I am on a Windows 10 computer that has a big list of DNS suffixes. This is enforced by GPO so I cannot remove them.
The net effect is that outside of the company network, DNS requests take a long time because the requests are for example.com and not example.com. and therefore go through the suffix list before getting to the actual FQDN.
One way to avoid that would be to discard some requests that meet a pattern.
I thought that blacklisting the suffixes would be the way to go, but it seems it does not work this way: upon matching the suffix, a correct response is sent back to the client (it is empty). The client then uses it as the resolved IP (which is empty). So it is rather a "we want to block this domain so nobody can access it" kind of blacklist. I am looking for the "when we see that domain, we pass" kind of blacklist.
Is this something that can be achieved with Pi-hole?
No, and neither would any DNS server.
It's far too late if a DNS server receives the request, as the client has already sent out its DNS requests.
If a DNS server would silently discard those requests, your client would quite possibly take even longer to resolve a domain, as it would wait for the network to time out, which is usually measured in seconds and could be orders of magnitude longer than your average forwarded DNS request at ~50 to ~100 milliseconds.
Using Pi-hole to blacklist your inaccessible/unresolvable GPO-enforced domains would at least make the answer as fast as possible, usually in under ~10 ms.
EDIT: There may be a chance to improve client resolution times by trying out different reply types, as sketched out by jpgpi250 below, as that may coerce a client into not repeating a query whose previous reply it would otherwise deem unagreeable. However, I'd expect this to predominantly affect those DNS requests that really have no answer, neither public nor in any of the search domains.
Discarding a request would only work if you would discard it before it gets sent, by controlling it on the client that actually sends those DNS requests.
Once that client sends out a DNS request, a DNS server will reply to it one way or another.
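To see the client-side effect the answer describes, here is an added PowerShell snippet (not from this thread or from Pi-hole) that lists the suffix search list the Windows resolver will append and compares lookup time for an unqualified name against the same name with a trailing dot, which the resolver treats as an FQDN. It assumes network access and uses example.com as a placeholder test name.

```powershell
# Added example: show the GPO-enforced suffix list and time an
# unqualified lookup against a trailing-dot (FQDN) lookup of the same name.
param(
    [string]$Name = 'example.com'   # assumed test name; any public FQDN works
)

# The suffixes the client appends, in the order it tries them.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
Write-Host "Suffix search list ($($suffixes.Count) entries); candidate names:"
$suffixes | ForEach-Object { Write-Host "  $Name.$_" }
Write-Host "  $Name.   (FQDN, no suffix appended)"

function Measure-Lookup {
    param([string]$Query)
    # -DnsOnly skips LLMNR/NetBIOS so the timing reflects DNS alone;
    # -NoHostsFile avoids a hosts-file hit masking a network round trip.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = Resolve-DnsName -Name $Query -Type A -DnsOnly -NoHostsFile `
                              -ErrorAction SilentlyContinue
    $sw.Stop()
    [pscustomobject]@{
        Query     = $Query
        Answer    = ($result | Where-Object Type -eq 'A' |
                     Select-Object -First 1 -ExpandProperty IPAddress)
        ElapsedMs = [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
    }
}

# Flush the client cache between runs so each lookup really goes out
# (may need an elevated prompt on some builds).
Clear-DnsClientCache
$unqualified = Measure-Lookup -Query $Name      # may walk the suffix list
Clear-DnsClientCache
$fqdn        = Measure-Lookup -Query "$Name."   # single query, no suffixes

$unqualified, $fqdn | Format-Table -AutoSize
```

The difference between the two ElapsedMs values is the cost the suffix list adds on the client, which is why no change on the Pi-hole side can remove it.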
Yes, you are correct. I was thinking as I was typing the question and I forgot that the client requests are sent linearly (myrequest.com.suffix1.com., then myrequest.com.suffix1.com., then all the suffixes, and finally myrequest.com.) so the client is waiting for each of them before sending the next one.
My only hope is either to have that GPO modified so that I can get rid of the suffixes, or find a way to parallelize the requests at the client level (I do not know whether this is possible with Windows 10).