How to unblock specific IDN domains?

What if someone doesn't want to block all IDN domains?

For example, www.theländ.de is a governmental domain from Baden-Württemberg in Germany.

So why can't Pi-Hole handle IDN domains, and why does it say they are invalid?

  [i] Target: https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 190258 domains, 7 domains invalid!
      Sample of invalid domains:
      - госулуги.рф
      - госуслуги-ру.рф
      - гослуги.рф
      - госсуслуга.рф
      - госсуслуугии.рф
  [i] List has been updated

DNS records themselves don't deal with IDN.
It's a client application like a browser that translates them to Punycode before issuing a DNS request:

11:14:37 dnsmasq[576]: query[A] www.xn--thelnd-eua.de from 192.168.1.12

If a client were to omit the translation (as e.g. nslookup on some Windows may do), the answer would be NXDOMAIN, resulting in log entries like:

11:13:25 dnsmasq[576]: query[A] <name unprintable> from 192.168.1.21
11:13:25 dnsmasq[576]: forwarded <name unprintable> to 192.168.1.1
11:13:25 dnsmasq[576]: reply <name unprintable> is NXDOMAIN

As usual, you may whitelist the respective domain (www.xn--thelnd-eua.de in your case) directly from Pi-hole's Query Log.

If I understand you right, every blocklist with IDN domains should/must be converted to punycode before using them with Pi-Hole?! :thinking:

Yes, that's what well-maintained blocklists (like the default Steven Black hosts list) for DNS-based filtering would do.

I also note that the offending list https://raw.githubusercontent.com/blocklistproject/Lists/master/phishing.txt you've been using above currently has well over 1,500 Punycode definitions in it, so I guess the maintainer just forgot to translate those seven invalid ones.

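The conversion discussed above, as an added example that is not code from the thread, from Pi-hole or from the list maintainers: it rewrites the Unicode entries of a hosts-format or plain-domain blocklist to Punycode with Python's built-in `idna` codec (IDNA 2003 rules) and reports the entries that cannot be encoded. The function names and the sample list are constructed for this illustration.

```python
# Added example: translate Unicode (IDN) blocklist entries to Punycode so a
# DNS-based filter sees the same name a client actually puts on the wire.
# Assumption: Python's built-in "idna" codec (IDNA 2003) is good enough here;
# a few characters (e.g. German sharp s) are mapped differently by IDNA 2008.

# Constructed sample in hosts format; the two Cyrillic names are taken from
# the "invalid domains" output shown in the thread.
SAMPLE = """\
# constructed sample list
0.0.0.0 example.com
0.0.0.0 госулуги.рф
0.0.0.0 госуслуги-ру.рф  # trailing comment is kept
"""

def to_alabel(domain: str) -> str:
    """Return the ASCII form of a domain; ASCII-only labels pass through."""
    return domain.encode("idna").decode("ascii")

def convert_blocklist(text: str):
    """Return (converted_text, failed_lines) for a hosts/plain-domain list."""
    out, failed = [], []
    for line in text.splitlines():
        entry, sep, comment = line.partition("#")
        fields = entry.split()
        # The domain is the last field: "<ip> <domain>" or just "<domain>".
        if fields and not fields[-1].isascii():
            try:
                fields[-1] = to_alabel(fields[-1])
                line = " ".join(fields) + (" " + sep + comment if sep else "")
            except UnicodeError:
                # e.g. a label longer than 63 octets once encoded:
                # leave the line untouched and report it for manual review.
                failed.append(line)
        out.append(line)
    return "\n".join(out) + "\n", failed

if __name__ == "__main__":
    converted, failed = convert_blocklist(SAMPLE)
    print(converted, end="")
    print("not convertible:", failed)
```

Lines that end up in the second return value are the ones worth reporting to the list maintainer, since they stay invalid for DNS-based filtering.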

Thanks! I will make some issues for this (and some more :wink: ) blocklists on GitHub.
