Yes, a little. I probably should write a longer article for the blog, but I not want to sound too miserable about technology out there and constantly piss off other people who are working hard on their software projects.
The problem I see with Pi-Hole is that it is sitting someone in the middle of the network and is just catching DNS packets and depending on a blacklist won’t forward the queries any more.
It acts as an authoritative name server on behalf of other domains. The deliberately send you a spoofed response and tell you that “some-porn-site.com” does not exist although it might exist. That is exactly the same method that an attacker would use to lead you to a faked website and not the one of your bank.
You don’t see that the DNSSEC validation process fails because no DNS resolver in a mobile or desktop operating system validated the signatures. But IPFire does. We at least make sure that the firewall has received a correct and valid, non-spoofed response. Transport over the local network might still be under control of an attacker, but that is a lot less likely.
When Pi-Hole sits in front of IPFire, it simply won’t forward any DNSSEC signatures to unbound which then cannot validate a DNS response. It will instead send a NXDOMAIN response for domains that should be blocked. Those need to be signed, too, because otherwise an attacker could just filter DNS queries and not respond to them. Your browser will receive a different error code which is SRVFAIL in case of the signature not being validated, but will unfortunately show you the same error page which says that the website “was not found”.
That is a huge problem and a “bug” in the browsers that Pi-Hole is taking advantage of. Hopefully operating systems will soon validate DNSSEC signatures and this will no longer work.
I think that the proper way is to use the proxy which will let the browser know that something has been filtered and present a proper error message that says exactly that to the user, too. This is not complicated to configure at all and complies with Internet RFCs.
Breaking DNS is a sensitive issue for me. There are many players who break it in one way or the other. Unfortunately DNS is becoming more and more important because we put more and more information into DNS records that are simply needed to run the Internet.
I want to be able to access the whole Internet - wherever I am.
And although I see the point of filtering porn websites in a school, there is a better way how to do that and breaking DNS isn’t it.
EDIT: I also had a look at pi-hole’s code and thank god I was sitting down…