Do not forward non-fqdn HTTPS record types?

Pi-hole can block non-FQDN A and AAAA records from being forwarded.

How can I do the same for HTTPS record types?

Seeing NODATA responses from my ISP (of course) since they will not know about my non-FQDN host name; but some device is querying for it via the HTTPS record type.

Thanks

Add this regex blacklist entry to block them all. They won't be forwarded to an upstream resolver.

.*;querytype=HTTPS

Thanks. Is there a way to allow the valid ones but block the non-fqdn ones? Or even return a valid value for local non-fqdn hosts for https records?

Have you seen any HTTPS queries returned with a valid IP from the upstream DNS server? All I see is NODATA or CNAME (with no IP returned).

Good point. Yes, CNAME and NODATA.

My issue may be I also have a VPN profile on my iOS devices for on-demand VPN if it can't find my home domain and since iOS queries first for HTTPS, then AAAA, then A, sometimes my phone does a VPN connection when it should not. If I could reply with the HTTPS record that may fix this.

HTTPS DNS queries are not yet a standard, and they don't resolve to anything at this point.

If I am not mistaken, HTTPS DNS queries are indeed resolving but not for every domain and maybe, as it looks like, not by every DNS server or ISP.

As far as I understand, HTTPS DNS queries are of type 65 (see: List of DNS record types - Wikipedia).

I am using Unbound as a recursive DNS resolver with Pi-Hole and don't forward DNS queries to my ISP.

If I do a resolution to e.g.
dig cloudflare.com -t TYPE65
I get an answer of TYPE65.

If I take a look at the Wireshark response to this query, I see that IPv4 and IPv6 IPs are returned in one single reply at the same time.

Pi-Hole shows this particular query above as a "BLOB" reply. I would assume that if a forwarding DNS server or ISP doesn't reply to an HTTPS query as above, you don't get a "BLOB" reply.

I can also observe "BLOB" replies in Pi-Hole when visiting e.g.:
https://www.cloudflare.com/
with Mac OS, iOS and other Apple devices.
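Added example (not code from this thread, Pi-hole or Unbound): a small builder and parser for the RDATA of the HTTPS record (type 65) defined in RFC 9460, which is the payload dig prints as TYPE65/HTTPS and Pi-hole logs as a "BLOB" reply. It shows why a single answer can carry both IPv4 and IPv6 addresses (the ipv4hint and ipv6hint SvcParams) and what a record for a local, non-FQDN host would look like on the wire. The target ".", the addresses 192.168.1.20 and fd00::20 and the ALPN list are constructed sample values, not data from the thread; whether serving such a record changes the iOS on-demand VPN behaviour described above is not something the thread establishes.

```python
"""Build and parse the RDATA of DNS HTTPS (type 65) records as specified in RFC 9460."""
import ipaddress
import struct

# SvcParamKey registry values (RFC 9460, section 14.3.2); ech (5) and mandatory (0) are kept opaque here
KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT = range(7)
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 wire-format name; "." (the owner name itself) encodes as one zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long")
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a name at buf[off:] and return (name, new offset); SVCB forbids compression pointers."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not permitted in SVCB TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def build_https_rdata(priority, target, alpn=(), port=None, ipv4hint=(), ipv6hint=()) -> bytes:
    """Serialise an HTTPS RR; SvcParams are emitted in ascending key order as the RFC requires."""
    params = []
    if alpn:
        params.append((KEY_ALPN, b"".join(struct.pack("B", len(a)) + a.encode("ascii") for a in alpn)))
    if port is not None:
        params.append((KEY_PORT, struct.pack("!H", port)))
    if ipv4hint:
        params.append((KEY_IPV4HINT, b"".join(ipaddress.IPv4Address(a).packed for a in ipv4hint)))
    if ipv6hint:
        params.append((KEY_IPV6HINT, b"".join(ipaddress.IPv6Address(a).packed for a in ipv6hint)))
    if priority == 0 and params:
        raise ValueError("AliasMode (priority 0) records carry no SvcParams")
    out = struct.pack("!H", priority) + encode_name(target)
    for key, value in sorted(params):
        out += struct.pack("!HH", key, len(value)) + value
    return out


def decode_param(key: int, value: bytes):
    """Decode the value of one SvcParam; unknown or opaque keys are returned as raw bytes."""
    if key == KEY_ALPN:
        alpns, i = [], 0
        while i < len(value):
            n = value[i]
            if i + 1 + n > len(value):
                raise ValueError("truncated alpn-id")
            alpns.append(value[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return alpns
    if key == KEY_PORT:
        return struct.unpack("!H", value)[0]
    if key == KEY_IPV4HINT:
        if len(value) % 4:
            raise ValueError("ipv4hint length not a multiple of 4")
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    if key == KEY_IPV6HINT:
        if len(value) % 16:
            raise ValueError("ipv6hint length not a multiple of 16")
        return [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    return value


def parse_https_rdata(rdata: bytes) -> dict:
    """Parse HTTPS RDATA into a dict; rejects truncated, out-of-order or duplicate SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    rec = {"priority": priority, "target": target, "params": {}}
    last_key = -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly increasing")
        last_key = key
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        off += length
        rec["params"][KEY_NAMES.get(key, f"key{key}")] = decode_param(key, value)
    if priority == 0 and rec["params"]:
        raise ValueError("AliasMode record with SvcParams")
    return rec


# Constructed sample: a ServiceMode record a local resolver could serve for a non-FQDN host
# (target "." means "this owner name"); addresses and ALPNs are assumed values, not from the thread.
LOCAL_HOST_RDATA = build_https_rdata(
    1, ".", alpn=["h2", "http/1.1"], ipv4hint=["192.168.1.20"], ipv6hint=["fd00::20"])

if __name__ == "__main__":
    print(LOCAL_HOST_RDATA.hex())
    print(parse_https_rdata(LOCAL_HOST_RDATA))
```

The parser is deliberately strict about key order and truncation, because an upstream that hands back an HTTPS answer it does not understand (or an ISP that rewrites responses) is exactly the case where a permissive decoder hides a malformed reply.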
