Difference in Resolution/Blocking between PiHole and RethinkDNS
blog.joinmastodon.org

```
blog.joinmastodon.org. 600 CNAME mastodon.github.io.
mastodon.github.io. 3600 A 185.199.108.153
```

This resolved on Pi-hole just fine. It is blocked on RethinkDNS.
Both use the same set of blocklists, in this case https://easylist-downloads.adblockplus.org/ruadlist.txt
http://tagesschau-podcast.ard-mcdn.de/

```
tagesschau-podcast.ard-mcdn.de. 3600 CNAME tagesschaupodcast-stream.trafficmanager.net.
tagesschaupodcast-stream.trafficmanager.net. 60 CNAME tagesschau-podcast.ard-mcdn.de.akamaized.net.
tagesschau-podcast.ard-mcdn.de.akamaized.net. 21600 CNAME a899.dscw4.akamai.net.
a899.dscw4.akamai.net. 20 CNAME a899.dscw4.akamai.net.0.1.cn.akamaitech.net.
a899.dscw4.akamai.net.0.1.cn.akamaitech.net. 20 A 95.101.137.158
a899.dscw4.akamai.net.0.1.cn.akamaitech.net. 20 A 95.101.137.154
```

This is hit by:

- trafficmanager.net: Microsoft/ParentalControl (DISABLED)
- de.akamaized.net: Blocklist (ph00lt0)
Same as above, Pi-hole resolves this. RethinkDNS does not. Is this a caching issue? Is this a matter of differences in the way these systems do qname minimisation and resolve from the root down? Are there differences in parsing the blocklists in ABP format?

> is this a matter of differences in the way these systems do qname minimisation and resolve from the root down?
Not qname minimisation but cname cloaking. Pi-Hole probably has a separate setting to enable blocking cname (and https/svcb) cloaked domains? Rethink does this by default (both, the Android app with on-device blocklists and the resolver).
> Are there differences in parsing the Blocklists in ABP format?
Yes, Rethink's ABP parser isn't the greatest, but I haven't found the time to debug the exact issues. Given the majority of the blocklists are not in the ABP format, I don't think I'll look at it anytime soon.
- https://github.com/serverless-dns/blocklists/issues/150
Pi-hole is set to do CNAME unmasking. That is not the difference I am hunting.

Hosts format and domain format can take up a lot of space compared to a simple ||example.org, which hits every subdomain.
> Pi-hole is set to do CNAME unmasking. That is not the difference I am hunting.
Unsure why Pi-hole wouldn't block de.akamaized.net (which is part of ph00lt0's blocklist)?[^0] Perhaps Pi-hole does full domain match unlike Rethink, which does suffix (wildcard) match? For instance, if example.com is present in a blocklist, Rethink (both the Android app and the resolver) will also attribute blocks of a.example.com, a.b.example.com, a.b.c.example.com etc. to that blocklist.

This change was sometime in 2022, iirc, at the suggestion of many a list maintainer.

[^0]: Looks like de.akamaized.net won't be in the blocklist's next update: https://github.com/ph00lt0/blocklist/issues/174
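To make the three behaviours discussed in this thread concrete (checking every name in the CNAME chain rather than only the qname, exact versus suffix matching of list entries, and the hosts/domain format versus the shorter ABP `||example.org^` form), here is a small model in Python. It is an added example and not code from RethinkDNS or Pi-hole; the CNAME chain is copied from the dig output in the report, the blocklist excerpts are constructed, and the function names and the zone representation are assumptions made for the illustration.

```python
"""Model of how a DNS blocker decides whether a query is blocked.

Added example, not RethinkDNS or Pi-hole code. It models:
  1. parsing hosts-format, domain-format and ABP-style (||example.org^) lists,
  2. CNAME uncloaking: every owner name in the answer chain is checked,
  3. exact matching of list entries versus suffix (wildcard) matching.
The CNAME chain is the one from the dig output in the report; the list
excerpts and the zone dictionary are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# ABP network rule anchored at a domain boundary: ||example.org^
ABP_DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^?$", re.IGNORECASE)
IP_ADDRESS = re.compile(r"^[0-9a-fA-F.:]+$")

# Constructed zone: owner name -> (type, target). Values copied from the report.
QNAME = "tagesschau-podcast.ard-mcdn.de"
ZONE: Dict[str, Tuple[str, str]] = {
    "tagesschau-podcast.ard-mcdn.de": ("CNAME", "tagesschaupodcast-stream.trafficmanager.net"),
    "tagesschaupodcast-stream.trafficmanager.net": ("CNAME", "tagesschau-podcast.ard-mcdn.de.akamaized.net"),
    "tagesschau-podcast.ard-mcdn.de.akamaized.net": ("CNAME", "a899.dscw4.akamai.net"),
    "a899.dscw4.akamai.net": ("CNAME", "a899.dscw4.akamai.net.0.1.cn.akamaitech.net"),
    "a899.dscw4.akamai.net.0.1.cn.akamaitech.net": ("A", "95.101.137.158"),
}

# Constructed list excerpts. Only the entries named in the thread are used.
PH00LT0_STYLE = ["# constructed excerpt, hosts format", "0.0.0.0 de.akamaized.net"]
PARENTAL_STYLE = ["! constructed excerpt, ABP format (disabled in the report)", "||trafficmanager.net^"]


def parse_list(lines: Iterable[str]) -> Set[str]:
    """Return the domains of a list written in hosts, domain or ABP format."""
    domains: Set[str] = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):  # blank, or ABP comment
            continue
        m = ABP_DOMAIN_RULE.match(line)
        if m:  # ||example.org^ covers example.org and every subdomain
            domains.add(m.group(1).lower().rstrip("."))
            continue
        if line.startswith(("@@", "/", "|")):  # ABP exception, regex or URL rule: not a domain
            continue
        parts = line.split()
        # hosts format: "0.0.0.0 example.org"; domain format: "example.org"
        name = parts[1] if len(parts) >= 2 and IP_ADDRESS.match(parts[0]) else parts[0]
        domains.add(name.lower().rstrip("."))
    return domains


def matches(name: str, domains: Set[str], suffix: bool) -> Optional[str]:
    """Return the list entry that blocks `name`, or None.

    suffix=False: the full name must be in the list (exact match).
    suffix=True:  the name or any parent domain must be in the list,
                  so a.b.example.com is blocked by an entry example.com.
    """
    name = name.lower().rstrip(".")
    if not suffix:
        return name if name in domains else None
    labels = name.split(".")
    for i in range(len(labels) - 1):  # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def resolve_chain(qname: str, zone: Dict[str, Tuple[str, str]]) -> List[str]:
    """Follow CNAMEs in the constructed zone; return every owner name seen."""
    chain = [qname.lower().rstrip(".")]
    while zone.get(chain[-1], ("", ""))[0] == "CNAME":
        chain.append(zone[chain[-1]][1])
        if len(chain) > 16:
            raise RuntimeError("CNAME chain too long")
    return chain


def decide(qname: str, zone: Dict[str, Tuple[str, str]], domains: Set[str],
           *, suffix: bool, uncloak: bool) -> Optional[Tuple[str, str]]:
    """Return (name that matched, list entry) if the query is blocked, else None.

    uncloak=False checks only the query name; uncloak=True checks every
    name in the CNAME chain (CNAME uncloaking/unmasking).
    """
    names = resolve_chain(qname, zone) if uncloak else [qname]
    for n in names:
        hit = matches(n, domains, suffix)
        if hit:
            return (n, hit)
    return None


if __name__ == "__main__":
    enabled = parse_list(PH00LT0_STYLE)  # the disabled parental list is not loaded
    for suffix in (False, True):
        for uncloak in (False, True):
            print(f"suffix={suffix!s:5} uncloak={uncloak!s:5} ->",
                  decide(QNAME, ZONE, enabled, suffix=suffix, uncloak=uncloak))
```

With both implementations uncloaking CNAMEs, the only run that blocks the query is the suffix-matching one: the chain never contains `de.akamaized.net` itself, only `tagesschau-podcast.ard-mcdn.de.akamaized.net`, so an exact matcher lets it through while a suffix matcher attributes it to the `de.akamaized.net` entry. That is the difference the maintainer proposes above; whether Pi-hole really matches exactly is not something this model settles.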
I got it fixed at the list level, but I still find it curious. Maybe cache interferes. I would expect both apps to go from TLD to domain to subdomain without shortcuts.
This is not likely due to cache interference. Most likely Pi-hole either isn't applying CNAME cloaking on select domains, or Rethink's suffix matching is aggressive, which Pi-hole doesn't do (as it has way more RAM to work with than Rethink does on Android devices and can afford to do exact matches and retain exact copies of the lists).
Moving this to discussions as it doesn't look like Rethink has a bug here?
If I'm mistaken, let me know, and I'll move it back (or create a new issue based on this report).