Blacklisted but not blocked

Hi -- I have blacklisted www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com on my pihole and checked it is there:

 pi@raspberrypi:~ $ pihole -q www.goooooooooooooooo
  Match found in Blacklist
    www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com

and restarted the pi, but DNS requests continue to be sent out:

pi@raspberrypi:~ $ sudo grep goooooooo /var/log/pihole.log
Feb 26 06:05:44 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:18 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:18 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 10:03:21 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:21 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:21 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:21 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 14:43:54 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 14:43:54 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 17:39:30 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 17:39:30 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 17:39:30 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 17:39:30 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.47

Is there something else I need to do? I've no idea what the site is, but the requests are coming from a Samsung phone and generate IPS alerts of "non-Compliant DNS traffic".

Thanks!

Hello, pihole -d token please.

Sorry! https://tricorder.pi-hole.net/4qymz7tjnm

Thanks!

Can you run and provide the output from the commands at the terminal of the Pi-hole device:

dig www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com @127.0.0.1
dig www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com @192.168.0.32

pi@raspberrypi:~ $ dig www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com @127.0.0.1

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1020
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com.        IN A

;; ANSWER SECTION:
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com. 2 IN A 0.0.0.0

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 26 18:36:09 GMT 2020
;; MSG SIZE  rcvd: 115

pi@raspberrypi:~ $ dig www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com @192.168.0.32

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com @192.168.0.32
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16441
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com.        IN A

;; ANSWER SECTION:
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com. 2 IN A 0.0.0.0

;; Query time: 2 msec
;; SERVER: 192.168.0.32#53(192.168.0.32)
;; WHEN: Wed Feb 26 18:36:33 GMT 2020
;; MSG SIZE  rcvd: 115

Those both show the domain is being blocked by Pi-hole. If you go to the query log on the Pi-hole admin interface you should see those two queries in red and showing they were blocked.

Can you confirm that is what is showing on the web interface?

I'll check the queries, but historically this is what I get:

Yes, those two queries are indeed blocked:

Looks like that should be working then. You should be able to click on the domain name in that display and drill down to only show that domain. I'd keep an eye on it and see if there are any more OK responses now.

Thanks Dan! What has changed then? The queries from the phone were not blocked a couple of hours ago.

The queries that you show blocked in the latest output from the query log are both coming from localhost, not from the phone. Are the queries from the phone being blocked?

I guess we will have to wait and see, but I've just tried in a web browser from my laptop and it was successfully blocked. I don't know the phone app that is generating the query. This was highlighted by my UniFi IPS filter that logs the query as

PS Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set. From: 192.168.0.32:41634, to: 1.1.1.1:53, protocol: UDP

So the queries from the phone are still not being blocked:

pi@raspberrypi:~ $ sudo grep goooooooo /var/log/pihole.log
Feb 26 06:05:44 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:18 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:18 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 10:03:21 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:21 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:21 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:21 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 14:43:54 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 14:43:54 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 17:39:30 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 17:39:30 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 17:39:30 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 17:39:30 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.47
Feb 26 18:36:09 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 127.0.0.1
Feb 26 18:36:09 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 18:36:33 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.32
Feb 26 18:36:33 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 19:11:03 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 127.0.0.1
Feb 26 19:11:03 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 19:11:05 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 127.0.0.1
Feb 26 19:11:05 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 19:32:50 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.196
Feb 26 19:32:50 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 20:30:37 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 20:30:37 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 20:30:37 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 20:30:37 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42

The five blacklisted queries were generated by the tests we did and by me trying to use the URL in a browser on my laptop. The last (forwarded) query was from the phone. Could the phone queries be malformed in some way, so that pi-hole is not matching them to the blacklist?

What is displayed on the web admin query log?

It could be using UTF-8 characters or something that looks visually the same.

I did find https://www.reddit.com/r/samsunggalaxy/comments/eq0qu5/weird_googleish_domains_from_samsung_galaxy_s10/ that seems to explain it but not sure how to get rid of it, or what happens if it's blocked.

Try adding the bare domain to the blacklist as well. goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com

yes, I noticed that the "reply" was missing the www.

I've just accessed the www.goooo...ogle.com URL from Chrome on the phone and it got through to the GoDaddy site. On the pi-hole log it lists this query as gooo...ogle.com, without the www.

Why not use a regex? With

(\.|^)goo(o+)gle\..+$

everything that is not a "normal" google (three or more o's) will get pi-holed.

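As an added example (not code from the thread or from Pi-hole itself), the following Python script pairs each query[A] line in a pihole.log excerpt with its outcome and then lists the forwarded queries that Pisome's regex would have caught, including the bare CNAME target the phone ends up asking for. The log lines are constructed to mirror the thread's (shorter domain, same clients and upstreams); the function and variable names are my own.

```python
import re

# Regex proposed in the thread: "google" spelled with three or more o's, as a
# whole label, under any TLD (plain google.com, two o's, does not match).
PIHOLE_REGEX = re.compile(r"(\.|^)goo(o+)gle\..+$")

# Constructed dnsmasq lines in the shape of the thread's pihole.log (shorter
# domain); the third query is the bare CNAME target the phone ends up asking for.
SAMPLE_LOG = """\
Feb 26 10:03:18 dnsmasq[537]: query[A] www.goooooooogle.com from 192.168.0.205
Feb 26 10:03:18 dnsmasq[537]: forwarded www.goooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: reply www.goooooooogle.com is <CNAME>
Feb 26 10:03:18 dnsmasq[537]: reply goooooooogle.com is 184.168.221.42
Feb 26 18:36:33 dnsmasq[537]: query[A] www.goooooooogle.com from 192.168.0.32
Feb 26 18:36:33 dnsmasq[537]: /etc/pihole/black.list www.goooooooogle.com is 0.0.0.0
Feb 26 20:30:37 dnsmasq[537]: query[A] goooooooogle.com from 192.168.0.205
Feb 26 20:30:37 dnsmasq[537]: forwarded goooooooogle.com to 1.0.0.1
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: (?P<msg>.+)$")

def parse_queries(log_text):
    """Pair each query[...] line with its outcome: 'blocked' (answered from
    black.list), 'forwarded' (sent upstream) or 'unanswered'."""
    queries, latest = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        parts = m.group("msg").split()
        if parts[0].startswith("query["):
            q = {"ts": m.group("ts"), "name": parts[1],
                 "client": parts[3], "action": "unanswered"}
            queries.append(q)
            latest[parts[1]] = q  # most recent open query for this name
        elif parts[0] == "forwarded" and parts[1] in latest:
            latest[parts[1]]["action"] = "forwarded"
        elif parts[0].endswith("black.list") and parts[1] in latest:
            latest[parts[1]]["action"] = "blocked"
    return queries

def regex_gaps(queries, pattern=PIHOLE_REGEX):
    """Forwarded queries the regex would have blocked: the leak to chase."""
    return [q for q in queries
            if q["action"] == "forwarded" and pattern.search(q["name"])]

def has_lookalike_chars(name):
    # The thread's other suspicion: non-ASCII (e.g. Cyrillic) look-alike letters.
    return not name.isascii()
```

Run against the real /var/log/pihole.log, the output of regex_gaps is the list of client/name pairs that slipped past the exact-match blacklist, which is what to compare with the IPS alerts.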

Thanks Pisome -- very helpful indeed. I'll try that if the bare domain isn't enough. This is very odd: the same link used under Chrome from my laptop is blocked, so it seems to be device dependent. I think the fact that the same DNS query raises an IPS alert as it passes through my router has to be a clue.