Pi-hole: Returning NXDOMAIN is a bad idea

I've found that Amazons Fire TV is spamming my Pi-hole trying to resolve secure-eu.imrworldwide.com every three seconds. Here is how it looks like in the graphs:

The blue spikes is the Fire TV which was not in use throughout the day and should be on silently on standby. However it tries very eager to reach a tracking service. Bad Fire TV! Shame!

By default Pi-hole is returning 0.0.0.0 or :: for blocked domains. But it can be configured to return for example NXDOMAIN instead of a result. An overview over the advantages and disadvantages can be found in the docs (🖇️ 🔐) .

My hope was by sending an NXDOMAIN the process would stop trying to resolve the domain any further. And yeah, it stopped. At least that's what I thought. Actually I've activated the new config shortly after the Fire TV gave up on its own. What a coincidence! And now back to the main topic: Why is sending an NXDOMAIN bad?
Today I needed to whitelist 1drv.ms and onedrive.live.com for a short period of time to have a look at screenshots shared with me. But after whitelisting them I still wasn't able to view them. I queried my Pi-hole with dig and it returned a public IP address. So it should actually work. Normally whitelisting domains has an immediate effect. Then it hit me: NXDOMAIN answers may be cached by the clients. So my laptop didn't try again to query Pi-hole.

But why are regular 0.0.0.0 or :: results not cached? Well, in fact they are! But Pi-hole answers them with a TTL of 2 seconds:

;; ANSWER SECTION:
secure-eu.imrworldwide.com. 2	IN	AAAA	::

The NXDOMAIN TTL is however not in the returned record … because … there is none. The NXDOMAIN TTL is defined in the SOA record which is sometimes not queried by a client. So what TTL is assumed then? I don't actually know. Mine was five minutes. Long story short: Returning NXDOMAIN works but it's not good if you want to dynamically whitelist domains without waiting for a cache expiry. Stay with the default.


Du hast einen Kommentar, einen Wunsch oder eine Verbeserung? Schreib mir doch eine E-Mail! Die Infos dazu stehen hier.

🖇️ = Link zu anderer Webseite
🔐 = Webseite nutzt HTTPS (verschlüsselter Transportweg)
Zurück