Android app ads are not being blocked with Pihole + Unbound

I recently formatted my Pi 3B that had a very very old installation of Raspbian 9 that just had Pihole, and tried to modernize things by installing a fresh Raspberry Pi OS 12 (Raspbian 12 Bookworm), plus Pihole and Unbound. Everything looked good until my SO, who plays some Android games from time to time, realized she was getting ads now.

Expected Behaviour:

Ads in apps are blocked. For instance ads in free games or apps. Instead I get an ad bar at the bottom and some full screen ads after completing some actions.

Actual Behaviour:

Ads are displayed and looking at the query log doesn't show that my Android device has had any query blocked. Testing started at 18:30 and the screenshot was taken at around 18:50.
I tried opening the offending app and running this: Test Ad Block - Toolz, which showed me 99% as usual.

DHCP is configured correctly and looking in the settings, I can see that it's using the correct DNS IP (192.168.0.20).

Private DNS is "OFF".

MAC is set to not be randomized because I like DHCP to always assign the same IP to my devices. :slight_smile:

Enabling AdGuard DNS (that's what I use when I'm out of home) successfully blocks the ads. :thinking::thinking:

Otherwise, queries from TVs and computers are being blocked fine.

Debug Token:

https://tricorder.pi-hole.net/4DY3bCUU/

This is the output of sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    log-time-ascii: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    serve-expired: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    serve-expired-ttl: 86400
/etc/unbound/unbound.conf.d/pi-hole.conf:    cache-max-ttl: 43200
/etc/unbound/unbound.conf.d/pi-hole.conf:    cache-min-ttl: 3600
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:  control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf:  control-interface: /run/unbound.ctl
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"

If it is of any help, I get these warnings in /var/log/unbound/unbound.log.

Sep 27 19:28:04 unbound[58011:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
Sep 27 19:28:04 unbound[58011:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.

Nothing to worry about:

What brand/model Android?

On the Android device, make sure the "Private DNS" setting under "More connection settings" is disabled!

Both your question's answer and your advice are already in the OP, but here you go:
OnePlus 11 (though it also happens on a Xiaomi Mi 11 Ultra, probably on a OnePlus 5T too), and Private DNS is already disabled on all devices.

Well, when I was reading your OP, Private DNS was most definitely not mentioned.
And I'm not good with screenshots :wink:

Can you advertise the Pi-hole IP several times as a DNS server in the LAN DHCP service settings?
That solved it for below OnePlus:

If Pi-hole is installed bare metal, you can validate with below one:

sudo pihole-FTL dhcp-discover

The upcoming version 6 release does that by default OOTB when you activate Pi-hole's own DHCP service:

$ pihole-FTL --config dhcp.multiDNS
true
$ sudo pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
[..]
   dns-server: 10.0.0.5
   dns-server: 10.0.0.5
   dns-server: 10.0.0.5

Unfortunately my ISP-provided router doesn't let me change the DNS servers; I can only disable DHCP. I do see in the Android network settings that DNS 1 is my Pi-hole but DNS 2 is 8.8.4.4, just like the linked thread said.

After trying the solution in that thread (declaring a secondary DNS server in Pi-hole) and checking with the Network info app, it looks like the phone now has 2 DNS servers, both Pi-hole.

I'll test a little bit and update the post! Thank you!


BTW, one of those "Network Info" apps showed this and mentions a local fe80:: IPv6 address. AFAIK I'm not using IPv6 anywhere and my router only displays an IPv4 address.

https://i.imgur.com/U1gY6ZU.png

(Also, what app do you recommend? There's a lot of them and I needed to download 3 to find one that wasn't trash.)

Not sure about that one.
If you install below on the Pi, you can inspect whether any RDNSS is advertised via IPv6 RA (Router Advertisement) and from which MAC address it originated:

Scroll down a bit for examples.

I also had a go at it earlier today.
I've always used an app simply called "Network info".
But when I check that app in the store on my phone, it says it's not supporting the current Android release.
And if I search for it in the app store it's nowhere to be found.
It does still function, though.

And before Android 9, you could simply do below in a terminal window:

getprop net.dns1
getprop net.dns2
getprop net.dns3

I've read this git PR and it seems like you've wrangled with this issue for quite a long time! Thankfully your changes made it into v6. I'm so eagerly awaiting it!

I'm not sure what any of this means. IPv6 goes way over my head. :frowning:

sudo rdisc6 eth0
Soliciting ff02::2 (ff02::2) on eth0...

Hop limit                 :           64 (      0x40)
Stateful address conf.    :           No
Stateful other conf.      :          Yes
Mobile home agent         :           No
Router preference         :       medium
Neighbor discovery proxy  :           No
Router lifetime           :            0 (0x00000000) seconds
Reachable time            :  unspecified (0x00000000)
Retransmit time           :  unspecified (0x00000000)
 Source link-layer address: 34:E3:80:XX:XX:XX
 MTU                      :         1500 bytes (valid)
 Recursive DNS server     : fe80::36e3:80ff:fea6:3900
  DNS server lifetime     :         1800 (0x00000708) seconds
 from fe80::36e3:80ff:fea6:3900

I'm using this one and it seems OK enough.

$ sudo pihole-FTL sqlite3 /etc/pihole/macvendor.db "SELECT vendor FROM macvendor WHERE mac LIKE '34:E3:80'"
Genexis B.V.

That's where that rogue IPv6 DNS is coming from.

YES! Genexis B.V. is the manufacturer of my router!

I was just digging deeper into my router settings and I just found these firewall rules enabled:

https://i.imgur.com/2Ame54e.png
https://i.imgur.com/9jP8dQs.png

I'm going to go ahead and disable them.

I finally found it.
It's not bloated and just shows what you're interested in:

Alright, some days have passed and I can actually see my phone being properly filtered. It went from not appearing in the Top Clients list to the Top 3... but still, some apps show ads!

I'm going to try Rethink DNS to see what is going on.

EDIT:

Well, damn it. Turns out I whitelisted pagead2.googlesyndication.com because I thought that was impeding LaLigaTV (sports streaming) from working, and I wrongly assigned that rule to the default group instead of just the "SmartTV" group.

But other than that, declaring a secondary DNS for our OnePlus / Xiaomi devices DEFINITELY helped. I'm not sure the firewall rules I disabled had anything to do with this, but I will enable them again and see what happens during the coming days.

Thanks for the help, @deHakkelaar!


As long as your clients are supplied with that IPv6 RA RDNSS, clients can bypass Pi-hole.
Most implementations even prefer IPv6 over IPv4.

That same IPv6 DNS address should also be visible on a Windows PC:

ipconfig /all

netsh interface ipv6 show dnsservers

Or on MacOS:

scutil --dns
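As an added example (not code from anyone in this thread), a small Python checker that parses `rdisc6` and `pihole-FTL dhcp-discover` output as quoted above and flags any advertised DNS server that is not the Pi-hole, i.e. an IPv6 RA RDNSS or a second DHCP `dns-server` option that lets clients bypass it; the sample outputs, the MAC and the `fd00::20` Pi-hole address are constructed.

```python
import re

# Constructed sample, modelled on the rdisc6 output quoted in this thread.
RDISC6_SAMPLE = """\
Soliciting ff02::2 (ff02::2) on eth0...

Hop limit                 :           64 (      0x40)
Stateful address conf.    :           No
Router lifetime           :            0 (0x00000000) seconds
 Source link-layer address: 34:E3:80:AA:BB:CC
 MTU                      :         1500 bytes (valid)
 Recursive DNS server     : fe80::36e3:80ff:fea6:3900
  DNS server lifetime     :         1800 (0x00000708) seconds
 from fe80::36e3:80ff:fea6:3900
"""

# Constructed sample, modelled on `pihole-FTL dhcp-discover` output.
DHCP_DISCOVER_SAMPLE = """\
Scanning all your interfaces for DHCP servers
   dns-server: 192.168.0.20
   dns-server: 8.8.4.4
"""


def parse_rdisc6(text):
    """Return one dict per router advertisement: sender MAC and advertised RDNSS list."""
    ras, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Hop limit"):          # first field of every RA block
            cur = {"mac": None, "rdnss": []}
            ras.append(cur)
        elif cur is None:                      # "Soliciting ..." / "Timed out." lines
            continue
        elif s.startswith("Source link-layer address"):
            cur["mac"] = s.split(":", 1)[1].strip().upper()
        elif s.startswith("Recursive DNS server"):
            cur["rdnss"].append(s.split(":", 1)[1].strip())
    return ras


def rogue_rdnss(text, pihole_v6_addrs):
    """(rdnss, sender MAC, OUI) for every RDNSS that is not a Pi-hole address."""
    allowed = {a.lower() for a in pihole_v6_addrs}
    hits = []
    for ra in parse_rdisc6(text):
        oui = ra["mac"][:8] if ra["mac"] else None   # look this up in macvendor.db
        hits += [(a, ra["mac"], oui) for a in ra["rdnss"] if a.lower() not in allowed]
    return hits


def non_pihole_dhcp_dns(text, pihole_ip):
    """DHCP dns-server options other than the Pi-hole (e.g. a router-added 8.8.4.4)."""
    return [s for s in re.findall(r"dns-server:\s*(\S+)", text) if s != pihole_ip]
```

Run the two functions over `sudo rdisc6 eth0` and `sudo pihole-FTL dhcp-discover` output on the Pi; an empty result from both means neither DHCP nor RA is handing clients a way around Pi-hole.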

I finally called my ISP and asked them to disable the IPv6 DNS server in my router. Understandably, the super nice tech guy told me they can't do that, and that my problem should be the DHCP server, but that was already disabled... so we messed around with the settings trying stuff with no success.

After some time he tried disabling "IPv6 support" in the DHCP settings, even though DHCP was already disabled, and lo and behold, that fixed it! Poor guy was baffled, no one ever asked him to do this before.

Now I get this when running rdisc6:

sudo rdisc6 eth0
Soliciting ff02::2 (ff02::2) on eth0...
Timed out.
Timed out.
Timed out.

And I can finally see my phones being filtered by Pi-hole.

Happy days!

For the record, the router is a Genexis Pure ED500 and the ISP is Adamo. If anyone stumbles upon this thread don't hesitate and call your ISP. :slight_smile:


That's a bit weird as DHCP is IPv4 only.
DHCPv6 exists but works a bit differently than IPv6 RA + SLAAC for advertising DNS, router and a prefix for the hosts to auto-construct an IPv6 address with.
Plus some platforms, like for example Android, don't support DHCPv6.
But yeah, for most users it's the only solution to disable IPv6 support on the LAN part.

Bit sad not being able to configure those basic aspects on many router brands.
And it doesn't encourage folks to adopt IPv6 any time soon.

EDIT: Marked it solved if you don't mind.

To be fair that's what he told me; he could have misspoken, it could be named differently or who knows what that option really disables. If only I could have seen the admin interface...

Anyway, the fact is that my Android devices no longer get an IPv6 address alongside an IPv4 when connecting to my wi-fi. :smiley:

I wish I had a router that wasn't so locked down. I tried to set up my own but apparently it's not possible and the ISP doesn't share the parameters to configure a neutral router.

Cheers!

Sorry to keep posting on a solved thread but I wanted to share that, ever since my devices don't get assigned an IPv6, blocked queries reported by Pi-hole went up to 29.5% from about 6%... ~23.5% of blocked queries were bypassing Pi-hole. :exploding_head:

Thanks for the feedback!