The issue I am facing:
I have a server set up to run Pi-Hole natively (it also is a router) and this works fine for blocking, and resolving hosts on the network including IPv4 and 6.
What I do not understand is why querying for a random name that definitely does not exist on the network + my domain gives a response that is the IP address of the Pi-Hole host. I am expecting NXDOMAIN. When the domain is omitted, NXDOMAIN is returned correctly.
The router/DNS host is 192.168.1.254.
Querying for randomname.tat.sh
$ dig +all randomname.tat.sh
; <<>> DiG 9.16.27 <<>> +all randomname.tat.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48839
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;randomname.tat.sh. IN A
;; ANSWER SECTION:
randomname.tat.sh. 2 IN A 192.168.1.254
;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu May 26 20:05:46 EDT 2022
;; MSG SIZE rcvd: 62
$ systemd-resolve --raw randomname.tat.sh | xxd
00000000: 7261 6e64 6f6d 6e61 6d65 2e74 6174 2e73 randomname.tat.s
00000010: 683a 2031 3932 2e31 3638 2e31 2e32 3534 h: 192.168.1.254
00000020: 2020 2020 2020 2020 2020 2020 2020 2020
00000030: 2020 2020 2020 2020 2020 2020 2d2d 206c -- l
00000040: 696e 6b3a 2065 6e70 3131 3773 300a ink: enp117s0.
$ dig +all randomname
; <<>> DiG 9.16.27 <<>> +all randomname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;randomname. IN A
;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu May 26 20:12:22 EDT 2022
;; MSG SIZE rcvd: 39
Details about my system:
Relevant from DNSMasq config:
bogus-priv
cache-size=10000
dhcp-authoritative
dhcp-broadcast
dhcp-ignore-names=tag:hostname-ignore
dhcp-leasefile=/var/lib/pihole/dhcp.leases
dhcp-name-match=set:hostname-ignore,localhost
dhcp-name-match=set:hostname-ignore,wpad
dhcp-option=option6:dns-server,[::]
dhcp-option=option:router,192.168.1.254
dhcp-range=::100,::1ff,constructor:enp1s0f1,ra-names,slaac,64,3600
dhcp-range=192.168.1.231,192.168.1.251,24h
dhcp-rapid-commit
dnssec
dnssec-check-unsigned
domain-needed
domain=tat.sh
edns-packet-max=1232
expand-hosts
localise-queries
local-service
local=/tat.sh/
local-ttl=2
log-async
log-facility=/var/log/pihole.log
log-queries
no-dhcp-interface=enp1s0f0
no-dhcp-interface=lo
no-dhcp-interface=sit-6rd
no-negcache
no-resolv
ra-param=*,0,0
server=208.67.220.220
server=208.67.222.222
server=2620:119:35::35
server=2620:119:53::53
server=/bind/
server=/invalid/
server=/localhost/
server=/onion/
server=/test/
The Pi-Hole version used is one patched for Gentoo by me. See here if interested. The patches are solely for fixing paths and making it more friendly for both systemd and OpenRC users. The DNSMasq/FTL code is not touched.
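As an added check, not part of the original post, the Python below parses raw DNS responses constructed to match the two dig results above and flags the behaviour described: an authoritative NOERROR answer for a name under the local domain whose A record is the resolver's own address (192.168.1.254). The wire messages, build_response() and classify() are my own constructions (the EDNS OPT record is omitted); the same classify() works on any real response bytes returned by a resolver.

```python
import struct

RESOLVER_IP = "192.168.1.254"  # the Pi-hole/router address from the post

def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) DNS name; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def classify(msg: bytes, resolver_ip: str = RESOLVER_IP) -> dict:
    """Return id, rcode, aa flag, queried name, A records, and a self-answer flag."""
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    aa = bool(flags & 0x0400)
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN
    qname, off = _read_name(msg, 12)
    off += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": rcode, "aa": aa, "qname": qname, "a": addrs,
            "self_answer": aa and rcode == 0 and resolver_ip in addrs}

def build_response(qid: int, flags: int, qname: str, a_rdata: str = None, ttl: int = 2) -> bytes:
    """Constructed wire message: header, one question, optional single A answer."""
    q = b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", qid, flags, 1, 1 if a_rdata else 0, 0, 0) + q + b"\x00\x01\x00\x01"
    if a_rdata:  # name as pointer to offset 12, then TYPE A, CLASS IN, TTL, RDLENGTH, RDATA
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in a_rdata.split("."))
    return msg

# Constructed to mirror the post: qr aa rd ra / NOERROR with 192.168.1.254, and qr rd ra / NXDOMAIN.
BOGUS_HIT = build_response(48839, 0x8580, "randomname.tat.sh", "192.168.1.254")
NXDOMAIN = build_response(40908, 0x8183, "randomname")
```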