Can APP records return NXDOMAIN?

[rsbfox]

I setup Technitum for my local network. I really love it. :)

I half vibe coded a tool that updates dynamic dns and updates my zone when WAN IP changes.

https://github.com/rsbfox/technitium-ddns

It uses a zone file format to make adding stuff easier.
APP true returns WAN+LAN - false only LAN

$ORIGIN example.com
$TTL 1h
$APP SplitHorizon.SimpleAddress Split Horizon

@                IN  SOA  ns1 admin auto 3600 900 604800 300
@                IN  NS   ns1
@                IN  APP  true

ns1              IN  A    ${WAN}

modem            IN  APP  false

It's working great, I can access stuff like modem.example.com only from LAN.

I noticed it doesn't reply with NXDOMAIN for external requests like it would for a fake.zorro.root.sx

Is this intentional? Seems it technically leaks information about what internal subdomains exist.

My caddy file should prevent anyone not on LAN from accessing services, even if they fake the SNI, so I don't think this is a problem for me but was curious if I set it up correctly.

*.example.com {
    @external {
        not remote_ip 192.168.1.0/24
    }
    handle @external {
        abort
    }

Thanks!

AI disclosure - No generative AI was used to write this post. Some was used for the bash scripts.

[ShreyasZare]

Thanks for the post. The APP record format in zone file that you have here is invalid and wont parse. I am not sure how its is really working for you.

Also, its not clear if the zone is a primary or forwarder zone.

Please share a complete zone file that you tested so that I can try it out here.

[rsbfox]

Thanks for the reply. That zone file format is only specific to my tool technitium-ddns

It is a primary domain.

modem.example.com {"private":["192.168.1.1"]} is returning NOERROR instead of NXDOMAIN

example.com is also an APP {"private":["192.168.1.1"],"public":["8.8.8.8"]}

It works correctly giving out 192.168.1.1 to all devices on my local network.

[ShreyasZare]

Thanks for the details. Its not really feasible for the app to return NXDOMAIN since it does not know if the zone has any other records or subdomain names. The RCODE is also set by the DNS server and not the APP in such cases and since there is a record, the RCODE will always be NOERROR.

There is no need to worry about leakage since with DNS, you have to know the domain name first to be able to query it.

[rsbfox]

I assumed it was something like that. I just thought it was similar to bind views and thought those do return NXDOMAIN in this situation. I'm new to DNS and it's not a security issue really. Thanks.

[ShreyasZare]

You're welcome. Bind views are very different from this.