(Simple Question) How to block all .wpad and .localdomain traffic?


#21

ok, that sounds good, thank you for the help !


#22

So… Can anyone explain my question…?


#23

As soon as you see “wpad.ikjnsdakjnkjnasd is 0.0.0.0” then it is blocked.


#24

Well, if you read the regex tutorial you’ll see that a period matches any character. So yes, the regex

fritz.box

matches

fritz.box

indeed. But it also matches, e.g.,

fritzabox
fritz1box

etc. So in order to make sure that those cases are not matched you have to escape the period.


#25

Sorry for not responding back in a while, got sidetracked by a lot of things.

Doing both (^|\ .)localdomain$ (no space) and ^localdomain($|\ .) (no space) appeared to block most of the traffic, but I noticed that things like “b._dns-sd._udp.localdomain” are still getting through, even when I do blacklist that exact domain. Any idea why?


#26

Oh, another thing, I’ve blacklisted a whole bunch of domains ending in .arpa, along with creating ^arpa($|\ .) (no space) and (^|\ .)arpa$ (no space), however, they still get routed to the next DNS hop (in my case, 1.1.1.1 and 1.0.0.1). Even when I completely blacklist specific domains, they are still appearing as forwarded to the next DNS hop.

Why are they able to get through?


#27

Check if the domains being passed start with www. A domain with www is different than the same domain without.


#28
```
Oct 24 19:14:22 dnsmasq[1183]: 415589 192.168.54.100/59733 query[PTR] b._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 19:14:22 dnsmasq[1183]: 415589 192.168.54.100/59733 forwarded b._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 19:14:22 dnsmasq[1183]: 415590 192.168.54.100/55810 query[PTR] db._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 19:14:22 dnsmasq[1183]: 415590 192.168.54.100/55810 forwarded db._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 19:14:22 dnsmasq[1183]: 415591 192.168.54.100/61950 query[PTR] dr._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 19:14:22 dnsmasq[1183]: 415591 192.168.54.100/61950 forwarded dr._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 19:14:22 dnsmasq[1183]: 415592 192.168.54.100/59184 query[PTR] lb._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 19:14:22 dnsmasq[1183]: 415592 192.168.54.100/59184 forwarded lb._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 19:14:22 dnsmasq[1183]: 415593 192.168.54.100/58287 query[PTR] r._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 19:14:22 dnsmasq[1183]: 415593 192.168.54.100/58287 forwarded r._dns-sd._udp.localdomain to 1.0.0.1
```

r._dns-sd._udp.localdomain && lb._dns-sd._udp.localdomain && dr._dns-sd._udp.localdomain && db._dns-sd._udp.localdomain && b._dns-sd._udp.localdomain

are all manually specified in the blacklist, but still bypass the block? Not sure how.
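As an added example (not from the thread or from Pi-hole itself), the snippet below shows the regex point from post #24 and the check a practitioner would run on the log excerpt from post #28: it evaluates the thread's regex rules against query names and pairs each dnsmasq query id with its outcome, listing names that a rule matches yet were still forwarded upstream. Pi-hole's regex engine is approximated with Python's `re.search`; the log-line patterns are constructed from the format visible in the posts.

```python
import re

# Regex blacklist entries from post #24: an unescaped period matches any
# character, the escaped one matches only a literal dot.
UNESCAPED_RULE = r"fritz.box"
ESCAPED_RULE = r"fritz\.box"
# The two anchored rules from post #25, with the escaped period they need.
LOCALDOMAIN_RULES = [r"(^|\.)localdomain$", r"^localdomain($|\.)"]

def rule_matches(rule: str, name: str) -> bool:
    """Regex rules apply anywhere in the name unless ^ or $ anchor them
    (Pi-hole semantics approximated here with re.search)."""
    return re.search(rule, name) is not None

# Constructed patterns for the dnsmasq lines seen in the thread:
#   <ts> dnsmasq[pid]: <qid> <client>/<port> query[TYPE] <name> from <client>
#   <ts> dnsmasq[pid]: <qid> <client>/<port> forwarded <name> to <upstream>
#   <ts> dnsmasq[pid]: <qid> <client>/<port> /etc/pihole/black.list <q> is <answer>
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ query\[(\w+)\] (\S+) from ")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ forwarded \S+ to (\S+)")
LOCAL_RE = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ (/etc/pihole/\S+) ")

def audit(log_lines, rules):
    """Join query and outcome lines on the query id.
    Returns {name: (qtype, outcome, first matching rule or None)}."""
    queries, outcomes = {}, {}
    for line in log_lines:
        if m := QUERY_RE.search(line):
            queries[m.group(1)] = (m.group(2), m.group(3))
        elif m := FORWARD_RE.search(line):
            outcomes[m.group(1)] = "forwarded to " + m.group(2)
        elif m := LOCAL_RE.search(line):
            outcomes[m.group(1)] = "answered from " + m.group(2)
    report = {}
    for qid, (qtype, name) in queries.items():
        hit = next((r for r in rules if rule_matches(r, name)), None)
        report[name] = (qtype, outcomes.get(qid, "no answer logged"), hit)
    return report

def leaks(report):
    """Names a rule matches that were nevertheless forwarded: the case in posts #25-#30."""
    return sorted(n for n, (_, outcome, hit) in report.items()
                  if hit and outcome.startswith("forwarded"))

# Sample input constructed from the excerpts in posts #28 and #32.
SAMPLE_LOG = [
    "Oct 24 19:14:22 dnsmasq[1183]: 415589 192.168.54.100/59733 query[PTR] b._dns-sd._udp.localdomain from 192.168.54.100",
    "Oct 24 19:14:22 dnsmasq[1183]: 415589 192.168.54.100/59733 forwarded b._dns-sd._udp.localdomain to 1.0.0.1",
    "Oct 24 18:23:57 dnsmasq[1183]: 414708 192.168.1.100/17395 query[PTR] 0.0.0.0.in-addr.arpa from 192.168.1.100",
    "Oct 24 18:23:57 dnsmasq[1183]: 414708 192.168.1.100/17395 /etc/pihole/black.list 0.0.0.0 is meraki.com",
]

if __name__ == "__main__":
    print("matched but forwarded:", leaks(audit(SAMPLE_LOG, LOCALDOMAIN_RULES)))
```

Running it against the post #28 lines confirms the anchored rule does match `b._dns-sd._udp.localdomain`, so the forwarding is not a regex mistake but a question of how those PTR queries are handled.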


#29
```
Oct 24 20:14:22 dnsmasq[1183]: 416484 192.168.54.100/59733 query[PTR] b._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 20:14:22 dnsmasq[1183]: 416484 192.168.54.100/59733 forwarded b._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 20:14:22 dnsmasq[1183]: 416485 192.168.54.100/55810 query[PTR] db._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 20:14:22 dnsmasq[1183]: 416485 192.168.54.100/55810 forwarded db._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 20:14:22 dnsmasq[1183]: 416486 192.168.54.100/61950 query[PTR] dr._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 20:14:22 dnsmasq[1183]: 416486 192.168.54.100/61950 forwarded dr._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 20:14:22 dnsmasq[1183]: 416487 192.168.54.100/59184 query[PTR] lb._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 20:14:22 dnsmasq[1183]: 416487 192.168.54.100/59184 forwarded lb._dns-sd._udp.localdomain to 1.0.0.1
Oct 24 20:14:22 dnsmasq[1183]: 416488 192.168.54.100/58287 query[PTR] r._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 20:14:22 dnsmasq[1183]: 416488 192.168.54.100/58287 forwarded r._dns-sd._udp.localdomain to 1.0.0.1
```

All the same domains, all not blocked, later in the day at the exact same minute and second interval? That is strange.


#30
```
Oct 24 21:14:22 dnsmasq[1183]: 417446 192.168.54.100/59733 query[PTR] b._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 21:14:22 dnsmasq[1183]: 417446 192.168.54.100/59733 forwarded b._dns-sd._udp.localdomain to 1.1.1.1
Oct 24 21:14:22 dnsmasq[1183]: 417447 192.168.54.100/55810 query[PTR] db._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 21:14:22 dnsmasq[1183]: 417447 192.168.54.100/55810 forwarded db._dns-sd._udp.localdomain to 1.1.1.1
Oct 24 21:14:22 dnsmasq[1183]: 417448 192.168.54.100/61950 query[PTR] dr._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 21:14:22 dnsmasq[1183]: 417448 192.168.54.100/61950 forwarded dr._dns-sd._udp.localdomain to 1.1.1.1
Oct 24 21:14:22 dnsmasq[1183]: 417449 192.168.54.100/59184 query[PTR] lb._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 21:14:22 dnsmasq[1183]: 417449 192.168.54.100/59184 forwarded lb._dns-sd._udp.localdomain to 1.1.1.1
Oct 24 21:14:23 dnsmasq[1183]: 417450 192.168.54.100/58287 query[PTR] r._dns-sd._udp.localdomain from 192.168.54.100
Oct 24 21:14:23 dnsmasq[1183]: 417450 192.168.54.100/58287 forwarded r._dns-sd._udp.localdomain to 1.1.1.1
```

And again…


#31

Honestly. I have no idea what it is, and I just want it stopped. If I don’t know what some DNS entry is on my network, and it isn’t obvious (ex. google.com), I’ll block it and wait until something breaks, so that I can document what it broke for future reference.


#32
```
Oct 24 18:21:24 dnsmasq[1183]: 414641 192.168.1.100/64878 query[PTR] 1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.3.8.1.8.5.0.0.8.9.9.4.1.0.0.2.ip6.arpa from 192.168.1.100
Oct 24 18:21:24 dnsmasq[1183]: 414641 192.168.1.100/64878 forwarded 1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.3.8.1.8.5.0.0.8.9.9.4.1.0.0.2.ip6.arpa to 1.1.1.1
Oct 24 18:21:24 dnsmasq[1183]: 414642 192.168.1.100/22468 query[PTR] 10.35.30.72.in-addr.arpa from 192.168.1.100
Oct 24 18:21:24 dnsmasq[1183]: 414642 192.168.1.100/22468 forwarded 10.35.30.72.in-addr.arpa to 1.1.1.1
Oct 24 18:21:24 dnsmasq[1183]: 414643 192.168.1.100/29602 query[PTR] 9.35.30.72.in-addr.arpa from 192.168.1.100
Oct 24 18:21:24 dnsmasq[1183]: 414643 192.168.1.100/29602 forwarded 9.35.30.72.in-addr.arpa to 1.1.1.1
Oct 24 18:21:24 dnsmasq[1183]: 414644 192.168.1.100/27962 query[PTR] 232.219.138.98.in-addr.arpa from 192.168.1.100
Oct 24 18:21:24 dnsmasq[1183]: 414644 192.168.1.100/27962 forwarded 232.219.138.98.in-addr.arpa to 1.1.1.1
Oct 24 18:21:24 dnsmasq[1183]: 414645 192.168.1.100/53875 query[PTR] 8.246.137.98.in-addr.arpa from 192.168.1.100
Oct 24 18:21:24 dnsmasq[1183]: 414645 192.168.1.100/53875 forwarded 8.246.137.98.in-addr.arpa to 1.1.1.1
Oct 24 18:23:57 dnsmasq[1183]: 414707 192.168.1.100/3846 query[PTR] 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa from 192.168.1.100
Oct 24 18:23:57 dnsmasq[1183]: 414707 192.168.1.100/3846 /etc/pihole/black.list :: is meraki.com
Oct 24 18:23:57 dnsmasq[1183]: 414708 192.168.1.100/17395 query[PTR] 0.0.0.0.in-addr.arpa from 192.168.1.100
Oct 24 18:23:57 dnsmasq[1183]: 414708 192.168.1.100/17395 /etc/pihole/black.list 0.0.0.0 is meraki.com
Oct 24 18:24:11 dnsmasq[1183]: 414719 192.168.54.100/56333 query[PTR] b._dns-sd._udp.0.54.168.192.in-addr.arpa from 192.168.54.100
Oct 24 18:24:11 dnsmasq[1183]: 414719 192.168.54.100/56333 forwarded b._dns-sd._udp.0.54.168.192.in-addr.arpa to 1.1.1.1
Oct 24 18:29:04 dnsmasq[1183]: 414838 192.168.1.100/4950 query[PTR] 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.3.8.1.8.5.0.0.8.9.9.4.1.0.0.2.ip6.arpa from 192.168.1.100
Oct 24 18:29:04 dnsmasq[1183]: 414838 192.168.1.100/4950 forwarded 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.3.8.1.8.5.0.0.8.9.9.4.1.0.0.2.ip6.arpa to 1.0.0.1
Oct 24 18:34:11 dnsmasq[1183]: 414938 192.168.1.100/3958 query[PTR] 46.4.217.172.in-addr.arpa from 192.168.1.100
Oct 24 18:34:11 dnsmasq[1183]: 414938 192.168.1.100/3958 forwarded 46.4.217.172.in-addr.arpa to 1.1.1.1
Oct 24 18:39:19 dnsmasq[1183]: 415021 192.168.1.100/25436 query[PTR] 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa from 192.168.1.100
Oct 24 18:39:19 dnsmasq[1183]: 415021 192.168.1.100/25436 /etc/pihole/black.list :: is meraki.com
Oct 24 18:39:19 dnsmasq[1183]: 415022 192.168.1.100/47268 query[PTR] 0.0.0.0.in-addr.arpa from 192.168.1.100
Oct 24 18:39:19 dnsmasq[1183]: 415022 192.168.1.100/47268 /etc/pihole/black.list 0.0.0.0 is meraki.com
Oct 24 18:41:53 dnsmasq[1183]: 415056 192.168.1.100/31085 query[PTR] 206.192.58.216.in-addr.arpa from 192.168.1.100
Oct 24 18:41:53 dnsmasq[1183]: 415056 192.168.1.100/31085 forwarded 206.192.58.216.in-addr.arpa to 1.1.1.1
Oct 24 18:44:26 dnsmasq[1183]: 415093 192.168.1.100/36064 query[PTR] 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.0.1.c.0.0.0.8.9.9.4.1.0.0.2.ip6.arpa from 192.168.1.100
Oct 24 18:44:26 dnsmasq[1183]: 415093 192.168.1.100/36064 forwarded 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.0.1.c.0.0.0.8.9.9.4.1.0.0.2.ip6.arpa to 1.1.1.1
Oct 24 18:44:26 dnsmasq[1183]: 415093 192.168.1.100/36064 reply 2001:4998:c:1023::4 is media-router-fp1.prod1.media.vip.gq1.yahoo.com
Oct 24 18:44:26 dnsmasq[1183]: 415094 192.168.1.100/49294 query[PTR] 7.246.137.98.in-addr.arpa from 192.168.1.100
Oct 24 18:44:26 dnsmasq[1183]: 415094 192.168.1.100/49294 forwarded 7.246.137.98.in-addr.arpa to 1.1.1.1
Oct 24 18:44:26 dnsmasq[1183]: 415094 192.168.1.100/49294 reply 98.137.246.7 is media-router-fp1.prod1.media.vip.gq1.yahoo.com
Oct 24 18:44:26 dnsmasq[1183]: 415095 192.168.1.100/61800 query[PTR] 231.219.138.98.in-addr.arpa from 192.168.1.100
Oct 24 18:44:26 dnsmasq[1183]: 415095 192.168.1.100/61800 forwarded 231.219.138.98.in-addr.arpa to 1.1.1.1
Oct 24 18:44:26 dnsmasq[1183]: 415095 192.168.1.100/61800 reply 98.138.219.231 is media-router-fp1.prod1.media.vip.ne1.yahoo.com
Oct 24 18:44:26 dnsmasq[1183]: 415096 192.168.1.100/10111 query[PTR] 232.219.138.98.in-addr.arpa from 192.168.1.100
Oct 24 18:44:26 dnsmasq[1183]: 415096 192.168.1.100/10111 forwarded 232.219.138.98.in-addr.arpa to 1.1.1.1
```

And here are the .arpa things I mentioned earlier. Seems a bit more random.

Edit: Thanks to whoever formatted these replies nicely! Didn’t know that " ``` " between the paragraphs did it!


#33

Oh, just to note, the 1.100 IP is my Meraki MR33 Access Point. The .arpa stuff may be it trying to phone home…?

The 54.100 is my desktop PC, running Windows 8.1 Pro, and temporarily hosting the Pihole server in a virtual machine (different IP address than the host).


#34

Bump? Hopefully someone can answer my last question?


#35

PTRs are reverse domain requests. Those are asking whether there is a name belonging to that IP.

This is mainly used by mail servers (MTAs) to check if the sender’s SMTP server is the correct one belonging to that domain.


#36

What are PTR requests? .arpa? .localdomain?


#37

This is typical of PTR requests - this screen is from the dev branch, so it’s not something you will see in V4.0. I don’t have a named local domain, so none of those appear.


#38

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.