(Simple Question) How to block all .wpad and .localdomain traffic?


#1

Hey all,

I’ve tried following the documentation over here to block all .wpad and .localdomain traffic, however, I can’t manage to do it? I’m not sure if I’m typing the commands in wrong, or if it just isn’t supported, but it’s not working.

What I want to do is block all traffic with .wpad and .localdomain . Ex. test.localdomain or wpad.test or wpad.localdomain .

I’m not sure what structure of $ or . or / or ^ to use, and I’ve tried following the documentation and Googling, but couldn’t find anything that worked.

Any help is welcome. Thank you :slight_smile:


#2
^wpad\.
(^|\.)localdomain$

in Regex & Wildcard blocking


#3

Here you will find a well hidden gem:

https://docs.pi-hole.net/ftldns/regex/tutorial/


#4

That appears to be the documentation he was trying to follow.


#5

Do both of those commands do the same thing? Is one for Wildcards and the other for Regex? Does one command have to be wildcard, and the other regex? I also tried to read into the differences between the two, and I couldn’t understand it.

I tried to understand it, and even tried to “implement” it into PiHole, but I couldn’t get it to work, which I mentioned in my post.


#6

It was indeed the docs you already found.

They are regex, not wildcard. I can’t test it for you right now because I can’t enter any regex myself right now.


#7

Here is a handy site for diagramming your regex expressions.

https://regexper.com


#8

Referring to the relevant blog post I think that a better solution is

^wpad($|\.)

as it catches

wpad
wpad.example.com

but not

wpadexample.com

Please correct me if I’m wrong.


#9

So I added all 3

As regex in the blacklist.

Whenever I search up, for example, wpad.ikjnsdakjnkjnasd (random jargon), the DNS query still gets sent, and PiHole doesn’t block it, however, with that same example, if I were to just add the exact phrase to the blacklist, the DNS query does not get sent. Why is that?

Using the regex commands given above (taken from tail pihole.log):

Oct 9 08:23:45 dnsmasq[1183]: 54956 192.168.54.100/50434 query[A] wpad.ikjnsdakjnkjnasd from 192.168.54.100
Oct 9 08:23:46 dnsmasq[1183]: 54956 192.168.54.100/50434 <unknown> wpad.ikjnsdakjnkjnasd is 0.0.0.0
Oct 9 08:23:46 dnsmasq[1183]: 54957 192.168.54.100/52293 query[A] duckduckgo.com from 192.168.54.100
Oct 9 08:23:46 dnsmasq[1183]: 54957 192.168.54.100/52293 forwarded duckduckgo.com to 1.0.0.1
Oct 9 08:23:46 dnsmasq[1183]: 54958 192.168.54.100/50434 query[A] wpad.ikjnsdakjnkjnasd from 192.168.54.100
Oct 9 08:23:46 dnsmasq[1183]: 54958 192.168.54.100/50434 <unknown> wpad.ikjnsdakjnkjnasd is 0.0.0.0
Oct 9 08:23:46 dnsmasq[1183]: 54959 192.168.54.100/52293 query[A] duckduckgo.com from 192.168.54.100

Adding the exact URL/phrase/DNS query to the “exact” blacklist (taken from tail pihole.log):

Oct 9 08:23:55 dnsmasq[1183]: 54961 192.168.54.100/52528 query[A] wpad.ikjnsdakjnkjnasd from 192.168.54.100
Oct 9 08:23:55 dnsmasq[1183]: 54961 192.168.54.100/52528 /etc/pihole/black.list wpad.ikjnsdakjnkjnasd is 0.0.0.0
Oct 9 08:23:55 dnsmasq[1183]: 55062 192.168.54.100/52528 query[A] wpad.ikjnsdakjnkjnasd from 192.168.54.100
Oct 9 08:23:55 dnsmasq[1183]: 55062 192.168.54.100/52528 /etc/pihole/black.list wpad.ikjnsdakjnkjnasd is 0.0.0.0
Oct 9 08:23:55 dnsmasq[1183]: 55063 192.168.54.100/52528 query[A] wpad.ikjnsdakjnkjnasd from 192.168.54.100
Oct 9 08:23:55 dnsmasq[1183]: 55063 192.168.54.100/52528 /etc/pihole/black.list wpad.ikjnsdakjnkjnasd is 0.0.0.0


#10

I have added ($|.)fritz.box
because I found lots of different domain names in the log ending in fritz.box


#11

I’m not sure what you’re trying to achieve. Why did you start the regex with an end of string expression ($)?

But then you should escape the period:

fritz\.box

#12

plus this one to perform the check: https://regex101.com/


#13

hmmm… you’re right !!

I just wanna catch all of it, like these

and so on. I am light-years from being a hero in regex; the syntax I mentioned earlier is not OK either.


#14

\.fritz\.box$


#15

thanks, but this is the result at regex101.com


There is something with the flags on the right in the red circle, how to interpret these?


#16

What if you click on them?


#17

Why “but”? On the right hand side you see “Full match” multiple times. Job done.


#18



On both separately, 1 match; both on is the printscreen from my previous reply


#19

If it is all match, does it mean that all is blocked, AndrewZ? That is what I want.
I have 1200 query names to fritz.box


#20

Once you use the right syntax - all of them should be blocked, I believe you can easily test this.
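
Added example, not part of any post in this thread: a small shell harness that runs each regex quoted above against constructed query names and reports which would be blocked, so the anchoring differences between the patterns are visible side by side. It assumes `grep -E` (POSIX extended regex) treats these patterns the way Pi-hole's regex engine does; the variable names, function names and sample names are made up for the illustration.

```shell
#!/bin/sh
# Added example: evaluate the thread's regexes with POSIX ERE (grep -E).
# Assumption: grep -E behaves like Pi-hole's regex engine for these patterns.

# Patterns quoted from the posts above.
WPAD_DOT='^wpad\.'                 # post #2
WPAD_LABEL='^wpad($|\.)'           # post #8
LOCALDOMAIN='(^|\.)localdomain$'   # post #2
FRITZ_FIRST='($|.)fritz.box'       # post #10 (unescaped dots, stray $)
FRITZ_BARE='fritz\.box'            # post #11 (no anchors)
FRITZ_SUFFIX='\.fritz\.box$'       # post #14

# Constructed sample query names (not taken from any real log).
SAMPLES='wpad
wpad.example.com
wpadexample.com
wpad.localdomain
test.localdomain
notlocaldomain
adaway.fritz.box
fritz.box
notfritz.box
myfritzxbox.example.com'

# verdict PATTERN NAME -> prints "block" if the ERE matches NAME, else "pass".
verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo block
    else
        echo pass
    fi
}

# report PATTERN -> one "verdict name" line per sample name.
report() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r name; do
        printf '%-6s %s\n' "$(verdict "$1" "$name")" "$name"
    done
}

for pattern in "$WPAD_DOT" "$WPAD_LABEL" "$LOCALDOMAIN" \
               "$FRITZ_FIRST" "$FRITZ_BARE" "$FRITZ_SUFFIX"; do
    printf '== %s\n' "$pattern"
    report "$pattern"
done
```

The unanchored and unescaped fritz.box patterns also block unrelated names such as `notfritz.box` and `myfritzxbox.example.com`, while `\.fritz\.box$` blocks only subdomains and leaves the bare name `fritz.box` alone; the `(^|\.)…$` form from post #2 is the shape that covers both a name and its subdomains.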