Weird thing started to happen, DNS adds my local domain suffix home to each query

Please follow the below template, it will help us to help you!

DNS adds my local domain suffix home to each query

Expected Behaviour:

PS C:\Users\titus> nslookup google.com
Server:  pi.hole
Address:  192.168.50.55

Name:    google.com
Address:  ::147.24.224.25

Actual Behaviour:

PS C:\Users\titus> nslookup google.com
Server:  pi.hole
Address:  192.168.50.55

Name:    google.com.home
Address:  ::

Debug Token:

https://tricorder.pi-hole.net/MSK6hTC3/

This is the default behavior for nslookup on Windows.

1 Like

I don’t think so, I was able to ping by the name in Windows external sites.
Now I can’t because the name is not resolved

Where do you think the domain name is being added? Pi-hole doesn't do this.

Dan is right in pointing out Windows nslookup behaviour.
You may verify that yourself by looking at Pi-hole's log at /var/log/pihole/pihole.log.

nslookup on Windows will issue as many as four DNS requests for a given domain, requesting A and AAAA records suffixed by the local search domain first, followed by A and AAAA for the domain verbatim:

"Click for Windows nslookup requests from `/var/log/pihole/pihole.log`
Jul 26 09:12:46 dnsmasq[1278]: 4724 192.168.1.21/63016 query[A] google.com.fritz.box from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4724 192.168.1.21/63016 forwarded google.com.fritz.box to 192.168.127.1
Jul 26 09:12:46 dnsmasq[1278]: 4724 192.168.1.21/63016 reply google.com.fritz.box is NXDOMAIN

Jul 26 09:12:46 dnsmasq[1278]: 4725 192.168.1.21/63017 query[AAAA] google.com.fritz.box from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4725 192.168.1.21/63017 cached google.com.fritz.box is NXDOMAIN

Jul 26 09:12:46 dnsmasq[1278]: 4726 192.168.1.21/63018 query[A] google.com from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4726 192.168.1.21/63018 forwarded google.com to 127.0.1.1#5335
Jul 26 09:12:46 dnsmasq[1278]: 4726 192.168.1.21/63018 reply google.com is 142.250.181.206

Jul 26 09:12:46 dnsmasq[1278]: 4727 192.168.1.21/63019 query[AAAA] google.com from 192.168.1.21
Jul 26 09:12:46 dnsmasq[1278]: 4727 192.168.1.21/63019 forwarded google.com to 127.0.1.1#5335
Jul 26 09:12:46 dnsmasq[1278]: 4727 192.168.1.21/63019 reply google.com is 2a00:1450:4005:802::200e
`nslookup` on Linux behaves differently (click for log details)

Depending on the system's ndots configuration, it will try to resolve the given domain verbatim before considering the local search domain at all.
This usually results in fewer requests for the verbatim domain only.

Jul 26 09:40:15 dnsmasq[1278]: 4961 192.168.1.28/57111 query[A] google.com from 192.168.1.28
Jul 26 09:40:15 dnsmasq[1278]: 4961 192.168.1.28/57111 forwarded google.com to 127.0.1.1#5335
Jul 26 09:40:15 dnsmasq[1278]: 4961 192.168.1.28/57111 reply google.com is 142.250.181.206

Jul 26 09:40:15 dnsmasq[1278]: 4962 192.168.1.28/57705 query[AAAA] google.com from 192.168.1.28
Jul 26 09:40:15 dnsmasq[1278]: 4962 192.168.1.28/57705 forwarded google.com to 127.0.1.1#5335
Jul 26 09:40:15 dnsmasq[1278]: 4962 192.168.1.28/57705 reply google.com is 2a00:1450:4005:802::200e

Your debug log shows you've recently started to block all AAAA replies:

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
 id   type  enabled  group_ids  domain              date_added           date_modified
 ---  ----  -------  ---------  ------------------  -------------------  -------------------
 9       3        1  0          .*;querytype=AAAA   2022-07-13 20:40:59  2022-07-13 20:40:59

For you, this changes all your Pi-hole's AAAA replies to ::.

It seems Windows nslookup will still first send those requests for domain plus local search domain, but will abandon further requests for the verbatim domain upon encountering the first IP address reply, which in your case is ::.

Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 query[A] google.com.fritz.box from 192.168.1.21
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 forwarded google.com.fritz.box to 192.168.127.1
Jul 26 10:10:03 dnsmasq[1278]: 5103 192.168.1.21/54919 reply google.com.fritz.box is NXDOMAIN
Jul 26 10:10:03 dnsmasq[1278]: 5104 192.168.1.21/54920 query[AAAA] google.com.fritz.box from 192.168.1.21
Jul 26 10:10:03 dnsmasq[1278]: 5104 192.168.1.21/54920 regex blacklisted google.com.fritz.box is ::

It then correctly, but prematurely reports that :: for google.com.fritz.box, but fails to provide the correct answer for the original domain.
I consider this unexpected and unwanted behaviour of Windows nslookup.

This behaviour is specific to that Windows nslookup utility - it doesn't mean that any other software will issue DNS requests in the same way!
Most notably, browsers won't consider the local search domain in the same way as Windows nslookup. Commonly, they tend to append that only for plain domains (i.e. hostnames without a dot).

And as to be expected from the previous unblocked results, the Linux `nslookup` correctly requests the verbatim domain
Jul 26 09:37:04 dnsmasq[1278]: 4833 192.168.1.28/38219 query[A] google.com from 192.168.1.28
Jul 26 09:37:04 dnsmasq[1278]: 4833 192.168.1.28/38219 cached google.com is 142.250.181.206

Jul 26 09:37:04 dnsmasq[1278]: 4834 192.168.1.28/44811 query[AAAA] google.com from 192.168.1.28
Jul 26 09:37:04 dnsmasq[1278]: 4834 192.168.1.28/44811 regex blacklisted google.com is ::

What's your motivation for blocking all AAAA requests?

1 Like

Also consider adding a dot "." at the end of the domain name:

C:\>nslookup google.com.
Server:  pi.hole
Address:  10.0.0.4

Non-authoritative answer:
Name:    google.com
Address:  142.251.39.110
pi@ph5b:~ $ pihole -t
[..]
15:08:56: query[A] google.com from 10.0.0.11
15:08:56: cached google.com is 142.251.39.110
15:08:56: query[AAAA] google.com from 10.0.0.11
15:08:56: cached google.com is 2a00:1450:400e:811::200e

I believe a browser for example will automatically add the trailing dot when its doing DNS lookups.

The DNS root is unnamed, expressed as the empty label terminated by the dot. This is most notable in DNS zone files in which a fully qualified domain name must be specified with a trailing dot. For example, somehost.example.com. explicitly specifies an absolute domain name that ends with the empty top level domain label.

EDIT: For a long time, it was possible to circumvent the ads being displayed on Youtube by just adding that trailing dot to the URL when browsing eg:

https://youtube.com.

But they fixed that when they found out :wink:

You’re right, because, in the same time, my browser was capable to resolve, but by nslookup and ping didn’t. I found that very weird, but now I have the explanation

The reason I'm saying this is because if I change the routers DNS to 1.1.1.1 (so it bypasses pihole) I get this:

PS C:\Users\titus> nslookup google.com
Server: one.one.one.one
Address: 1.1.1.1
Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:400b:80f::200e
142.251.33.174

With pi-hole

PS C:\Users\titus> nslookup google.com
Server: pi.hole
Address: 192.168.50.55
Name: google.com.home
Address: ::

That's why I'm confused

It was just a test, I was fed up by the huge number of ipv6 queries from iOt devices but only, that were issues on my LAN when in fact my router has IPV6 disabled. I simply wanted to decrease the useless DNS traffic. Apparently even if I blacklist these queries, the devices keep issuing them.

This is the expected result. Blacklisting a domain does not change client behavior.

For you, this changes all your Pi-hole's AAAA replies to :: .

You're 100% right. I realized that this started when I started to block AAAA queries.
Thanks a lot