I have a setup with two pi-holes that I’ve been using for quite some time. I have FQDNs set up as local DNS addresses on the pi-holes to resolve some of my gear to internal LAN addresses. These same FQDNs also exist on the public network where other DNS servers resolve them.
I have Apple devices that do an initial DNS request for these FQDNs to the pi-holes, and after the pi-hole offers the A record for the host, the Mac then re-requests DNS for the host with a type 63 request, which the pi-hole forwards to the public internet. That returns the outside IP, and then I am unable to connect since this outside IP is the WAN address of my firewall.
Is there any way to block pi-hole from forwarding these type 63 requests or is there a way to modify the DNS records so that it looks like pi-hole is the SOA for these records for the internal hosts requesting DNS for them?
I’ve tried a lot of client side settings on the Apple devices to try to circumvent this issue (turning off IP privacy, IP tracking settings, trying to use /etc/hosts and so on) but nothing has helped.
The problem is getting really irritating. The only other ways I can see of solving it are either using a different internal FQDN (which has its own problem since there will then be certificate issues) or building a hairpin on my NAT/firewall to loop the outbound connection request back so that it succeeds. None of these options are ideal.
***@pihole1:~$ sudo more /var/log/pihole/pihole.log | grep firewall.***.net
Dec 18 01:58:11 dnsmasq[28678]: query[HTTPS] firewall.***.net from 10.1.1.64
Dec 18 01:58:11 dnsmasq[28678]: forwarded firewall.***.net to 1.1.1.1
Dec 18 01:58:11 dnsmasq[28678]: query[A] firewall.***.net from 10.1.1.64
Dec 18 01:58:11 dnsmasq[28678]: /etc/pihole/custom.list firewall.***.net is 10.1.1.1
Dec 18 01:58:12 dnsmasq[28678]: reply firewall.***.net is <CNAME>
Dec 18 02:00:33 dnsmasq[28678]: query[HTTPS] firewall.***.net from 10.1.1.65
Dec 18 02:00:33 dnsmasq[28678]: forwarded firewall.***.net to 1.0.0.1
Dec 18 02:00:33 dnsmasq[28678]: query[A] firewall.***.net from 10.1.1.65
Dec 18 02:00:33 dnsmasq[28678]: /etc/pihole/custom.list firewall.***.net is 10.1.1.1
Dec 18 02:00:33 dnsmasq[28678]: reply firewall.***.net is <CNAME>
Dec 18 03:03:51 dnsmasq[28678]: query[HTTPS] firewall.***.net from 10.1.1.65
Dec 18 03:03:51 dnsmasq[28678]: forwarded firewall.***.net to 1.0.0.1
Dec 18 03:03:51 dnsmasq[28678]: query[A] firewall.***.net from 10.1.1.65
Dec 18 03:03:51 dnsmasq[28678]: /etc/pihole/custom.list firewall.***.net is 10.1.1.1
Dec 18 03:03:52 dnsmasq[28678]: reply firewall.***.net is <CNAME>
Dec 18 03:43:14 dnsmasq[28678]: query[HTTPS] firewall.***.net from 10.1.1.50
Dec 18 03:43:14 dnsmasq[28678]: forwarded firewall.***.net to 1.0.0.1
Dec 18 03:43:14 dnsmasq[28678]: query[A] firewall.***.net from 10.1.1.50
Dec 18 03:43:14 dnsmasq[28678]: /etc/pihole/custom.list ***.pagefamily.net is 10.1.1.1
Dec 18 03:43:14 dnsmasq[28678]: reply firewall.***net is <CNAME>
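To see how often this happens across a whole pihole.log rather than by eyeballing grep output, here is a small audit script (added here as an example, not part of the original post or of Pi-hole itself) that reads the dnsmasq log format shown above and lists every query for a name that Pi-hole answers from custom.list but still forwarded upstream, together with the record type that leaked. The domain and addresses in the embedded sample are constructed placeholders.

```python
import re
from collections import namedtuple

# Constructed sample of dnsmasq lines in the pihole.log format shown in the post;
# the domain and addresses are placeholders, not the poster's real values.
SAMPLE_LOG = """\
Dec 18 01:58:11 dnsmasq[28678]: query[HTTPS] firewall.example.net from 10.1.1.64
Dec 18 01:58:11 dnsmasq[28678]: forwarded firewall.example.net to 1.1.1.1
Dec 18 01:58:11 dnsmasq[28678]: query[A] firewall.example.net from 10.1.1.64
Dec 18 01:58:11 dnsmasq[28678]: /etc/pihole/custom.list firewall.example.net is 10.1.1.1
Dec 18 01:58:12 dnsmasq[28678]: reply firewall.example.net is <CNAME>
Dec 18 02:00:33 dnsmasq[28678]: query[A] www.example.com from 10.1.1.65
Dec 18 02:00:33 dnsmasq[28678]: forwarded www.example.com to 1.0.0.1
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
QUERY_RE = re.compile(PREFIX + r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(PREFIX + r"forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
LOCAL_RE = re.compile(PREFIX + r"/etc/pihole/custom\.list (?P<name>\S+) is \S+$")

Leak = namedtuple("Leak", "ts qtype name client upstream")

def local_names(log_text):
    """Names that Pi-hole answered from its Local DNS records (custom.list)."""
    return {m["name"].lower() for m in map(LOCAL_RE.match, log_text.splitlines()) if m}

def forwarded_local_queries(log_text):
    """Return each query for a locally defined name that was still sent upstream.

    dnsmasq logs 'query[...]' and then 'forwarded ...' for the same name, so the
    most recent query line for that name tells us which record type was forwarded.
    """
    local = local_names(log_text)
    last_query = {}  # name -> (ts, qtype, client) of the latest query line seen
    leaks = []
    for line in log_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            last_query[q["name"].lower()] = (q["ts"], q["qtype"], q["client"])
            continue
        f = FORWARD_RE.match(line)
        if f and f["name"].lower() in local and f["name"].lower() in last_query:
            ts, qtype, client = last_query[f["name"].lower()]
            leaks.append(Leak(ts, qtype, f["name"].lower(), client, f["upstream"]))
    return leaks

if __name__ == "__main__":
    for leak in forwarded_local_queries(SAMPLE_LOG):
        print(f"{leak.ts} {leak.qtype:5} {leak.name} from {leak.client} -> {leak.upstream}")
```

Feed it the real file with `forwarded_local_queries(open("/var/log/pihole/pihole.log").read())`; the A lookups are answered locally and never appear, while the HTTPS (and any AAAA) lookups that went to 1.1.1.1/1.0.0.1 do.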
If you are referring to the https queries, those are Type 65.
You can block them all by adding this regex to your blacklist:
.*;querytype=HTTPS
Note that even if you don't block these https queries, they don't resolve to an IP because this query type is not yet a standard, and there are no matching DNS records.
There still seem to be HTTPS type queries being responded to after pi-hole sends them to the upstream DNS provider. Others are being blocked by the Regex expression.
Any further suggestions?
Thanks
Dec 20 15:10:25 dnsmasq[28678]: forwarded firewall.*.net to 1.0.0.1
Dec 20 15:10:25 dnsmasq[28678]: query[A] firewall.*.net from 10.1.1.56
Dec 20 15:10:25 dnsmasq[28678]: /etc/pihole/custom.list firewall.pagefamily.net is 10.1.1.1
Dec 20 15:10:26 dnsmasq[28678]: reply firewall.*.net is <CNAME>
Dec 20 15:11:13 dnsmasq[28678]: query[HTTPS] www.firewall.*.net from 10.1.1.56
Dec 20 15:11:13 dnsmasq[28678]: forwarded www.*.*.net to 1.0.0.1
Dec 20 15:11:13 dnsmasq[28678]: query[A] www.*.*.net from 10.1.1.56
Dec 20 15:11:13 dnsmasq[28678]: forwarded www.*.*.net to 1.0.0.1
Dec 20 15:11:13 dnsmasq[28678]: reply www.*.*.net is NXDOMAIN
Dec 20 15:11:13 dnsmasq[28678]: reply www.*.*.net is NXDOMAIN
Hilariously, Safari (and I assume other things in MacOS Ventura since terminal also behaves this way) is actually taking my request for firewall.x.net and converting it to www.firewall.x.net even though it's not what I requested.
Safari thinks it's smarter than me.
I assume to also block this from getting forwarded to the upstream resolver I would need to modify the regex or add a new one that also blocks ..* HTTPS requests.
Clearly this is a Mac/Safari behavior thing and not a pi-hole thing but I appreciate you answering my questions and trying to steer me towards a solution.
If you entered the regex I provided as a blacklist entry, it will block all https requests.
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
I've entered the regex expression as shown in the screenshot below; perhaps I somehow typo'd it. I can see that the pi-hole is blocking some HTTPS requests but some are getting through... not sure why, unless it's either that it is a subdomain or that, since Pi-hole has a local DNS entry for the domain, it is then honoring the other requests.
Mac seems to be requesting A, AAAA and HTTPS for lots of things on the newer OS releases, at least with Safari, terminal and some of the other tools.