Pi-hole: Returning NXDOMAIN is a bad idea
Saturday, January 4 2020 · Reading time: 2 minutes · 350 words
Note: this article is older than a year. Its content may no longer be current.
I’ve found that Amazon’s Fire TV is spamming my Pi-hole trying to resolve secure-eu.imrworldwide.com every three seconds. Here is how it looks in the graphs:
The blue spikes are the Fire TV, which was not in use throughout the day and should have been sitting silently on standby. Instead it tries very eagerly to reach a tracking service. Bad Fire TV! Shame!
By default Pi-hole returns :: for blocked domains. But it can be configured to return, for example, NXDOMAIN instead of a result. An overview of the advantages and disadvantages can be found in the docs.
My hope was that by sending NXDOMAIN the process would stop trying to resolve the domain any further. And yeah, it stopped. At least that’s what I thought. Actually I had activated the new config shortly after the Fire TV gave up on its own. What a coincidence! And now back to the main topic: why is sending NXDOMAIN bad?
Today I needed to whitelist onedrive.live.com for a short period of time to have a look at screenshots shared with me. But after whitelisting it I still wasn’t able to view them. I queried my Pi-hole with dig and it returned a public IP address, so it should actually have worked. Normally whitelisting domains has an immediate effect. Then it hit me: NXDOMAIN answers may be cached by the clients, so my laptop didn’t query Pi-hole again.
But why are regular :: results not cached? Well, in fact they are! But Pi-hole answers them with a TTL of 2 seconds:
;; ANSWER SECTION: secure-eu.imrworldwide.com. 2 IN AAAA ::
The NXDOMAIN TTL, however, is not in the returned record … because … there is none. The negative-caching TTL is defined in the SOA record, which is sometimes not queried by a client. So what TTL is assumed then? I don’t actually know. Mine was five minutes. Long story short: returning NXDOMAIN works, but it’s not good if you want to dynamically whitelist domains without waiting for a cache expiry. Stay with the default.
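To see how long a client may keep a blocked answer, here is an added example (not code from the post or from Pi-hole) that parses dig-style output and reports the cache lifetime a client would apply: the answer TTL for a :: reply, and for NXDOMAIN the negative-cache lifetime derived from the SOA in the authority section (min of the SOA record TTL and its MINIMUM field, per RFC 2308), or "unknown" when no SOA is returned. The three dig outputs below are constructed samples, not captures from the author's Pi-hole.

```python
import re

# Constructed sample: Pi-hole's default NULL blocking answer with TTL 2.
NULL_BLOCK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; ANSWER SECTION:
secure-eu.imrworldwide.com. 2 IN AAAA ::
"""

# Constructed sample: NXDOMAIN reply carrying an SOA in the authority section.
# RFC 2308: negative-cache lifetime = min(SOA record TTL, SOA MINIMUM field).
NXDOMAIN_WITH_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5678
;; AUTHORITY SECTION:
imrworldwide.com. 300 IN SOA ns1.example. hostmaster.example. 1 7200 900 1209600 86400
"""

# Constructed sample: NXDOMAIN reply with no SOA, so the client has no TTL to go on.
NXDOMAIN_NO_SOA = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9012\n"

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
STATUS_RE = re.compile(r"status: (\w+)")

def parse_dig(text):
    """Return (status, {section_name: [(name, ttl, class, type, rdata_fields)]})."""
    status, sections, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;") and STATUS_RE.search(line):
            status = STATUS_RE.search(line).group(1)   # header line: pick up rcode
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)                      # e.g. ANSWER, AUTHORITY
            sections[current] = []
            continue
        if line.startswith(";") or current is None:     # other comments / preamble
            continue
        name, ttl, rclass, rtype, *rdata = line.split()  # one resource record
        sections[current].append((name, int(ttl), rclass, rtype, rdata))
    return status, sections

def cache_lifetime(text):
    """Seconds a client may cache this reply, or None if it cannot be derived."""
    status, sections = parse_dig(text)
    if status == "NOERROR":
        ttls = [ttl for _, ttl, _, _, _ in sections.get("ANSWER", [])]
        return min(ttls) if ttls else None
    if status == "NXDOMAIN":
        for _, ttl, _, rtype, rdata in sections.get("AUTHORITY", []):
            if rtype == "SOA":                          # last SOA field is MINIMUM
                return min(ttl, int(rdata[-1]))
    return None
```

With the constructed samples, the :: answer is cacheable for 2 seconds, the NXDOMAIN with SOA for 300 seconds (five minutes, matching the delay the post describes), and the SOA-less NXDOMAIN for an unknown period that depends on the client's own default.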