Use-application-dns.net found in adlists

DanSchaper · April 10, 2021, 5:52pm

Found the discussion on this:

github.com/pi-hole/pi-hole

Preventing Firefox to switch to DoH does not work by default

opened 09:53PM - 25 Feb 20 UTC

closed 04:15AM - 26 Feb 20 UTC

luzat

triage: Issue Investigating

**In raising this issue, I confirm the following:** - [X] I have read and und…erstood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md). - [X] The issue I am reporting can be *replicated*. - [X] The issue I am reporting isn't a duplicate (see [FAQs](https://github.com/pi-hole/pi-hole/wiki/FAQs), [closed issues](https://github.com/pi-hole/pi-hole/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), and [open issues](https://github.com/pi-hole/pi-hole/issues)). **How familiar are you with the the source code relevant to this issue?:** 1 --- **Expected behaviour:** When runnig a query (`dig -t A use-application-dns.net`, `dig -t AAAA use-applications-dns.net`) against Pi-hole I expect to get `NXDOMAIN` (or similar) to indicate that DoH should not be used by Firefox ([canary domain](https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet)). **Actual behaviour:** `0.0.0.0` and `::` respectively are returned. **Steps to reproduce:** Install most recent Pi-hole (9e490775ff3b20f378acc9db7cec2ae6023fff7f). `/etc/dnsmasq.d/01-pihole.conf` will contain `server=/use-application-dns.net/`. Make sure Pi-hole is your resolve and try to resolve `use-application-dns.net`. **Debug token provided by [uploading `pihole -d` log](https://discourse.pi-hole.net/t/the-pihole-command-with-examples/738#debug):** https://tricorder.pi-hole.net/1xa35wpouj **Troubleshooting undertaken, and/or other relevant information:** The problem seems to be that blacklists take place first and the default list contains a blacklist entry in [StevenBlack's list](https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts). Adding a whitelist entry for `use-application-dns.net` makes the resolver return `NXDOMAIN` anyway. Maybe this should be the default; otherwise the setting in `01-pihole.conf` introduced by #2916 is probably useless by default.

I think the gist of the discussion was that whitelisting use-application-dns.net should preclude any list provider from erroneously adding the domain. My quick tests shows that works:

dan@raspberrypi:~ $ pihole -q -exact use-application-dns.net
  [i] No exact results found for use-application-dns.net within the block lists

dan@raspberrypi:~ $ dig use-application-dns.net @127.0.0.1

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Raspbian <<>> use-application-dns.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13841
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

dan@raspberrypi:~ $ pihole -w use-application-dns.net
  [i] Adding use-application-dns.net to the whitelist...
  [✓] Reloading DNS lists

dan@raspberrypi:~ $ dig use-application-dns.net @127.0.0.1

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Raspbian <<>> use-application-dns.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9818
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

dan@raspberrypi:~ $ pihole -q -exact use-application-dns.net
 Exact match found in exact whitelist
   use-application-dns.net

@jpgpi250 Can you confirm this behavior or find a situation that this would not work?