Blocked pages, even with disabled Pi-Hole and green entries in query log

guest123 · April 24, 2022, 5:47pm

A person in my household is trying to find a job. Many corporate webpages have their job openings listed on other domains. With withelisting and even disabling Pi-Hole blocking (via webinterface) the pages cannot be reached from our network. (They are working using another network - 4G for example)

Expected Behaviour:

Access domains like
jobs.schott.com or https://careers.bachem.com

-operating system: 2 Win 10 PCs, Firefox, Chrome, latest versions, iPhone XR latest version with Firefox Focus and Safari
-hardware: Pi-Hole runs on armbian, OrangePi Zero since many years - typical out of the box setup
-SW: no modifications done, quite a lot of blocklists though

Actual Behaviour:

Pages cannot be reached, Firefox e.g.: "Error: Network timeout. There was an error when connecting to join.schott.com
despite green entries in the query log:

2022-04-24 19:40:34 	A	careers.bachem.com	clientxyz.fritz.box	OK, sent to dns.opendns.com#53	N/A	
2022-04-24 19:40:35 	A	careers.bachem.com	clientxyz.fritz.box	OK, answered by dns.opendns.com#53	CNAME (84.4ms)

2022-04-24 19:46:54 	A	join.schott.com	clientxyz.fritz.box	OK, sent to dns.opendns.com#53	N/A	
2022-04-24 19:46:54 	A	join.schott.com	clientxyz.fritz.box	OK, answered by dns.opendns.com#53	CNAME (8.9ms)

Debug Token:

https://tricorder.pi-hole.net/4IpdQ52R/

guest123 · April 24, 2022, 5:52pm

NS Lookup, maybe this is helpful:

nslookup join.schott.com 208.67.222.222
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
join.schott.com canonical name = schott.jobs2web.com.
schott.jobs2web.com     canonical name = rmk12.jobs2web.com.
Name:   rmk12.jobs2web.com
Address: 155.56.230.62

nslookup careers.bachem.com 208.67.222.222
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
careers.bachem.com      canonical name = bachem.jobs2web.com.
bachem.jobs2web.com     canonical name = rmk12.jobs2web.com.
Name:   rmk12.jobs2web.com
Address: 155.56.230.62

Seems both companies use the same provider

Bucking_Horn · April 25, 2022, 7:26am

Your log excerpts don't show those domains to be blocked:
Pi-hole has forwarded them upstream to dns.opendns.com#53.

You should be able to verify by running your nslookups through Pi-hole.

guest123 · April 25, 2022, 2:37pm

Thank you, but the nslookups above where already done through Putty / SSH via Pi-Hole.
Still the webpages do not load. I also tried using different upstream DNS servers (incl. rebooting Pi-Hole / Armbian), still cannot access it from my network. Also not when disabling Pi-Hole. Can you point me to other troubleshooting guides maybe if this is not or not obviously a Pi-Hole issue - maybe some traceroute stuff or idk...

Bucking_Horn · April 25, 2022, 8:21pm

Your nslookups show successful resolutions, but they have not been processed by Pi-hole.
You have run them through OpenDNS's server at 208.67.222.222.

guest123 · April 26, 2022, 5:44pm

Thank you for the reply.
Oh okay, sorry.
Same answer when running it through Pi-Hole:

nslookup careers.bachem.com 192.168.178.2
Server:         192.168.178.2
Address:        192.168.178.2#53

Non-authoritative answer:
careers.bachem.com      canonical name = bachem.jobs2web.com.
bachem.jobs2web.com     canonical name = rmk12.jobs2web.com.
Name:   rmk12.jobs2web.com
Address: 155.56.230.62

Also when using Win10 cmd

nslookup join.schott.com 192.168.178.2
Server:  pi.hole
Address:  192.168.178.2

Nicht autorisierende Antwort:
Name:    rmk12.jobs2web.com
Address:  155.56.230.62
Aliases:  join.schott.com
          schott.jobs2web.com

Still the page doesn't load from any device in my network.
Any idea what else I could try?

Bucking_Horn · April 26, 2022, 6:17pm

The domains themselves are not blocked, but they may yet reference third-party resources served via other domains.

The following may help to identify which domains would be involved::

guest123 · May 1, 2022, 8:46am

Thank you again for your help and for pointing me to that page.
I made a step closer, but I am still stuck.

So I installed that "adam:ONE Assistant" and connected my PC to my phone (WIFI hotspot) to load the pages. Got these findings:

join.schott.com
rmkcdn.successfactors.com
csbep-schott-prod.web.app
cdn.recruiting-solutions.org
europe-west1-csbep-75ff0.cloudfunctions.net

and for the other page

careers.bachem.com
rmkcdn.successfactors.com

That was the postive news. Back to home WIFI and to the whitelist, after reading RegEx Tutorial Tutorial - Pi-hole documentation I added these whitelist entries:

RegEx	\.successfactors\.
Exact whitelist	rmkcdn.successfactors.com
Exact whitelist csbep-schott-prod.web.app
RegEx	\.recruiting-solutions\.
RegEx	\.cloudfunctions\.net
Exact whitelist cdn.recruiting-solutions.org
Exact whitelist europe-west1-csbep-75ff0.cloudfunctions.net

I rebooted Pi-Hole and I flushed my Windows DNS cache.
It still does not work. (That is also why I added redundant stuff to the Whitelist since I am not sure if I did something wrong with the RegEx filters)

system · May 22, 2022, 8:47am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.