Add new DoH resolver #27
@jedisct1 would you mind looking at the PR? looks good to me.
@Belphemur I've never set up a PiHole, so forgive my ignorance, but isn't the PiHole logging the number of blocked requests as well as top users by IP address, and does it have a full query log? And can this be turned off?
Edit: Is the PiHole web server meant to be open to the internet? http://dns.aaflalo.me/
I'm awfully sorry for the delay :(
Your resolver has been added.
In order to show the certificate hashes, set the
@jedisct1 Thanks for taking the time to merge it :)
@publicarray Yep, it's normal. The basic idea of PiHole is to change the DNS record of the blocked domain to the IP of the server. The server will give back a specific page hosted by the server if accessed using HTTP (which will of course fail for HTTPS).
This is how OpenDNS did it in order to make money by displaying ads at a time when HTTPS wasn't widely deployed. But I don't think this is a good idea in all other contexts. Especially not in 2018.
This is lying: returning a fake IP. It breaks DNSSEC. Downstream resolvers may cache it. Applications will still consider the lookup successful (RBL lists...)
And as HTTP (not HTTPS) websites are disappearing, users see security warnings that don't make any sense.
DNS defines a
If accessing something is refused, no matter what the reason is, that standard return code should be used instead of pretending nothing happened and returning a lie.
@jedisct1 I completely agree.
They only added the possibility to send a REFUSED answer in the latest dev version (FTLDNS, their own fork of dnsmasq).
I'm waiting for it to be a little bit more stable (last time I tried, the DNS server crashed) to use it, because I agree, this is how it should be.
Edit: seems to be more stable now, I've enabled it to return NXDOMAIN for blocked domains.
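As an added example, not code from this PR, Pi-hole or dnscrypt-proxy: this builds, at the DNS wire level, the two kinds of answer a blocklist resolver can give for a blocked name (a spoofed A record pointing at a constructed sinkhole address, versus an honest REFUSED or NXDOMAIN) and classifies a response the way a downstream check would. The sinkhole address 192.0.2.10 and the query names are constructed for the example.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
SINKHOLE_IP = "192.0.2.10"  # constructed sinkhole address (TEST-NET-1), not a real server


def _name(qname):
    """Encode a domain name as DNS labels (no compression)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, rcode, answer_ip=None, txid=0x1234):
    """Response with QR/RD/RA set, the given RCODE and an optional single A record."""
    flags = 0x8180 | rcode                      # RCODE lives in the low 4 bits
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = _name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = b""
    if answer_ip:
        # name = pointer to offset 12 (the question name); TYPE A, IN, TTL 60, RDLENGTH 4
        rdata = bytes(int(o) for o in answer_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def _skip_name(resp, off):
    """Return the offset just past a wire-format name (labels or compression pointer)."""
    while True:
        length = resp[off]
        if length & 0xC0 == 0xC0:               # pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1


def classify(resp, sinkhole_ip=SINKHOLE_IP):
    """'refused'/'nxdomain' for an honest block, 'sinkhole' for a fake A record, else 'answer'."""
    _txid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    rcode = flags & 0x0F
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    off = _skip_name(resp, 12) + 4              # skip QNAME, QTYPE, QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return "sinkhole" if sinkhole_ip in ips else "answer"
```

A `sinkhole` verdict is the NOERROR-plus-fake-address case the thread objects to; `refused` and `nxdomain` are the standard codes a blocked lookup should carry.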