IDN domains are not really useful for most people. But there is high risk of phishing from domains that mimic popular sites.
e.g.
apple.com != аpple . com (xn--pple-43d . com) uses Cyrillic a
adidas.com != adîdas . com (xn--addas-6sa . com)
airasia.com != airasîa . com (xn--airasa-fwa . com)
It would be great if you can block all IDN domains in the settings of pihole.
All IDN domains start with xn--
INTERNATIONALISATION
Dnsmasq can be compiled to support internationalisation. To do this, the make targets "all-i18n" and "install-i18n" should be used instead of the standard targets "all" and "install". When internationalisation is compiled in, dnsmasq will produce log messages in the local language and support internationalised domain names (IDN). Domain names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain non-ASCII characters will be translated to the DNS-internal punycode representation. Note that dnsmasq determines both the language for messages and the assumed charset for configuration files from the LANG environment variable. This should be set to the system default value by the script which is responsible for starting dnsmasq. When editing the configuration files, be careful to do so using only the system-default locale and not user-specific one, since dnsmasq has no direct way of determining the charset in use, and must assume that it is the system default.
One possibility would be to run a bash command to convert unicode to punycode and do a regex to check for IDN domain if the option for IDN filtering is set.
The following NEW packages will be installed:
idn
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 75.6 kB of archives.
idn is very small
@DL6ER
How is wildcard blocking done in pihole?
You could do the same thing like wildcard but convert the domain to punycode and just check the first 3 letters for 'xn--'.
It is done following the DNS regulations which makes what you suggest impossible, unfortunately.
Let me write down a quick example: You want to contact some.thing.else.com
What happens now is:
Your request goes to the root servers where the first question is: Who knows about .com?
Your second request is now: Who handles else.com where you are already asking the server that is responsible for .com
Then you ask the else.com server for thing.else.com
And eventually you ask the server returned by the latest query where some.thing.else.com can be found.
Wildcard blocking works now in the following way: Say you block com. Then the very first step will already result in a blocked response, because dnsmasq is told to answer all .com requests as blocked. Same goes for else.com. While it will allow all other com requests (like ebay.com), it will block else.com and everything underneath (like another.thing.below.some.thing.else.com).
So blocking xn would block the following:
anything below xn
but nothing else (xn.com would be fine, text.xnxn would be fine, etc.).
What I don't know is how IDN domains are handled inside of pihole: as президент.рф, or are they automatically converted to xn--d1abbgf6aiiy.xn--p1ai?
For me it looks like it handles them as xn--d1abbgf6aiiy.xn--p1ai, because it gets blocked if I have xn--d1abbgf6aiiy.xn--p1ai on block list and query президент.рф domain.
So now, if the IDN block is enabled, then I want all domains and subdomains to be blocked.
Unfortunately, that's not how dnsmasq treats a domain. The wildcard blocking is only at the full segment (label) level, working from the right hand end. So, as mentioned above, you could block eg com. Or, you could block eg someadvertiser.com. But you can't block eg *advert*.com or, as in this case, xn--*.
One partial option, that I use, is to have a separate conf file that contains blocks on all of the current official IDN domains ie the final segment. It doesn't, and can't, catch hostnames using IDN characters but it's better than nothing.
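Added example (not code from this thread, Pi-hole or dnsmasq) tying the points above together: it converts a queried name to punycode and flags xn-- labels as proposed earlier, reproduces dnsmasq's whole-label wildcard match to show why blocking "xn" cannot catch xn--... names, and shows the partial IDN-TLD workaround. The `sample_idn_tlds` set is a constructed stand-in for the full list of official IDN top-level labels.

```python
# Added example, not code from the thread or from Pi-hole/dnsmasq.
import re

IDN_LABEL = re.compile(r"^xn--", re.IGNORECASE)


def to_punycode(name: str) -> str:
    """DNS-internal (ASCII) form; non-ASCII labels become xn--... labels."""
    # Python's built-in idna codec applies nameprep (lowercasing, NFKC)
    # and then punycode-encodes each non-ASCII label.
    return name.rstrip(".").encode("idna").decode("ascii")


def idn_labels(name: str) -> list:
    """All labels of the punycode form that are IDN (start with xn--)."""
    return [l for l in to_punycode(name).split(".") if IDN_LABEL.match(l)]


def wildcard_matches(block: str, query: str) -> bool:
    """dnsmasq-style address=/block/ match: whole labels from the right only.
    'xn' matches xn and *.xn, but never xn--pple-43d.com or xn.com."""
    b, q = block.lower().rstrip("."), to_punycode(query).lower()
    return q == b or q.endswith("." + b)


def blocked_by_idn_tlds(query: str, idn_tlds: set) -> bool:
    """The partial workaround from the thread: block the IDN top-level
    labels. Catches xn--p1ai but not an IDN hostname under .com."""
    tld = to_punycode(query).split(".")[-1]
    return tld.lower() in idn_tlds


def classify(query: str, idn_tlds: set) -> dict:
    """Per-name summary a query-log review script could emit."""
    return {
        "punycode": to_punycode(query),
        "idn_labels": idn_labels(query),
        "xn_wildcard_blocks": wildcard_matches("xn", query),
        "idn_tld_blocks": blocked_by_idn_tlds(query, idn_tlds),
    }


if __name__ == "__main__":
    # Constructed sample (hypothetical short list, not the full IDN TLD set).
    sample_idn_tlds = {"xn--p1ai"}
    for q in ["apple.com", "\u0430pple.com", "президент.рф", "xn.example"]:
        print(classify(q, sample_idn_tlds))
```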