Ir para o conteúdo principal

Structured DNS Errors (SDE)

With the release of AdGuard DNS v2.10, AdGuard has become the first public DNS resolver to implement support for Structured DNS Errors (SDE), an update to RFC 8914. This feature allows DNS servers to provide detailed information about blocked websites directly in the DNS response, rather than relying on generic browser messages. In this article, we'll explain what Structured DNS Errors are and how they work.

What Structured DNS Errors are

When a request to an advertising or tracking domain is blocked, the user may see blank spaces on a website or may not even notice that DNS filtering has occurred. However, if an entire website is blocked at the DNS level, the user will be completely unable to access the page. When trying to access a blocked website, the user may see a generic "This site can't be reached" error displayed by the browser.

"This site can't be reached" error

Such errors don't explain what happened and why. This leaves users confused about why a website is inaccessible, often leading them to assume that their Internet connection or DNS resolver is broken.

To clarify this, DNS servers could redirect users to their own page with an explanation. However, HTTPS websites (which are the majority of websites) would require a separate certificate.

Certificate error

There’s a simpler solution: Structured DNS Errors (SDE). The concept of SDE builds on the foundation of Extended DNS Errors (RFC 8914), which introduced the ability to include additional error information in DNS responses. The SDE draft takes this a step further by using I-JSON (a restricted profile of JSON) to format the information in a way that browsers and client applications can easily parse.

The SDE data is included in the EXTRA-TEXT field of the DNS response. It contains:

  • j (justification): Reason for blocking
  • c (contact): Contact information for inquiries if the page was blocked by mistake
  • o (organization): Organization responsible for DNS filtering in this case (optional)
  • s (suberror): The suberror code for this particular DNS filtering (optional)

Such a system enhances transparency between DNS services and users.

What is required to implement Structured DNS Errors

Although AdGuard DNS has implemented support for Structured DNS Errors, browsers currently do not natively support parsing and displaying SDE data. For users to see detailed explanations in their browsers when a website is blocked, browser developers need to adopt and support the SDE draft specification.

AdGuard DNS demo extension for SDE

To showcase how Structured DNS Errors work, AdGuard DNS has developed a demo browser extension that shows how Structured DNS Errors could work if browsers supported them. If you try to visit a website blocked by AdGuard DNS with this extension enabled, you will see a detailed explanation page with the information provided via SDE, such as the reason for blocking, contact details, and the organization responsible.

Explanation page

You can install the extension from the Chrome Web Store or from GitHub.

If you want to see what it looks like at the DNS level, you can use the dig command and look for EDE in the output.

% dig @94.140.14.14 'ad.doubleclick.net' A IN +ednsopt=15:0000

...

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 17 (Filtered): ({"j":"Filtered by AdGuard DNS","o":"AdGuard DNS","c":["mailto:support@adguard-dns.io"]})
;; QUESTION SECTION:
;ad.doubleclick.net. IN A

...