I have, but I live in Norway, where we have æøå in the standard alphabet. I suspect it’s more common still in Asian countries, because at least in Norwegian, there are standard ASCII replacements for all the extra letters: å = aa, ø = oe, æ = ae.
I know http://www.xn--sknetrafiken-ucb.se, but like many it just redirects to an ASCII version. (Does it look weird seeing "Skane" when you know it ought to be "Skaane"?)
Similarly for a power company, http://xn--rsted-uua.dk, just a redirect, but they do use it on adverts and my electricity bill.
In countries that use diacritical characters, umlauts etc., Unicode domains are somewhat common (but are often just an alias for a non-Unicode primary domain).
I've yet to see a legit Unicode domain, and my country doesn't speak English as a first language.
To tell you the truth, IDN domains feel like a failure, a gimmick. Their biggest market probably was meant to be countries that don't use the Latin alphabet, and they've failed spectacularly.
If you use Firefox, for your own security, set network.IDN_show_punycode to true.
It used to be possible to block this with a patched dnsmasq that allows setting a regex, but the fork is not maintained and merging the patches to upstream is also not much fun.
I predict that blacklisting Unicode domains will become a "best practice" for security, but that eventually their use will become normal and accepted when the security issues have been worked out (perhaps by something as simple as using a different background color for Unicode characters in the browser's location bar).
1. Use a browser extension that throws a warning on all Unicode domains (maybe even with Unicode highlighting). Drawback: Needs to be done per-device.
2. Let your pihole MitM all https traffic with a certificate you do NOT trust (maybe create one per domain, so you can add it to the trusted list); if the connection is over http, upgrade it to https (if the server doesn't speak https, proxy it). Drawback: It's much more complicated, and if your bank happens to be called e.g. "Bank of Zürich" you still need to take a look at the IDN to determine if you're on the right website (or add an exception).
Modification of the 2nd idea: run two dnsmasq servers, one that does the resolving and listens on the loopback interface, and the other listening on 53/udp with no-resolv, a whitelist of IDNs, and filtering rules to pass normal and block other punycode DNs.
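
Added example, not part of any comment above: a Python sketch of the filtering rule described in the last comment (pass plain ASCII names, block punycode names unless they are allowlisted). The allowlist contents and all function names are assumptions made for the illustration, and it does not configure dnsmasq itself.

```python
# Added illustration: pass/block decision for DNS query names.
ACE_PREFIX = "xn--"  # marks a punycode-encoded (IDN) label

# Constructed allowlist for this example, in punycode form, lower case.
ALLOWED_IDNS = {"xn--rsted-uua.dk"}


def labels(qname):
    """Lower-case the name, drop the trailing root dot, split into labels."""
    return qname.rstrip(".").lower().split(".")


def idn_labels(qname):
    """Labels that are punycode-encoded or contain raw non-ASCII characters."""
    return [l for l in labels(qname)
            if l.startswith(ACE_PREFIX) or not l.isascii()]


def to_unicode(qname):
    """Decode punycode labels for display; undecodable labels stay as-is."""
    out = []
    for label in labels(qname):
        if label.startswith(ACE_PREFIX):
            try:
                label = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
            except ValueError:  # UnicodeError is a subclass of ValueError
                pass
        out.append(label)
    return ".".join(out)


def is_allowlisted(qname, allowed=ALLOWED_IDNS):
    """True if qname is an allowlisted name or a subdomain of one."""
    name = ".".join(labels(qname))
    return any(name == a or name.endswith("." + a) for a in allowed)


def decide(qname, allowed=ALLOWED_IDNS):
    """Return 'pass' or 'block' for a query name."""
    if not idn_labels(qname):
        return "pass"
    return "pass" if is_allowlisted(qname, allowed) else "block"


if __name__ == "__main__":
    for q in ("www.example.com", "xn--rsted-uua.dk.", "xn--sknetrafiken-ucb.se"):
        print(f"{q:28} {to_unicode(q):22} {decide(q)}")
```

The allowlist match is anchored on the right-hand side of the name, so a punycode label that merely appears as a subdomain of some other zone is still blocked.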