From 50a6b07d81a6bb9f9e6d73d7843d472ed35a7d3e Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 16 Jun 2018 16:32:29 +0200 Subject: [PATCH 1/4] Improve blocking mode page Signed-off-by: DL6ER --- docs/ftldns/blockingmode.md | 98 +++++++++++++++++++------------------ 1 file changed, 50 insertions(+), 48 deletions(-) diff --git a/docs/ftldns/blockingmode.md b/docs/ftldns/blockingmode.md index d243287..2989395 100644 --- a/docs/ftldns/blockingmode.md +++ b/docs/ftldns/blockingmode.md @@ -2,13 +2,36 @@ Pi-hole *FTL*DNS supports two different methods for blocking queries. Both have This setting can be updated by sending `SIGHUP` to `pihole-FTL` (`sudo killall -SIGHUP pihole-FTL`). -## Pi-hole's IP blocking +## Pi-hole's IP (IPv6 NODATA) blocking (default) +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=IP-NODATA-AAAA +``` + +Blocked queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your `setupVars.conf` file). Blocked AAAA queries will answered with `NODATA-IPV6` and clients will only try to reach your Pi-hole over its static IPv4 address +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY + +;; ANSWER SECTION: +doubleclick.net. 2 IN A 192.168.2.11 +``` + +##### Advantage +- Shows blocking page from which blocked domains can be whitelisted +- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes + +##### Disadvantages +- Requires a webserver to run on your Pi-hole +- May cause time-outs for HTTPS content even with properly configured firewall rules + +## Pi-hole's full IP blocking `/etc/pihole/pihole-FTL.conf` setting: ``` BLOCKINGMODE=IP ``` -Queries will be answered with the local IP addresses of your Pi-hole (as configured in your `setupVars.conf` file) +Blocked queries will be answered with the local IP addresses of your Pi-hole (as configured in your `setupVars.conf` file) ``` ;; QUESTION SECTION: ;doubleclick.net. IN ANY 
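Review bot: the new section's config value `BLOCKINGMODE=IP-NODATA-AAAA` does not match the spelling used elsewhere in this series, which is `IP-AAAA-NODATA` (the kept bullet `- May cause problems with alternating prefixes on IPv6 addresses (see \`IP-AAAA-NODATA\`)` in the next hunk, and `BLOCKINGMODE=IP|IP-AAAA-NODATA|NXDOMAIN|NULL` in PATCH 2/4); at most one of the two is the token FTL actually parses, so settle on that one and use it in every place, since a user who copies the other into `pihole-FTL.conf` will not get the mode the page promises. Smaller points in the same hunk: `Blocked AAAA queries will answered with` is missing `be`; `##### Advantage` now heads two bullets and should read `##### Advantages` like the other sections; and the untouched intro line `Pi-hole *FTL*DNS supports two different methods for blocking queries` is left describing two methods while the page now documents four modes.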
@@ -19,63 +42,20 @@ doubleclick.net. 2 IN AAAA fda2:2001:4756:0:ab27:beff:ef37: ``` ##### Advantage -- Shows blocking page from which blocked webpages can be whitelisted +- Shows blocking page from which blocked domains can be whitelisted ##### Disadvantages - Requires a webserver to run on your Pi-hole - May cause time-outs for HTTPS content even with properly configured firewall rules - May cause problems with alternating prefixes on IPv6 addresses (see `IP-AAAA-NODATA`) -## Pi-hole's IPv6 NODATA blocking -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=IP-NODATA-AAAA -``` - -Queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your `setupVars.conf` file). AAAA queries will answered with `NODATA-IPV6` and clients will only try to reach your Pi-hole over your static IPv4 address -``` -;; QUESTION SECTION: -;doubleclick.net. IN ANY - -;; ANSWER SECTION: -doubleclick.net. 2 IN A 192.168.2.11 -``` - -##### Advantage -- Shows blocking page from which blocked webpages can be whitelisted -- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes - -##### Disadvantages -- Requires a webserver to run on your Pi-hole -- May cause time-outs for HTTPS content even with properly configured firewall rules - -## Pi-hole's NXDOMAIN blocking -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=NXDOMAIN -``` -Queries will be answered with an empty response (no answer section) and status `NXDOMAIN` (*no such domain*) -``` -;; QUESTION SECTION: -;doubleclick.net. 
IN ANY -``` - -##### Advantages -- The client does not even try to establish a connection for the requested website -- Speedup and less traffic -- Solves potential HTTPS timeouts as requests are never performed -- No need to run a webserver on your Pi-hole (reduces complexity when running other web services on the same machine) - -##### Disadvantage -- Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI - ## Pi-hole's unspecified IP blocking `/etc/pihole/pihole-FTL.conf` setting: ``` BLOCKINGMODE=NULL ``` -Queries will be answered with the unspecified address +Blocked queries will be answered with the unspecified address ``` ;; QUESTION SECTION: ;doubleclick.net. IN ANY 
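Review bot: the context bullet `- May cause problems with alternating prefixes on IPv6 addresses (see \`IP-AAAA-NODATA\`)` kept at the end of the full-IP section points at a mode name that no heading or config line on this page uses after the patch (the section above it is titled `IP (IPv6 NODATA)` and shows `BLOCKINGMODE=IP-NODATA-AAAA`); change the reference to the exact `BLOCKINGMODE` value or to the section title so the reader can find the alternative being recommended. The rest of this hunk only removes text that the other hunks re-add, and the one wording change it keeps (`blocked webpages` to `blocked domains`) is an improvement.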
@@ -87,7 +67,29 @@ doubleclick.net. 2 IN AAAA :: Following [RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, section 2.5.2](https://tools.ietf.org/html/rfc3513#section-2.5.2), the address `0:0:0:0:0:0:0:0` (or `::` for short) is the unspecified address. It must never be assigned to any node and indicates the absence of an address. Following [RFC1122, section 3.2](https://tools.ietf.org/html/rfc1122#section-3.2), the address `0.0.0.0` can be understood as the IPv4 equivalent of `::`. +##### Advantages +- The client does not even try to establish a connection for the requested website +- Speedup and less traffic +- Solves potential HTTPS timeouts as requests are never performed +- No need to run a webserver on your Pi-hole (reduces complexity when running other web services on the same machine) + +##### Disadvantage +- Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI +- Client's may try to resolve blocked domains more often when they think that `NXDOMAIN` cannot be the correct reply + + +## Pi-hole's NXDOMAIN blocking +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=NXDOMAIN +``` +Blocked queries will be answered with an empty response (no answer section) and status `NXDOMAIN` (*no such domain*) +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY +``` + ##### Advantages & Disadvantages -Similar to `NXDOMAIN` blocking. However, it is more experimental than `NXDOMAIN` as it is not clear if all clients behave correctly when receiving these addresses. +Similar to `NULL` blocking, but experiments suggest that client's may try to resolve blocked domains more often compared to `NULL` blocking. {!abbreviations.md!} From 7ad4bbd626c6353e9230fd18b89080b3c3ffb266 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 16 Jun 2018 16:34:34 +0200 Subject: [PATCH 2/4] Change default mode in "ftldns/configfile.md" 
Signed-off-by: DL6ER --- docs/ftldns/configfile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ftldns/configfile.md b/docs/ftldns/configfile.md index b42d3fc..6ccf33c 100644 --- a/docs/ftldns/configfile.md +++ b/docs/ftldns/configfile.md @@ -72,7 +72,7 @@ Which privacy level is used? Should `FTL` ignore queries coming from the local machine? ### BLOCKINGMODE -`BLOCKINGMODE=IP|IP-AAAA-NODATA|NXDOMAIN|NULL` +`BLOCKINGMODE=IP-AAAA-NODATA|IP|NXDOMAIN|NULL` How should `FTL` reply to blocked queries? From 6516e28458ae0645c1832c882e1d1feed7ec5a1a Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 16 Jun 2018 18:14:07 +0200 Subject: [PATCH 3/4] New default mode is NULL Signed-off-by: DL6ER --- docs/ftldns/blockingmode.md | 97 +++++++++++++++++++------------------ docs/ftldns/configfile.md | 2 +- 2 files changed, 50 insertions(+), 49 deletions(-) diff --git a/docs/ftldns/blockingmode.md b/docs/ftldns/blockingmode.md index 2989395..c39b150 100644 --- a/docs/ftldns/blockingmode.md +++ b/docs/ftldns/blockingmode.md 
@@ -2,54 +2,7 @@ Pi-hole *FTL*DNS supports two different methods for blocking queries. Both have This setting can be updated by sending `SIGHUP` to `pihole-FTL` (`sudo killall -SIGHUP pihole-FTL`). -## Pi-hole's IP (IPv6 NODATA) blocking (default) -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=IP-NODATA-AAAA -``` - -Blocked queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your `setupVars.conf` file). Blocked AAAA queries will answered with `NODATA-IPV6` and clients will only try to reach your Pi-hole over its static IPv4 address -``` -;; QUESTION SECTION: -;doubleclick.net. IN ANY - -;; ANSWER SECTION: -doubleclick.net. 2 IN A 192.168.2.11 -``` - -##### Advantage -- Shows blocking page from which blocked domains can be whitelisted -- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes - -##### Disadvantages -- Requires a webserver to run on your Pi-hole -- May cause time-outs for HTTPS content even with properly configured firewall rules - -## Pi-hole's full IP blocking -`/etc/pihole/pihole-FTL.conf` setting: -``` -BLOCKINGMODE=IP -``` - -Blocked queries will be answered with the local IP addresses of your Pi-hole (as configured in your `setupVars.conf` file) -``` -;; QUESTION SECTION: -;doubleclick.net. IN ANY - -;; ANSWER SECTION: -doubleclick.net. 2 IN A 192.168.2.11 -doubleclick.net. 2 IN AAAA fda2:2001:4756:0:ab27:beff:ef37:4242 -``` - -##### Advantage -- Shows blocking page from which blocked domains can be whitelisted - -##### Disadvantages -- Requires a webserver to run on your Pi-hole -- May cause time-outs for HTTPS content even with properly configured firewall rules -- May cause problems with alternating prefixes on IPv6 addresses (see `IP-AAAA-NODATA`) - -## Pi-hole's unspecified IP blocking +## Pi-hole's unspecified IP blocking (default) `/etc/pihole/pihole-FTL.conf` setting: ``` BLOCKINGMODE=NULL 
@@ -78,6 +31,54 @@ Following [RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, - Client's may try to resolve blocked domains more often when they think that `NXDOMAIN` cannot be the correct reply +## Pi-hole's IP (IPv6 NODATA) blocking +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=IP-NODATA-AAAA +``` + +Blocked queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your `setupVars.conf` file). Blocked AAAA queries will answered with `NODATA-IPV6` and clients will only try to reach your Pi-hole over its static IPv4 address +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY + +;; ANSWER SECTION: +doubleclick.net. 2 IN A 192.168.2.11 +``` + +##### Advantage +- Shows blocking page from which blocked domains can be whitelisted +- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes + +##### Disadvantages +- Requires a webserver to run on your Pi-hole +- May cause time-outs for HTTPS content even with properly configured firewall rules + + +## Pi-hole's full IP blocking +`/etc/pihole/pihole-FTL.conf` setting: +``` +BLOCKINGMODE=IP +``` + +Blocked queries will be answered with the local IP addresses of your Pi-hole (as configured in your `setupVars.conf` file) +``` +;; QUESTION SECTION: +;doubleclick.net. IN ANY + +;; ANSWER SECTION: +doubleclick.net. 2 IN A 192.168.2.11 +doubleclick.net. 2 IN AAAA fda2:2001:4756:0:ab27:beff:ef37:4242 +``` +##### Advantage +- Shows blocking page from which blocked domains can be whitelisted + +##### Disadvantages +- Requires a webserver to run on your Pi-hole +- May cause time-outs for HTTPS content even with properly configured firewall rules +- May cause problems with alternating prefixes on IPv6 addresses (see `IP-AAAA-NODATA`) + + ## Pi-hole's NXDOMAIN blocking `/etc/pihole/pihole-FTL.conf` setting: ``` diff --git a/docs/ftldns/configfile.md b/docs/ftldns/configfile.md index 6ccf33c..1ae6674 100644 --- a/docs/ftldns/configfile.md 
+++ b/docs/ftldns/configfile.md @@ -72,7 +72,7 @@ Which privacy level is used? Should `FTL` ignore queries coming from the local machine? ### BLOCKINGMODE -`BLOCKINGMODE=IP-AAAA-NODATA|IP|NXDOMAIN|NULL` +`BLOCKINGMODE=NULL|IP-AAAA-NODATA|IP|NXDOMAIN` How should `FTL` reply to blocked queries? From c775c99db9867f9d1e2a61383d3e4fd392340860 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 16 Jun 2018 18:59:18 +0200 Subject: [PATCH 4/4] Review comments Signed-off-by: DL6ER --- docs/ftldns/blockingmode.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/ftldns/blockingmode.md b/docs/ftldns/blockingmode.md index c39b150..de6c68e 100644 --- a/docs/ftldns/blockingmode.md +++ b/docs/ftldns/blockingmode.md @@ -28,7 +28,6 @@ Following [RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, ##### Disadvantage - Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI -- Client's may try to resolve blocked domains more often when they think that `NXDOMAIN` cannot be the correct reply ## Pi-hole's IP (IPv6 NODATA) blocking @@ -91,6 +90,6 @@ Blocked queries will be answered with an empty response (no answer section) and ``` ##### Advantages & Disadvantages -Similar to `NULL` blocking, but experiments suggest that client's may try to resolve blocked domains more often compared to `NULL` blocking. +Similar to `NULL` blocking, but experiments suggest that clients may try to resolve blocked domains more often compared to `NULL` blocking. {!abbreviations.md!}
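Review bot: in PATCH 1/4's third hunk (`@@ -87,7 +67,29 @@`), the bullet `+- Client's may try to resolve blocked domains more often when they think that \`NXDOMAIN\` cannot be the correct reply` is added under the `NULL` section's disadvantages, but it describes client behaviour on an `NXDOMAIN` reply and belongs in the NXDOMAIN section (PATCH 4/4 later deletes it, which confirms the misplacement); `Client's` should also be `Clients`, and `##### Disadvantage` now heads two bullets. The same hunk drops the old caveat `it is more experimental than \`NXDOMAIN\` as it is not clear if all clients behave correctly when receiving these addresses` without carrying an equivalent warning into the `NULL` section, which PATCH 3/4 then makes the default; if that caveat is no longer believed to hold, the page should say why, otherwise keep it under `NULL`. Minor: the untouched context cites RFC 3513 for the unspecified address, which has been obsoleted by RFC 4291 (its section 2.5.2 covers the same point).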
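Review bot: in PATCH 2/4, `+\`BLOCKINGMODE=IP-AAAA-NODATA|IP|NXDOMAIN|NULL\`` signals the new default only by moving that token to the front of the list, and nothing tells the reader that list order carries meaning; state it explicitly in the description under `How should \`FTL\` reply to blocked queries?`, for example `Default: IP-AAAA-NODATA`. The token also still disagrees with `BLOCKINGMODE=IP-NODATA-AAAA` in `blockingmode.md` from PATCH 1/4; both files need the same spelling.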
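Review bot: in PATCH 3/4's second `blockingmode.md` hunk (`@@ -78,6 +31,54 @@`), the re-added `IP (IPv6 NODATA)` and `full IP` sections carry over the defects from PATCH 1/4 unchanged: `will answered with` (missing `be`), `##### Advantage` over two bullets, and the cross-reference `(see \`IP-AAAA-NODATA\`)` that does not match `BLOCKINGMODE=IP-NODATA-AAAA`; since the whole block is being re-pasted anyway, this is the place to fix them. The hunk also puts two blank lines before `## Pi-hole's IP (IPv6 NODATA) blocking`, `## Pi-hole's full IP blocking` and `## Pi-hole's NXDOMAIN blocking` while the other sections are separated by one, so the spacing should be made uniform.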
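Review bot: in PATCH 3/4's `configfile.md` hunk, `+\`BLOCKINGMODE=NULL|IP-AAAA-NODATA|IP|NXDOMAIN\`` again changes the default purely by reordering, and it is the second reorder in the same series (PATCH 2/4 moved `IP-AAAA-NODATA` first, this patch moves `NULL` first); squash the two into one change and add an explicit `Default: NULL` line under `How should \`FTL\` reply to blocked queries?` so that future default changes show up in the text rather than in list position. `IP-AAAA-NODATA` here still needs reconciling with `IP-NODATA-AAAA` in `blockingmode.md`.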
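Review bot: in PATCH 4/4's second hunk, `+Similar to \`NULL\` blocking, but experiments suggest that clients may try to resolve blocked domains more often compared to \`NULL\` blocking.` fixes the apostrophe but leaves `experiments suggest` unsupported; link the issue, forum thread or measurement behind it, or phrase it as an observation, since after the first hunk removes the retry bullet from the `NULL` section this sentence is the only stated reason on the page for preferring `NULL` over `NXDOMAIN` as the default.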