Optimise DNS server

Please follow the below template, it will help us to help you!

Expected Behaviour:

_[PiHole DNS server should provide filtering for the associated network IP
Below is a long text explaining the possibilities
The attached picture helps explain my question.
Namebench output

And as for the OUTER circles and arcs . . .

The outer circle of the resolver status icon shows what, if any, “DNS rebinding attack protection” the corresponding nameserver provides to its querying clients.

DNS rebinding attacks utilize DNS to fool a browser’s scripting security into believing that local resources, such as the user’s own computer or router, are located in the same web domain as the script’s source. When this occurs, the browser’s “Same Origin Policy” protection is bypassed, giving scripts unrestricted access to the local resource. This allows scripts to do bad things such as change LAN router settings or access any resources and computers on the LAN. (That’s not good.)

Security conscious DNS nameservers are able to help block these attacks simply by never returning IP addresses that fall within the ranges of IP addresses commonly used with private LAN networks behind a router or the “Localhost IP” of 127.0.0.1 which computers use to refer to themselves.

[Sample diagram: resolver status icon with the rebinding-protection arcs labelled 127.0.0.1, 192.168.0.1, 10.0.0.1 and 172.16.0.1]

GRC’s DNS Benchmark tests each nameserver to determine whether it blocks (filters) the return of these reserved private IP addresses, in both IPv4 and IPv6 formats. At the time of this feature’s release, only the OpenDNS nameservers can be configured to do this, and then only for IPv4; IPv6 versions of these queries are still able to sneak through. Since there is never any reason to return a private IP address from a public DNS request, all nameservers should block the return of private IP addresses. Hopefully, more will in the future.

As shown in the nearby diagram, the outer circle is divided into four quadrants with each quadrant associated with an IP address in non-routable private networks:

  • An EMPTY arc (see the 127.0.0.1 IP in the sample diagram) indicates that no filtering is provided by the nameserver for the associated network IP.
  • A BLUE arc (see the 192 and 10 network IPs in the sample diagram) indicates that filtering is provided for either the IPv4 or IPv6 style address, but not both, by the nameserver for the associated network IP.
  • A GREEN arc (see the 172 network IP in the sample diagram) indicates that filtering is provided for both the IPv4 and IPv6 style address by the nameserver for the associated network IP.

The best possible protection is therefore represented by a full, unbroken, green outer ring signifying that all four network IP ranges are being blocked in both IPv4 and IPv6 formats. While no nameservers are providing this protection at the time of this new feature’s release, it is our hope that, with time, many nameservers will be updated to do so. No new programming is required to provide this feature. It is simply a matter of updating the nameserver’s configuration file.]_

Actual Behaviour:

[PiHole DNS supplies filtering for either the IPv4 or IPv6 style address, but not both]

Debug Token:

[https://tricorder.pi-hole.net/6bq1n58l5f]
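The quoted GRC text describes the check a rebinding-protecting resolver performs: never hand a client an answer that points into 127/8, 192.168/16, 10/8 or 172.16/12, and catch the IPv6 forms of those answers too. The script below is an added example (not GRC's code, not Pi-hole's, and not part of this thread) that implements that filter over constructed answer records and then scores a resolver's test results into the empty/blue/green arcs of the diagram. It assumes the "IPv6 version" of a private answer is the IPv4-mapped form `::ffff:a.b.c.d` (plus the IPv6 loopback `::1` and the fc00::/7 private range); the IPv4 ranges are the four the text names. In a Pi-hole installation this job belongs to dnsmasq's `stop-dns-rebind` option, so the code is there to show the logic, not to replace that setting.

```python
import ipaddress

# The four IPv4 "quadrants" from the GRC description. Constructed for this
# example; they are the RFC 1918 ranges plus loopback.
QUADRANTS = {
    "127": ipaddress.ip_network("127.0.0.0/8"),
    "192": ipaddress.ip_network("192.168.0.0/16"),
    "10":  ipaddress.ip_network("10.0.0.0/8"),
    "172": ipaddress.ip_network("172.16.0.0/12"),
}
# Native IPv6 ranges a filter must also refuse (assumption: loopback and ULA).
IPV6_RANGES = {
    "127": ipaddress.ip_network("::1/128"),   # IPv6 loopback, counterpart of 127/8
    "ula": ipaddress.ip_network("fc00::/7"),  # IPv6 private (unique local) space
}


def rebind_quadrant(addr_text):
    """Return which private quadrant an answer address falls into, or None for
    a normal public address. IPv4-mapped IPv6 answers (::ffff:a.b.c.d) are
    unwrapped so a private IPv4 address cannot sneak through an AAAA record."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6:
        mapped = addr.ipv4_mapped
        if mapped is None:
            for name, net in IPV6_RANGES.items():
                if addr in net:
                    return name
            return None
        addr = mapped
    for name, net in QUADRANTS.items():
        if addr in net:
            return name
    return None


def sanitize_answers(answers):
    """Split (rrtype, address) answer records into the ones a rebinding-
    protecting resolver may return and the ones it must drop."""
    kept, dropped = [], []
    for rrtype, addr in answers:
        (dropped if rebind_quadrant(addr) else kept).append((rrtype, addr))
    return kept, dropped


def arc_colour(filtered_v4, filtered_v6):
    """Colour of one quadrant's arc in the diagram, from the two test outcomes."""
    if filtered_v4 and filtered_v6:
        return "green"
    if filtered_v4 or filtered_v6:
        return "blue"
    return "empty"


def observe(returned):
    """returned: {quadrant: {"A": address-or-None, "AAAA": address-or-None}},
    i.e. what a resolver handed back for each probe. A probe counts as
    filtered when no private address came back."""
    return {q: {fam: addr is None or rebind_quadrant(addr) is None
                for fam, addr in fams.items()}
            for q, fams in returned.items()}


def score_resolver(observed):
    """Map each quadrant's {"A": bool, "AAAA": bool} outcome to its arc colour."""
    return {q: arc_colour(r.get("A", False), r.get("AAAA", False))
            for q, r in observed.items()}


# Constructed answer set: two public records and three that must be dropped.
SAMPLE_ANSWERS = [
    ("A", "93.184.216.34"),
    ("A", "192.168.0.1"),
    ("AAAA", "::ffff:10.0.0.1"),   # private IPv4 hidden in an AAAA record
    ("AAAA", "2001:db8::1"),
    ("AAAA", "::1"),
]

# Constructed resolver behaviour matching the sample diagram: nothing filtered
# for 127, IPv4 only for 192 and 10, both families for 172.
V4_ONLY_RESOLVER = {
    "127": {"A": "127.0.0.1", "AAAA": "::ffff:127.0.0.1"},
    "192": {"A": None, "AAAA": "::ffff:192.168.0.1"},
    "10":  {"A": None, "AAAA": "::ffff:10.0.0.1"},
    "172": {"A": None, "AAAA": None},
}

if __name__ == "__main__":
    print(sanitize_answers(SAMPLE_ANSWERS))
    print(score_resolver(observe(V4_ONLY_RESOLVER)))
```

Running it prints the two public records as kept, the three private ones as dropped, and the scoring `{'127': 'empty', '192': 'blue', '10': 'blue', '172': 'green'}`, which is the picture the GRC text describes: a full green ring means every quadrant is withheld in both families.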

This is not the case in your installation. From your debug log - this test for DNS blocking shows that blocked domains were actually blocked in both IPv4 and IPv6.

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] gsp1.baidu.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] gsp1.baidu.com is 0.0.0.0 via Pi-hole (192.168.2.1)
[✓] doubleclick.com is 172.217.17.142 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] ads.pni.com is :: via localhost (::1)
[✓] ads.pni.com is :: via Pi-hole (2a02:a443:8cfd:1:ba27:ebff:fee3:b34f)
[✓] doubleclick.com is 2a00:1450:400e:807::200e via a remote, public DNS server (2001:4860:4860::8888)

In this line in the debug log, what are you trying to do? If you want the IPv6 DNS queries also to go to unbound, use the IPv6 loopback address ::#5353

PIHOLE_DNS_2=2a02:a443:8cfd:1:ba27:ebff:fee3:b34f#5353
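The reply above reads two things off the debug log: whether the blocked test domains come back as the null address from Pi-hole in both address families, and where each `PIHOLE_DNS_n` upstream actually points. The script below is an added example (not Pi-hole's own tooling and not part of this thread) that parses the quoted log lines and the quoted upstream setting to make both checks explicit. It assumes Pi-hole's null-blocking answers are `0.0.0.0` for A and `::` for AAAA, as the quoted log shows, and that a `PIHOLE_DNS_n` value without a `#port` suffix means port 53.

```python
import ipaddress
import re

# Null answers seen in the quoted log for blocked names (assumption: Pi-hole's
# default null blocking mode).
NULL_ANSWER = {"IPv4": "0.0.0.0", "IPv6": "::"}

SECTION_RE = re.compile(r"Name resolution \((IPv[46])\)")
RESULT_RE = re.compile(r"^\[(.)\] (\S+) is (\S+) via (.+?) \((\S+)\)$")
UPSTREAM_RE = re.compile(r"^PIHOLE_DNS_(\d+)=([^#\s]+)(?:#(\d+))?$")

# Copy of the name-resolution section quoted in the thread, embedded here so
# the example runs offline.
DEBUG_LOG = """\
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] gsp1.baidu.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] gsp1.baidu.com is 0.0.0.0 via Pi-hole (192.168.2.1)
[✓] doubleclick.com is 172.217.17.142 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] ads.pni.com is :: via localhost (::1)
[✓] ads.pni.com is :: via Pi-hole (2a02:a443:8cfd:1:ba27:ebff:fee3:b34f)
[✓] doubleclick.com is 2a00:1450:400e:807::200e via a remote, public DNS server (2001:4860:4860::8888)
"""


def parse_debug_log(text):
    """Turn the name-resolution section of a pihole -d log into records of
    {"family", "domain", "answer", "via", "server", "ok"}."""
    records, family = [], None
    for line in text.splitlines():
        section = SECTION_RE.search(line)
        if section:
            family = section.group(1)   # following result lines belong to this family
            continue
        m = RESULT_RE.match(line.strip())
        if m and family:
            mark, domain, answer, via, server = m.groups()
            records.append({"family": family, "domain": domain, "answer": answer,
                            "via": via, "server": server, "ok": mark == "✓"})
    return records


def blocking_by_family(records):
    """Per family: did Pi-hole answer the blocked domain with the null address,
    and did the public server hand back a real address for the ad domain?"""
    summary = {}
    for fam in ("IPv4", "IPv6"):
        rows = [r for r in records if r["family"] == fam]
        pihole = [r for r in rows if r["via"].startswith("Pi-hole")]
        public = [r for r in rows if "public" in r["via"]]
        summary[fam] = {
            "blocked": bool(pihole) and all(r["answer"] == NULL_ANSWER[fam] for r in pihole),
            "upstream_resolves": bool(public) and all(
                r["answer"] != NULL_ANSWER[fam] and ipaddress.ip_address(r["answer"]) for r in public),
        }
    return summary


def blocks_both_families(text):
    """True when the log shows null-blocking from Pi-hole over IPv4 and IPv6."""
    summary = blocking_by_family(parse_debug_log(text))
    return all(summary[fam]["blocked"] for fam in summary)


def classify_upstream(setting):
    """Split a PIHOLE_DNS_n=address#port line and report where it points:
    loopback (a resolver on the Pi itself), a LAN/global address, or the
    unspecified address, which is not a usable destination."""
    m = UPSTREAM_RE.match(setting.strip())
    if not m:
        raise ValueError(f"not a PIHOLE_DNS_n setting: {setting!r}")
    idx, addr_text, port = m.groups()
    addr = ipaddress.ip_address(addr_text)
    return {"index": int(idx), "address": str(addr), "port": int(port) if port else 53,
            "family": f"IPv{addr.version}", "loopback": addr.is_loopback,
            "unspecified": addr.is_unspecified}


if __name__ == "__main__":
    print(blocking_by_family(parse_debug_log(DEBUG_LOG)))
    print(classify_upstream("PIHOLE_DNS_2=2a02:a443:8cfd:1:ba27:ebff:fee3:b34f#5353"))
```

For the quoted log the summary reports `blocked` and `upstream_resolves` as true for both families, and the quoted `PIHOLE_DNS_2` line is classified as a global IPv6 address on port 5353 rather than a loopback one, which is the distinction the reply is drawing.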

Hi @jfb
Thanks for the prompt response.
I obviously did not look deep enough into the documentation.

However, when I try to set ::#5353 as IPv6 loopback I get this message: Error IP (::) is invalid! The settings have been reset to their previous values

So I set it to ::1#5353
Is that correct?

Second question:
Do you have any idea from the logfile why I cannot upload and get a token?
This happens both on my RPI with the pihole -d command and from the admin -> tools -> generate debug log page.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.