Blocked sites result in NET::ERR_CERT_COMMON_NAME_INVALID

I recently started using Pi-hole on my network and I have noticed that blocked sites result in NET::ERR_CERT_COMMON_NAME_INVALID

Is this normal? Would it be possible to have a more user-friendly page, something to tell you it's blocked by the Pi?

You're probably not using the default blocking mode but that's something the debug log would have showed us.

If you're trying to use IP blocking mode then this is what will happen for the majority of sites now. You're effectively performing a man in the middle attack for HTTPS/TLS when you try to intercept encrypted traffic and replace the servers with your own. That's why IP blocking mode is not the default mode anymore.

So I haven't blocked anything explicitly but I guess one of my adlists blocked this particular one. (swedroid.se). I run pihole using the following docker-compose file, I haven't changed any settings:

version: '3.6'
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    hostname: pihole
    volumes:
      - ./pihole/pihole/:/etc/pihole/
      - ./pihole/dnsmasq.d/:/etc/dnsmasq.d/
    cap_add:
      - NET_ADMIN
    environment:
      - ServerIP=192.168.1.138
      - TZ=Europe/Berlin
      - PIHOLE_DNS_=1.1.1.1
      - WEBPASSWORD=SomePassword #Replace this
    network_mode: "host"

I just took a debug log:

[2021-05-18 16:38:18.637 337M] BLOCKINGMODE: Null IPs for blocked domains

Not sure what that means.

(Using v 5.3.1)

You don't have to guess - you may use Tools | Query Lists to find out whether that domain is on one of your blocklists.


But then everything is fine. It would be nice to have a blocking page, but I thought there was something built in, like a toggle in the UI. Will have to do some more reading.

NULL blocking mode means the Pi-hole returns 0.0.0.0 as the address for blocked domains. That is a null IP address, and your screenshots show that your Android was able to connect to some server. Those are two conditions that cannot happen together.

As for blocking pages, that doesn't work for HTTPS sites, as I've explained previously. You cannot imitate an HTTPS/TLS site unless you do some trickery with certificates and Certificate Authority setups to break encryption.

Hm okay.. so what does that mean? Is it using some other DNS server? I don't have any other DNS server configured on my network... When I check the logs, it looks like the requests are coming in as they should. If I unblock swedroid.se on my Pi, it works fine again from my phone.

Ok, that is fine. I am not blocking any pages; it was one of my lists which for some reason had it on there.

Edit:

Bah, I found the issue. Turns out I was still using AdAway on my phone and its included web server (it's supposed to help if hosts-file blocking causes app freezes). That was the one causing the issue; I have the same list there, which also blocked swedroid.

We can close this thread. :slight_smile:

That means that an IP address other than 0.0.0.0 was returned.

You can try blocking it again and doing a dig or nslookup to see what IP address is being returned, and what the IP of the DNS server is that is answering the dig or nslookup.

Edit: Or you can use the Android browser and tap on the Advanced link to show what the contents of the certificate are that is trying to be served for that domain.
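The dig/nslookup check suggested above, and the reasoning in the earlier replies about what each answer means (0.0.0.0 for NULL mode, the Pi-hole's own address for IP mode, a loopback address when a local hosts-file blocker such as AdAway's web server is answering), can be scripted. The following is an added example, not Pi-hole's own code or anything from this thread: it builds a DNS A query, parses the reply by hand, and classifies the answer. The constructed replies it tests against use the `ServerIP` from the docker-compose file above (192.168.1.138) and a hypothetical unblocked address from the documentation range 203.0.113.0/24; the `resolve()` function needs network access and is only for running against your own resolver.

```python
import ipaddress
import socket
import struct

# Constructed values for the offline demo (assumptions, not from the thread's logs):
# the Pi-hole address from the docker-compose above and a hypothetical unblocked
# address in the documentation range 203.0.113.0/24.
PIHOLE_IP = "192.168.1.138"
UPSTREAM_IP = "203.0.113.10"

def encode_name(domain):
    """Encode 'swedroid.se' as DNS labels: 0x08 'swedroid' 0x02 'se' 0x00."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(domain, txid=0x1234):
    """Standard recursive A query (QTYPE=1, QCLASS=IN), as dig/nslookup would send."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack(">HH", 1, 1)

def build_response(domain, addrs, rcode=0, txid=0x1234):
    """Constructed reply of the kind a resolver sends back; used only for the demo/test."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the response code
    msg = struct.pack(">HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    msg += encode_name(domain) + struct.pack(">HH", 1, 1)
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = 28 if ip.version == 6 else 1  # AAAA or A
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 60, len(ip.packed)) + ip.packed
    return msg

def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off

def parse_answers(msg):
    """Return (header flags, list of A/AAAA addresses) from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in (1, 28) and rdlen in (4, 16):
            addrs.append(str(ipaddress.ip_address(rdata)))
    return flags, addrs

def classify(flags, addrs, resolver_ip):
    """Map a reply to the blocking behaviour it implies for the client."""
    if flags & 0xF == 3:
        return "NXDOMAIN"  # NXDOMAIN blocking mode
    if not addrs:
        return "NODATA"    # NODATA mode, or the name simply has no A/AAAA record
    ips = [ipaddress.ip_address(a) for a in addrs]
    if all(ip.is_unspecified for ip in ips):
        return "NULL"      # 0.0.0.0 / :: -> the client cannot connect anywhere
    if all(ip.is_loopback for ip in ips):
        return "LOOPBACK"  # 127.0.0.1 / ::1 -> a local web server (hosts-file blocker) may answer
    if all(str(ip) == resolver_ip for ip in ips):
        return "IP"        # the resolver's own address -> TLS fails: NET::ERR_CERT_COMMON_NAME_INVALID
    return "ALLOWED"

def resolve(domain, server, timeout=2.0):
    """Live check (needs network): query `server` over UDP and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain), (server, 53))
        data, (src, _port) = s.recvfrom(4096)
    flags, addrs = parse_answers(data)
    return src, addrs, classify(flags, addrs, src)

if __name__ == "__main__":
    for label, reply in [("null mode", build_response("swedroid.se", ["0.0.0.0"])),
                         ("ip mode", build_response("swedroid.se", [PIHOLE_IP])),
                         ("nxdomain", build_response("swedroid.se", [], rcode=3)),
                         ("not blocked", build_response("swedroid.se", [UPSTREAM_IP]))]:
        flags, addrs = parse_answers(reply)
        print(label, addrs, classify(flags, addrs, PIHOLE_IP))
```

Run against a real resolver with `resolve("swedroid.se", "192.168.1.138")`: the returned source address tells you which server actually answered (the point of the dig/nslookup suggestion), and an `IP` verdict is exactly the case where the browser reaches the Pi-hole's web server and rejects its certificate. A `LOOPBACK` verdict from the phone's own resolver would have pointed at the AdAway web server the original poster eventually found.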
