Dan is right in pointing out Windows `nslookup` behaviour.

You may verify that yourself by looking at Pi-hole's log at `/var/log/pihole/pihole.log`.

`nslookup` on Windows will issue as many as four DNS requests for a given domain, requesting A and AAAA records suffixed by the local search domain first, followed by A and AAAA for the domain verbatim:
Windows `nslookup` requests from `/var/log/pihole/pihole.log`:

```
Jul 26 09:12:46 dnsmasq[1278]: 4724 192.168.1.21/63016 query[A] google.com.fritz.box from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4724 192.168.1.21/63016 forwarded google.com.fritz.box to 192.168.127.1
Jul 26 09:12:46 dnsmasq[1278]: 4724 192.168.1.21/63016 reply google.com.fritz.box is NXDOMAIN
Jul 26 09:12:46 dnsmasq[1278]: 4725 192.168.1.21/63017 query[AAAA] google.com.fritz.box from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4725 192.168.1.21/63017 cached google.com.fritz.box is NXDOMAIN
Jul 26 09:12:46 dnsmasq[1278]: 4726 192.168.1.21/63018 query[A] google.com from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4726 192.168.1.21/63018 forwarded google.com to 127.0.1.1#5335
Jul 26 09:12:46 dnsmasq[1278]: 4726 192.168.1.21/63018 reply google.com is 142.250.181.206
Jul 26 09:12:46 dnsmasq[1278]: 4727 192.168.1.21/63019 query[AAAA] google.com from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4727 192.168.1.21/63019 forwarded google.com to 127.0.1.1#5335
Jul 26 09:12:46 dnsmasq[1278]: 4727 192.168.1.21/63019 reply google.com is 2a00:1450:4005:802::200e
```
`nslookup` on Linux behaves differently.

Depending on the system's `ndots` configuration, it will try to resolve the given domain verbatim before considering the local search domain at all.
This usually results in fewer requests for the verbatim domain only.

```
Jul 26 09:40:15 dnsmasq[1278]: 4961 192.168.1.28/57111 query[A] google.com from 192.168.1.28
Jul 26 09:40:15 dnsmasq[1278]: 4961 192.168.1.28/57111 forwarded google.com to 127.0.1.1#5335
Jul 26 09:40:15 dnsmasq[1278]: 4961 192.168.1.28/57111 reply google.com is 142.250.181.206
Jul 26 09:40:15 dnsmasq[1278]: 4962 192.168.1.28/57705 query[AAAA] google.com from 192.168.1.28
Jul 26 09:40:15 dnsmasq[1278]: 4962 192.168.1.28/57705 forwarded google.com to 127.0.1.1#5335
Jul 26 09:40:15 dnsmasq[1278]: 4962 192.168.1.28/57705 reply google.com is 2a00:1450:4005:802::200e
```
Your debug log shows you've recently started to block all AAAA replies:

```
*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
id   type  enabled  group_ids  domain              date_added           date_modified
---  ----  -------  ---------  ------------------  -------------------  -------------------
9    3     1        0          .*;querytype=AAAA   2022-07-13 20:40:59  2022-07-13 20:40:59
```
For you, this changes all your Pi-hole's AAAA replies to `::`.

It seems Windows `nslookup` will still first send those requests for domain plus local search domain, but will abandon further requests for the verbatim domain upon encountering the first IP address reply, which in your case is `::`.

```
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 query[A] google.com.fritz.box from 192.168.1.21
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 forwarded google.com.fritz.box to 192.168.127.1
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 reply google.com.fritz.box is NXDOMAIN
Jul 26 10:10:03 dnsmasq[1278]: 5104 192.168.1.21/54920 query[AAAA] google.com.fritz.box from 192.168.1.21
Jul 26 10:10:03 dnsmasq[1278]: 5104 192.168.1.21/54920 regex blacklisted google.com.fritz.box is ::
```
It then correctly, but prematurely reports that `::` for `google.com.fritz.box`, but fails to provide the correct answer for the original domain.

I consider this unexpected and unwanted behaviour of Windows `nslookup`.

This behaviour is specific to that Windows `nslookup` utility - it doesn't mean that any other software will issue DNS requests in the same way!
Most notably, browsers won't consider the local search domain in the same way as Windows `nslookup`. Commonly, they tend to append that only for plain domains (i.e. hostnames without a dot).
And as to be expected from the previous unblocked results, the Linux `nslookup` correctly requests the verbatim domain:

```
Jul 26 09:37:04 dnsmasq[1278]: 4833 192.168.1.28/38219 query[A] google.com from 192.168.1.28
Jul 26 09:37:04 dnsmasq[1278]: 4833 192.168.1.28/38219 cached google.com is 142.250.181.206
Jul 26 09:37:04 dnsmasq[1278]: 4834 192.168.1.28/44811 query[AAAA] google.com from 192.168.1.28
Jul 26 09:37:04 dnsmasq[1278]: 4834 192.168.1.28/44811 regex blacklisted google.com is ::
```

What's your motivation for blocking all AAAA requests?
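
An added example, not part of the original post and not Pi-hole's own code: a Python script that scans log lines in the format quoted above for search-domain-suffixed names that a block rule answered with `::`, and reports whether the same client went on to query the verbatim name. The function names and the `fritz.box` argument are assumptions taken from the log excerpts; the sample lines are copied from the post.

```python
import re

# Layout of the dnsmasq lines quoted in the post:
#   <date> dnsmasq[pid]: <id> <client>/<port> <action> <name> from|to|is <value>
LINE = re.compile(
    r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>\S+)/\d+ "
    r"(?P<action>.+?) (?P<name>\S+) (?:from|to|is) (?P<value>\S+)$"
)

# Sample input: lines copied from the blocked-AAAA excerpts in the post.
SAMPLE = """\
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 query[A] google.com.fritz.box from 192.168.1.21
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 forwarded google.com.fritz.box to 192.168.127.1
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 reply google.com.fritz.box is NXDOMAIN
Jul 26 10:10:03 dnsmasq[1278]: 5104 192.168.1.21/54920 query[AAAA] google.com.fritz.box from 192.168.1.21
Jul 26 10:10:03 dnsmasq[1278]: 5104 192.168.1.21/54920 regex blacklisted google.com.fritz.box is ::
Jul 26 09:37:04 dnsmasq[1278]: 4834 192.168.1.28/44811 query[AAAA] google.com from 192.168.1.28
Jul 26 09:37:04 dnsmasq[1278]: 4834 192.168.1.28/44811 regex blacklisted google.com is ::
"""

def parse(log_text):
    """Yield (client, action, name, value) for every line that matches LINE."""
    for line in log_text.splitlines():
        m = LINE.search(line.strip())
        if m:
            yield m["client"], m["action"], m["name"].lower(), m["value"]

def masked_lookups(log_text, search_domain):
    """Return (client, suffixed_name, verbatim_name, followed_up) for each
    suffixed name answered '::' by a blacklist rule. followed_up is True if
    the same client queried the verbatim name later in the log."""
    suffix = "." + search_domain.lower()
    events = list(parse(log_text))
    findings = []
    for i, (client, action, name, value) in enumerate(events):
        # "blacklisted" is the action wording shown in the log excerpts above.
        if action.endswith("blacklisted") and value == "::" and name.endswith(suffix):
            verbatim = name[: -len(suffix)]
            followed_up = any(c == client and a.startswith("query[") and n == verbatim
                              for c, a, n, _ in events[i + 1:])
            findings.append((client, name, verbatim, followed_up))
    return findings

if __name__ == "__main__":
    for client, name, verbatim, followed_up in masked_lookups(SAMPLE, "fritz.box"):
        status = "queried afterwards" if followed_up else "never queried"
        print(f"{client}: {name} answered '::'; {verbatim} {status}")
```

On the sample it flags only the Windows client, whose lookup stopped at the suffixed name; the Linux client's blocked `google.com` query is not flagged because it carries no search-domain suffix.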