FTLDNS™ and Unbound Combined For Your Own All-Around DNS Solution

How Pi-hole Works

Pi-hole acts as a forwarding DNS server, which means if it doesn’t know where a domain is, it has to forward your query to another server that does.  When you install Pi-hole, it knows where the ad-serving domains are (because you tell it), so it doesn’t forward those requests.  But it doesn’t know where legitimate sites are. Thus these requests are forwarded to an upstream, recursive server.

These servers also don’t know where the real Website exists unless they have been asked to find it before.  The only DNS server that truly knows where a domain is is an authoritative DNS server.  For now, we don’t need to know what an authoritative DNS server is, just that it’s the single source of truth for a domain’s real IP address.

So when you have a Pi-hole in use on your network, the flow of traffic goes like this:

  1. Your client asks the Pi-hole Who is pi-hole.net?
  2. Your Pi-hole will check its cache and reply if the answer is already known.
  3. Your Pi-hole will check the blocking lists and reply if the domain is blocked.
  4. Since neither 2. nor 3. is true in our example, the Pi-hole forwards the request to the configured external upstream DNS server(s).
  5. Upon receiving the answer, your Pi-hole will reply to your client and tell it the answer of its request.
  6. Lastly, your Pi-hole will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again.

The Concern With Upstream Servers

The concern with the existing method lies in step 4.  In today’s world, these upstream servers are known as Google, OpenDNS, and CloudFlare, amongst others.  They advertise themselves as free private DNS servers, but how do you know for certain they are keeping their promise that your information is truly private?

Furthermore, from the point of an attacker, the DNS servers of larger providers are very worthwhile targets, as they only need to poison one DNS server, but millions of users might be affected.  For example, instead of your bank’s actual IP address, you could be sent to a phishing site hosted on some island.  This scenario has already happened and it isn’t unlikely to happen again…

So What Is The Difference Between A Recursive DNS Server and An Authoritative DNS server?

The first distinction we have to be aware of is whether a DNS server is authoritative or not.  If I’m the authoritative server for, e.g., pi-hole.net, then I know which IP is the correct answer for a query.  Recursive name servers, in contrast, resolve any query they receive by consulting the servers authoritative for this query by traversing the domain.  Example: We want to resolve pi-hole.net. On behalf of the client, the recursive DNS server will traverse the path of the domain across the Internet to deliver the answer to the question.

What Is The Solution?

Operating your own local, recursive DNS server.  Think of it as running your own Google or CloudFlare DNS service.  It can run on the same device you are already using Pi-hole for and there are no additional hardware requirements.

This changes the six-step procedure mentioned previously to this 12-step process:

How Pi-hole Works With FTLDNS and Unbound

  1. Your client asks the Pi-hole Who is pi-hole.net?
  2. Your Pi-hole will check its cache and reply if the answer is already known.
  3. Your Pi-hole will check the blocking lists and reply if the domain is blocked.
  4. Since neither 2. nor 3. is true in our example, the Pi-hole delegates the request to the (local) recursive DNS resolver.
  5. Your recursive server will send a query to the DNS root servers: “Who is handling .net?”
  6. The root server answers with a referral to the TLD servers for .net.
  7. Your recursive server will send a query to one of the TLD DNS servers for .net: “Who is handling pi-hole.net?”
  8. The TLD server answers with a referral to the authoritative name servers for pi-hole.net.
  9. Your recursive server will send a query to the authoritative name servers: “What is the IP of pi-hole.net?”
  10. The authoritative server will answer with the IP address of the domain pi-hole.net.
  11. Your recursive server will send the reply to your Pi-hole which will, in turn, reply to your client and tell it the answer of its request.
  12. Lastly, your Pi-hole will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again.
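To make the referral chain in steps 5 to 12 concrete, here is an added, offline simulation of an iterative resolver with a cache. It is example code, not part of the original post or of FTLDNS/Unbound; the zone data, server names and the 192.0.2.10 address (an RFC 5737 documentation address) are constructed stand-ins for the real root, .net and pi-hole.net servers.

```python
# Constructed stand-in for the DNS tree. Each "server" knows only its own zone:
# it either answers for a name it is authoritative for or hands out a referral.
ZONES = {
    "root":         {"delegate": {"net.": "tld-net"},               "addr": {}},
    "tld-net":      {"delegate": {"pi-hole.net.": "auth-pi-hole"},  "addr": {}},
    "auth-pi-hole": {"delegate": {},                                "addr": {"pi-hole.net.": "192.0.2.10"}},
}


def ask(server, qname):
    """One query to one server: ('answer', ip), ('referral', next_server) or ('nxdomain', None)."""
    zone = ZONES[server]
    if qname in zone["addr"]:                      # authoritative answer (step 10)
        return "answer", zone["addr"][qname]
    # Referral for the longest delegation that is an ancestor of qname (steps 6 and 8).
    for suffix, nxt in sorted(zone["delegate"].items(), key=lambda kv: -len(kv[0])):
        if qname == suffix or qname.endswith("." + suffix):
            return "referral", nxt
    return "nxdomain", None


class Resolver:
    """Minimal recursive resolver: starts at the root, follows referrals, caches answers."""

    def __init__(self):
        self.cache = {}
        self.trace = []          # which servers were contacted, so the chain is visible

    def resolve(self, name):
        qname = name.rstrip(".") + "."
        if qname in self.cache:                    # step 2: cache hit, no network at all
            self.trace.append("cache")
            return self.cache[qname]
        server = "root"                            # step 5: every cold lookup starts here
        for _ in range(8):                         # bound the chase so a bad delegation can't loop
            self.trace.append(server)
            kind, value = ask(server, qname)
            if kind == "answer":
                self.cache[qname] = value          # step 12: remember it for next time
                return value
            if kind == "referral":
                server = value                     # walk down one level of the tree
                continue
            return None                            # NXDOMAIN: nobody is authoritative for it
        return None


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("pi-hole.net"), r.trace)       # cold: root -> tld-net -> auth-pi-hole
    print(r.resolve("pi-hole.net"), r.trace[-1])   # warm: served from cache
```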

Step 4 is where the major change happens.  The steps that follow are what the upstream servers would normally handle (along with any data tracking they may or may not be doing).

Recursion is more involved than just asking some upstream server. This has benefits and drawbacks:

Benefit

Privacy – as you’re directly contacting the responsible servers, no single server can log the full path you’re taking; e.g. the Google DNS servers will only be asked if you want to visit a Google website, but not if you visit the website of your favourite newspaper, etc.

Drawback

Traversing the entire path may be slow, especially the first time you visit a website.  While the bigger DNS providers always have answers for commonly used domains in their cache, you will have to traverse the path yourself if you visit a page for the first time.  A first request to a formerly unknown TLD may take up to one second (or even more if you’re also using DNSSEC).  Subsequent requests to domains under the same TLD usually complete in < 0.1s. Fortunately, your Pi-hole does efficient caching to minimize the number of queries that will actually have to be performed.

Setting It Up

This blog post won’t go into detail about how to set it up, for that, we have an article you can follow (at this time you’ll need to be participating in our beta test of FTLDNS).

But once complete, you’ll be able to do something like this instead of setting Google as your upstream DNS provider.

Interested in this?

FTLDNS is currently in beta, so we hope you’ll check it out and also help support our endeavors with our one-time fundraising goal of $100,000.

Limited Edition Pi-hole Coins Are Now For Sale

Patrons got first dibs, but there are still plenty of coins available.

These coins are high quality, colored, and textured.  Check out the product page for more information.  Enjoy!

Proceeds from the sales will be used to further develop Pi-hole.

Get Early Access To Our Coins By Signing Up For Patreon

We launched our Patreon page a few days ago.  Patrons of Pi-hole get several benefits: in addition to the rewards already granted by becoming a patron, you’ll also get a flair on our user forums, and early access to things such as first access to our collector’s coins.

Patreon charges you on the first of the month, so if you sign up today, you’ll be just in time.  We’re offering our patrons first dibs on the Pi-hole collector coins we have been teasing.  So if you want one, make sure you sign up for Patreon today.

Finally, here’s what the custom flair on our user forums looks like:


Coins, Patreon Feedback Round 2, Plus Our Fundraiser

Separate from Patreon: Collectable Coins Will Be For Sale

These are 2 inch metal coins with color and texture.  Only 300 have been made (seven of which have gone to the developers) and each one has a sequential number printed on it.

If these are a success, we will be designing and selling more coins, but this will be the only limited edition run with sequential numbering, so if you’re a collector or just a die hard fan, you’ll need to act fast.  We’ll do another blog post announcing when they are available for purchase.

Patreon Reward Levels

$15/month Mug-of-the-month Club

We are also running a mug-of-the-month tier for those willing to donate $15 a month.  Each month, we’ll ship out a mug with a new Pi-hole inspired design on it.  Here are just a few we’ve already had commissioned.

and more like these…

$10/month Sticker-of-the-month Club

Get a sheet of 24 stickers each month.

$1-5/month Thank You!

We can’t offer much at this price point, but we do appreciate your help.  You’ll get a special “Patron” flair on our user forums and/or Reddit.  You’ll also get access to our patron-only posts on Patreon.

Our Fundraiser

We’re attempting to raise $100,000 in an effort to develop Pi-hole even more. Patreon is an extended effort to offer you tangible rewards for supporting us.

One-time funding goal for developing full time, faster updates, faster bug fixes, quicker support response times, more features, more platforms natively supported…

$12,018 of $100,000 raised
If you’d like to support the development of Pi-hole, use the form above to send us a donation (monthly or a one-time).

You can also help us out by becoming a patron or purchasing items/services through our affiliate links below.

  • Bitcoin 33v5DGMGwYiDDJsKExksY1jhZbhGqF1SVe
  • Bitcoin Cash  qquhjgl9l5yfghu2kmw7q495m4xdgfc4q59zntpjmh
  • Ethereum 0x5Cd7f79D8D542847B2A313297037d3CAc1FeFBB4

We are all volunteers on the project and work on it in our free time.  Your donations will help support our infrastructure and keep us motivated to improve the product.

No registration is needed.


NXDOMAIN And Null Blocking With FTLDNS

Pi-hole has traditionally returned a blank HTML page in place of advertisements.  An alternative method is to return NXDOMAIN (no such domain).  This is a behaviour you asked us to implement and we have listened.

To use it, you’ll need to be running the FTLDNS beta (pihole -up if you’re already on it):

echo "FTLDNS" | sudo tee /etc/pihole/ftlbranch
pihole checkout core FTLDNS
pihole checkout web FTLDNS

You can also checkout the development branches, but if you want the most up-to-date code, use the FTLDNS branches.

Once you’ve checked out the new branches, you need to add this to /etc/pihole/pihole-FTL.conf (note that you may need to create this file if it does not exist):

BLOCKINGMODE=NXDOMAIN

or

BLOCKINGMODE=NULL

depending on which method you prefer, and then restart FTLDNS (pihole-FTL) to apply the change:

sudo service pihole-FTL restart


Patreon Coming Soon: Your Feedback Requested

We’re launching a Patreon page soon, which allows you to get rewards for supporting us.  Take a look at this explainer video if you are unfamiliar with it.

We want your feedback on the reward levels.  Please let us know what you like, what you don’t, or what you like to see.

$1/month Patron Flair

We’ll flair your user on Discourse or Reddit as a Patron of Pi-hole and you have our thanks.

$3/month Insider Information

Get access to our Patron only posts.  We’ll discuss things here before releasing them to the general public.

$10/month Sticker-of-the-month Club

Get a new sheet of 24 stickers every month.

$15/month Mug-of-the-month Club

Each month, we’ll ship out a mug with a new Pi-hole inspired design on it.

Also Available…

We have around 300 custom-made, 2 inch Pi-hole coins, sequenced and everything.  They are dual-sided, colored and look very nice.  If these sell out, we could possibly do a coin-of-the-month club as well.  But for now, there is only one style coin available.

The proceeds from selling these coins will go towards our fundraising goal.


Blocking via regex now available in FTLDNS™

We have implemented GNU Extended Regular Expressions for blocking domains into FTLDNS (as used by popular tools such as egrep (or grep -E ...), awk, and emacs).

To try it, you need to be participating in the FTLDNS beta test (see here for more details).  This is a new feature and we invite you to test it out but you should expect some rough edges.   We would also appreciate if you could help us find any bugs or issues you run into.

Reach out to us on Discourse or Reddit with any issues you run into.

Once you’re on the beta testing branch you can configure the regex of your choice in /etc/pihole/pihole-FTL.conf.  In contrast to our already existing wildcard blocking implementation, you can now configure arbitrarily complex blocking filters with Pi-hole FTLDNS.  For example, the following regex:

BLOCKINGREGEX=^ab.+\.com$

will block all domains that start with “ab” (^ab), have at least one further character (.+) and end in “.com” (\.com$).

Examples for what would be blocked by this rule:

  • abc.com
  • abtest.com
  • ab.test.com
  • abr-------.whatever.com

Examples for what would not be blocked by this rule:

  • testab.com (the domain doesn’t start with “ab”)
  • tab.test.com (the domain doesn’t start with “ab”)
  • ab.com (there is no character in between “ab” and “.com”)
  • test.com.something (the domain doesn’t end in “.com”)
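The following is an added example (not code from the original post or from FTLDNS) that runs the rule above over the two lists, and additionally shows the one check worth doing before shipping a rule: what happens when the dot in ".com" is left unescaped.  It uses Python's re module with search() to mimic the grep -E behaviour of matching anywhere unless the pattern is anchored; the domain names are taken from the lists above plus one constructed hostname.

```python
import re


def make_matcher(pattern):
    """Compile a BLOCKINGREGEX-style rule; a match anywhere counts unless the rule is anchored."""
    compiled = re.compile(pattern)
    return lambda domain: compiled.search(domain) is not None


def blocked_domains(rule, domains):
    """Return the subset of domains the rule would block."""
    return [d for d in domains if rule(d)]


# The rule from the post: starts with "ab", at least one more character, ends in a literal ".com".
PAGE_RULE = make_matcher(r"^ab.+\.com$")

# Same rule with the dot left unescaped: "." now matches any single character.
UNESCAPED_RULE = make_matcher(r"^ab.+.com$")

# Domains from the post's two lists (blocked first, then not blocked).
SAMPLE = [
    "abc.com", "abtest.com", "ab.test.com", "abr-------.whatever.com",
    "testab.com", "tab.test.com", "ab.com", "test.com.something",
]

# Constructed hostname that contains no dot at all before "com".
ODD_NAME = "abcxcom"


if __name__ == "__main__":
    print("blocked by the post's rule:", blocked_domains(PAGE_RULE, SAMPLE))
    print("escaped rule on", ODD_NAME, "->", PAGE_RULE(ODD_NAME))        # False
    print("unescaped rule on", ODD_NAME, "->", UNESCAPED_RULE(ODD_NAME)) # True: overblocks
```

The difference on ODD_NAME is why a rule should be tested against names it must not block as well as names it must.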

Hopefully this illustrates how powerful the new blocking method of FTLDNS is, but also why testing is mandatory to ensure it is working correctly in all possible situations.  The potential of this new blocking is huge and may even help with things like this.