Hi,
I'd like my DNS queries to use QNAME minimization. It seems like the resolver on the pihole doesn't do that, because of this test:
$ drill @192.168.1.1 txt qnamemintest.internet.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 52662
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT
;; ANSWER SECTION:
qnamemintest.internet.nl. 10 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 10 IN TXT "NO - QNAME minimisation is NOT enabled on your resolver :("
;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl. 10 IN NS ns.a.b.qnamemin-test.internet.nl.
;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl. 10 IN A 185.49.140.61
ns.a.b.qnamemin-test.internet.nl. 10 IN AAAA 2a04:b900::8:0:0:61
;; Query time: 292 msec
;; SERVER: 192.168.1.241
;; WHEN: Mon Mar 16 11:44:56 2020
;; MSG SIZE rcvd: 206
Note: the drill command comes from apt-get install ldnsutils.
What resolver is the pihole using? Is there a way to turn on QNAME minimization that I have not found yet?
Pi-hole is a forwarding DNS resolver and not a recursive resolver so QNAME minimization does not apply:
The pihole-FTL binary uses embedded dnsmasq.
Yes, run your own recursive resolver:
https://docs.pi-hole.net/guides/unbound/
Great, thanks for the quick reply!
Unfortunately, I'm using the docker container, so if I install unbound (or my preference: knot), I will lose it on restart, unless I build my own container.
EDIT: found that someone else is building a pihole container with unbound: devonkupiec/pihole-unbound
jfb (March 16, 2020, 4:05pm):
Since Pi-hole is a forwarding resolver, it is using the upstream DNS servers you have specified. These are listed in the web GUI > Settings > DNS, and also in the file /etc/pihole/setupVars.conf.
For the record, with unbound as upstream recursive resolver:
pi@noads:~ $ drill @127.0.0.1 -p 5353 txt qnamemintest.internet.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 65019
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT
;; ANSWER SECTION:
qnamemintest.internet.nl. 2 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 2 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"
;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl. 2 IN NS ns.a.b.qnamemin-test.internet.nl.
;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl. 2 IN A 185.49.140.63
ns.a.b.qnamemin-test.internet.nl. 2 IN AAAA 2a04:b900::8:0:0:63
;; Query time: 1 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Mar 16 17:56:41 2020
;; MSG SIZE rcvd: 207
Or:
pi@noads:~ $ dig +short @127.0.0.1 -p 5353 txt qnamemintest.internet.nl
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
Ok, it seems that if I have the Cloudflare DNS servers enabled, then I get QNAME minimization, without having to install unbound:
dig +short @192.168.1.241 txt qnamemintest.internet.nl
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
jfb (March 16, 2020, 10:54pm):
rantoie:
Ok, it seems that if I have the Cloudflare DNS servers enabled, then I get QNAME minimization, without having to install unbound:
When you use an upstream resolver such as Cloudflare, qname minimisation is of no use to you, since qname minimisation happens between the recursive resolver and the authoritative nameservers. When you are using a third party upstream resolver, there is no qname minimisation between you and the upstream resolver. Any qname minimisation would happen between the upstream servers and the nameservers, and you have no involvement in those transactions.
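Added illustration of the point made above about where QNAME minimisation actually happens (example code, not part of any post in this thread): the script simulates which query name each name server along a delegation chain would receive with and without RFC 7816 minimisation, and reads the TXT answer of the qnamemintest.internet.nl check shown in the thread. The zone cuts are a constructed assumption; a real resolver learns them from referrals.

```python
"""Added example (not code from the Pi-hole thread): show which query names
each name server along a delegation chain sees with and without RFC 7816
QNAME minimisation, and interpret the qnamemintest.internet.nl TXT answer."""

def labels(name):
    """Split a fully qualified name into labels, root-first: 'a.b.nl.' -> ['nl','b','a']."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]

def join(root_first):
    """Inverse of labels(): ['nl','b','a'] -> 'a.b.nl.'; [] -> '.' (the root)."""
    return ".".join(reversed(root_first)) + "." if root_first else "."

def full_name_queries(qname, zone_cuts):
    """Classic resolution: every server on the path receives the complete QNAME."""
    return [(zone, qname) for zone in zone_cuts]

def minimised_queries(qname, zone_cuts):
    """RFC 7816: a server for zone Z is asked only for the name one label below Z,
    so the root and TLD servers never learn the full QNAME.  The slice is clamped
    so a zone at or below the QNAME's parent receives the full name."""
    q = labels(qname)
    out = []
    for zone in zone_cuts:
        depth = len(labels(zone))
        out.append((zone, join(q[:min(depth + 1, len(q))])))
    return out

def minimisation_enabled(dig_short_output):
    """Read the TXT line of `dig +short txt qnamemintest.internet.nl` as shown
    in the thread: True for the HOORAY answer, False for the NO answer, None if
    neither string is present (e.g. a SERVFAIL or an unrelated answer)."""
    for line in dig_short_output.splitlines():
        if line.startswith('"HOORAY'):
            return True
        if line.startswith('"NO'):
            return False
    return None

# Constructed delegation chain for the thread's test name (assumption: real
# zone cuts are discovered at run time from referrals, not hard-coded).
ZONE_CUTS = [".", "nl.", "internet.nl.", "qnamemin-test.internet.nl."]
QNAME = "a.b.qnamemin-test.internet.nl."

if __name__ == "__main__":
    for (zone, full), (_, mini) in zip(full_name_queries(QNAME, ZONE_CUTS),
                                       minimised_queries(QNAME, ZONE_CUTS)):
        print(f"{zone:28} classic: {full:32} minimised: {mini}")
```

The table it prints makes the forwarder point concrete: with Pi-hole forwarding to a third-party resolver, that resolver is the one talking to the servers in the left column, so whether or not those exchanges are minimised is its choice, not yours.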