Boy, this doesn't look right any more. My PiHole queries

Expected Behaviour:

I set up Pihole about 2 weeks ago, then set up unbound last week... things were going pretty well overall. Learned some things from this forum, thank you.

I worked on my router yesterday, upgraded the Merlin firmware from old to current.
I had to re-input various settings of course... I noticed on my Pi-hole dashboard, the colors and the block % is waaaaay lower. I had about a 30% block of queries, not any more. And I don't know what's going on sadly... if anyone can be detective for me?

Actual Behaviour:

The "Forward destinations" is 72.2%... that's my router. What does that mean, my router is 'answering' 72.2% of queries stemming from my devices on my network connected to my router?


Debug Token:

https://tricorder.pi-hole.net/zqxclpq6ge

The block rate isn't any kind of measure for judging Pi-hole's operation.

It is expected to fluctuate, depending on your network's activity.
Spend a whole day just here in the forums, and block rate will be close to zero.
And you specifically wouldn't want it to be at 100%, as that would mean you can't browse any site at all (if that's what you want, you may just pull the WAN cable from your router).

That said, I am not dismissing your observation altogether.
But to confirm or reject your hypothesis, you'd have to analyse data that would be available to you exclusively (and which you may not have collected then).

Meanwhile, to exclude a client bypassing Pi-hole due to configuration errors, you may use the following commands for a precursory check from a client that you expect to use Pi-hole:

nslookup pi.hole

That should return your Pi-hole's IP, and that IP should also match that of the server at the start of the very same reply. If so, it would confirm that your client is using Pi-hole as DNS server.

nslookup flurry.com 192.168.0.xx

Replace 192.168.0.xx with your Pi-hole's actual IP address before executing.
That should return 0.0.0.0 with a default Pi-hole, which would confirm your Pi-hole is blocking domains as expected.

Dear, what happens if it answers

Non-authoritative answer:
Name: flurry.com
Address: 74.6.136.151
Name: flurry.com
Address: 212.82.100.151
Name: flurry.com
Address: 98.136.103.24

This is no surprise and I expect your Pi-Hole still works perfectly.

Check your first picture, there are around 60k!! requests and they are all "ok" and not blocked. The rest of the diagram has only small values... That's why you "only" got 3.6% blocked. Wait 24h and check again.

Since flurry.com is a known ad-serving domain that is contained on most block lists, this domain should be blocked by Pi-hole. What was the full command you ran and the full output - the bit you posted does not indicate which server was queried and which server answered the query.

This is not the expected reply.

Sorry for the incomplete info, here are the total command responses:

PKBs-Macbook-Air:~ pkb$ nslookup pi.hole
Server: 192.168.15.10
Address: 192.168.15.10#53
Name: pi.hole
Address: 192.168.15.10
PKBs-Macbook-Air:~ pkb$ nslookup flurry.com 192.168.15.10

Server: 192.168.15.10
Address: 192.168.15.10#53
Non-authoritative answer:
Name: flurry.com
Address: 74.6.136.151
Name: flurry.com
Address: 212.82.100.151
Name: flurry.com
Address: 98.136.103.24

Both queries were answered by the Pi-hole. The first went to Pi-hole without specifying the IP, which confirms that the Mac is using Pi-hole for DNS.

The second went to Pi-hole, and the answer is not what we expect, as this domain should be blocked. So, let's figure out why it isn't being blocked. From the Pi terminal, what are the full outputs of these commands:

pihole -q -exact flurry.com

grep flurry.com /var/log/pihole.log | tail -n25

Here it is, thank you very much for taking this.


Sorry for the image, but as I am a newbie the forum doesn't let me include more than 5 links.

I bumped you up a level. You can also copy/paste the output text directly into a reply, and format that text block as "pre-formatted text" using the </> icon on the reply window.

Thank you for the bump and the tip... Here they go

pi@raspberrypi:~ $ pihole -q -exact flurry.com
 Exact match for flurry.com found in:
  - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts 
pi@raspberrypi:~ $ grep flurry.com /var/log/pihole.log | tail -n25
Aug 10 10:07:30 dnsmasq[625]: query[A] data.flurry.com from 192.168.15.2
Aug 10 10:07:30 dnsmasq[625]: forwarded data.flurry.com to 8.8.4.4
Aug 10 10:07:30 dnsmasq[625]: reply data.flurry.com is <CNAME>
Aug 10 11:27:44 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:27:44 dnsmasq[27827]: forwarded flurry.com to 8.8.4.4
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 74.6.136.151
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 212.82.100.151
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 98.136.103.24
Aug 10 11:31:17 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 98.136.103.24
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 212.82.100.151
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 74.6.136.151
Aug 10 11:31:17 dnsmasq[27827]: query[A] www.flurry.com from 192.168.15.2
Aug 10 11:31:17 dnsmasq[27827]: forwarded www.flurry.com to 8.8.4.4
Aug 10 11:31:17 dnsmasq[27827]: reply www.flurry.com is <CNAME>
Aug 10 11:31:18 dnsmasq[27827]: query[A] data.flurry.com from 192.168.15.2
Aug 10 11:31:18 dnsmasq[27827]: forwarded data.flurry.com to 8.8.4.4
Aug 10 11:31:18 dnsmasq[27827]: reply data.flurry.com is <CNAME>
Aug 10 11:32:45 dnsmasq[27827]: query[A] flurry.com from 192.168.15.10
Aug 10 11:32:45 dnsmasq[27827]: gravity blocked flurry.com is 0.0.0.0
Aug 10 11:34:37 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:34:37 dnsmasq[27827]: forwarded flurry.com to 8.8.8.8
Aug 10 11:34:37 dnsmasq[27827]: reply flurry.com is 212.82.100.151
Aug 10 11:34:37 dnsmasq[27827]: reply flurry.com is 74.6.136.151
Aug 10 11:34:37 dnsmasq[27827]: reply flurry.com is 98.136.103.24
pi@raspberrypi:~ $ 
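As an added illustration (not code from the thread or from the Pi-hole project), a small Python script that applies the reasoning in the replies to log lines in the same pihole.log format: it attributes each forwarded/cached/gravity-blocked outcome to the client that issued the query and flags clients whose queries for a listed domain were never blocked. The sample lines are a constructed subset of the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq/pihole.log format shown in the thread
# (a subset of the posted lines, not the poster's full log).
SAMPLE_LOG = """\
Aug 10 11:27:44 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:27:44 dnsmasq[27827]: forwarded flurry.com to 8.8.4.4
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 74.6.136.151
Aug 10 11:31:17 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 98.136.103.24
Aug 10 11:32:45 dnsmasq[27827]: query[A] flurry.com from 192.168.15.10
Aug 10 11:32:45 dnsmasq[27827]: gravity blocked flurry.com is 0.0.0.0
Aug 10 11:34:37 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:34:37 dnsmasq[27827]: forwarded flurry.com to 8.8.8.8
"""

# A query line names the client; the outcome line that follows names only the domain.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
RESULT_RE = re.compile(r"dnsmasq\[\d+\]: (forwarded|cached|gravity blocked) (\S+) ")


def summarize(log_text, domain_filter=None):
    """Per-client counts of how queries were resolved, keyed by client IP.

    Outcomes are attributed to the most recent query for the same domain,
    which is how dnsmasq orders its log lines. With domain_filter set, only
    queries for that domain are counted (use a domain pihole -q confirms
    is on a list, e.g. flurry.com in the thread)."""
    pending = {}  # domain -> client IP of the latest query for that domain
    summary = defaultdict(lambda: {"forwarded": 0, "cached": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _, domain, client = m.groups()
            if domain_filter is None or domain == domain_filter:
                pending[domain] = client
            continue
        m = RESULT_RE.search(line)
        if m:
            outcome, domain = m.groups()
            client = pending.get(domain)
            if client is not None:
                key = "blocked" if outcome == "gravity blocked" else outcome
                summary[client][key] += 1
    return {c: dict(v) for c, v in summary.items()}


def unprotected_clients(summary):
    """Clients whose queries were answered (forwarded/cached) but never blocked.
    In the thread this pattern pointed at a client group with no lists assigned."""
    return sorted(c for c, v in summary.items()
                  if v["blocked"] == 0 and v["forwarded"] + v["cached"] > 0)
```

Run it against `grep flurry.com /var/log/pihole.log` output: the router IP shows up as unprotected while the Pi-hole's own query is blocked, the same split the reply below diagnoses from the group assignments.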

Please generate a fresh debug log, upload it and post the token. We need a fresh look at your groups.

In the oven...
Meanwhile, I'll explain what I did: I created one group under the name of ROUTER-LINKSYS and populated it with everything that comes from 192.168.15.2.

Here is the debug token I have got
[✓] Your debug token is: https://tricorder.pi-hole.net/j8okta9e5g

You have added a new group, but all your blocking is assigned to the default group (0). All the clients on the new group 1 (which appears to cover your entire network), have no blocking applied:

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
   id    type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   ----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   2      1          1  0             r2---sn-5muxa-hxml.googlevideo.com                                                                    2020-08-09 19:44:10  2020-08-09 19:44:10  Added from Query Log                              
   3      1          1  0             r3---sn-5muxa-hxms.googlevideo.com                                                                    2020-08-09 19:44:16  2020-08-09 19:44:16  Added from Query Log                              
   4      1          1  0             r1---sn-ug5onuxajv-hxml.googlevideo.com                                                               2020-08-09 19:54:20  2020-08-09 19:54:20  Added from Query Log                              
   5      1          1  0             r1---sn-5muxa-hxms.googlevideo.com                                                                    2020-08-09 19:54:26  2020-08-09 19:54:26  Added from Query Log                              
   6      1          1  0             arbz.info                                                                                             2020-08-09 20:59:33  2020-08-09 20:59:33  Added from Query Log                              
   8        3        1  0             (\.|^)den01-search\.spotxchange\.com$                                                                 2020-08-10 11:03:38  2020-08-10 11:03:38                                                    
   10       3        1  0             (\.|^)origin\.360yield\.com$                                                                          2020-08-10 11:08:55  2020-08-10 11:08:55
*** [ DIAGNOSING ]: Clients
   id    group_ids     ip                                                                                                    date_added           date_modified        comment                                           
   ----  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1     1             192.168.15.2                                                                                          2020-08-10 09:13:01  2020-08-10 09:13:17  Router Linksys

Ok... sorry for the error, no groups better then?

I don't understand your purpose in adding a new group. It appears that in your network, all the queries to Pi-hole appear to originate from the router IP, so group management is not effective (all your clients are in a single group by default).

I would eliminate the client mapping for the router to the new group, and eliminate the new group. This will apply all your existing blocking to all clients and your Pi-hole will work correctly.

If you do want to be able to apply blocking to individual clients, you will have to make some changes in your network so Pi-hole can see individual IPs. Then, you can put individual IPs in groups.


Understood, I was only doing some tests, as you say most of the queries originated from the clients of that group. Thank you for your prompt and great answers. I already deleted the group and, as you said, the Pi-hole is now doing its job perfectly. Thank you again.


heheheh, oh I most certainly would not want it to be 100%.

I just can't make out how the pie chart looks different and the 24hr query chart is less busy after the only change to my environment was a firmware update to my router necessitating setting it up again.

Here's my updated info, screencaps:

The forward destinations for my router rt-ac68u went from 72.2% green to blue 1.7%.
The local host is now green and 90.6%.
Last night local host was the baby blue, looks like 25%.

The only change I did was fiddle with using a DNS filter hoping to route all DNS requests from my LAN to my Pi-hole.

nslookup pi.hole and nslookup flurry.com 192.168.0.xx

worked fine. I wish there was a way to run these commands out of my iPhone or anything equivalent?

I have an iPhone connected to my router via wifi.

This would be the first place to look