What if someone doesn't want to block all IDN domains?
For example, www.theländ.de is a governmental domain from Baden-Württemberg in Germany.
So why can't Pi-Hole handle IDN domains, and why does it say they are invalid?
[i] Target: https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt
[✓] Status: Retrieval successful
[i] Analyzed 190258 domains, 7 domains invalid!
Sample of invalid domains:
- госулуги.рф
- госуслуги-ру.рф
- гослуги.рф
- госсуслуга.рф
- госсуслуугии.рф
[i] List has been updated
DNS records themselves don't deal with IDN.
It's a client application like a browser that translates them to Punycode before issuing a DNS request:
11:14:37 dnsmasq[576]: query[A] www.xn--thelnd-eua.de from 192.168.1.12
If a client would omit translation (as e.g. nslookup on some Windows may do), the answer would be NXDOMAIN, resulting in log entries like:
11:13:25 dnsmasq[576]: query[A] <name unprintable> from 192.168.1.21
11:13:25 dnsmasq[576]: forwarded <name unprintable> to 192.168.1.1
11:13:25 dnsmasq[576]: reply <name unprintable> is NXDOMAIN
As usual, you may whitelist the respective domain (www.xn--thelnd-eua.de in your case) directly from Pi-hole's Query Log.
If I understand you right, every blocklist with IDN domains should/must be converted to punycode before using them with Pi-Hole?!
Yes, that's what well-maintained blocklists (like the default Steven Black hosts list) for DNS-based filtering would do.
I also note that the offending list https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt you've been using above has currently well over 1,500 Punycode definitions in it, so I guess the maintainer just forgot to translate those seven invalid ones.
Thanks! I will make some issues for this (and some more) blocklists on GitHub.
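The conversion discussed in this thread, as an added example that is not part of any post and not Pi-hole's or the list maintainer's code: a small pre-processor that rewrites IDN entries in a blocklist to Punycode and reports entries it cannot encode. It assumes hosts-style (`0.0.0.0 domain`) or plain-domain lines; the function names and the sample list are constructed for illustration.

```python
"""Convert IDN entries in a blocklist to Punycode (added example)."""

# Constructed sample input: hosts-style and plain-domain lines.
SAMPLE = [
    "# constructed sample blocklist",
    "0.0.0.0 example.com",
    "0.0.0.0 www.theländ.de",
    "госулуги.рф",
    "0.0.0.0 bad..label.example",
]


def to_punycode(domain):
    """Return the ASCII (xn--) form of a domain, or None if it cannot be encoded.

    Uses Python's built-in "idna" codec, which implements IDNA 2003 (RFC 3490).
    """
    domain = domain.strip().rstrip(".")
    try:
        return domain.encode("idna").decode("ascii").lower() or None
    except UnicodeError:  # empty label, over-long label, disallowed code point
        return None


def normalize_blocklist(lines):
    """Return (output_lines, converted, rejected) for a list of blocklist lines."""
    out, converted, rejected = [], [], []
    for line in lines:
        body = line.split("#", 1)[0].split()
        if not body:                      # blank line or comment: keep as is
            out.append(line)
            continue
        domain = body[-1]                 # last field in both assumed formats
        ascii_domain = to_punycode(domain)
        if ascii_domain is None:
            rejected.append(domain)       # report it instead of guessing
            continue
        if ascii_domain != domain:
            converted.append((domain, ascii_domain))
        out.append(" ".join(body[:-1] + [ascii_domain]))
    return out, converted, rejected


if __name__ == "__main__":
    out, converted, rejected = normalize_blocklist(SAMPLE)
    print("\n".join(out))
    for src, dst in converted:
        print(f"converted: {src} -> {dst}")
    print("rejected:", rejected)
```

Entries in `rejected` are the ones a maintainer would need to inspect by hand before publishing the list.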