diff --git a/docs/ftldns/blockingmode.md b/docs/ftldns/blockingmode.md index d243287..de6c68e 100644 --- a/docs/ftldns/blockingmode.md +++ b/docs/ftldns/blockingmode.md 
@@ -2,80 +2,13 @@ Pi-hole *FTL*DNS supports two different methods for blocking queries. Both have This setting can be updated by sending `SIGHUP` to `pihole-FTL` (`sudo killall -SIGHUP pihole-FTL`). -## Pi-hole's IP blocking -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=IP -``` - -Queries will be answered with the local IP addresses of your Pi-hole (as configured in your `setupVars.conf` file) -``` -;; QUESTION SECTION: -;doubleclick.net. IN ANY - -;; ANSWER SECTION: -doubleclick.net. 2 IN A 192.168.2.11 -doubleclick.net. 2 IN AAAA fda2:2001:4756:0:ab27:beff:ef37:4242 -``` - -##### Advantage -- Shows blocking page from which blocked webpages can be whitelisted - -##### Disadvantages -- Requires a webserver to run on your Pi-hole -- May cause time-outs for HTTPS content even with properly configured firewall rules -- May cause problems with alternating prefixes on IPv6 addresses (see `IP-AAAA-NODATA`) - -## Pi-hole's IPv6 NODATA blocking -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=IP-NODATA-AAAA -``` - -Queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your `setupVars.conf` file). AAAA queries will answered with `NODATA-IPV6` and clients will only try to reach your Pi-hole over your static IPv4 address -``` -;; QUESTION SECTION: -;doubleclick.net. IN ANY - -;; ANSWER SECTION: -doubleclick.net. 2 IN A 192.168.2.11 -``` - -##### Advantage -- Shows blocking page from which blocked webpages can be whitelisted -- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes - -##### Disadvantages -- Requires a webserver to run on your Pi-hole -- May cause time-outs for HTTPS content even with properly configured firewall rules - -## Pi-hole's NXDOMAIN blocking -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=NXDOMAIN -``` -Queries will be answered with an empty response (no answer section) and status `NXDOMAIN` (*no such domain*) -``` -;; QUESTION SECTION: -;doubleclick.net. 
IN ANY -``` - -##### Advantages -- The client does not even try to establish a connection for the requested website -- Speedup and less traffic -- Solves potential HTTPS timeouts as requests are never performed -- No need to run a webserver on your Pi-hole (reduces complexity when running other web services on the same machine) - -##### Disadvantage -- Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI - -## Pi-hole's unspecified IP blocking +## Pi-hole's unspecified IP blocking (default) `/etc/pihole/pihole-FTL.conf` setting: ``` BLOCKINGMODE=NULL ``` -Queries will be answered with the unspecified address +Blocked queries will be answered with the unspecified address ``` ;; QUESTION SECTION: ;doubleclick.net. IN ANY 
@@ -87,7 +20,76 @@ doubleclick.net. 2 IN AAAA :: Following [RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, section 2.5.2](https://tools.ietf.org/html/rfc3513#section-2.5.2), the address `0:0:0:0:0:0:0:0` (or `::` for short) is the unspecified address. It must never be assigned to any node and indicates the absence of an address. Following [RFC1122, section 3.2](https://tools.ietf.org/html/rfc1122#section-3.2), the address `0.0.0.0` can be understood as the IPv4 equivalent of `::`. +##### Advantages +- The client does not even try to establish a connection for the requested website +- Speedup and less traffic +- Solves potential HTTPS timeouts as requests are never performed +- No need to run a webserver on your Pi-hole (reduces complexity when running other web services on the same machine) + +##### Disadvantage +- Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI + + +## Pi-hole's IP (IPv6 NODATA) blocking +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=IP-NODATA-AAAA +``` + +Blocked queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your `setupVars.conf` file). Blocked AAAA queries will answered with `NODATA-IPV6` and clients will only try to reach your Pi-hole over its static IPv4 address +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY + +;; ANSWER SECTION: +doubleclick.net. 
2 IN A 192.168.2.11 +``` + +##### Advantage +- Shows blocking page from which blocked domains can be whitelisted +- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes + +##### Disadvantages +- Requires a webserver to run on your Pi-hole +- May cause time-outs for HTTPS content even with properly configured firewall rules + + +## Pi-hole's full IP blocking +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=IP +``` + +Blocked queries will be answered with the local IP addresses of your Pi-hole (as configured in your `setupVars.conf` file) +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY + +;; ANSWER SECTION: +doubleclick.net. 2 IN A 192.168.2.11 +doubleclick.net. 2 IN AAAA fda2:2001:4756:0:ab27:beff:ef37:4242 +``` +##### Advantage +- Shows blocking page from which blocked domains can be whitelisted + +##### Disadvantages +- Requires a webserver to run on your Pi-hole +- May cause time-outs for HTTPS content even with properly configured firewall rules +- May cause problems with alternating prefixes on IPv6 addresses (see `IP-AAAA-NODATA`) + + +## Pi-hole's NXDOMAIN blocking +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=NXDOMAIN +``` +Blocked queries will be answered with an empty response (no answer section) and status `NXDOMAIN` (*no such domain*) +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY +``` + ##### Advantages & Disadvantages -Similar to `NXDOMAIN` blocking. However, it is more experimental than `NXDOMAIN` as it is not clear if all clients behave correctly when receiving these addresses. +Similar to `NULL` blocking, but experiments suggest that clients may try to resolve blocked domains more often compared to `NULL` blocking. {!abbreviations.md!} diff --git a/docs/ftldns/configfile.md b/docs/ftldns/configfile.md index b42d3fc..1ae6674 100644 --- a/docs/ftldns/configfile.md +++ b/docs/ftldns/configfile.md 
@@ -72,7 +72,7 @@ Which privacy level is used? Should `FTL` ignore queries coming from the local machine? ### BLOCKINGMODE -`BLOCKINGMODE=IP|IP-AAAA-NODATA|NXDOMAIN|NULL` +`BLOCKINGMODE=NULL|IP-AAAA-NODATA|IP|NXDOMAIN` How should `FTL` reply to blocked queries?
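Review bot: in the first blockingmode.md hunk (`@@ -2,80 +2,13 @@`), the context sentence carried in the hunk header still says "Pi-hole *FTL*DNS supports two different methods for blocking queries. Both have", but the page this hunk reorganises documents four `BLOCKINGMODE` values (`NULL`, `IP-NODATA-AAAA`, `IP`, `NXDOMAIN`); since the hunk already touches the top of the page to promote `NULL` and relabel it `## Pi-hole's unspecified IP blocking (default)`, update that opening sentence to match the number of modes so the introduction does not contradict the sections below it.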
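Review bot: in the second blockingmode.md hunk (`@@ -87,7 +20,76 @@`), the IPv6-NODATA mode is spelled two ways within the added lines: the heading and config snippet use `BLOCKINGMODE=IP-NODATA-AAAA`, while the cross-reference under full IP blocking says "(see `IP-AAAA-NODATA`)". Only one of these can be the token `pihole-FTL` accepts, and a reader who copies the other into `pihole-FTL.conf` will not get the mode the page describes, so settle on the spelling used in the config snippet and fix the cross-reference (and configfile.md) to match. Two smaller points in the same hunk: "Blocked AAAA queries will answered with `NODATA-IPV6`" is missing "be", and the new closing sentence "experiments suggest that clients may try to resolve blocked domains more often compared to `NULL` blocking" should point to where those experiments were reported (issue or discussion link) so the claim can be checked.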
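Review bot: in the configfile.md hunk, the reordered value list `BLOCKINGMODE=NULL|IP-AAAA-NODATA|IP|NXDOMAIN` spells the IPv6-NODATA mode differently from the config snippet in blockingmode.md (`BLOCKINGMODE=IP-NODATA-AAAA`); both pages should use the exact token the daemon parses. The reordering puts `NULL` first, presumably because blockingmode.md now marks it as the default, but this page never says so; add it explicitly to the description, e.g. "How should `FTL` reply to blocked queries? (default: `NULL`)", rather than leaving the reader to infer the default from list order.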