NXDOMAIN And Null Blocking With FTLDNS

jacob.salmela · May 18, 2018, 10:40am

Originally published at: NXDOMAIN And Null Blocking With FTLDNS – Pi-hole

Pi-hole has traditionally returned a blank HTML page in place of advertisements. An alternative method is to return NXDOMAIN--no such domain. This is a behaviour you asked us to implement and we have listened.

To use it, you'll need to be running the FTLDNS beta (pihole -up if you're already on it):

echo "FTLDNS" | sudo tee /etc/pihole/ftlbranch
pihole checkout core FTLDNS 
pihole checkout web FTLDNS

You can also checkout the development branches, but if you want the most up-to-date code, use the FTLDNS branches.

Once you've checked out on the new branches, you need to add this to /etc/pihole/pihole-FTL.conf (note you may need to create this file if it does not exist)

BLOCKINGMODE=NXDOMAIN

or

BLOCKINGMODE=NULL

depending on which method you prefer and then restart FTLDNS (pihole-FTL) to apply the change

sudo service pihole-FTL restart

What Is NXDOMAIN?

This is a mechanism built into DNS that can be returned as an answer when the domain doesn't exist. You can see this response by using nslookup on a domain that is not likely to be registered:

me@pihole:~$ nslookup skfmndfosfmmpofpwmf.com
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find skfmndfosfmmpofpwmf.com: NXDOMAIN

There are benefits and drawbacks to both methods, but NXDOMAIN response has been an open feature request for some time. This functionality is now available in FTLDNS.

Benefits And Drawbacks Of Serving HTML Or Using A 404 (The current method)

Benefits

The block page can be used and is fully functional

Drawbacks

Additional software to run the Web server is needed
Performance may be slightly impacted
Firewall rules are often needed to prevent slow loading pages (But even then you can still run into issues with certain routers)

Benefits And Drawbacks Of NXDOMAIN

Benefits

Improved speed and performance
No Web server needed
No connections made to Pi-hole for blocked domains (except for the DNS request itself)
No firewall rules needed

Drawbacks

Block page will not work
You may see a browser error for blocked domains
If you visit a blocked domain directly, your browser may say the domain doesn't exist, which may be confusing
Some connections will still try to connect to the non-existant domain for a few tries before it times out

What About Null Blocking?

Another method is null blocking, which responds with 0.0.0.0 or ::1. This special IP address is unspecified.

Benefits And Drawbacks

These are similar to that of NXDOMAIN but this is more experimental so your mileage may vary,

Your Support

Thanks to you, we can keep working on Pi-hole and implementing features you want. We're currently running a fundraiser so please consider donating to our project!

Sander · May 18, 2018, 8:41pm

Unfortunately this does not work in my case - and others on Reddit. Still, the IP address of Pi-hole is returned.

Current Pi-hole version is v3.3.1-136-ga7e7680
Current AdminLTE version is v3.2.1-195-g4355bde2
Current FTL version is vDev-5ecab0a

DL6ER · May 18, 2018, 8:44pm

Note that you may need to run pihole -g after updating.

FTLDNS will indicate this in its log file but I agree that this is not very visible.

Packeteer · May 18, 2018, 9:03pm

Should it be pihole-FTL.conf or doesn't it matter?? [so FTL in upper case]

mibere · May 18, 2018, 9:12pm

It's pihole-FTL.conf

Sander · May 18, 2018, 9:22pm

Yay!
After renaming pihole-ftl.conf to pihole-FTL.conf (and running pihole -g beforehand) it works!
I'd recommend editing the original post so pihole-FTL.conf is correctly created.

mibere · May 18, 2018, 9:29pm

Done. Thanks for the hint.

DL6ER · May 18, 2018, 9:44pm

I also edited the original blog article now.

SoNic67 · May 18, 2018, 10:57pm

I am using the NXDOMAIN now, instead of the redirection to 127.0.0.1 and everything seems to work faster. Thanks!

DL6ER · May 20, 2018, 7:09am

I'm seeing that certain clients try hard to resolve their domains when Pi-hole returns NXDOMAIN (try try to resolve a given domain a dozen times before they give up). This increased the query log by a notable amount of "query noise". Switching to NULL IP blocking seems to have helped, maybe you should give it a try as well.

Packeteer · May 20, 2018, 8:02am

I was about to post the same thing. I'm seeing that my total % blocked has dropped to nearly half it's previous value now that I've switched from NXDOMAIN to BLOCKINGMODE=NULL (currently running around 36% total queries blocked). Curiously the top 2 worst offenders are Microsoft - not strictly ads!

SoNic67 · May 20, 2018, 11:17am

There where several other incidents of "normal" sites when I had to refresh several times the page until it got served.

Thanks for suggestions, I'll try the NULL method now.

Crazybyte · July 30, 2018, 9:37am

Am I wrong or NXDOMAIN is now the default behavior for pi-hole?

I was starting to implement this method by following this guide, but I decided to check using nslookup just before doing it... and it seems that my pi-hole is replying with NXDOMAIN instead that its own IP address or 0.0.0.0.

My current setup is:
Raspbian 9 (stretch)
Pi-hole version is v3.3.1 (Latest: v3.3.1)
AdminLTE version is v3.3 (Latest: v3.3)
FTL version is v3.0 (Latest: v3.0)

DL6ER · July 30, 2018, 9:46am

With FTLDNS, the new default method is NULL blocking as described here.

NXDOMAIN turned out to be disadvantageous in some cases where clients tried to resolve hostnames like crazy as they didn't accept NXDOMAIN as reply.

Crazybyte · July 30, 2018, 9:57am

Thanks for the useful link.
In this case, having Pi-hole 3.3.1, would be better for me to switch to dev branch (Pi-hole ver 4+) or as for the guide, use the FTLDNS branch?

jfb · July 30, 2018, 10:50am

The dev branch of 4.0 is recommended.