Would it be possible to implement DNSSEC exclusion for defined list of domains?
I want to use DNSSEC, but my mobile banking application doesn't work with DNSSEC option turned ON. While I turn DNSSEC option OFF, my mobile banking is working well.
So I am thinking about to have possibility to exclude certain domains, so they would be treated like with dnssec turned OFF even it is ON.
Pi-hole version is v5.17.1 (Latest: v5.17.1)
AdminLTE version is v5.20.1 (Latest: v5.20.1)
FTL version is v5.23 (Latest: v5.23)
Even if it's possible, I'd advise against doing so, particularly for banking applications.
DNSSEC is designed to protect a validating client (you) from using forged DNS records, by cryptographically verifying digitally signed DNS records, provided the DNS authoritative for the requested domain does digitally sign its records.
So when requesting e.g. a DNSSEC validated A record, and DNSSEC validation returns SECURE, you can be sure that the IPv4 address you are going to communicate with is indeed the correct one, while a BOGUS reply would indicate that the DNS record has been tampered with.
An INSECURE DNSSEC reply would indicate that the name server authoritative for the requested domain does not digitally sign its DNS records, so DNS replies are to be regarded as regular DNS lookups.
It's important to note that DNSSEC validation requires correct time and time zone information on all involved systems.
What does Pi-hole's Query Log show for the DNSSEC Status for domains involved?
If your banking app does not work with DNSSEC enabled, and you can preclude time issues, then that should be brought to the attention of your bank.
Either one of the authoritative name servers referred by the banking software is not configured correctly, or someone is indeed trying to serve you manipulated DNS records.