Can I block external lookup for a split brain domain?

Daylights · September 17, 2021, 6:56pm

I'm using Pi-hole as an internal DNS server for my clients and I'm running resources on another server that are internally and externally available on the same domain name (split-brain DNS). I've created a /etc/dnsmasq.d/domain.tld.conf file containing my internal DNS records like:

address=/server.domain.tld/192.168.100.100

server.domain.tld is also externally available with my internet IP. Half of the time, Pi-hole answers to the client with the internal 192.168.100.100 IP for server.domain.tld, but the other half requests are forwarded to the forwarder DNS servers and my internet IP is returned. Since my router by default doesn't accept hairpin routes, this obviously doesn't work alright.

I've tried to add server.domain.tld and domain.tld to 'Local DNS --> DNS Records' which kind of makes it better, but not completely. I've also limited Pi-hole to 127.0.0.1 as it's DNS server. Is there a way to somehow make Pi-hole/DNSmasq authoritative for the domain to that it doesn't passes requests for that particular domain to the forwarder DNS servers?

Bucking_Horn · September 18, 2021, 5:00pm

Could you show sample lines for resolution of your local IP as well as your public IP each from /var/log/pihole.log ?

Also, please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Daylights · September 19, 2021, 12:34pm

Ok, I've created an example:

My client is 192.168.50.103
I'm running Pi-hole in a docker container 172.20.0.10
The docker host server of my Pi-hole container is 192.168.50.200
There are multiple services running in the same docker host
home.domain.tld and nas.domain.tld in the DNSmasq config are pointing towards the docker host
nas.domain.tld cannot be externally resolved
home.domain.tld can also be externally resolved as a CNAME domain.mooo.com

The query for nas.domain.tld goes as expected, the query for home.domain.tld is done externally?

Sep 19 14:07:14 dnsmasq[120623]: query[A] home.domain.tld from 192.168.50.103
Sep 19 14:07:14 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:14 dnsmasq[120623]: config home.domain.tld is 192.168.50.200
Sep 19 14:07:16 dnsmasq[120623]: query[type=65] home.domain.tld from 192.168.50.103
Sep 19 14:07:16 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:16 dnsmasq[120623]: forwarded home.domain.tld to 1.1.1.1
Sep 19 14:07:17 dnsmasq[120623]: query[type=65] home.domain.tld from 192.168.50.103
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: forwarded home.domain.tld to 1.1.1.1
Sep 19 14:07:17 dnsmasq[120623]: forwarded home.domain.tld to 1.0.0.1
Sep 19 14:07:17 dnsmasq[120623]: reply home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: reply domain.mooo.com is NODATA
Sep 19 14:07:17 dnsmasq[120623]: query[A] home.domain.tld from 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: config home.domain.tld is 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: query[AAAA] home.domain.tld from 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: cached domain.mooo.com is NODATA-IPv6
Sep 19 14:07:17 dnsmasq[120623]: query[A] home.domain.tld from 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: config home.domain.tld is 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: query[AAAA] home.domain.tld from 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: cached domain.mooo.com is NODATA-IPv6
Sep 19 14:07:17 dnsmasq[120623]: query[A] home.domain.tld from 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: config home.domain.tld is 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: query[AAAA] home.domain.tld from 192.168.50.200
Sep 19 14:07:17 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:17 dnsmasq[120623]: cached domain.mooo.com is NODATA-IPv6
Sep 19 14:07:29 dnsmasq[120623]: query[A] nas.domain.tld from 192.168.50.103
Sep 19 14:07:29 dnsmasq[120623]: config nas.domain.tld is 192.168.50.200

I've replaced my real domain name to domain.tld, obviously. The debug token is iQOGBdrg.

Bucking_Horn · September 19, 2021, 1:37pm

Daylights:

Sep 19 14:07:16 dnsmasq[120623]: query[type=65] home.domain.tld from 192.168.50.103
Sep 19 14:07:16 dnsmasq[120623]: cached home.domain.tld is <CNAME>
Sep 19 14:07:16 dnsmasq[120623]: forwarded home.domain.tld to 1.1.1.1

I suppose all forwarded DNS requests are query[type=65], whereas query[A] requests would return the local IP?
Would that be correct?

EDIT:
Also, would any of those forwarded DNS requests ever return a public IP ?

Daylights · September 19, 2021, 5:06pm

That doesn't always seems to be the way it works:

Sep 19 18:36:29 dnsmasq[436]: query[type=65] outlook.ms-acdc.office.com from 192.168.50.103
Sep 19 18:36:29 dnsmasq[436]: forwarded outlook.ms-acdc.office.com to 1.1.1.1
Sep 19 18:36:29 dnsmasq[436]: query[A] outlook.ms-acdc.office.com from 192.168.50.103
Sep 19 18:36:29 dnsmasq[436]: forwarded outlook.ms-acdc.office.com to 1.1.1.1
Sep 19 18:36:29 dnsmasq[436]: reply outlook.ms-acdc.office.com is <CNAME>
Sep 19 18:36:29 dnsmasq[436]: reply AMS-efz.ms-acdc.office.com is NODATA
Sep 19 18:36:29 dnsmasq[436]: reply outlook.ms-acdc.office.com is <CNAME>
Sep 19 18:36:29 dnsmasq[436]: reply AMS-efz.ms-acdc.office.com is 40.101.12.18
Sep 19 18:36:29 dnsmasq[436]: reply AMS-efz.ms-acdc.office.com is 52.97.176.34
Sep 19 18:36:29 dnsmasq[436]: reply AMS-efz.ms-acdc.office.com is 40.101.19.146
Sep 19 18:36:29 dnsmasq[436]: reply AMS-efz.ms-acdc.office.com is 40.101.18.34
Sep 19 18:36:29 dnsmasq[436]: query[type=65] AMS-efz.ms-acdc.office.com from 192.168.50.103
Sep 19 18:36:29 dnsmasq[436]: forwarded ams-efz.ms-acdc.office.com to 1.1.1.1
Sep 19 18:36:29 dnsmasq[436]: query[A] AMS-efz.ms-acdc.office.com from 192.168.50.103
Sep 19 18:36:29 dnsmasq[436]: cached AMS-efz.ms-acdc.office.com is 40.101.18.34
Sep 19 18:36:29 dnsmasq[436]: cached AMS-efz.ms-acdc.office.com is 40.101.19.146
Sep 19 18:36:29 dnsmasq[436]: cached AMS-efz.ms-acdc.office.com is 52.97.176.34
Sep 19 18:36:29 dnsmasq[436]: cached AMS-efz.ms-acdc.office.com is 40.101.12.18
Sep 19 18:36:29 dnsmasq[436]: reply AMS-efz.ms-acdc.office.com is NODATA

EDIT:
It does look like all internal DNS records are indeed also forwarded:

Sep 19 19:14:27 dnsmasq[1078]: query[A] nas.domain.tld from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: config nas.domain.tld is 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: query[AAAA] nas.domain.tld from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: forwarded nas.domain.tld to 1.1.1.1
Sep 19 19:14:27 dnsmasq[1078]: reply nas.domain.tld is NODATA-IPv6
Sep 19 19:14:27 dnsmasq[1078]: query[PTR] 200.50.168.192.in-addr.arpa from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: config 200.50.168.192.in-addr.arpa is <PTR>

But since there is no external record for that host name, Pi-hole/dnsmasq returns the internal IP from the config to my client?

Bucking_Horn · September 19, 2021, 5:22pm

You were claiming you see issues for resolving your server.domain.tld.

Your above log excerpts now show outlook.ms-acdc.office.com.

Is outlook.ms-acdc.office.com relevant here, i.e. is it equivalent to server.domain.tld?

Daylights · September 19, 2021, 5:25pm

No, outlook.ms-acdc.office.com is not relevant to server.domain.tld, but more like an example that 'query[A]' types also get forwarded.

But as it seems, al queries get forwarded, as the edit of my previous post shows.

Bucking_Horn · September 19, 2021, 5:42pm

I see.
I should have been more specific with my question.
The more precise question would have been:
I suppose all forwarded DNS requests for your local *.domain.tld domains are query[type=65] , whereas query[A] requests would return the local IP?

And still important:

Daylights:

ep 19 19:14:27 dnsmasq[1078]: query[AAAA] nas.domain.tld from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: forwarded nas.domain.tld to 1.1.1.1
Sep 19 19:14:27 dnsmasq[1078]: reply nas.domain.tld is NODATA-IPv6

This is happening because you have not defined AAAA records for your *.domain.tld. If there is indeed no IPv6 address for your domains, neither private nor public, you could leave it as is. Otherwise, create the respective IPv6 address entries.

Daylights · September 20, 2021, 9:32am

I suppose all forwarded DNS requests for your local *.domain.tld domains are query[type=65] , whereas query[A] requests would return the local IP?

It looks like the local IP is correctly returned for those records, yes.

Also, would any of those forwarded DNS requests ever return a public IP ?

Only for home.domain.tld, as it's the only record that is also available in the public domain as the CNAME domain.mooo.com.

Sep 19 19:14:27 dnsmasq[1078]: query[A] nas.domain.tld from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: config nas.domain.tld is 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: query[AAAA] nas.domain.tld from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: forwarded nas.domain.tld to 1.1.1.1
Sep 19 19:14:27 dnsmasq[1078]: reply nas.domain.tld is NODATA-IPv6
Sep 19 19:14:27 dnsmasq[1078]: query[PTR] 200.50.168.192.in-addr.arpa from 192.168.50.200
Sep 19 19:14:27 dnsmasq[1078]: config 200.50.168.192.in-addr.arpa is

The Pi-hole container used to work as expected in a previous install of Ubuntu 18 LTS as a hosts, but since a server crash now is running in Ubuntu 20 LTS. I'm not sure if I ever disabled IPv6 on Ubuntu 18, is that maybe relevant here?

Daylights · September 21, 2021, 1:54pm

When I check the notes for the local DNS settings:

The order of locally defined DNS records is:

1. The device's host name and `pi.hole`
2. Configured in a config file in `/etc/dnsmasq.d/`
3. Read from `/etc/hosts`
4. Read from the "Local (custom) DNS" list (stored in `/etc/pihole/custom.list` )

Only the first record will trigger an address-to-name association.

That doesn't seem to be the case. Even though there is an existing /etc/dnsmasq.d/ config with a match for the record, Pi-Hole still forwards the request (sometimes). And when that record also exists in /etc/pihole/custom.list, then the number of forwards are reduced, but still some requests are forwarded. And when a record for it is present in the external DNS, that record is cached and causes issues in my internal LAN.

Unfortunately I cannot blacklist domain.tld or home.domain.tld, as that will break resolving entirely.

Bucking_Horn · September 22, 2021, 7:24am

What about the first part?

And for my other question:

Those lines do not contain any query[type=65] with its reply, so there is no way to tell whether the answer ultimately would be a pubic IP.

Local DNS records are types A (for IPv4) , AAAA (for IPv6) or CNAME, so your observation would be expected if those forwarded requests are type=65 (HTTPS Binding).

Daylights · September 22, 2021, 1:31pm

Ok, after doing some research what type=65 actually means I understand that by this way, iOS/macOS devices are able to do a secure (https) query to Pi-hole, thus bypassing any local A/AAA/CNAME records, thus having mixes replies in my case?

Looking at pihole.log, indeed only type=65 requests are being forwarded. I also read that this can be resolved by blocking using a RegEx filter:

.;querytype=HTTPS

Is this the correct way? Or should I limit to only home.domain.tld? domain.tld;querytype=HTTPS

Daylights · September 27, 2021, 5:05am

As of now, I've added domain.tld;querytype=HTTPS as a RegEx filter to the blocking list, and that seems to have solved my issue for the last couple of days. Also changing from Cloudflare to OpenDNS already seemed to have made it better (OpenDNS doesn't reply to type=65/HTTPS DNS requests?) Not entirely sure about that last bit though.

So, case closed Thanks!

system · October 4, 2021, 5:06am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.