Questions about the way Pi-Hole uses the Upstream DNS Servers

  1. I use 4 upstream DNS servers. How does Pi-Hole decide which one to use? Round-robin? Response time? It seems that some are used more frequently than others.

  2. Pi-Hole sends the DNS request to one of the known upstream DNS servers. What happens when the server doesn't know the answer or the response is blacklisted (because of a filter or local law...)? Does Pi-Hole ask another upstream DNS server until it gets a valid response, or is the destination unreachable?

  3. I guess it's possible that different upstream servers give different answers. How can I find that out, and what is the best way to handle it? Is there a way or tool to compare the responses of a bunch of DNS servers? Here in Germany, the first ISPs are being forced to block access to some known warez sites with DNS blacklisting. But I'm sure it's just the beginning and other "unwanted" sites will follow.

  4. If a response is stored in the Pi-Hole cache, how does Pi-Hole determine how long to store it?

Thanks for any helpful answer...

Yes, and yes. See this section of the Pi-Hole documentation that describes the algorithm:

https://docs.pi-hole.net/ftldns/dns-resolver/

You will see the status Blocked (external) next to that query in the Pi-Hole query log. I do not believe that another server will be queried, since this is not a SERVFAIL or REFUSED (see documentation above).

Dig those servers directly. You can add the "@" modifier to dig as follows.

dig pi-hole.net @1.1.1.1

If all you want is the IP and none of the rest of the query, add +short

dig pi-hole.net +short @1.1.1.1

You can batch dig, so if you wanted to do this with a number of domains, you would dig the entire file:

dig -f filename-here +short @1.1.1.1

The TTL (time to live) is specified by the upstream resolver. When you run a dig command, you will see this TTL in the answer section. In the example below, it is 128 seconds.

dig pi-hole.net @1.1.1.1
...
;; ANSWER SECTION:
pi-hole.net.		128	IN	A	206.189.252.21

If you repeat the query within the TTL, you will see the TTL countdown. When it gets to zero, the next dig gets the full value.

For domains on the block list, the default TTL is 2 seconds.

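The comparison the answer recommends (dig each domain against each upstream and look at the status and the answer section, including its TTL), as an added example that is not part of the original answer or of Pi-hole itself: a small Python script that parses dig's text output and reports only the domains on which the upstreams disagree. The sample data at the bottom is constructed so the script runs offline; 192.0.2.53 and 198.51.100.53 are placeholder resolver addresses and blocked.example is a made-up name.

```python
import re
import subprocess

def parse_dig(text):
    """Return (status, {(type, rdata)}, smallest TTL) from the text dig prints."""
    m = re.search(r"status: ([A-Z]+)", text)
    status = m.group(1) if m else "NORESPONSE"   # dig prints no header on timeout
    answers, ttls, in_answer = set(), [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and line and not line.startswith(";"):
            _name, ttl, _cls, rtype, *rdata = line.split()  # name ttl class type rdata
            ttls.append(int(ttl))
            answers.add((rtype, " ".join(rdata)))
        else:
            in_answer = False
    return status, answers, min(ttls) if ttls else None

def run_dig(domain, server):
    """Ask one upstream directly, the same as `dig <domain> @<server>`."""
    return subprocess.run(["dig", domain, "@" + server], capture_output=True, text=True).stdout

def compare_upstreams(domains, servers, query=run_dig):
    """Report only the domains on which the upstreams disagree (status or answer set);
    each entry maps server -> (status, sorted answers, ttl) so the odd one out is visible."""
    report = {}
    for domain in domains:
        seen = {s: parse_dig(query(domain, s)) for s in servers}
        if len({(status, frozenset(ans)) for status, ans, _ in seen.values()}) > 1:
            report[domain] = {s: (st, sorted(ans), ttl) for s, (st, ans, ttl) in seen.items()}
    return report

# Constructed, offline stand-in for dig (not real captures): 192.0.2.53 and
# 198.51.100.53 are placeholder resolver addresses, blocked.example a made-up name.
def fake_dig(status, *records):
    text = ";; ->>HEADER<<- opcode: QUERY, status: %s, id: 1\n" % status
    if records:
        text += ";; ANSWER SECTION:\n" + "\n".join("%s.\t%d\tIN\t%s\t%s" % r for r in records) + "\n"
    return text + "\n"

SAMPLE = {
    ("pi-hole.net", "1.1.1.1"): fake_dig("NOERROR", ("pi-hole.net", 128, "A", "206.189.252.21")),
    ("pi-hole.net", "192.0.2.53"): fake_dig("NOERROR", ("pi-hole.net", 300, "A", "206.189.252.21")),
    ("pi-hole.net", "198.51.100.53"): fake_dig("NOERROR", ("pi-hole.net", 60, "A", "206.189.252.21")),
    ("blocked.example", "1.1.1.1"): fake_dig("NOERROR", ("blocked.example", 60, "A", "192.0.2.10")),
    ("blocked.example", "192.0.2.53"): fake_dig("NOERROR", ("blocked.example", 2, "A", "0.0.0.0")),  # sinkholed
    ("blocked.example", "198.51.100.53"): fake_dig("NXDOMAIN"),  # claims the name does not exist
}
```

Run it against your real upstreams with `compare_upstreams(domains, servers)` (the default `query` shells out to dig); TTL differences alone are not reported, since upstreams legitimately hand out whatever is left of their cached TTL.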

Thanks for the very capable answer. The information helps me a lot!!! :smiley:

If I understand it right...
a requesting client gets the info that the request is on the DNS server's blacklist and not just a "request unknown" answer?
Is this the usual way for ISPs to let the client know the request is on the blacklist? I thought they just dropped the request and gave an "unknown" back.

But good to know that Pi-hole can log the "blocked external" info; that is an easy way to check how DNS servers respond to blocked requests. :sunglasses:
