Implement _dns.resolver.arpa as a special domain or add BLOCK_SVCB as a configuration option

As it stands, pi-hole does not provide an intuitive way to block DoH bypasses by itself.

The special domain _dns.resolver.arpa is used to upgrade clients to use DNS over HTTPS, and may provide a way around the pi-hole's blocking. With a pi-hole configured forwarder of 1.1.1.1, clients resolving _dns.resolver.arpa can be directed to instead use Cloudflare's DoH server directly. This is not limited to just Cloudflare.

This not only has privacy concerns for those running unbound, but also completely negates the pi-hole's blocking unless other measures are taken, such as a firewall rule with a hard-coded IP address list is implemented. I do not believe the average user would be aware of this bypass.

Edit: Including a relevant thread: Are SVCB queries sent through pi-hole of blocking concern?

Thank you for the suggestion, it quite obviously seems a good idea. I had a look at the other discussion, too, dating back to the end of 2022 and think I missed parts of it back then. I seem to recall having only seen the discussion about a general blocking of all SVCB queries which seemed (and still seems) over the top. But your request is nonetheless a valid one IMO, see

for further details.

I'd be great if you could run

sudo pihole checkout ftl new/dns_resolver_arpa

and verify yourself that this is behaving as you expect it to.

That's cool! I Iike it :slight_smile:

While everything looks good in the WebUI and the .toml, it's not returning with an NXDOMAIN. Functionally, it does block the query however.

EDIT: Just took a look at the RFC. NODATA is the correct response. Looks good to me! Thanks @DL6ER

1 Like

The feature has just been merged into development and will be part of the next FTL release.

2 Likes

Just some food for thought, Palo Alto themselves do recommend blocking all SVCB records:


See: Security Profile: Anti-Spyware

2 Likes
.*;querytype=ANY,HTTPS,SVCB;reply=nodata

I've bee running the "regex deny" for quite some time, without any noticeable impact. Be aware "whitelist always wins", so in order to enforce blocking for the specified query types, a whitelist entry (regex allow) needs to look like (example):

ctldl.windowsupdate.com;querytype=!ANY,SVCB,HTTPS	

enforcing blocking also implies you cannot use "allow lists"...