Last week, I noticed use-application-dns.net is on a blocklist.
When Firefox does the query to check if it can use DoH, the reply is 0.0.0.0 (BLOCKINGMODE=NULL), as opposed to the required NXDOMAIN reply. The blocklist entry appears to take precedence over the 'server=/use-application-dns.net/' setting that was added last year to /etc/dnsmasq.d/01-pihole.conf.
I know the instant reaction will be 'do NOT use sh**ty blocklists', and I fully support this point of view; however, you cannot expect all users to check whether 'use-application-dns.net' has been added to a blocklist they happened to use after every (automatic Sunday) gravity run.
There are multiple options to ensure this domain doesn't end up in the gravity database:
- Ensure the domain isn't included when the database is built. Probably NOT the best idea, since every new entry would need to be compared to this domain (and hopefully / possibly additional canary domains in the future).
- Make FTL smart enough to respond with NXDOMAIN for entries in a new database table containing these entries. The entries in this table could be pre-populated (pihole-FTL creates the database if it doesn't exist), no web interface required, so the domain entries would remain under the control of the developers.
- Create a new database table containing the NXDOMAIN(s); again, it can be prepopulated. Remove the entries in this table from the gravity table after the new temp gravity database has been fully populated, before switching the database (tmp -> active). This method is probably the most efficient; at this time (only one canary domain), it would require only one additional sqlite3 'delete from' instruction.
I'm aware this will be a controversial request, but it may help users that install and use pihole without ever looking back.
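The third option above, as an added example that is not part of the original post or of Pi-hole's own code: a Python sqlite3 sketch that keeps a developer-prepopulated canary table and runs the single 'delete from' against the temporary gravity table before it would be switched to active. The table layout (domain, adlist_id) is a simplified assumption, and the sample rows are constructed.

```python
import sqlite3

# Canary domains that must answer NXDOMAIN so Firefox keeps using the system
# resolver. Only one exists today; the list is meant to be developer-maintained.
CANARY_DOMAINS = ["use-application-dns.net"]

# Constructed rows standing in for a freshly built temp gravity table.
SAMPLE_GRAVITY = [
    ("ads.example.com", 1),
    ("use-application-dns.net", 1),
    ("tracker.example.net", 2),
    ("use-application-dns.net", 2),
]


def create_schema(conn):
    # Assumed simplified gravity layout: blocked domain plus the adlist it came from.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS gravity ("
        "domain TEXT NOT NULL, adlist_id INTEGER NOT NULL, "
        "PRIMARY KEY (domain, adlist_id))"
    )
    conn.execute("CREATE TABLE IF NOT EXISTS canary (domain TEXT PRIMARY KEY)")
    # Pre-populate when the table is created; OR IGNORE keeps repeated runs idempotent.
    conn.executemany("INSERT OR IGNORE INTO canary (domain) VALUES (?)",
                     [(d,) for d in CANARY_DOMAINS])


def load_gravity(conn, rows):
    conn.executemany("INSERT OR IGNORE INTO gravity (domain, adlist_id) VALUES (?, ?)", rows)


def strip_canaries(conn):
    """The one extra statement: run after the temp table is full, before tmp -> active."""
    cur = conn.execute("DELETE FROM gravity WHERE domain IN (SELECT domain FROM canary)")
    conn.commit()
    return cur.rowcount  # number of blocklist rows that would have hijacked the canary


def build_gravity(rows):
    """Build an in-memory gravity DB, strip canaries, return (removed, remaining domains)."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    load_gravity(conn, rows)
    removed = strip_canaries(conn)
    remaining = sorted(r[0] for r in conn.execute("SELECT DISTINCT domain FROM gravity"))
    conn.close()
    return removed, remaining


if __name__ == "__main__":
    print(build_gravity(SAMPLE_GRAVITY))
```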