Why is Local DNS AAAA record forwarded / exposed?

When I add a custom DNS record, I don't understand why Pi-hole resolves the A record correctly but forwards the AAAA one.

From the logs:

Jan 14 07:40:09: query[A] h3.example.com from 172.20.0.1
Jan 14 07:40:09: /etc/pihole/custom.list h3.example.com is 1.2.3.4
Jan 14 07:40:09: query[AAAA] h3.example.com from 172.20.0.1
Jan 14 07:40:09: forwarded h3.example.com to 8.8.8.8
Jan 14 07:40:09: reply h3.example.com is NODATA-IPv6

Why would Pi-hole assume that it knows my A record but Google knows my AAAA record?

Expected Behaviour:

I'd expect the Pi-hole to realize that it knows this domain name, and it doesn't know an AAAA record for it, and therefore return something like NODATA-IPv6 itself.

If the domain name is matched locally, I'd expect it to be resolved locally.

Actual Behaviour:

The Pi-hole forwards my internal names to the internet in a fruitless attempt to find an AAAA record.

This is on a brand new Docker instance running v5.17.2. Reproduction steps below.

Debug Token:

https://tricorder.pi-hole.net/EapsEzzA/

To Reproduce

Docker Instructions

Create docker-compose.yml:

version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8085:80/tcp"
    environment:
      TZ: 'America/Los_Angeles'
      WEBPASSWORD: 'change me'
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped

Run docker-compose up -d

Use the web interface to add a domain name. In this case, h3.example.com

Run docker inspect pihole to get the IP address of the Pi-hole.

Then run nslookup:

$ nslookup
> server 172.20.0.2
Default server: 172.20.0.2
Address: 172.20.0.2#53
> h3.example.com
Server:		172.20.0.2
Address:	172.20.0.2#53

Name:	h3.example.com
Address: 1.2.3.4

It returned the A record, which is good. But it forwarded the AAAA record:

docker exec pihole tail /var/log/pihole.log

Jan 14 08:24:38 dnsmasq[1698]: query[A] pi.hole from 127.0.0.1
Jan 14 08:24:38 dnsmasq[1698]: Pi-hole hostname pi.hole is 0.0.0.0
Jan 14 08:25:08 dnsmasq[1698]: query[A] pi.hole from 127.0.0.1
Jan 14 08:25:08 dnsmasq[1698]: Pi-hole hostname pi.hole is 0.0.0.0
Jan 14 08:25:11 dnsmasq[1698]: query[A] h3.example.com from 172.20.0.1
Jan 14 08:25:11 dnsmasq[1698]: /etc/pihole/custom.list h3.example.com is 1.2.3.4
Jan 14 08:25:11 dnsmasq[1698]: query[AAAA] h3.example.com from 172.20.0.1
Jan 14 08:25:11 dnsmasq[1698]: forwarded h3.example.com to 8.8.8.8
Jan 14 08:25:11 dnsmasq[1698]: forwarded h3.example.com to 8.8.4.4
Jan 14 08:25:11 dnsmasq[1698]: reply h3.example.com is NODATA-IPv6

In other words, when explicitly asking for the AAAA record ...

> set type=AAAA
> h3.example.com
Server:		172.20.0.2
Address:	172.20.0.2#53

Non-authoritative answer:
*** Can't find h3.example.com: No answer

... I'd expect Pi-hole to authoritatively say that it doesn't exist.

That is the expected behavior when you've configured a shadow A record only for a public domain.

How do I configure Pi-hole to return NODATA-IPv6 for the AAAA record? Or is there another way I can configure it to not forward internal names to the public internet?

EDIT: ah, will try to understand this: [SOLVED] disable AAAA response for a given domain - #8 by DL6ER

Gotta say, I'm surprised that leaking AAAA names is intentional, especially since Pi-hole considers itself authoritative (for the A record anyway). Is this described more anywhere? I'd like to learn more.

Thanks!

So far, you've only shared that you created an A record only for what appears to be a public domain.

The above question may suggest you own a public domain (e.g. mydomain.com) and you would want Pi-hole to handle resolution of hosts from your internal subdomain (e.g. laptop.internal.mydomain.com).

In that case, you'd need to make Pi-hole aware that it should not forward requests for names from that domain via a custom dnsmasq configuration, e.g.

# keep internal.mydomain.com local
local=/internal.mydomain.com/
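As an added example (not part of this thread, and not Pi-hole's own code), the script below shows how to confirm the leak described above from the pihole.log format shown in the thread, and how to derive the matching dnsmasq local=/zone/ lines. It reads a constructed copy of /etc/pihole/custom.list and a constructed set of log lines, reports every locally defined name that dnsmasq still forwarded upstream (with the upstreams it went to), and proposes one local= line per parent zone of those names. The file contents, host names and upstream addresses are constructed sample data; the log line format and the custom.list format follow what is shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: contents of /etc/pihole/custom.list, the file that backs
# Pi-hole's "Local DNS Records" page (one "IP name" pair per line).
CUSTOM_LIST = """\
1.2.3.4 h3.example.com
1.2.3.5 nas.internal.mydomain.com
"""

# Constructed sample log lines in the pihole.log format seen in this thread.
# h3.example.com is answered locally for A but forwarded for AAAA (the leak);
# nas.internal.mydomain.com is covered by a local=/internal.mydomain.com/ line
# and therefore answered with NODATA-IPv6 from config; www.example.org is a
# genuine public name and is expected to be forwarded.
PIHOLE_LOG = """\
Jan 14 08:25:11 dnsmasq[1698]: query[A] h3.example.com from 172.20.0.1
Jan 14 08:25:11 dnsmasq[1698]: /etc/pihole/custom.list h3.example.com is 1.2.3.4
Jan 14 08:25:11 dnsmasq[1698]: query[AAAA] h3.example.com from 172.20.0.1
Jan 14 08:25:11 dnsmasq[1698]: forwarded h3.example.com to 8.8.8.8
Jan 14 08:25:11 dnsmasq[1698]: forwarded h3.example.com to 8.8.4.4
Jan 14 08:25:11 dnsmasq[1698]: reply h3.example.com is NODATA-IPv6
Jan 14 08:25:12 dnsmasq[1698]: query[AAAA] nas.internal.mydomain.com from 172.20.0.1
Jan 14 08:25:12 dnsmasq[1698]: config nas.internal.mydomain.com is NODATA-IPv6
Jan 14 08:25:13 dnsmasq[1698]: query[A] www.example.org from 172.20.0.1
Jan 14 08:25:13 dnsmasq[1698]: forwarded www.example.org to 8.8.8.8
"""

# dnsmasq logs an upstream hand-off as "forwarded <name> to <upstream>".
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")


def parse_custom_list(text):
    """Return the set of names Pi-hole answers from custom.list (lower-cased, no trailing dot)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            names.add(parts[1].lower().rstrip("."))
    return names


def find_leaked_names(log_text, local_names):
    """Map each locally defined name that was forwarded upstream to the sorted list of upstreams."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m and m.group("name").lower() in local_names:
            leaks[m.group("name").lower()].add(m.group("upstream"))
    return {name: sorted(upstreams) for name, upstreams in leaks.items()}


def suggest_local_zones(leaked_names):
    """Derive one dnsmasq 'local=/zone/' line per parent domain of the leaked names.

    local=/zone/ tells dnsmasq never to forward that zone, so AAAA (and any
    other type) for a name under it is answered locally; NODATA-IPv6 when only
    an A record exists. It also stops forwarding for every other name under
    the zone, which is why the reply above scopes it to an internal subdomain.
    """
    zones = {name.split(".", 1)[1] for name in leaked_names if "." in name}
    return [f"local=/{zone}/" for zone in sorted(zones)]


if __name__ == "__main__":
    local = parse_custom_list(CUSTOM_LIST)
    leaks = find_leaked_names(PIHOLE_LOG, local)
    for name, upstreams in leaks.items():
        print(f"LEAK: {name} forwarded to {', '.join(upstreams)}")
    print("Suggested /etc/dnsmasq.d entries:")
    for line in suggest_local_zones(leaks):
        print("  " + line)
```

Run against a real instance with the log from `docker exec pihole tail /var/log/pihole.log` and the real custom.list; an empty LEAK list after adding the local= lines and restarting the resolver is the check that the names no longer reach the upstream servers.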

Fantastic, exactly right. That works.

Thank you!

Jan 14 11:22:47: query[A] h3.example.com from 172.26.0.1
Jan 14 11:22:47: /etc/pihole/custom.list h3.example.com is 100.124.11.136
Jan 14 11:22:47: query[AAAA] h3.example.com from 172.26.0.1
Jan 14 11:22:47: config h3.example.com is NODATA-IPv6
