Please explain: Difference in blocking IPv4 and IPv6?

On Pi-hole to rule out bad client configuration.
Same result as before.
Order doesn't seem to make a difference. Request (A) always gets Blocked, request (AAAA) always gets OK.

Did some extra testing. When I execute dig on a non-listed domain, IPv4 and IPv6 get 'OK'; when I put the same domain on the exact blacklist, IPv4 and IPv6 get 'Blocked'.

So it has to do with regex blocking or CNAME right?
I will test regex now as I did with the exact blacklist to rule out regex blocking (or not).

pihole restartdns
  [✓] Restarting DNS server
dig AAAA brave-browser-apt-release.s3.brave.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> AAAA brave-browser-apt-release.s3.brave.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;brave-browser-apt-release.s3.brave.com.	IN AAAA

;; ANSWER SECTION:
brave-browser-apt-release.s3.brave.com.	872 IN CNAME u2.shared.global.fastly.net.

;; AUTHORITY SECTION:
fastly.net.		55	IN	SOA	ns1.fastly.net. hostmaster.fastly.com. 2017052201 3600 600 604800 30

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 28 19:33:59 CET 2020
;; MSG SIZE  rcvd: 166



pihole restartdns
  [✓] Restarting DNS server
dig A brave-browser-apt-release.s3.brave.com


; <<>> DiG 9.11.5-P4-5.1-Debian <<>> A brave-browser-apt-release.s3.brave.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1554
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;brave-browser-apt-release.s3.brave.com.	IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 28 19:34:39 CET 2020
;; MSG SIZE  rcvd: 67

Regex on blacklist gives same result as exact blacklist. IPv4 and IPv6 both get blocked if on blacklist, and are both allowed if not on any list.

So CNAME is left as the use case where it goes wrong. Or is that too simple thinking?

I'm starting to see similar things.

 pihole -q www.msn.com
 Match found in https://dbl.oisd.nl:
   gstatic.comwww.infinityhr.comwww.microsoft.comwww.msn.comwww.pages01.net

Please explain why the AAAA queries show CNAME in the reply column and the A record shows CNAME in the status column.

Apologies for my ignorance.

What version are you on? Same as the user that opened this thread?

pihole version
Pi-hole version is v4.3.2-391-ge0b3405 (Latest: v4.3.2)
AdminLTE version is v4.3.2-360-g88da85f (Latest: v4.3.2)
FTL version is vDev-44b772b (Latest: v4.3.1)

I'm on the beta5 branch, followed the instructions from the original beta5 announcement.
I ran pihole -up several times today, I got 2 pihole-FTL updates.

Same here

Just a thought. I'm no DNS expert.
Is CNAME configured for IPv4 and IPv6 separately? That could explain the difference.

If CNAME is configured only for IPv4 then in my case CNAME get blocked for IPv4 as expected (on regex blacklist).
If CNAME is not configured for IPv6 the first request is allowed (not on any list) and no CNAME to check.

Then the cause is not Pi-hole but the (not well) configured domain.

Again, just a thought...

Apologies in advance, if my suggestion turns out to be stupid. Just trying.

In my screenshot, www.msn.com is blocked (type A). Is it possible the log shows the queries pihole-FTL performs to determine www.msn.com is really a CNAME for gstatic.comwww.infinityhr.comwww.microsoft.comwww.msn.comwww.pages01.net, and never sends the first 2 AAAA replies to the client?

Apologies for my ignorance.

That's correct:

dschaper@Mariner-10:/mnt/c/Users/dan$ curl https://dbl.oisd.nl -o oisd.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 23.7M  100 23.7M    0     0  7580k      0  0:00:03  0:00:03 --:--:-- 7580k
dschaper@Mariner-10:/mnt/c/Users/dan$ grep 'www.msn.com' oisd.txt
gstatic.comwww.infinityhr.comwww.microsoft.comwww.msn.comwww.pages01.net

No, a CNAME just points to another record, there are no A or AAAA specific entries.

dig www.msn.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> www.msn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14774
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.msn.com.                   IN      A

;; ANSWER SECTION:
www.msn.com.            273     IN      CNAME   www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 235 IN CNAME   a-0003.a-msedge.net.
a-0003.a-msedge.net.    18      IN      A       204.79.197.203

;; Query time: 23 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Tue Jan 28 15:26:06 PST 2020
;; MSG SIZE  rcvd: 104

Something strange I noticed.
dig A www.msn.com, Answer section:

;; ANSWER SECTION:
www.msn.com.            244     IN      CNAME   www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 54 IN  CNAME   a-0003.a-msedge.net.
a-0003.a-msedge.net.    54      IN      A       204.79.197.203

dig AAAA www.msn.com, answer section (NO IP ADDRESS)

;; ANSWER SECTION:
www.msn.com.            166     IN      CNAME   www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 106 IN CNAME   a-0003.a-msedge.net.

Verification, to check that dig AAAA returns IP addresses: dig AAAA www.google.com

;; ANSWER SECTION:
www.google.com.         120     IN      AAAA    2a00:1450:400e:806::2004

dig AAAA www.msn.com has NO IP address in the answer section. Significant for this problem?

That is all correct.

A record for www.msn.com really doesn't exist, it's a CNAME. The IP response is the A record for a-0003.

dschaper@Mariner-10:~$ dig A a-0003.a-msedge.net

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> A a-0003.a-msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26249
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;a-0003.a-msedge.net.           IN      A

;; ANSWER SECTION:
a-0003.a-msedge.net.    11      IN      A       204.79.197.203

;; Query time: 1 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Tue Jan 28 15:43:37 PST 2020
;; MSG SIZE  rcvd: 53

AAAA record for www.msn.com doesn't exist, it's a CNAME. The IPv6 doesn't exist because a-0003 doesn't have one.

dschaper@Mariner-10:~$ dig AAAA a-0003.a-msedge.net

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> AAAA a-0003.a-msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57760
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;a-0003.a-msedge.net.           IN      AAAA

;; Query time: 16 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Tue Jan 28 15:43:30 PST 2020
;; MSG SIZE  rcvd: 37

dig returns the A records as a hint to clients:

dschaper@Mariner-10:~$ dig AAAA www.msn.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> AAAA www.msn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63966
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;www.msn.com.                   IN      AAAA

;; ANSWER SECTION:
www.msn.com.            240     IN      CNAME   www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 180 IN CNAME   a-0003.a-msedge.net.

;; ADDITIONAL SECTION:
a-0003.a-msedge.net.    179     IN      A       204.79.197.203
a-0003.a-msedge.net.    179     IN      A       204.79.197.203

;; Query time: 15 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Tue Jan 28 15:40:49 PST 2020
;; MSG SIZE  rcvd: 120

Not sure what the google dig is supposed to show?

And to clarify, there is no such thing as IPv4 and IPv6 for DNS records. They are A and AAAA records and any DNS server can serve any of those records. It's up to the client to request the right resource.
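To make the CNAME-chain point concrete, here is an added example (not Pi-hole's code, and not a claim about how pihole-FTL actually matches): it walks the A and AAAA answers quoted above and checks every name in the chain against a constructed exact list and regex list. The chain is the same for both query types; only the terminal record differs, and a listed CNAME target is caught either way.

```python
import re

# Constructed sample answers, transcribed from the dig outputs quoted in this thread:
# (owner, rrtype, rdata) triples in the order the resolver returned them.
MSN_A = [
    ("www.msn.com.", "CNAME", "www-msn-com.a-0003.a-msedge.net."),
    ("www-msn-com.a-0003.a-msedge.net.", "CNAME", "a-0003.a-msedge.net."),
    ("a-0003.a-msedge.net.", "A", "204.79.197.203"),
]
MSN_AAAA = MSN_A[:2]  # the AAAA reply carries the same chain but no terminal record
BRAVE_AAAA = [("brave-browser-apt-release.s3.brave.com.", "CNAME",
               "u2.shared.global.fastly.net.")]
# The malformed oisd entry from the thread: a grep finds "www.msn.com" inside it,
# but an exact-match set never equals it.
BAD_ENTRY = "gstatic.comwww.infinityhr.comwww.microsoft.comwww.msn.comwww.pages01.net"


def follow_cname_chain(qname, qtype, answers):
    """Walk CNAMEs from qname; return (names_in_chain, terminal_rdata_or_None)."""
    by_owner = {}
    for owner, rtype, rdata in answers:
        by_owner.setdefault(owner.lower(), []).append((rtype, rdata))
    chain, seen = [], set()
    name = qname.lower().rstrip(".") + "."
    while name not in seen:          # guard against CNAME loops
        seen.add(name)
        chain.append(name)
        rrs = by_owner.get(name, [])
        terminal = [rd for rt, rd in rrs if rt == qtype]
        if terminal:
            return chain, terminal[0]
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return chain, None       # chain ends with no record of the asked type
        name = cnames[0].lower()
    return chain, None


def decide(qname, qtype, answers, exact_block, regex_block):
    """Deep CNAME check (modelled, not Pi-hole's): block if any chain name is listed."""
    chain, terminal = follow_cname_chain(qname, qtype, answers)
    for name in chain:
        bare = name.rstrip(".")
        if bare in exact_block or any(re.search(p, bare) for p in regex_block):
            return "blocked", bare, terminal
    return "ok", None, terminal
```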

Just to check the dig command returns an IP address, but you have now explained dig AAAA www.msn.com doesn't show an IP address because there is no AAAA record for a-0003.a-msedge.net. Apologies, again, for my ignorance.

Feel free to comment on my (probably stupid) suggestion:

It's not a CNAME for that long and seemingly incorrect domain. I think that's a bad entry from the blocklist that concatenated a bunch of other domains without anyone checking to see if it was right or wrong. Tends to happen with lists that are just automated aggregates of other peoples work without any real kind of quality control in the process.

@sjhgvr can you have a look at this entry in your blocklist? This to ensure it isn't causing the problem we have been looking at. Thanks.

Please visit the blocklist page on Reddit for issue resolution:

https://www.reddit.com/r/oisd_blocklist/comments/dwxgld/dbloisdnl_internets_1_domain_blocklist/


Yes.

  1. Add DEBUG_QUERIES=true to /etc/pihole/pihole-FTL.conf,
  2. Run pihole restartdns reload,
  3. Perform the query of interest, and
  4. Check /var/log/pihole-FTL.log for the requested details.

I meant the web interface query log, the entries in the screenshot, 2 times AAAA query, 1 time A query is the result of CNAME checking?