NXDOMAIN And Null Blocking With FTLDNS

Originally published at: NXDOMAIN And Null Blocking With FTLDNS – Pi-hole

Pi-hole has traditionally returned a blank HTML page in place of advertisements. An alternative method is to return NXDOMAIN (no such domain). This is a behaviour you asked us to implement, and we have listened.

To use it, you'll need to be running the FTLDNS beta (run pihole -up if you're already on it):

echo "FTLDNS" | sudo tee /etc/pihole/ftlbranch
pihole checkout core FTLDNS 
pihole checkout web FTLDNS

You can also check out the development branches, but if you want the most up-to-date code, use the FTLDNS branches.

Once you've checked out the new branches, add this line to /etc/pihole/pihole-FTL.conf (you may need to create the file if it does not exist):

BLOCKINGMODE=NXDOMAIN

or

BLOCKINGMODE=NULL

depending on which method you prefer, and then restart FTLDNS (pihole-FTL) to apply the change:

sudo service pihole-FTL restart

What Is NXDOMAIN?

NXDOMAIN is a response code built into DNS that a nameserver returns when the queried domain does not exist. You can see this response by using nslookup on a domain that is unlikely to be registered:

me@pihole:~$ nslookup skfmndfosfmmpofpwmf.com
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find skfmndfosfmmpofpwmf.com: NXDOMAIN

There are benefits and drawbacks to both methods, but an NXDOMAIN response has been an open feature request for some time. This functionality is now available in FTLDNS.

Benefits And Drawbacks Of Serving HTML Or Using A 404 (The current method)

Benefits

  • The block page can be used and is fully functional

Drawbacks

  • Additional software to run the Web server is needed
  • Performance may be slightly impacted
  • Firewall rules are often needed to prevent slow-loading pages (and even then you can still run into issues with certain routers)

Benefits And Drawbacks Of NXDOMAIN

Benefits

  • Improved speed and performance
  • No Web server needed
  • No connections made to Pi-hole for blocked domains (except for the DNS request itself)
  • No firewall rules needed

Drawbacks

  • Block page will not work
  • You may see a browser error for blocked domains
  • If you visit a blocked domain directly, your browser may say the domain doesn't exist, which may be confusing
  • Some clients will still try to connect to the non-existent domain a few times before giving up

What About Null Blocking?

Another method is null blocking, which responds with 0.0.0.0 or ::1 instead of a real address. This special IP address is the unspecified address.

Benefits And Drawbacks

These are similar to those of NXDOMAIN, but this mode is more experimental, so your mileage may vary.
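Added example (not part of the original post and not Pi-hole's own code) that does by machine what the nslookup check above does by eye for both modes: it parses a raw DNS response for a domain you expect to be blocked and classifies the answer as NXDOMAIN, NULL (0.0.0.0 / ::), the Pi-hole's own IP (the classic block-page mode), or unblocked. The sample responses are constructed inline by build_response; the Pi-hole address 192.168.1.2 and the domain names are assumptions.

```python
import socket
import struct

NULL_ADDRS = {"0.0.0.0", "::", "::1"}   # null-blocking answers (post names 0.0.0.0/::1; :: is IPv6 unspecified)
ADDR_TYPES = {1: socket.AF_INET, 28: socket.AF_INET6}   # A, AAAA

def _skip_name(msg, off):               # offset just past a (possibly compressed) DNS name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, [A/AAAA answer addresses]) from a raw DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    rcode, off, addrs = flags & 0x0F, 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in ADDR_TYPES:
            addrs.append(socket.inet_ntop(ADDR_TYPES[rtype], rdata))
    return rcode, addrs

def blocking_mode(msg, pihole_ip):
    """Classify how the resolver answered a query for a domain that should be blocked."""
    rcode, addrs = parse_response(msg)
    if rcode == 3:                      # RCODE 3 = NXDOMAIN
        return "NXDOMAIN"
    if addrs and all(a in NULL_ADDRS for a in addrs):
        return "NULL"
    if pihole_ip in addrs:
        return "IP"                     # classic mode: Pi-hole's own address, block page served
    return "UNBLOCKED"

def build_response(qname, rcode, addrs):
    """Constructed sample response for testing (not captured from a real Pi-hole)."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    rrs = b""
    for a in addrs:
        rtype = 28 if ":" in a else 1
        rdata = socket.inet_pton(ADDR_TYPES[rtype], a)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 2, len(rdata)) + rdata
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    return hdr + q + struct.pack("!HH", 1, 1) + rrs
```

To check a live Pi-hole, send a standard UDP query on port 53 for a domain from one of your blocklists and pass the reply bytes to blocking_mode together with the Pi-hole's address.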

Your Support

Thanks to you, we can keep working on Pi-hole and implementing features you want. We're currently running a fundraiser so please consider donating to our project!


Unfortunately this does not work in my case - and others on Reddit. Still, the IP address of Pi-hole is returned.

Current Pi-hole version is v3.3.1-136-ga7e7680
Current AdminLTE version is v3.2.1-195-g4355bde2
Current FTL version is vDev-5ecab0a

Note that you may need to run pihole -g after updating.

FTLDNS will indicate this in its log file but I agree that this is not very visible.

Should it be pihole-FTL.conf or doesn't it matter?? [so FTL in upper case]

It's pihole-FTL.conf

Yay!
After renaming pihole-ftl.conf to pihole-FTL.conf (and running pihole -g beforehand) it works!
I'd recommend editing the original post so pihole-FTL.conf is correctly created.

Done. Thanks for the hint.

I also edited the original blog article now.


I am using the NXDOMAIN now, instead of the redirection to 127.0.0.1 and everything seems to work faster. Thanks!


I'm seeing that certain clients try hard to resolve their domains when Pi-hole returns NXDOMAIN (they try to resolve a given domain a dozen times before they give up). This increased the query log by a notable amount of "query noise". Switching to NULL IP blocking seems to have helped, maybe you should give it a try as well.

I was about to post the same thing. I'm seeing that my total % blocked has dropped to nearly half its previous value now that I've switched from NXDOMAIN to BLOCKINGMODE=NULL (currently running around 36% total queries blocked). Curiously the top 2 worst offenders are Microsoft - not strictly ads!

There were several other incidents of "normal" sites where I had to refresh the page several times until it got served.

Thanks for suggestions, I'll try the NULL method now.

Am I wrong, or is NXDOMAIN now the default behavior for Pi-hole?

I was starting to implement this method by following this guide, but I decided to check using nslookup just before doing it... and it seems that my Pi-hole is replying with NXDOMAIN instead of its own IP address or 0.0.0.0.

My current setup is:
Raspbian 9 (stretch)
Pi-hole version is v3.3.1 (Latest: v3.3.1)
AdminLTE version is v3.3 (Latest: v3.3)
FTL version is v3.0 (Latest: v3.0)

With FTLDNS, the new default method is NULL blocking as described here.

NXDOMAIN turned out to be disadvantageous in some cases where clients tried to resolve hostnames like crazy as they didn't accept NXDOMAIN as reply.


Thanks for the useful link.
In this case, having Pi-hole 3.3.1, would it be better for me to switch to the dev branch (Pi-hole 4+) or, as in the guide, use the FTLDNS branch?

The dev branch of 4.0 is recommended.