
feat: specify local-only domains #366

Open. Wants to merge 1 commit into base: master.

Conversation

tnyeanderson

At the moment, it doesn't seem possible to specify that a domain (and its subdomains) should only ever be resolved locally.

There is private_networks, which works in the opposite direction (ensures local IP reverse lookups are not recursed upstream). There is also local_domain_name, which is unfortunately a DHCP setting and seems to have no effect on this behavior (at least if DHCP is disabled, as it is in my setup).

This PR adds the ability to ensure that certain domains are treated as local-only and are never sent to any upstream servers for resolution. Essentially, it allows you to manage DNS for a local domain through AdGuardHome while ensuring that requests for non-existent subdomains aren't leaked to an upstream resolver.

@EugeneOne1
Member

@tnyeanderson, hello and thanks for the contribution. What exactly do you mean by "should be resolved locally"? As far as I can see, the introduced changes just add the ability to respond with the NXDOMAIN code for specific domain names. I'm assuming you're using AdGuard Home, which already provides such functionality with $dnsrewrite rules, e.g.:

||domain.local^$dnsrewrite=NXDOMAIN

If the purpose is to prevent non-local clients from resolving such domains, the $client modifier may also appear useful. For example:

||domain.local^$client=~127.0.0.0/8|~192.168.0.0/16,dnsrewrite=NXDOMAIN

will only allow resolving domain.local (and its subdomains) for clients with addresses within the 127.0.0.0/8 and 192.168.0.0/16 networks.

@tnyeanderson
Author

tnyeanderson commented Dec 3, 2023

Hi Eugene, the more I think about this, the more I think the goal should be to mimic the behavior of --auth-zone in dnsmasq.

In other words, tell dnsproxy (and therefore adguardhome) that it should act as the authoritative nameserver for a particular domain/subdomain, so that DNS requests asking to resolve that domain (or its subdomains) will never be forwarded on to any other upstream nameserver. For answers known to adguardhome (through rewrites in the config file or $dnsrewrite hosts), it should return with AUTHORITY: 1 (the AA header from RFC1035). If adguardhome cannot resolve the name on its own, it should not recurse, and instead return NXDOMAIN.

Of course this PR doesn't exactly do this at the moment, but I think it's a reasonable part of the DNS spec to implement, and meets my need better than my current shoehorned implementation.

Before I switched to adguardhome, I was actually using dnsmasq and was using this auth-zone config for my homelab domain, so now I'm trying to get the same behavior here. At the moment, subdomains which I haven't explicitly set in rewrites get recursed and end up with a SERVFAIL response. I haven't nailed down why, but ideally I don't want them recursed (leaked) at all. If there's a way to do that currently, then I've missed it. I tried adding your configuration, but it doesn't seem to stop the SERVFAILs...
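The behaviour requested above (treat a configured zone as local-only: answer known names with AA set, return an authoritative NXDOMAIN for unknown names in the zone, and never forward anything under the zone upstream) comes down to one decision step in front of the forwarder. The Go below is an added illustration of that decision logic, not code from this PR or from dnsproxy; the type and function names (`LocalResolver`, `Resolve`, `inZone`) and the sample zone and records are assumptions constructed for the example. The one detail worth noticing is that the zone match must be label-aligned: a plain suffix check would treat `notdomain.local` as part of `domain.local`, and, in the opposite direction, a zone configured as `local` would be matched by any name ending in those letters.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is what the resolver should do with a query.
type Decision int

const (
	Forward       Decision = iota // not in a local-only zone: send upstream as usual
	AnswerLocal                   // known local record: answer with AA=1
	NXDomainLocal                 // in a local-only zone but unknown: NXDOMAIN with AA=1, never forwarded
)

func (d Decision) String() string {
	return [...]string{"FORWARD", "ANSWER(AA)", "NXDOMAIN(AA)"}[d]
}

// canonical lower-cases a name and strips the trailing dot so that
// "NAS.Domain.Local." and "nas.domain.local" compare equal.
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// inZone reports whether name is zone itself or a proper subdomain of zone.
// The comparison is label-aligned: "notdomain.local" is NOT inside "domain.local",
// which a bare strings.HasSuffix(name, zone) would get wrong.
func inZone(name, zone string) bool {
	name, zone = canonical(name), canonical(zone)
	if zone == "" {
		return false // refuse to treat the root as a local-only zone
	}
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// LocalResolver holds the local-only zones and the records known locally.
// (Hypothetical type for this example; dnsproxy's own structures differ.)
type LocalResolver struct {
	Zones   []string          // zones that must never be forwarded upstream
	Records map[string]string // canonical name -> A record
}

// Resolve decides how a query for name is handled and returns the decision,
// the answer (if any), and whether the AA (authoritative answer) bit is set.
func (r *LocalResolver) Resolve(name string) (Decision, string, bool) {
	n := canonical(name)
	local := false
	for _, z := range r.Zones {
		if inZone(n, z) {
			local = true
			break
		}
	}
	if !local {
		// Outside every local-only zone: normal recursive/forwarding path.
		return Forward, "", false
	}
	if ip, ok := r.Records[n]; ok {
		return AnswerLocal, ip, true
	}
	// Inside a local-only zone with no record: we are authoritative, so say
	// NXDOMAIN ourselves instead of leaking the name to an upstream resolver.
	return NXDomainLocal, "", true
}

func main() {
	// Constructed sample configuration for the demonstration.
	r := &LocalResolver{
		Zones:   []string{"domain.local"},
		Records: map[string]string{"nas.domain.local": "192.168.1.10"},
	}
	for _, q := range []string{"NAS.domain.local.", "missing.domain.local", "notdomain.local", "example.com"} {
		d, ip, aa := r.Resolve(q)
		fmt.Printf("%-22s -> %-12s answer=%q aa=%v\n", q, d, ip, aa)
	}
}
```

Run with `go run .`; the third query shows why the label-aligned check matters, since `notdomain.local` is forwarded normally rather than being swallowed by the `domain.local` zone.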
