NXDOMAIN response to chatty telemetry stuff

So I got pihole up and running in a complex environment. However, I have Amazon devices on my net and yeah, they are spamming reconnects to device-metrics-us.amazon.com. This firehose of SSL reconnects makes using the logs and graphs of pihole impossible, or at least of very limited value.

I kinda played around with it this morning and while I think that yeah the FireOS devices are handling this badly I think Pihole could actually handle this scenario better as well.

I think the logic the FireOS devices use is

Do I have a network? if yes can I resolve device-metric-us.amazon.com? if yes reconnect 10 times a second spamming everything.

Anyways, I'm wondering if pihole (or dnsmasq) can just return an NXDOMAIN for device-metric-us.amazon.com or "no such host".

I'm at work, but when I get home tonight I'll play around with the dnsmasq settings and see if I can see anything.

Having a quick look at the dnsmasq manpage, we can find:

As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains.

It is basically possible to have such a feature, but this would mean you would have to maintain at least two kinds of blacklists:

  1. Blacklist, which points to the pihole webservice
  2. Blacklist, which points to an NXDOMAIN record

But I see the additional blacklist competing with the status quo wildcard blacklist ...

What about maintaining a blacklist for domains that you wanted to block and show the blockpage and a silent list for domains that should NXDOMAIN and not report anywhere nor show the blockpage?

That would be a wildcard type (including all subdomains) of blacklist, right?!
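To make the two-list idea from the posts above concrete (and the dnsmasq manpage excerpt quoted earlier), here is an added example, not code from Pi-hole, dnsmasq or anyone in this thread, that renders a "block page" list and a "silent" list into dnsmasq `address=` lines. It assumes the Pi-hole web server sits at a constructed address `192.0.2.10`, that list files hold one domain per line with `#` comments, and that the caller redirects the output into a dnsmasq include file; the file path and list names are assumptions, not Pi-hole's. Because `address=/domain/` applies to the domain and all its subdomains, both lists behave as wildcard lists, which answers the question in the post above.

```shell
#!/bin/sh
# Added example (not Pi-hole's or dnsmasq's own code): turn two blocklists into
# dnsmasq "address=" directives.
#   address=/domain/IP  -> clients get IP, so Pi-hole can serve its block page
#   address=/domain/    -> dnsmasq answers NXDOMAIN (domain and all subdomains)
#
# Assumptions (constructed for this example, not from the thread):
#   BLOCKPAGE_IP is the Pi-hole web server (192.0.2.10 is a documentation address)
#   list files: one domain per line, '#' starts a comment, blank lines ignored

BLOCKPAGE_IP="192.0.2.10"   # assumption: replace with your Pi-hole address

# normalise_domain: drop comments and surrounding whitespace/dots, lowercase.
# Prints nothing for blank or comment-only lines.
normalise_domain() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^\.*//' -e 's/\.*$//' \
        | tr 'A-Z' 'a-z'
}

# blockpage_line: emit the directive that sends the client to the block page.
blockpage_line() {
    d=$(normalise_domain "$1")
    if [ -n "$d" ]; then
        printf 'address=/%s/%s\n' "$d" "$BLOCKPAGE_IP"
    fi
    return 0
}

# nxdomain_line: emit the directive that makes dnsmasq answer NXDOMAIN.
# No address after the trailing slash is what triggers the NXDOMAIN answer.
nxdomain_line() {
    d=$(normalise_domain "$1")
    if [ -n "$d" ]; then
        printf 'address=/%s/\n' "$d"
    fi
    return 0
}

# render_lists BLOCKPAGE_FILE SILENT_FILE: write a dnsmasq conf fragment to stdout.
# The "|| [ -n "$line" ]" keeps a last line that lacks a trailing newline.
render_lists() {
    while IFS= read -r line || [ -n "$line" ]; do
        blockpage_line "$line"
    done < "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        nxdomain_line "$line"
    done < "$2"
    return 0
}

# Usage (assumed paths, not Pi-hole's own layout):
#   render_lists blockpage.list silent.list > /etc/dnsmasq.d/02-silent.conf
```

Domains on the silent list never reach the block page and are answered NXDOMAIN for every subdomain, so a device that only checks "can I resolve this name" stops retrying instead of hammering the web server. Entries are normalised (lowercased, trimmed, trailing dot removed) so that `Device-Metrics-US.amazon.com.` and `device-metrics-us.amazon.com` do not end up as two directives.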

It's a good suggestion for a Feature Request. It may not be implemented in the near future due to some restructuring of the internal code, but after that restructure is finished we may be able to use some more of the dnsmasq features directly. No timeline is currently released for the restructure but it's being developed now and is something that should* be in the next few months. We'll take this under suggestion and see what is possible.

This sounds good :+1:

I've tested this with the current FTL beta and a manual merge of gravity.sh and pihole files from https://github.com/pi-hole/pi-hole/tree/new/nxdomain. It seems to work pretty well. As a possible side benefit, I noticed a speed improvement when browsing. I'm using a fairly old device for my pihole (old 32-bit netbook), and I noticed that some requests for blocked sites that were taking around 2 seconds (connection refused, the default blocking method) went down to around 100ms or less with the new NXDOMAIN blocking style. (That 2-second speed was noticed even after putting in the appropriate firewall rules to send tcp-reset.)


Implemented.