pihole.log - the upper and lower case in the logfile is randomly mixed

Expected Behaviour:

Logfile pihole.log shows upper and lower case as expected (and I know from earlier logs) like

pihole.log:
reply gateway.fe.apple-dns.net
gravity blocked s.deepl.com is 0.0.0.0

Hardware/OS:

  • Linux 5.1.1-BPI-Kernel #1 SMP Thu Aug 22 13:53:49 CST 2019 armv7l GNU/Linux
  • Banana Pi M1
  • already tried pihole -r, disable/enable logging, flush logs, flush network table, ..
  • system was running stably and working correctly until 2022-01-01

Actual Behaviour:

Logfile pihole.log shows all entries like below, from nano pihole.log and also through the web interface tools "tail pihole.log" - always like "randomized" case:

pihole.log:
reply gatEwAY.Fe.ApPLE-dNs.neT
gravity blocked s.DeePl.cOm is 0.0.0.0

  • Are the DNS servers returning these case-scrambled DNS answers or pihole?
  • WebApp GUI->"Query Log" shows all queries domain names lower case.

Debug Token:

https://tricorder.pi-hole.net/nf3gdadi/

The log is accurately reflecting the query that was received - including case.

root@nanopi:~# dig gaTeWAY.FE.applE-dNs.neT

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> gaTeWAY.FE.applE-dNs.neT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7733
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;gaTeWAY.FE.applE-dNs.neT.	IN	A

;; ANSWER SECTION:
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.217
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.215
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.208
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.196
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.203
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.200
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.204
gaTeWAY.FE.applE-dNs.neT. 1655	IN	A	17.248.139.2

root@nanopi:~# dig gateway.fe.apple-dns.net

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> gateway.fe.apple-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9418
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;gateway.fe.apple-dns.net.	IN	A

;; ANSWER SECTION:
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.212
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.217
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.215
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.208
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.196
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.203
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.200
gateway.fe.apple-dns.net. 1617	IN	A	17.248.139.204

root@nanopi:~# tail -n50 /var/log/pihole.log
...
Jun 29 11:07:48 dnsmasq[1200]: query[A] gaTeWAY.FE.applE-dNs.neT from 127.0.0.1
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.217
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.215
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.208
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.196
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.203
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.200
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.204
Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.212
...
Jun 29 11:08:26 dnsmasq[1200]: query[A] gateway.fe.apple-dns.net from 127.0.0.1
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.212
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.217
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.215
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.208
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.196
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.203
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.200
Jun 29 11:08:26 dnsmasq[1200]: cached gateway.fe.apple-dns.net is 17.248.139.204
1 Like

Thanks a lot for your answer. I executed a DNS query directly from a client using the pihole IP directly as DNS; all those queries are lower case then.

The case-shuffling happens in my router (Telekom Speedport, DNS rebind activated) that forwards the DNS queries from all clients.

Seems to be off topic now, therefore I will try to find out why this router is changing the case in all DNS queries.

Thanks again and regards!
/C

Usually it's some sort of security feature. It's an attempt to see if your upstream server is modifying the queries.

With unbound it's called use-caps-for-id.

4 Likes

I suspect this is a security "feature" of some kind. At the receiving end, all the case is stripped out because DNS is not case sensitive, so the answer will remain the same regardless of case.

Unbound has a similar feature (not enabled by default):

use-caps-for-id:
Use 0x20-encoded random bits in the query to foil spoof attempts.
This perturbs the lowercase and uppercase of query names sent to
authority servers and checks if the reply still has the correct
casing. Disabled by default. This feature is an experimental
implementation of draft dns-0x20.

4 Likes
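
The 0x20 check described in the replies above, together with a way to see which source is sending mixed-case queries to Pi-hole, as an added example that is not part of the thread or of Pi-hole, dnsmasq or unbound code. The function names and the two source addresses in the sample are assumptions, and plain strings stand in for the question name carried in the DNS message.

```python
import re
from collections import defaultdict
from secrets import randbits

def encode_0x20(name: str) -> str:
    """Randomise the case (ASCII bit 0x20) of every letter in a query name."""
    return "".join(
        (c.upper() if randbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in name
    )

def reply_is_acceptable(sent_qname: str, echoed_qname: str) -> bool:
    """0x20 check: the name echoed in the reply must match the sent casing
    exactly, although DNS itself compares names case-insensitively."""
    return sent_qname == echoed_qname

# dnsmasq query line as written to pihole.log: "query[A] <name> from <source>"
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def mixed_case_by_source(lines):
    """Return {source: (total_queries, mixed_case_queries)}."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # "cached", "reply", "gravity blocked" lines carry no source
        name, source = m.groups()
        stats[source][0] += 1
        if name != name.lower() and name != name.upper():
            stats[source][1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}

# Constructed sample; both source addresses are assumptions
# (192.168.2.1 = forwarding router, 192.168.2.50 = client asking Pi-hole directly).
SAMPLE_LOG = [
    "Jun 29 11:07:48 dnsmasq[1200]: query[A] gaTeWAY.FE.applE-dNs.neT from 192.168.2.1",
    "Jun 29 11:07:48 dnsmasq[1200]: cached gaTeWAY.FE.applE-dNs.neT is 17.248.139.217",
    "Jun 29 11:07:49 dnsmasq[1200]: query[AAAA] s.DeePl.cOm from 192.168.2.1",
    "Jun 29 11:08:26 dnsmasq[1200]: query[A] gateway.fe.apple-dns.net from 192.168.2.50",
]

if __name__ == "__main__":
    sent = encode_0x20("gateway.fe.apple-dns.net")
    print(sent, reply_is_acceptable(sent, sent), reply_is_acceptable(sent, sent.lower()))
    for source, (total, mixed) in mixed_case_by_source(SAMPLE_LOG).items():
        print(f"{source}: {mixed}/{total} queries mixed-case")
```

A single source with every query mixed-case, while clients that ask Pi-hole directly stay lower case, points at a forwarder applying 0x20 rather than at individual hosts.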

Thank you both! Sounds very plausible, quite a kind of soft security feature, just wanted to know the origin and exclude any malware. :+1:

1 Like
