Some domains get NXDOMAIN

Besides all the IoT stuff, I have checked every single one of them and all have a manual DNS setup:

first: the Pi-hole IP
second: 8.8.8.8

This is also correct for the router; both DNS IPs are set up to the same IPs.

I still don't understand how dig reddit.com @127.0.0.1 gets affected if one client on the network gets compromised.

PS: I have blocked both IPs on WAN, in and out.

I think you misunderstood. It's not like one out of your 100 clients is using CleanBrowsing and therefore affecting Pi-hole. It's one device along the upstream path from your Pi-hole device enforcing that behavior. You wrote you are running Pi-hole in a VM, right? So the path is

VM -> host device -> router -> ISP. Somewhere on those machines the interception happens.

Do you see the CleanBrowsing behavior also on other devices in your network or is it only the Pi-hole VM?

After more testing I was able to validate that on the OS of the VM (/etc/resolv.conf) the DNS servers are still the same:
1 -> pi-hole
2 -> router

The router has the setup:
1 -> pi-hole
2 -> 8.8.8.8

All machines that use Pi-hole as a DNS server have this behaviour (e.g. reddit.com: NXDOMAIN, even support.nordvpn.com). If on those machines I try the alternative DNS server of the router, 8.8.8.8, everything is OK.

With this I think I have discarded:
VM, router and ISP. I'm not sure how to discard the host device, but any ideas?

PS: On another VM on the same host I can get dig reddit.com to work.

Such a configuration means your Pi-hole can be bypassed via 8.8.8.8 at any time at a respective client's discretion.

It isn't likely contributing to your observation of upstream DNS returning SOA cleanbrowsing.rpz.noc.org., though.

Who is your ISP?

If you can preclude that your router is using CleanBrowsing DNS services, your current reported observations would suggest something outside of your network (presumably, your ISP) is intercepting and redirecting DNS to CleanBrowsing.

The reported router configuration is meant for the case where the VM, or network, where Pi-hole is running goes out.

It has happened more than once, and therefore I need to have an alternative in order not to have the house entirely offline because my VM is out of reach.

As far as the ISP, I think that if this were the case I would have this behavior on all clients, no matter where the DNS server internally is, and that is not the case.

My ISP is MEO/Altice Portugal

I was assuming that all your clients are unable to access the domains you've reported, and all those inaccessible domains return the CleanBrowsing records instead of an actual IP address?

Please elaborate if that is not the case.

I'm not fluent in Portuguese at all, but that ISP seems to offer a parental control feature via an option labeled MEO Safe.
Do you make use of that feature (or a similar one)?

I do not.

Also, I'm assuming that even if they activated the service on my connection because of a system mistake, this wouldn't be "bypassed" by simply pointing the local DNS of a machine to another DNS server, or is this a wrong assumption?

Pi-hole doesn't make up DNS replies for queries it has forwarded upstream - it returns whatever the upstream returns.

Your dig result indicates that the NXDOMAIN that Pi-hole received was returned by one of CleanBrowsing's DNS servers, as suggested by the CleanBrowsing SOA that is present in the NXDOMAIN answer.
As mentioned previously, I can confirm that CleanBrowsing's DNS servers will return the same reply when queried directly.

Since you state that Pi-hole isn't using CleanBrowsing for DNS, something upstream of Pi-hole has to be introducing it.

Furthermore, your result for nslookup reddit.com 8.8.8.8 shows that NXDOMAIN is also returned even when a public DNS server is queried.

This is a strong indication that DNS queries are not going to 8.8.8.8, but to some other DNS server. The presence of a SOA record for CleanBrowsing would again suggest that this other DNS server is a CleanBrowsing one.

The most likely candidates to redirect DNS requests in such a way are your router or your ISP, another one would be a VPN service.

Your original observation "some domains get NXDOMAIN" doesn't mention specific clients.

Are you now saying that you observe those NXDOMAIN replies only on a specific client?

It's not a bypass:
If your router or your ISP would intercept DNS traffic, they would redirect any DNS request to whatever DNS server they've chosen, instead of the one the requesting client intended to use. From a client perspective, it would still seem that it communicates with the intended DNS server.

Are you saying you observe that DNS servers are changing arbitrarily on some of your machines?

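As an added illustration of the check described in the reply above (not code from this thread or from the Pi-hole project): a small Python parser that reads dig's text output and flags an NXDOMAIN whose AUTHORITY SOA belongs to a zone that does not enclose the queried name, which is exactly what a cleanbrowsing.rpz.noc.org. SOA for reddit.com indicates. The two dig samples are constructed; their serials, timers and rname values are made up.

```python
import re

# Constructed sample shaped like the thread's observation: NXDOMAIN for reddit.com,
# but the AUTHORITY SOA is a CleanBrowsing RPZ zone, not the enclosing com. zone.
SAMPLE_DIG = """\
; <<>> DiG 9.16.1 <<>> reddit.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;reddit.com.\t\t\tIN\tA
;; AUTHORITY SECTION:
cleanbrowsing.rpz.noc.org. 300\tIN\tSOA\tcleanbrowsing.rpz.noc.org. hostmaster.example. 1 3600 600 604800 300
"""

# Constructed sample of an honest NXDOMAIN: the SOA comes from a zone enclosing the name.
SAMPLE_GENUINE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; QUESTION SECTION:
;nonexistent.example.com.\tIN\tA
;; AUTHORITY SECTION:
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
"""

def parse_dig(text):
    """Extract query name, rcode and the AUTHORITY SOA owner from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    qname = re.search(r"^;(\S+)\s+IN\s+\w+\s*$", text, re.M)
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", text, re.M)
    return {
        "qname": qname.group(1).lower() if qname else None,
        "status": status.group(1) if status else None,
        "soa_owner": soa.group(1).lower() if soa else None,
    }

def is_ancestor(zone, name):
    """True if zone is name itself or one of its parent zones (FQDNs with trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def classify(text):
    """Flag an NXDOMAIN whose SOA belongs to a zone unrelated to the query (RPZ-style rewrite)."""
    r = parse_dig(text)
    if r["status"] != "NXDOMAIN":
        r["verdict"] = "not-nxdomain"
    elif r["soa_owner"] is None:
        r["verdict"] = "nxdomain-without-soa"
    elif is_ancestor(r["soa_owner"], r["qname"]):
        r["verdict"] = "genuine-nxdomain"
    else:
        r["verdict"] = "policy-rewrite"   # e.g. cleanbrowsing.rpz.noc.org. for reddit.com
    return r
```

Feeding the same check the output of dig against 8.8.8.8 lets you compare the two paths: a policy-rewrite verdict from a public resolver that does not itself run that RPZ points at interception between you and it.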

Well, after many times hitting a wall, I finally have to say that, as you all probably knew, support was right.

My router enabled IoT optimizations on one of the VLANs and that made its "safe browsing" feature enabled.

Not sure why, but all traffic got these properties and therefore everything was in "safe mode".

Thank you for all your time and I'm sorry for the confusion.


Thank you for taking the time to share that finding with us.

