Leaderboard

That's why the Block behavior is changed to NXDOMAIN further down. As written, the picture will give you an idea. Pi-Hole points out that NXDOMAIN will trigger more requests from certain applications because of little acceptance. NXDOMAIN can imply a (temporary) error happening, so applications will try again later. Any NOERROR reply is advantageous because applications will try to connect to the returned address instead. With an adblocker it will time out and trigger in-app exception handling instead. The reason why Apple suggests NXDOMAIN is because of UX considerations: If NOERROR is returned, the client will connect and cause a delay, lowering people's acceptance of the feature ("uuh, why is browsing websites with it so slow?"). They seem to have configured the service to immediately forego the VPN if NXDOMAIN is returned; it is a way, though. Sneaky software might even try different domains or even plain IP to connect after a NXDOMAIN, something you can't block without a packet filter. Though, it could be part of normal exception handling as well. The Linux kernel chooses 127.0.0.1 if 0.0.0.0 is used. I don't know what Windows does.