NOT an expert, but my interpretation is:
your dig commands go to @127.0.0.1 -p 5353, which is probably unbound (from the additional info in the topic title).
Unbound doesn't whitelist or blacklist, it forwards the requests coming from pihole-FTL
To verify whitelisting and blacklisting, you should use dig @127.0.0.1 -p 53 OR dig @<your pihole IP address> -p 53; that is where the clients are sending their requests to, and this will give you the answer you expect, based on your whitelist and blacklist.
I have unbound running on IPv6 fdaa:bbcc:ddee:2::5552, port 5552
pihole is running on 192.168.2.57, the IP used as DNS server for all clients
I have ligatus.com blocked
output from a query to unbound:
dig @fdaa:bbcc:ddee:2::5552 -p 5552 ligatus.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> @fdaa:bbcc:ddee:2::5552 -p 5552 ligatus.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22619
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;ligatus.com. IN A
;; ANSWER SECTION:
ligatus.com. 3572 IN A 35.189.193.103
;; Query time: 0 msec
;; SERVER: fdaa:bbcc:ddee:2::5552#5552(fdaa:bbcc:ddee:2::5552)
;; WHEN: Tue Sep 11 10:57:38 CEST 2018
;; MSG SIZE rcvd: 56
returns IP 35.189.193.103, the real answer.
output from a query to pihole-FTL (all the clients use this):
dig @192.168.2.57 -p 53 ligatus.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.2.57 -p 53 ligatus.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10103
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ligatus.com. IN A
;; ANSWER SECTION:
ligatus.com. 2 IN A 0.0.0.0
;; Query time: 0 msec
;; SERVER: 192.168.2.57#53(192.168.2.57)
;; WHEN: Tue Sep 11 11:01:34 CEST 2018
;; MSG SIZE rcvd: 56
returns 0.0.0.0, the answer as presented to the clients, using 192.168.2.57 (pihole) as DNS server
edit
the whitelist isn't even used by pihole-FTL, it is used to build gravity.list. The gravity.list and black.list are processed by pihole-FTL. If a DNS entry is in that list, the request doesn't even go to unbound, but 0.0.0.0 is replied immediately (OR the appropriate reply for the BLOCKINGMODE you use). Only requests that aren't in the above mentioned lists are forwarded to unbound, e.g.:
blocked entry (in gravity.list OR black.list):
client -> pihole-FTL -> client
unblocked entry (NOT in gravity.list OR black.list):
client -> pihole-FTL -> unbound -> DNS servers -> unbound -> pihole-FTL -> client
/edit
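The check described in the post, as an added example (not the poster's own script): query pihole-FTL on port 53 and unbound on its own port for the same domain and classify each answer, so the two views can be compared side by side. The addresses and ports are the ones from the post; the dig outputs embedded below are constructed samples so the classification logic runs offline, and check_domain is a hypothetical wrapper that would run the live queries.

```shell
#!/bin/sh
# Resolver addresses from the post: clients use pihole-FTL on port 53,
# pihole-FTL forwards unblocked queries to unbound on its own port.
PIHOLE="192.168.2.57"
UNBOUND="fdaa:bbcc:ddee:2::5552"
UNBOUND_PORT=5552

# Pull the A-record addresses out of the ANSWER SECTION of a dig output.
# Answer lines look like: "ligatus.com.  2  IN  A  0.0.0.0"
answer_ips() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5 }'
}

# Classify one dig output:
#   blocked  - every A record is the 0.0.0.0 sentinel pihole-FTL returns
#              for a gravity.list/black.list hit (default BLOCKINGMODE)
#   resolved - a real address came back (forwarded to unbound upstream)
#   empty    - no A record at all (NXDOMAIN/NODATA style blocking modes,
#              or a domain that does not exist)
classify() {
    ips=$(answer_ips "$1")
    if [ -z "$ips" ]; then echo empty; return; fi
    for ip in $ips; do
        if [ "$ip" != "0.0.0.0" ]; then echo resolved; return; fi
    done
    echo blocked
}

# Hypothetical live check: compare the client view with the upstream view.
check_domain() {
    client_view=$(classify "$(dig "@$PIHOLE" -p 53 "$1")")
    upstream_view=$(classify "$(dig "@$UNBOUND" -p "$UNBOUND_PORT" "$1")")
    echo "$1: clients see '$client_view', unbound itself returns '$upstream_view'"
}

# Constructed samples (trimmed dig output) standing in for live queries.
PIHOLE_SAMPLE=';; ANSWER SECTION:
ligatus.com.		2	IN	A	0.0.0.0'
UNBOUND_SAMPLE=';; ANSWER SECTION:
ligatus.com.		3572	IN	A	35.189.193.103'
NXDOMAIN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;ligatus.com.			IN	A'

echo "pihole sample:   $(classify "$PIHOLE_SAMPLE")"    # blocked
echo "unbound sample:  $(classify "$UNBOUND_SAMPLE")"   # resolved
echo "nxdomain sample: $(classify "$NXDOMAIN_SAMPLE")"  # empty
if [ $# -gt 0 ]; then check_domain "$1"; fi
```

Run with a domain as the first argument to perform the live comparison against your own Pi-hole and unbound.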