Expected Behaviour:
HTTPS/Type 65 queries sometimes return no data, and sometimes return a CNAME from upstream servers.
Expected behavior (determined by comparing 8.8.8.8 responses in Wireshark) would be to always include a SOA record in the reply, and also return the associated CNAME record returned from upstream when available. Wireshark shows this not happening reliably. I have tried, but am unable to pinpoint an exact cause.
Installation/Hardware: Synology Docker:
- Docker Tag 2022.01.1
- Pi-hole v5.10
- FTL v5.15
- Web Interface v5.12
Client: iPhone 13 Pro / 15.5
Wireshark / monitoring setup: I have a UniFi 8-port PoE switch connecting my wireless AP. I have a USB Ethernet adapter connected to a second port on the same switch and set to mirroring mode for the port the AP is connected to. This USB adapter is connected to a PC with Wireshark and has all TCP/IP disabled on the adapter, with only Npcap enabled on it, so that its only function is to mirror packets to/from the AP into Wireshark.
Note: I started down this path because of the discussion in this thread on limiting IP address tracking. I note that in that thread, there remains no specific root cause known. However, while comparing Wireshark captures between 8.8.8.8 queries from the phone and Pi-hole replies, I found the differences noted above. I am not intending to claim this topic is a root cause or even directly linked to the attached thread... but merely sharing how I came upon the differences.
For the screenshot shown below, limit IP address tracking is set to off... however, I have not found that this setting makes a difference for the behavior claimed in this topic. The only thing that changes the behavior is whether I use the Pi-hole as a DNS server or not.
Actual Behaviour:
The Pi-hole web interface confirms that for type 65 / HTTPS queries that contain a CNAME entry, the upstream service does return the proper entry (queries that do not find a CNAME entry will show 'NODATA' in the response column).
I believe, based on what the Pi-hole UI is showing, that it receives a CNAME record in response to the forwarded query.
However, the response actually returned to the client is not including the CNAME record, nor is it including a SOA record either (which should always be present in the response for this query).
(Note the time-stamp in the images to correlate the two queries between wireshark and the website.)
EDIT: After a suggestion from yubiuser, I have done some more testing with captures and only the Google upstream DNS. The additional image I had previously pasted here does appear to be specific to the behavior differences between OpenDNS and Google.
I am removing the image that was previously here, because the specific concern I still have is the scenario above where the CNAME was returned by the upstream service, but then removed in the Pi-hole reply to the client.
Thank you.
I did spend about an hour searching GitHub issues, this site, and the internet as a whole for a similarly reported issue to this one... or at least to see if someone had linked this behavior to the Apple IP tracking thread linked above, but I did not find any other posts / issues / or links, so I created a new topic.
This is my first topic here. Thank you for any help.
J.P.
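The post compares two replies to the same HTTPS (type 65) query by eye in Wireshark: one that carries the upstream CNAME in the answer section plus a SOA in the authority section, and one that carries neither. The following is an added example (not code from the post, Pi-hole or FTL) that does that comparison mechanically: a minimal DNS wire-format parser using only the Python standard library, with a check that reports whether a response contains a CNAME answer, a SOA authority record, or is an empty NOERROR reply (what the Pi-hole UI labels NODATA). The two messages at the bottom are constructed inline to mirror the two cases described above; the names `www.example.`, `cdn.example.` and the SOA contents are made-up sample values. To run it against a real capture, export a DNS response from Wireshark as raw bytes (the UDP payload only) and pass it to `check_https_reply`.

```python
"""Check whether a DNS response to an HTTPS (type 65) query carries the
CNAME and SOA records described in the post. Standard library only."""
import struct

TYPE_CNAME = 5
TYPE_SOA = 6
TYPE_HTTPS = 65
RCODE_NOERROR = 0


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels = []
    end = None  # offset after the first pointer, i.e. where the field ends
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, {section: [(name, type, ttl, rdata), ...]})."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    rcode = msg[3] & 0x0F
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return rcode, sections


def check_https_reply(msg):
    """Summarise what a type 65 response actually contains."""
    rcode, sections = parse_response(msg)
    answer_types = [rr[1] for rr in sections["answer"]]
    authority_types = [rr[1] for rr in sections["authority"]]
    return {
        "rcode": rcode,
        "has_cname": TYPE_CNAME in answer_types,
        "has_https": TYPE_HTTPS in answer_types,
        "has_soa": TYPE_SOA in authority_types,
        # NOERROR with an empty answer section is what the UI shows as NODATA
        "nodata": rcode == RCODE_NOERROR and not answer_types,
    }


def build_response(qname, qtype, answers=(), authority=(), rcode=RCODE_NOERROR):
    """Build a constructed response (QR=1, RD=1, RA=1) for testing the checker."""
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + body


def soa_rdata(mname, rname, serial=1, refresh=3600, retry=600, expire=86400, minimum=300):
    return encode_name(mname) + encode_name(rname) + struct.pack("!5I", serial, refresh, retry, expire, minimum)


# Constructed sample messages (not real captures): the reply shape the post
# expects from 8.8.8.8, and the stripped reply it observed from the client side.
EXPECTED_REPLY = build_response(
    "www.example.", TYPE_HTTPS,
    answers=[("www.example.", TYPE_CNAME, 300, encode_name("cdn.example."))],
    authority=[("example.", TYPE_SOA, 900, soa_rdata("ns1.example.", "hostmaster.example."))],
)
STRIPPED_REPLY = build_response("www.example.", TYPE_HTTPS)

if __name__ == "__main__":
    for label, msg in (("expected", EXPECTED_REPLY), ("stripped", STRIPPED_REPLY)):
        print(label, check_https_reply(msg))
```

The parser follows compression pointers, so it also handles real responses, where the answer name is usually a pointer back into the question. Running the two constructed messages through `check_https_reply` gives `has_cname`/`has_soa` both true for the first and both false (with `nodata` true) for the second, which is exactly the difference the post describes between the upstream reply and the reply the client received.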