Unexpected response when querying a host that does not exist on my network

The issue I am facing:

I have a server set up to run Pi-Hole natively (it is also a router) and this works fine for blocking and for resolving hosts on the network, including IPv4 and IPv6.

What I do not understand is why querying for a random name that definitely does not exist on the network, with my domain appended, gives a response that is the IP address of the Pi-Hole host. I am expecting NXDOMAIN. When the domain is omitted, NXDOMAIN is returned correctly.

The router/DNS host is 192.168.1.254.

Querying for randomname.tat.sh

 $ dig +all randomname.tat.sh

; <<>> DiG 9.16.27 <<>> +all randomname.tat.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48839
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;randomname.tat.sh.             IN      A

;; ANSWER SECTION:
randomname.tat.sh.      2       IN      A       192.168.1.254

;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu May 26 20:05:46 EDT 2022
;; MSG SIZE  rcvd: 62

 $ systemd-resolve --raw randomname.tat.sh | xxd
00000000: 7261 6e64 6f6d 6e61 6d65 2e74 6174 2e73  randomname.tat.s
00000010: 683a 2031 3932 2e31 3638 2e31 2e32 3534  h: 192.168.1.254
00000020: 2020 2020 2020 2020 2020 2020 2020 2020
00000030: 2020 2020 2020 2020 2020 2020 2d2d 206c              -- l
00000040: 696e 6b3a 2065 6e70 3131 3773 300a       ink: enp117s0.

 $ dig +all randomname

; <<>> DiG 9.16.27 <<>> +all randomname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;randomname.                    IN      A

;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu May 26 20:12:22 EDT 2022
;; MSG SIZE  rcvd: 39

Details about my system:

Relevant from DNSMasq config:

bogus-priv
cache-size=10000
dhcp-authoritative
dhcp-broadcast
dhcp-ignore-names=tag:hostname-ignore
dhcp-leasefile=/var/lib/pihole/dhcp.leases
dhcp-name-match=set:hostname-ignore,localhost
dhcp-name-match=set:hostname-ignore,wpad
dhcp-option=option6:dns-server,[::]
dhcp-option=option:router,192.168.1.254
dhcp-range=::100,::1ff,constructor:enp1s0f1,ra-names,slaac,64,3600
dhcp-range=192.168.1.231,192.168.1.251,24h
dhcp-rapid-commit
dnssec
dnssec-check-unsigned
domain-needed
domain=tat.sh
edns-packet-max=1232
expand-hosts
localise-queries
local-service
local=/tat.sh/
local-ttl=2
log-async
log-facility=/var/log/pihole.log
log-queries
no-dhcp-interface=enp1s0f0
no-dhcp-interface=lo
no-dhcp-interface=sit-6rd
no-negcache
no-resolv
ra-param=*,0,0
server=208.67.220.220
server=208.67.222.222
server=2620:119:35::35
server=2620:119:53::53
server=/bind/
server=/invalid/
server=/localhost/
server=/onion/
server=/test/

The Pi-Hole version used is one I patched for Gentoo. See here if interested. The patches are solely for fixing paths and making it more friendly for both systemd and OpenRC users. The DNSMasq/FTL code is not touched.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

https://tricorder.pi-hole.net/MX0P5pmf/

Your Pi-hole is configured to respond as follows:

-rw-r--r-- 1 root root 325 Apr 11 17:57 /etc/pihole/dnsmasq.d/99-custom.conf
   address=/tat.sh/192.168.1.254

From the dnsmasq manual:

-A, --address=/<domain>[/<domain>...]/[<ipaddr>]

Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. To give both IPv4 and IPv6 addresses for a domain, use repeated --address flags. To include multiple IP addresses for a single query, use --addn-hosts=<path> instead. Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same way as for --server, with the additional facility that /#/ matches any domain. Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains. An address specified as '#' translates to the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so --address=/example.com/# will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for --address=/example.com/0.0.0.0 and --address=/example.com/:: but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.

I think the answer is to use host-record to set A and AAAA.

Edit: dynamic-host is another option. Closing.

Thanks for the help.
