QNAME minimization

Hi,

I’d like my DNS queries to use QNAME minimization. It seems like the resolver on the pihole doesn’t do that, because of this test:

$ drill @192.168.1.1 txt qnamemintest.internet.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 52662
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 
;; QUESTION SECTION:
;; qnamemintest.internet.nl.	IN	TXT

;; ANSWER SECTION:
qnamemintest.internet.nl.	10	IN	CNAME	a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl.	10	IN	TXT	"NO - QNAME minimisation is NOT   enabled on your resolver :("

;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl.	10	IN	NS	ns.a.b.qnamemin-test.internet.nl.

;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl.	10	IN	A	185.49.140.61
ns.a.b.qnamemin-test.internet.nl.	10	IN	AAAA	2a04:b900::8:0:0:61

;; Query time: 292 msec
;; SERVER: 192.168.1.241
;; WHEN: Mon Mar 16 11:44:56 2020
;; MSG SIZE  rcvd: 206

Note, the drill command comes from apt-get install ldnsutils.

What resolver is the pihole using? Is there a way to turn on QNAME minimization that I have not found yet?

Pi-hole is a forwarding DNS resolver and not a recursive resolver so QNAME minimization does not apply:

https://www.isc.org/blogs/qname-minimization-and-privacy/

The pihole-FTL binary uses embedded dnsmasq.

Yes, run your own recursive resolver:

https://docs.pi-hole.net/guides/unbound/

Great, thanks for the quick reply!

Unfortunately, I’m using the docker container, so if I install unbound (or my preference: knot), I will lose it on restart, unless I build my own container :frowning:

EDIT: found that someone else is building a pihole container with unbound devonkupiec/pihole-unbound


Since Pi-hole is a forwarding resolver, it is using the upstream DNS servers you have specified. These are listed in the web GUI > Settings > DNS, and also in file /etc/pihole/setupVars.conf

For the record with unbound as upstream recursive resolver:

pi@noads:~ $ drill @127.0.0.1 -p 5353 txt qnamemintest.internet.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 65019
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;; qnamemintest.internet.nl.    IN      TXT

;; ANSWER SECTION:
qnamemintest.internet.nl.       2       IN      CNAME   a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl.  2       IN      TXT     "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl.  2       IN      NS      ns.a.b.qnamemin-test.internet.nl.

;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl.       2       IN      A       185.49.140.63
ns.a.b.qnamemin-test.internet.nl.       2       IN      AAAA    2a04:b900::8:0:0:63

;; Query time: 1 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Mar 16 17:56:41 2020
;; MSG SIZE  rcvd: 207

Or:

pi@noads:~ $ dig +short @127.0.0.1 -p 5353 txt qnamemintest.internet.nl
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

Ok, it seems that if I have the Cloudflare DNS servers enabled, then I get QNAME minimization, without having to install unbound:

dig +short @192.168.1.241 txt qnamemintest.internet.nl
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

When you use an upstream resolver such as Cloudflare, qname minimisation is of no use to you, since qname minimisation happens between the recursive resolver and the authoritative nameservers. When you are using a third party upstream resolver, there is no qname minimisation between you and the upstream resolver. Any qname minimisation would happen between the upstream servers and the nameservers, and you have no involvement in those transactions.
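To make that last point concrete, here is an added simulation (not code from this thread or from Pi-hole) of which name each server on the path receives. The delegation chain in ZONE_CUTS is a constructed assumption about the test name, not the real layout of internet.nl.

```python
"""Simulated query paths with and without QNAME minimisation (RFC 7816 style).
No packets are sent; this only models which qname each server gets to see."""

# Constructed delegation chain for the thread's test name, root first.
# Assumption: one zone cut per listed zone; real delegations may differ.
ZONE_CUTS = [".", "nl.", "internet.nl.", "qnamemin-test.internet.nl."]
QNAME = "a.b.qnamemin-test.internet.nl."


def labels(name):
    """Split an absolute name into labels, root omitted: 'a.nl.' -> ['a', 'nl']."""
    return [lbl for lbl in name.split(".") if lbl]


def recursive_path(qname, minimise):
    """Return (zone asked, qname sent) for each hop of an iterative lookup."""
    full = labels(qname)
    hops = []
    for zone in ZONE_CUTS:
        if not minimise:
            # Classic behaviour: every server on the path sees the full name.
            hops.append((zone, qname))
            continue
        # Minimising: send the zone name plus exactly one more label.
        n = len(labels(zone)) + 1
        hops.append((zone, ".".join(full[-n:]) + "."))
    if minimise:
        # The last zone holds the name; keep adding one label to the same
        # servers until the full name has finally been asked.
        n = len(labels(ZONE_CUTS[-1])) + 2
        while n <= len(full):
            hops.append((ZONE_CUTS[-1], ".".join(full[-n:]) + "."))
            n += 1
    return hops


def forwarder_path(qname, upstream="upstream-resolver"):
    """A forwarder (Pi-hole's dnsmasq) hands the full name to its upstream.
    Whatever minimisation follows happens upstream, out of the client's sight."""
    return [(upstream, qname)]


if __name__ == "__main__":
    for mode in (False, True):
        print("minimise=%s" % mode)
        for zone, sent in recursive_path(QNAME, mode):
            print("  %-28s <- %s" % (zone, sent))
    print("forwarder:", forwarder_path(QNAME))
```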