Blacklisting and Whitelisting doesn't work


Expected Behaviour:

Blacklisting and Whitelisting should work.

Actual Behaviour:

  • Dashboard shows Top Permitted Domains with *fritz.box but only from my Huawei P10 Plus as Client

  • log-ingestion-eu.samsungacr.com is on my Blocklist and it will be forwarded.
    dig @127.0.0.1 -p 5353 log-ingestion-eu.samsungacr.com gives me an IP and not NXDOMAIN

  • The Imageboard pr0gramm.com will be blocked since the Update in 4.0. I have every Subdomain on Whitelist and pihole still blocks. The command: dig @127.0.0.1 -p 5353 pr0gramm.com and with www.pr0gramm.com pull out the IP 37.48.82.97.

  • I deleted every Cache several times from Windows, Chrome, pihole but the result is the same.

  • I also deleted the mentioned domains several times and added them again via the dashboard or via the command pihole -w.

Debug Token:

dd9ofaxnk0

Thanks!

NOT an expert, but my interpretation is:
your dig commands go to @127.0.0.1 -p 5353, which is probably unbound (from the additional info in the topic title).
Unbound doesn't whitelist or blacklist; it forwards the requests coming from pihole-FTL.
To verify whitelisting and blacklisting, you should use dig @127.0.0.1 -p 53 OR dig @<your pihole IP address> -p 53; that is where the clients are sending their requests to, and this will give you the answer you expect, based on your whitelist and blacklist.

I have unbound running on IPv6 fdaa:bbcc:ddee:2::5552, port 5552
pihole is running on 192.168.2.57, the IP used as DNS server for all clients
I have ligatus.com blocked

output from a query to unbound:

dig @fdaa:bbcc:ddee:2::5552 -p 5552 ligatus.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> @fdaa:bbcc:ddee:2::5552 -p 5552 ligatus.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22619
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;ligatus.com.                   IN      A

;; ANSWER SECTION:
ligatus.com.            3572    IN      A       35.189.193.103

;; Query time: 0 msec
;; SERVER: fdaa:bbcc:ddee:2::5552#5552(fdaa:bbcc:ddee:2::5552)
;; WHEN: Tue Sep 11 10:57:38 CEST 2018
;; MSG SIZE  rcvd: 56

returns IP 35.189.193.103, the real answer.

output from a query to pihole-FTL (all the clients use this):

dig @192.168.2.57 -p 53 ligatus.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.2.57 -p 53 ligatus.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10103
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ligatus.com.                   IN      A

;; ANSWER SECTION:
ligatus.com.            2       IN      A       0.0.0.0

;; Query time: 0 msec
;; SERVER: 192.168.2.57#53(192.168.2.57)
;; WHEN: Tue Sep 11 11:01:34 CEST 2018
;; MSG SIZE  rcvd: 56

returns 0.0.0.0, the answer, as presented to the clients, using 192.168.2.57 (pihole) as DNS server

edit
the whitelist isn't even used by pihole-FTL, it is used to build gravity.list. The gravity.list and black.list are processed by pihole-FTL. If a DNS entry is in that list, the request doesn't even go to unbound, but 0.0.0.0 is replied immediately (OR the appropriate reply for the BLOCKINGMODE you use). Only requests that aren't in the above mentioned lists are forwarded to unbound, e.g.
blocked entry (in gravity.list OR black.list):
client -> pihole-FTL -> client
unblocked entry (NOT in gravity.list OR black.list):
client -> pihole-FTL -> unbound -> DNS servers -> unbound -> pihole-FTL -> client
/edit

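The check described in the reply above, written out as a script (an added example, not part of the original posts or of Pi-hole itself): it queries the Pi-hole listener on port 53 and the upstream resolver separately and reports whether the answer the clients see was blocked or forwarded. The function names `verdict`, `first_a` and `check_domain` are hypothetical, and the upstream address and port are assumptions you pass in.

```shell
#!/bin/sh
# Added example: tell a Pi-hole block from a forwarded answer.

# verdict PIHOLE_ANSWER UPSTREAM_ANSWER [PIHOLE_IP]
# Inputs are the first A record each resolver returned ("" if none).
verdict() {
    v_ph=$1; v_up=$2; v_self=${3:-}
    if [ "$v_ph" = "0.0.0.0" ]; then
        echo "blocked"                      # null address, as in the ligatus.com output
    elif [ -n "$v_self" ] && [ "$v_ph" = "$v_self" ]; then
        echo "blocked"                      # blocking mode that answers with Pi-hole's own IP
    elif [ -z "$v_ph" ] && [ -n "$v_up" ]; then
        echo "blocked"                      # empty answer from Pi-hole, real one upstream
    elif [ -z "$v_ph" ]; then
        echo "unresolved"                   # neither resolver returned an A record
    else
        echo "forwarded"                    # Pi-hole passed the upstream answer through
    fi
}

# first_a SERVER PORT DOMAIN: first IPv4 address in the answer (skips CNAME lines).
first_a() {
    dig +short +time=2 +tries=1 @"$1" -p "$2" "$3" A 2>/dev/null |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# check_domain DOMAIN PIHOLE_IP UPSTREAM_IP UPSTREAM_PORT
check_domain() {
    c_ph=$(first_a "$2" 53 "$1")            # what the clients are told
    c_up=$(first_a "$3" "$4" "$1")          # what unbound resolves
    printf '%s pihole=%s upstream=%s -> %s\n' \
        "$1" "${c_ph:-none}" "${c_up:-none}" "$(verdict "$c_ph" "$c_up" "$2")"
}

# Example call: sh check.sh ligatus.com 192.168.2.57 fdaa:bbcc:ddee:2::5552 5552
if [ "$#" -eq 4 ]; then check_domain "$@"; fi
```

A "forwarded" verdict for a domain that should be blocked, or "blocked" for one on the whitelist, points at the lists pihole-FTL loaded rather than at unbound.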

Thanks first for the technical explanation! I've done the dig command with my Rpi IP and get at pr0gramm.com 0.0.0.0 and at www.pr0gramm.com 37.48.82.97. I have both variants of the domain in the whitelist but I still can not open them. Means to me, whitelist does not work. Before the update to 4.0 ran without problems with and without unbound. I also tested different blocking modes but the result was the same. Is it HTTPS or Chrome? As a layman I can not understand, but only pass on the problem and hope that you have a solution ready or can find / make.

pi@raspberrypi:~ $ dig @192.168.178.32 -p 53 pr0gramm.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.178.32 -p 53 pr0gramm.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pr0gramm.com. IN A

;; ANSWER SECTION:
pr0gramm.com. 2 IN A 0.0.0.0

;; Query time: 0 msec
;; SERVER: 192.168.178.32#53(192.168.178.32)
;; WHEN: Fri Sep 14 12:38:07 CEST 2018
;; MSG SIZE rcvd: 57

pi@raspberrypi:~ $ dig @192.168.178.32 -p 53 www.pr0gramm.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.178.32 -p 53 www.pr0gramm.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.pr0gramm.com. IN A

;; ANSWER SECTION:
www.pr0gramm.com. 3134 IN A 37.48.82.97

;; Query time: 0 msec
;; SERVER: 192.168.178.32#53(192.168.178.32)
;; WHEN: Fri Sep 14 12:38:08 CEST 2018
;; MSG SIZE rcvd: 61

Thanks for your time.

www.pr0gramm.com redirects automatically to pr0gramm.com

  • what is the result of pihole -q -adlist pr0gramm.com
  • are you sure pr0gramm.com isn't in the black.list
  • are you using wildcards (not officially supported in pihole v4, but used in pihole v3)
  • do you have entries in /etc/pihole/regex.list

generate a debug log, so pihole support can have a look (webinterface / tools / generate debug log). I can't access the result, but pihole support can...

Hi, sorry I was on the heat up on assembly.
Before the update to 4.0, the page ran without problems

The result is :
pihole -q -adlist pr0gramm.com
Match found in Whitelist
img.pr0gramm.com
thumb.pr0gramm.com
full.pr0gramm.com
pr0gramm.com
www.pr0gramm.com
vid.pr0gramm.com

Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts :
miner.pr0gramm.com
app.pr0gramm.com
escobar.pr0gramm.com
m.pr0gramm.com
www-tb7c.pr0gramm.com
Match found in https://ncloud.zaclys.com/index.php/s/MPYSjLkb8cE8gPN/download:
ner.pr0gramm.com
umb.pr0gramm.com
r.pr0gramm.com
ll.pr0gramm.com
d.pr0gramm.com
w.pr0gramm.com
ner.pr0gramm.com
.pr0gramm.com
cobar.pr0gramm.com
atar.pr0gramm.com
g.pr0gramm.com
rensohn.pr0gramm.com
ns.pr0gramm.com
w-tb7c.pr0gramm.com
pr0gramm.com
p.pr0gramm.com
Match found in https://adblock.mahakala.is/:
app.pr0gramm.com
avatar.pr0gramm.com
escobar.pr0gramm.com
full.pr0gramm.com
hans.pr0gramm.com
hurensohn.pr0gramm.com
miner.pr0gramm.com
ww.pr0gramm.com
www-tb7c.pr0gramm.com
Match found in https://fanboy.co.nz/r/fanboy-ultimate.txt:
miner.pr0gramm.com
Match found in https://hostsfile.mine.nu/hosts0.txt:
app.pr0gramm.com
avatar.pr0gramm.com
escobar.pr0gramm.com
full.pr0gramm.com
hans.pr0gramm.com
hurensohn.pr0gramm.com
img.pr0gramm.com
m.pr0gramm.com
miner.pr0gramm.com
pr0gramm.com
thumb.pr0gramm.com
vid.pr0gramm.com
ww.pr0gramm.com
www-tb7c.pr0gramm.com
www.pr0gramm.com

From this site I have the regex list in my pihole. GitHub - mmotti/pihole-regex: Custom regex filter list for use with Pi-hole.
And I have log-ingestion-eu.samsungacr.com on the blocklist but that will also be redirected.
I had changed the Blocking Modes but this changed nothing.
If I open pr0gramm.com or www.pr0gramm.com pihole has also an entry of www.google.com blocked but google.com and www.google.com are in the Whitelist.

[✓] Your debug token is: 1g79u6in3s

Thanks for ideas or help!

You aren't on 4.0. You are on the development branch, which has the V4 features with some additional development code. I don't know if this was your intent, but be aware that with development code comes some potential problems. If you wish to return to the stable 4.0 master, use pihole checkout master

*** [ DIAGNOSING ]: Core version
[i] Core: v3.3.1 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: development (https://discourse.pi-hole.net/t/the-pihole-command-with-examples/738#checkout)
[i] Commit: v3.3.1-467-ga896153

*** [ DIAGNOSING ]: Web version
[i] Web: v3.3 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: devel (https://discourse.pi-hole.net/t/the-pihole-command-with-examples/738#checkout)
[i] Commit: v3.3-323-ga87d4e97

*** [ DIAGNOSING ]: FTL version
[✓] FTL: vDev-a4eabb7 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)

Yes, I know that I'm on dev because since 4.0 I got several problems with some domains. I was testing if changing to dev made it better with the domains. I tried to checkout master but I got an error.
/etc/.pihole/automated install/basic-install.sh: line 34: setupVars: readonly variable

The checkout bug will be fixed by this PR:

Very, very cool! I manually deleted the entry in the gravity.list and the page works again !!

I have in the Gravity.list but still various entries that start with ."domain". Is that perhaps an option, Domains the only one "." anticipate, delete directly at the list creation in order to avoid mistakes?

I have already tried various things but I did not have that on the list.
Thanks msatter!

I would like to add that, on the latest development branch, the blacklist feature is not working for me either.

What problems are you experiencing with blacklists on dev branch?

Blacklisted items are resolved to their corresponding IP address. Even after waiting >48 hours for devices to clear their cache (even though they shouldn't be cached because I used the dev branch only after upgrading straight from v4.0), it still resolves them. This is not the case with v4.0.

The only way to block them is through a gravity list.

I posted to this topic because the OP was on the dev branch as well and was having the same issue. If you would like me to make a new thread I'd be happy to.

Can you provide some examples from your logs, screens? This will help the devs analyze and duplicate the problem.

Debug Token: 45mk3jgat5

As far as I can tell, the pihole actually does block these requests but it does not register in the Web GUI as such.

For testing purposes, google.com and www.google.com were placed into the blacklist. Upon trying to access either of these, it shows in the Admin Console, "OK (cached)", indicating that the request was successful.

Upon visiting these sites, the connection is correctly refused.
In Chrome, "google.com refused to connect", indicating that it functions as it should. It seems to be a GUI issue.

Your problem appears similar to this open thread:

https://discourse.pi-hole.net/t/domain-being-blocked-but-shown-as-not-blocked-in-query/13272/61
