Feature request: Baked-in support for lancache

[m4gicfour]

Let me begin by saying that I realize this is both niche and somewhat out-of-scope for the core of this project, and that I have essentially zero idea how much work it would be. So I expect that even if there's interest in implementing this as a feature, I expect it to be (very) low priority.

Background:

Lancache.net is a project which provides for the caching of downloaded files from the CDNs of Steam, Origin, Riot, Battle.net, Frontier, Uplay, Windows Updates, and a handful of others. It does this via a DNS server and nginx as a caching proxy. Essentially, the lancache DNS server is set as the network DNS server, and it resolves requests for these CDNs to its own nginx server which proxies the download and keeps copies of the downloaded files which are then served locally the next time they are requested by a client. This can save significant bandwidth when multiple clients access request the same files. Other projects exist which can pre-load the cache by requesting lists of files (games) from steam, as well as requesting updates to keep the cache up-to-date. Steam and Origin (maybe others?) support Lancache explicitly via querying for a specific domain, and disabling HTTPS for file transfers if the result is a local IP (in origin's case, the user is prompted for a decision rather than doing so automatically.)

Currently, I'm using Technitium DNS Server for its security features and adblocking with Lancache, To do so I have my network set up such that:
Router hands out Lancache IP as (only) DNS server via DHCP Option 6 -> Lancache resolves requests that match its CDN list to its nginx server on port 80 and forwards all other DNS requests to TDNS -> TDNS performs adblocking, Forwarding via DNSoTLS, DNS caching, etc -> Cloudflare DNS

[ 192.X.X.1 (DHCP): Option 6 - X.X.X.2 ] -> Lancache 192.X.X.2 -> TDNS 192.X.X.3 -> 1.1.1.2

This is inelegant as all dashboard metrics on TDNS are aggregated on a single (Lancache) IP, and all DNS requests require an extra hop regardless of if they match a cache-able domain

Request:

The ideal-for-me solution would be an option to have TDNS as the Primary (and only DHCP-assigned) DNS server, to supply TDNS with the CDN domains list and the Lancache IP, and have TDNS download and parse the hostname lists (configurable on a schedule like a blocklist), and handle the DNS aspect - handing out the configured Lancache IP as a result for domain requests matching the domains lists - eliminating a hop and potential complete DNS outage if the Lancache docker/machine ever goes offline for any reason; this should theoretically also marginally improve security as only TDNS handles DNS requests - Lancache only ever receives file transfer connections from clients, and only for matching domains instead of ALL DNS traffic being piped through Lancache.

So [ X.X.X.1 (DHCP): Option 6 -X.X.X.3 ] -> TDNS X.X.X.3 -> 1.1.1.2
Steam -> X.X.X.2

I imagine this feature is possible via a DNS APP, but I am not a programmer. There's also the issue of Lancache itself needing to be able to resolve the real IP of the CDNs it's caching in order to proxy the connection; I assume pointing it back at TDNS in this configuration would also need TDNS to be able to recognise that the IP requesting domains in this case is configured as a lancache, and hand out the real internet IP instead.

[ShreyasZare]

Thanks for the feature request. While there is no special option/app to do such thing at the moment but you can achieve same results using the Advanced Blocking app.

If you are using the DNS server's blocking features from the Settings > Blocking section then the Advanced Blocking app can be directly used and configured. If you are using Advanced Blocking app already then you will have to manually install the app's zip file with a different name using the Install button in the App section. The zip file URL is displayed in the App Store dialog that can be used to download the zip file and manually install it with a different app name to run the same DNS app as a different instance.

Now the requirement you got is that there are lists of domain names available in text file for which you need to return a specific IP address. To do that, just configure the Advanced Blocking app with all of the URLs of the text file in its blockListUrls json array so that the app automatically downloads and keeps them updating. And using the blockingAddresses option, you can specify the IP address of your Lancache server. So effectively with such a config, all the domain names aggregated via the text file URLs will be resolved to the IP address that you have configured.

The Advanced Blocking app allows you to configure groups based on the network address or IP address. So using the networkGroupMap property in the config, you can specify an IP address or a network address and a group name that must be used for it. So, you can specify a group that maps to the IP address of your Lancache server and don't use any block lists so it gets to resolve the real IP address for all those domain names. While the other group where map it to the network address for your LAN network will have the block list configuration done and those devices in the network will get the IP address of your Lancache server resolved.

The app config is in JSON format so you may need to use any text editor like notepad++ that supports JSON syntax to make it easy to read and then copy paste it into the app config dialog to save it.

Do try and let me know if that works for you.

[m4gicfour]

Thanks for the response.

I had some free time today and tried to configure the advanced blocking app as described, but it doesn't seem to be working.

It should be possible to do a lookup of a test domain (for example steam's cache detection domain lancache.steamcontent.com; so long as the steam.txt is included in the blocklists) with DNS Client set to This Server and get the Lancache IP as a response when correctly configured, yes? I'm still getting public internet addresses as a response.

It's entirely possible I'm just doing it wrong; would you mind looking over this sample config and see if I've misinterpreted or missed anything?
If nothing pops out at you: I wonder if I need to make the groups mutually exclusive rather than a subset in order to function the way I intend?

For a given network 192.168.1.0 (Tried both 192.168.1.0 and 192.168.1.0/24) where 192.168.1.2 is the Lancache instance:

{
"enableBlocking": true,
"blockListUrlUpdateIntervalHours": 24,
"networkGroupMap": {
"192.168.1.0": "Lancache_Redirect",
"192.168.1.2": "Lancache_Passthrough"
},
"groups": [
{
"name": "Lancache_Redirect",
"enableBlocking": true,
"allowTxtBlockingReport": true,
"blockAsNxDomain": false,
"blockingAddresses": [
"192.168.1.2",
"::"
],
"allowed": [],
"blocked": [],
"allowListUrls": [],
"blockListUrls": [
"https://raw.githubusercontent.com/uklans/cache-domains/master/steam.txt"
],
"allowedRegex": [],
"blockedRegex": [],
"regexAllowListUrls": [],
"regexBlockListUrls": [],
"adblockListUrls": []
},
{ "name": "Lancache_Passthrough",
"enableBlocking": true,
"allowTxtBlockingReport": true,
"blockAsNxDomain": false,
"blockingAddresses": [
"0.0.0.0",
"::"
],
"allowed": [],
"blocked": [],
"allowListUrls": [],
"blockListUrls": [],
"allowedRegex": [],
"blockedRegex": [],
"regexAllowListUrls": [],
"regexBlockListUrls": [],
"adblockListUrls": []
}
]
}

The relevant section of the log seems to be:

[2022-10-14 02:44:27 UTC] [192.168.1.X:61039] [admin] DNS application 'Advanced Blocking' app config was saved successfully.
[2022-10-14 02:44:32 UTC] DNS App [Advanced Blocking]: Advanced Blocking app successfully downloaded block list (26 B): https://raw.githubusercontent.com/uklans/cache-domains/master/steam.txt
[2022-10-14 02:44:32 UTC] DNS App [Advanced Blocking]: Advanced Blocking app is reading block list from: https://raw.githubusercontent.com/uklans/cache-domains/master/steam.txt
[2022-10-14 02:44:32 UTC] DNS App [Advanced Blocking]: Advanced Blocking app read block list file (1 domains) from: https://raw.githubusercontent.com/uklans/cache-domains/master/steam.txt
[2022-10-14 02:44:32 UTC] DNS App [Advanced Blocking]: Advanced Blocking app loaded all zones successfully for group: Lancache_Redirect
[2022-10-14 02:44:32 UTC] DNS App [Advanced Blocking]: Advanced Blocking app loaded all zones successfully for group: Lancache_Passthrough
[2022-10-14 02:44:55 UTC] [192.168.1.X:57611] [admin] Cache was flushed.
[2022-10-14 02:45:08 UTC] [192.168.1.X:57611] [admin] Block list update was triggered.
[2022-10-14 02:45:08 UTC] DNS Server successfully checked for a new update of the block list: https://dbl.oisd.nl/

and the DNS Client's response is:

{
"Metadata": {
"NameServer": "89452e448e01 (127.0.0.1)",
"Protocol": "Udp",
"DatagramSize": "160 bytes",
"RoundTripTime": "0.3 ms"
},
"EDNS": {
"UdpPayloadSize": 1232,
"ExtendedRCODE": "NoError",
"Version": 0,
"Flags": "None",
"Options": []
},
"DnsClientExtendedErrors": [],
"Identifier": 58503,
"IsResponse": true,
"OPCODE": "StandardQuery",
"AuthoritativeAnswer": false,
"Truncation": false,
"RecursionDesired": true,
"RecursionAvailable": true,
"Z": 0,
"AuthenticData": false,
"CheckingDisabled": false,
"RCODE": "NoError",
"QDCOUNT": 1,
"ANCOUNT": 4,
"NSCOUNT": 0,
"ARCOUNT": 1,
"Question": [
{
"Name": "lancache.steamcontent.com",
"Type": "A",
"Class": "IN"
}
],
"Answer": [
{
"Name": "lancache.steamcontent.com",
"Type": "CNAME",
"Class": "IN",
"TTL": "6216 (1 hour 43 mins 36 sec)",
"RDLENGTH": "25 bytes",
"RDATA": {
"Domain": "origin-tier2.steampipe.steamcontent.com"
},
"DnssecStatus": "Disabled"
},
{
"Name": "origin-tier2.steampipe.steamcontent.com",
"Type": "CNAME",
"Class": "IN",
"TTL": "161 (2 mins 41 sec)",
"RDLENGTH": "25 bytes",
"RDATA": {
"Domain": "steampipe-origin-tier2.steamcontent.com"
},
"DnssecStatus": "Disabled"
},
{
"Name": "steampipe-origin-tier2.steamcontent.com",
"Type": "A",
"Class": "IN",
"TTL": "254 (4 mins 14 sec)",
"RDLENGTH": "4 bytes",
"RDATA": {
"IPAddress": "205.196.6.174"
},
"DnssecStatus": "Disabled"
},
{
"Name": "steampipe-origin-tier2.steamcontent.com",
"Type": "A",
"Class": "IN",
"TTL": "254 (4 mins 14 sec)",
"RDLENGTH": "4 bytes",
"RDATA": {
"IPAddress": "205.196.6.144"
},
"DnssecStatus": "Disabled"
}
],
"Authority": [],
"Additional": [
{
"Name": "",
"Type": "OPT",
"Class": 1232,
"TTL": "0 (0 sec)",
"RDLENGTH": "0 bytes",
"RDATA": {
"Options": []
},
"DnssecStatus": "Disabled"
}
]
}

Whereas if I query the Lancache directly I get:

{
"Metadata": {
"NameServer": "192.168.1.2",
"Protocol": "Udp",
"DatagramSize": "131 bytes",
"RoundTripTime": "1.27 ms"
},
"EDNS": {
"UdpPayloadSize": 4096,
"ExtendedRCODE": "NoError",
"Version": 0,
"Flags": "None",
"Options": []
},
"DnsClientExtendedErrors": [],
"Identifier": 43946,
"IsResponse": true,
"OPCODE": "StandardQuery",
"AuthoritativeAnswer": false,
"Truncation": false,
"RecursionDesired": true,
"RecursionAvailable": true,
"Z": 0,
"AuthenticData": false,
"CheckingDisabled": false,
"RCODE": "NoError",
"QDCOUNT": 1,
"ANCOUNT": 2,
"NSCOUNT": 1,
"ARCOUNT": 1,
"Question": [
{
"Name": "lancache.steamcontent.com",
"Type": "A",
"Class": "IN"
}
],
"Answer": [
{
"Name": "lancache.steamcontent.com",
"Type": "CNAME",
"Class": "IN",
"TTL": "5 (5 sec)",
"RDLENGTH": "26 bytes",
"RDATA": {
"Domain": "steam.cache.lancache.net"
},
"DnssecStatus": "Disabled"
},
{
"Name": "steam.cache.lancache.net",
"Type": "A",
"Class": "IN",
"TTL": "600 (10 mins)",
"RDLENGTH": "4 bytes",
"RDATA": {
"IPAddress": "192.168.1.2"
},
"DnssecStatus": "Disabled"
}
],
"Authority": [
{
"Name": "cache.lancache.net",
"Type": "NS",
"Class": "IN",
"TTL": "600 (10 mins)",
"RDLENGTH": "11 bytes",
"RDATA": {
"NameServer": "localhost"
},
"DnssecStatus": "Disabled"
}
],
"Additional": [
{
"Name": "",
"Type": "OPT",
"Class": 4096,
"TTL": "0 (0 sec)",
"RDLENGTH": "0 bytes",
"RDATA": {
"Options": []
},
"DnssecStatus": "Disabled"
}
]
}

[ShreyasZare]

Thanks for the details. I have made some minor changes in the config. Give it a try and see if that works.

{
	"enableBlocking": true,
	"blockListUrlUpdateIntervalHours": 24,
	"networkGroupMap": {
		"192.168.1.2": "Lancache_Passthrough",
		"192.168.1.0/24": "Lancache_Redirect"
	},
	"groups": [
		{
			"name": "Lancache_Redirect",
			"enableBlocking": true,
			"allowTxtBlockingReport": true,
			"blockAsNxDomain": false,
			"blockingAddresses": [
				"192.168.1.2"
			],
			"allowed": [],
			"blocked": [],
			"allowListUrls": [],
			"blockListUrls": [
				"https://raw.githubusercontent.com/uklans/cache-domains/master/steam.txt"
			],
			"allowedRegex": [],
			"blockedRegex": [],
			"regexAllowListUrls": [],
			"regexBlockListUrls": [],
			"adblockListUrls": []
		},
		{
			"name": "Lancache_Passthrough",
			"enableBlocking": true,
			"allowTxtBlockingReport": true,
			"blockAsNxDomain": false,
			"blockingAddresses": [
				"0.0.0.0",
				"::"
			],
			"allowed": [],
			"blocked": [],
			"allowListUrls": [],
			"blockListUrls": [],
			"allowedRegex": [],
			"blockedRegex": [],
			"regexAllowListUrls": [],
			"regexBlockListUrls": [],
			"adblockListUrls": []
		}
	]
}

The network group map array is the one with the main change where I am adding the IP address 192.168.1.2 first so that it matches first as the matching is done sequentially. The second entry in there is 192.168.1.0/24 which is the network address that matches to any IP address from the enter LAN network.

The other important thing is how will you test this. You cannot use DNS Client, the built-in tool to test this since the queries sent by the DNS Client will be received by the DNS server with 127.0.0.1 IP address which wont match any of the group as per the network group map config. You have to test this from the Lancache server and from any other machine on the network using a simple nslookup command. So you should get the correct IP address on the Lancache server and 192.168.1.2 when testing from any other machine on the network.

[m4gicfour]

Yep. That did it. I probably wouldn't have noticed and thought to rearrange the order of the ip/group before trying a bunch of other useless things.

As it turns out, I didn't even need to do a test, as after updating the config and performing an ipconfig /renew and ipconfig /flushdns on my windows client, steam immediately began downloading an update file at 5x my WAN line rate from the cache.

While there's obviously a lot of room for convenience and quality of life improvements if the functionality was built into the GUI, this gives me all the functionality I actually need, and I learned how to use the advanced blocking app while I'm at it.

Now I just need to go add all 23 other CDN lists to the config. Thanks!

[ShreyasZare]

Good to know that it worked. There is a plan to add GUI support for all DNS Apps so it will become easier in future to configure apps.