewMsgNXDOMAIN(req *dns.Msg) (resp *dns.Msg) {
 	return resp
 }
 
+// NewMsgNOERROR creates an empty response pretending there is no address associated with the requested name.
+func (s *Server) NewMsgNOERROR(req *dns.Msg) (resp *dns.Msg) {
+	resp = s.replyCompressed(req)
+	resp.Ns = s.genSOA(req)
+
+	return resp
+}
+
 // NewMsgSERVFAIL implements the [proxy.MessageConstructor] interface for
 // *Server.
 func (s *Server) NewMsgSERVFAIL(req *dns.Msg) (resp *dns.Msg) {

internal/filtering/filtering.go

@@ -208,6 +208,9 @@ const (
 	// BlockingModeNXDOMAIN means respond with the NXDOMAIN code.
 	BlockingModeNXDOMAIN BlockingMode = "nxdomain"
 
+	// BlockingModeNOERROR means respond with the NOERROR code.
+	BlockingModeNOERROR BlockingMode = "noerror"
+
 	// BlockingModeREFUSED means respond with the REFUSED code.
 	BlockingModeREFUSED BlockingMode = "refused"
 )

scripts/translations/main.go

@@ -267,6 +267,7 @@ func findUnused(fileNames []string, loc locales) (err error) {
 	knownUsed := []textLabel{
 		"blocking_mode_refused",
 		"blocking_mode_nxdomain",
+		"blocking_mode_noerror",
 		"blocking_mode_custom_ip",
 	}