www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com on my pihole:
and checked it is there
pi@raspberrypi:~ $ pihole -q www.goooooooooooooooo
Match found in Blacklist
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com
and restarted the pi, but DNS requests continue to be sent out:
pi@raspberrypi:~ $ sudo grep goooooooo /var/log/pihole.log
Feb 26 06:05:44 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:18 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:18 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 10:03:21 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:21 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:21 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:21 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 14:43:54 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 14:43:54 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 17:39:30 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 17:39:30 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 17:39:30 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 17:39:30 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.47
Is there something else I need to do? I've no idea what the site is, but the requests are coming from a Samsung phone and generate IPS alerts of "non-Compliant DNS traffic".
Those both show the domain is being blocked by Pi-hole. If you go to the query log on the Pi-hole admin interface you should see those two queries in red and showing they were blocked.
Can you confirm that is what is showing on the web interface?
Looks like that should be working then. You should be able to click on the domain name in that display and drill down to only show that domain. I'd keep an eye on it and see if there are any more OK responses now.
The queries that you show blocked in the latest output from the query log are both coming from localhost, not from the phone. Are the queries from the phone being blocked?
I guess we will have to wait and see, but I've just tried in a web browser from my laptop and it was successfully blocked. I don't know the phone app that is generating the query. This was highlighted by my UniFi IPS filter that logs the query as
IPS Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set. From: 192.168.0.32:41634, to: 1.1.1.1:53, protocol: UDP
So the queries from the phone are still not being blocked:
pi@raspberrypi:~ $ sudo grep goooooooo /var/log/pihole.log
Feb 26 06:05:44 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:18 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:18 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:18 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 10:03:21 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 10:03:21 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 10:03:21 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 10:03:21 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 14:43:54 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 14:43:54 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 14:43:54 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 14:43:54 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
Feb 26 17:39:30 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 17:39:30 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.1.1.1
Feb 26 17:39:30 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 17:39:30 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.47
Feb 26 18:36:09 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 127.0.0.1
Feb 26 18:36:09 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 18:36:33 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.32
Feb 26 18:36:33 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 19:11:03 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 127.0.0.1
Feb 26 19:11:03 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 19:11:05 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 127.0.0.1
Feb 26 19:11:05 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 19:32:50 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.196
Feb 26 19:32:50 dnsmasq[537]: /etc/pihole/black.list www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 0.0.0.0
Feb 26 20:30:37 dnsmasq[537]: query[A] www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com from 192.168.0.205
Feb 26 20:30:37 dnsmasq[537]: forwarded www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com to 1.0.0.1
Feb 26 20:30:37 dnsmasq[537]: reply www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is <CNAME>
Feb 26 20:30:37 dnsmasq[537]: reply goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com is 184.168.221.42
The five blacklisted queries were generated by the tests we did and by me trying to use the URL in a browser on my laptop. The last (forwarded) query was from the phone. Could the phone queries be malformed in some way, so that Pi-hole is not matching them to the blacklist?
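The per-client split asked for above (which clients' queries were forwarded upstream and which hit black.list) can be pulled out of /var/log/pihole.log mechanically rather than by eye. The following is an added example, not code from this thread or from the Pi-hole project. It correlates dnsmasq's query/forwarded/black.list/reply lines by queried name, in the log format shown above, and tallies the outcome per client; the sample log embedded in it is constructed (placeholder domain and addresses), and the Pi-hole v4 list paths /etc/pihole/black.list and gravity.list are assumed from the log lines in the thread.

```python
"""Correlate Pi-hole (dnsmasq) log lines into per-query outcomes, per client."""
import re
from collections import Counter, defaultdict

# One dnsmasq log line: "Feb 26 06:05:44 dnsmasq[537]: <event>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<event>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
# Assumed Pi-hole v4 list-hit format: "/etc/pihole/black.list <name> is 0.0.0.0"
BLOCK_RE = re.compile(r"^/etc/pihole/(?:black|gravity)\.list (?P<name>\S+) is (?P<addr>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<answer>.*)$")

# Constructed sample: two clients, same name, different outcomes (not a real capture).
SAMPLE_LOG = """\
Feb 26 06:05:44 dnsmasq[537]: query[A] www.blocked.example from 192.168.0.205
Feb 26 06:05:44 dnsmasq[537]: forwarded www.blocked.example to 1.0.0.1
Feb 26 06:05:44 dnsmasq[537]: forwarded www.blocked.example to 1.1.1.1
Feb 26 06:05:44 dnsmasq[537]: reply www.blocked.example is <CNAME>
Feb 26 06:05:44 dnsmasq[537]: reply blocked.example is 198.51.100.42
Feb 26 18:36:33 dnsmasq[537]: query[A] www.blocked.example from 192.168.0.32
Feb 26 18:36:33 dnsmasq[537]: /etc/pihole/black.list www.blocked.example is 0.0.0.0
Feb 26 19:32:50 dnsmasq[537]: query[A] WWW.Blocked.Example from 192.168.0.196
Feb 26 19:32:50 dnsmasq[537]: /etc/pihole/black.list WWW.Blocked.Example is 0.0.0.0
Feb 26 20:30:37 dnsmasq[537]: query[A] www.blocked.example from 192.168.0.205
Feb 26 20:30:37 dnsmasq[537]: forwarded www.blocked.example to 1.0.0.1
Feb 26 20:30:37 dnsmasq[537]: reply www.blocked.example is <CNAME>
Feb 26 20:30:37 dnsmasq[537]: reply blocked.example is 198.51.100.42
"""


def norm(name):
    """DNS names are case-insensitive; compare lowercased without a trailing dot."""
    return name.lower().rstrip(".")


def parse_queries(log_text):
    """Return one record per query[...] line with its outcome attached.

    dnsmasq names the client only on the query line; the forwarded / list-hit /
    reply lines that follow carry just the name, so each is attached to the most
    recent query seen for that name. A reply for a CNAME target (a different
    name, as in the log above) matches no open query and is ignored.
    """
    records, open_by_name = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        event = m.group("event")
        q = QUERY_RE.match(event)
        if q:
            rec = {"ts": m.group("ts"), "qtype": q["qtype"], "name": q["name"],
                   "client": q["client"], "outcome": "unanswered",
                   "upstreams": [], "answers": []}
            records.append(rec)
            open_by_name[norm(q["name"])] = rec
            continue
        for rx, kind in ((FORWARD_RE, "forwarded"), (BLOCK_RE, "blocked"), (REPLY_RE, "reply")):
            e = rx.match(event)
            if not e:
                continue
            rec = open_by_name.get(norm(e["name"]))
            if rec is not None:
                if kind == "forwarded":
                    rec["upstreams"].append(e["upstream"])
                    if rec["outcome"] != "blocked":
                        rec["outcome"] = "forwarded"
                elif kind == "blocked":
                    rec["outcome"] = "blocked"
                else:
                    rec["answers"].append(e["answer"])
            break
    return records


def summarize(records, domain):
    """Per-client tally of outcomes for one queried name (case-insensitive)."""
    target = norm(domain)
    tally = defaultdict(Counter)
    for rec in records:
        if norm(rec["name"]) == target:
            tally[rec["client"]][rec["outcome"]] += 1
    return {client: dict(c) for client, c in tally.items()}


def leaking_clients(records, domain):
    """Clients whose queries for a name that should be blocked went upstream instead."""
    return sorted(c for c, t in summarize(records, domain).items() if t.get("forwarded"))


if __name__ == "__main__":
    # Real use: parse_queries(open("/var/log/pihole.log").read())
    recs = parse_queries(SAMPLE_LOG)
    for client, outcomes in summarize(recs, "www.blocked.example").items():
        print(client, outcomes)
    print("forwarded despite blacklist:", leaking_clients(recs, "www.blocked.example"))
```

Running it against the real log (swap SAMPLE_LOG for the file contents) gives the split the helper asked for: one line per client with counts of blocked versus forwarded, so a single device being forwarded while every other client is blocked stands out at once.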
yes, I noticed that the "reply" was missing the www.
I've just accessed the www.goooo...ogle.com URL from Chrome on the phone and it got through to the GoDaddy site. On the Pi-hole log it lists this query as gooo...ogle.com, without the www.
Thanks Pisome -- very helpful indeed. I'll try that if the bare domain isn't enough. This is very odd: the same link used under Chrome from my laptop is blocked, so it seems to be device dependent. I think the fact that the same DNS query raises an IPS alert as it passes through my router has to be a clue.