Detect typosquatting redirect from ISP's DNS and send out a proper NXDOMAIN

I want to use my ISP's DNS servers for upstream DNS because I've found that various streaming services perform better this way.

However, if you typo a domain (or type in random gibberish), my ISP's DNS sends out a fake/incorrect response that points to a server that just redirects you to a page full of ads. It's basically DNS hijacking.

I have Pi-hole set to block this domain for the page full of ads, but I want the block to happen before the redirect so that I can just correct the typo instead of having to re-type the entire URL.

Expected Behaviour:

I want Pi-Hole to detect this fake/incorrect DNS response and send out a proper NXDOMAIN response.

Actual Behaviour:

Pi-hole forwards the fake/incorrect DNS response, and then blocks the ads after the address bar has changed.

Debug Token:

pp8jou2ti7


To clarify: I don't want to set BLOCKINGMODE=NXDOMAIN - I'm very happy with a blank white page for advertising domains. What I want is NXDOMAIN only for domains that legitimately don't exist. E.g. anything 8.8.8.8 would return an NXDOMAIN for, I want my Pi-hole to return NXDOMAIN for. But I want to use the IP from my ISP's DNS when it differs from what 8.8.8.8 would return (e.g. for Netflix, which I'm pretty sure has servers inside of my ISP's network, so no external DNS would ever point to them).

You need to edit /etc/pihole/pihole-FTL.conf and add:

BLOCKINGMODE=NXDOMAIN

(see Blocking mode - Pi-hole documentation for FTLDNS blocking modes).

You need to stop FTLDNS prior to the change:
sudo systemctl stop pihole-FTL.service
and once /etc/pihole/pihole-FTL.conf has been edited, restart FTLDNS with
sudo systemctl start pihole-FTL.service

Later edit: I would recommend switching away from your ISP's DNS servers.

It would really be best for you (not only from a privacy perspective but also because you would not depend on any third-party DNS) if you ran unbound:

https://docs.pi-hole.net/guides/unbound/

I am running it like this and there are no problems with streaming services of any kind.


Hi, thanks!

I looked at that, but my understanding of BLOCKINGMODE=NXDOMAIN is that I would still get the redirect to the advertising domain, but then that would have the browser's NXDOMAIN error page instead of a white page (?) I want something that kicks in earlier.

Update: I tested it with BLOCKINGMODE=NXDOMAIN, and it does indeed still redirect before applying the block. I get Firefox's "Hmm. We’re having trouble finding that site.", but my address bar has already been changed, so it's too late.

(Also, I have to use my browser console quite a lot for work, so I prefer the default empty html page response since it doesn't fill the browser console with errors.)

I'm pretty sure what I'm looking for is possible, because I remember having a router that did it a few years ago, but I can't seem to remember what it's called.

I'll look into unbound, though, and maybe give up on my ISP's DNS.

Unbound works nicely. No filtering, no logging, you are in control. ISP's can be problematic with the behavior you note.

Interesting that your streaming services perform better when you use ISP DNS. Have you compared nslookup or dig for a streaming provider domain from your ISP and from a third-party DNS to see if they are returning the same IP?

This screenshot from the dev branch of Pi-hole shows which ISPs provide ECS (for geolocating responses). Using one of these may provide adequate streaming performance.


Well, maybe I don't need my ISP's DNS anymore. Netflix has apparently gotten smarter, and actually pulls video through a subdomain that includes my ISP's name. So, unsurprisingly, that gives the same IP no matter which DNS server I hit.

YouTube also seems to give the same IP through various DNS providers now. (Now that I'm thinking about it, poor YouTube performance was the main reason I went back to my ISP's DNS a few years ago.)

I haven't tried anything else, but those two results are promising. So maybe I'll just give the ISP's DNS the boot.


I think, when I had this working before, it was using OpenWrt and dnsmasq. dnsmasq was somehow configured to detect the specific IP of the ad server that my ISP uses, and any DNS response which pointed to that was changed to NXDOMAIN.

I might try and set that up again and put it in between the Pi-hole and ISP's DNS.

I just ran namebench, and in addition to any geolocation / internal server benefits I may get, my ISP's DNS is also the fastest. So there is definitely some value in sticking with them.

It might be faster only because of the existing cache on their DNS servers. Once Unbound builds up its cache, it will be the fastest ...

A bit of experimentation might be needed to find your best setup. Unbound works nicely, and is easy to set up. If it doesn't meet your needs, it's a few steps to go back to what you had.

I would also check the box in "upstream DNS servers" on your web GUI for adding some of the commercial servers. Pi-Hole V4 has an algorithm to determine which is the better responder and it will migrate to the fastest and most reliable. That may help you decide which is best in your particular area.

https://docs.pi-hole.net/ftldns/dns-resolver/


You should be able to do the same in dnsmasq configuration files on your Pi. Even though dnsmasq does not run as a separate process, pihole-FTL contains the code and does that function and all the dnsmasq configuration files still work.


Yeah, I was just noticing that Pi-hole uses dnsmasq under the hood. Now I just have to remember what exactly I did with dnsmasq...

Please post your solution on this thread when you get it working.

Figured it out!

First, run dig example.invalid to get all of the IPs that the DNS server gives out when hijacking NXDOMAIN results.

In my case it looked like this:

pi@pi-hole:~ $ dig example.invalid

; <<>> DiG 9.10.3-P4-Raspbian <<>> example.invalid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27003
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.invalid.               IN      A

;; ANSWER SECTION:
example.invalid.        10      IN      A       198.105.244.65
example.invalid.        10      IN      A       104.239.198.84

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 01 23:25:59 EDT 2018
;; MSG SIZE  rcvd: 65

Then edit /etc/dnsmasq.conf and add a new bogus-nxdomain= for each IP:

bogus-nxdomain=198.105.244.65
bogus-nxdomain=104.239.198.84

Restart Pi-hole and run the dig query again to verify that it is now filtering out the DNS hijacking:

pi@pi-hole:~ $ sudo systemctl stop pihole-FTL.service
pi@pi-hole:~ $ sudo systemctl start pihole-FTL.service
pi@pi-hole:~ $ dig example.invalid

; <<>> DiG 9.10.3-P4-Raspbian <<>> example.invalid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31857
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.invalid.               IN      A

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 01 23:27:15 EDT 2018
;; MSG SIZE  rcvd: 33

It'd be wonderful if this became a setting in the web UI, or even better, something that Pi-hole just did automatically. But this is good enough for me.

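
An added example, not code from the thread or from the Pi-hole project, that automates the procedure in the post above: it parses dig output for a name under the reserved .invalid TLD, reports whether the upstream resolver hijacked the NXDOMAIN, and turns the returned A records into bogus-nxdomain= lines. The extra query names, the drop-in path /etc/dnsmasq.d/99-bogus-nxdomain.conf (the post edits /etc/dnsmasq.conf directly) and the sample dig output are assumptions or constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Pi-hole): detect NXDOMAIN hijacking in
# dig output and generate dnsmasq bogus-nxdomain= lines from it.

# Constructed sample: the hijacked answer quoted in the thread, as dig prints it.
HIJACKED_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27003
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.invalid.               IN      A
;; ANSWER SECTION:
example.invalid.        10      IN      A       198.105.244.65
example.invalid.        10      IN      A       104.239.198.84
EOF
)

# Constructed sample: the clean answer after the fix (no ANSWER section at all).
CLEAN_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31857
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.invalid.               IN      A
EOF
)

# Print "hijacked" if dig output (stdin) for a name that cannot exist carries
# A records for that name, "clean" if no A records came back (genuine NXDOMAIN).
hijack_status() {
    awk -v name="$1." '
        $1 == name && $3 == "IN" && $4 == "A" { hit = 1 }
        END { print (hit ? "hijacked" : "clean") }'
}

# Emit one bogus-nxdomain= line per distinct A record in dig output (stdin).
to_bogus_nxdomain() {
    awk -v name="$1." '
        $1 == name && $3 == "IN" && $4 == "A" && !seen[$5]++ { print "bogus-nxdomain=" $5 }'
}

# Live use on the Pi (needs dig): query a few names under .invalid so a hijacker
# that rotates between addresses is still caught, then write a drop-in that
# pihole-FTL reads. The drop-in path is an assumption; the thread edits /etc/dnsmasq.conf.
collect_live() {
    for name in example.invalid "typo-$$.invalid" "$(date +%s).invalid"; do
        dig +noall +answer "$name" A | to_bogus_nxdomain "$name"
    done | sort -u
}
# collect_live | sudo tee /etc/dnsmasq.d/99-bogus-nxdomain.conf && sudo systemctl restart pihole-FTL
```

After restarting pihole-FTL, piping a fresh dig example.invalid through hijack_status should print "clean"; if it still prints "hijacked", the ISP has started handing out an address that is not yet listed.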

FYI, the example.invalid domain is based on RFC 2606 which reserves the .invalid TLD.

I like the idea of randomness, but I'd recommend sticking with .invalid and it should only need to send one query. Any IP address returned is a bogus-nxdomain.

I'll put a post in the feature request forum and cross-link.

Here is the feature request: Automatically block upstream DNS hijacking / typosquatting with dnsmasq's bogus-nxdomain
