Boy, this doesn't look right any more. My PiHole queries

Expected Behaviour:

I set up Pihole about 2 weeks ago, then set up unbound last week... things were going pretty well overall. Learned some things from this forum, thank you.

I worked on my router yesterday, upgraded the Merlin firmware from old to current.
I had to re-input various settings of course... I noticed on my Pi-hole dashboard, the colors and the block % is waaaaay lower. I had about a 30% block of queries, not any more. And I don't know what's going on sadly... if anyone can be detective for me?

Actual Behaviour:

the "Forward destinations" is 72.2%... that's my router. what does that mean, my router is 'answering' 72.2% of queries stemming from my devices on my network connected to my router?


Debug Token:

The block rate isn't any kind of measure for judging Pi-hole's operation.

It is expected to fluctuate, depending on your network's activity.
Spend a whole day just here in the forums, and block rate will be close to zero.
And you specifically wouldn't want it to be at 100%, as that would mean you can't browse any site at all (if that's what you want, you may just pull the WAN cable from your router).

That said, I am not dismissing your observation altogether.
But to confirm or reject your hypothesis, you'd have to analyse data that would be available to you exclusively (and which you may not have collected then).

Meanwhile, to exclude a client bypassing Pi-hole due to configuration errors, you may use the following commands for a precursory check from a client that you expect to use Pi-hole:

nslookup pi.hole

That should return your Pi-hole's IP, and that IP should also match that of the server at the start of the very same reply. If so, it would confirm that your client is using Pi-hole as DNS server.

nslookup 192.168.0.xx

Replace 192.168.0.xx with your Pi-hole's actual IP address before executing.
That should return with a default Pi-hole, which would confirm your Pi-hole is blocking domains as expected.

Dear, what happens if it answers

Non-authoritative answer:

This is no surprise and I expect your Pi-hole still works perfectly.

Check your first picture, there are around 60k!! requests and they are all "ok" and not blocked. The rest of the diagram has only small values... That's why you "only" got 3.6% blocked. Wait 24h and check again.

Since is a known ad-serving domain that is contained on most block lists, this domain should be blocked by Pi-hole. What was the full command you ran and the full output - the bit you posted does not indicate which server was queried and which server answered the query.

This is not the expected reply.

Sorry for the incomplete info here is the total command responses

PKBs-Macbook-Air:~ pkb$ nslookup pi.hole
Name: pi.hole
PKBs-Macbook-Air:~ pkb$ nslookup

Non-authoritative answer:

Both queries were answered by the Pi-hole. The first went to Pi-hole without specifying the IP, which confirms that the Mac is using Pi-hole for DNS.

The second went to Pi-hole, and the answer is not what we expect, as this domain should be blocked. So, let's figure out why it isn't being blocked. From the Pi terminal, what are the full outputs of these commands:

pihole -q -exact

grep /var/log/pihole.log | tail -n25

Here it is, thank you very much for taking this

Screenshot 2020-08-10 at 12.20.36

Sorry for the image but as I am newbie the forum doesn't let me include more than 5 links

I bumped you up a level. You can also copy/paste the output text directly into a reply, and format that text block as "pre-formatted text" using the </> icon on the reply window.

Thank you for the bump and the tip... Here they go

pi@raspberrypi:~ $ pihole -q -exact
 Exact match for found in:
pi@raspberrypi:~ $ grep /var/log/pihole.log | tail -n25
Aug 10 10:07:30 dnsmasq[625]: query[A] from
Aug 10 10:07:30 dnsmasq[625]: forwarded to
Aug 10 10:07:30 dnsmasq[625]: reply is <CNAME>
Aug 10 11:27:44 dnsmasq[27827]: query[A] from
Aug 10 11:27:44 dnsmasq[27827]: forwarded to
Aug 10 11:27:44 dnsmasq[27827]: reply is
Aug 10 11:27:44 dnsmasq[27827]: reply is
Aug 10 11:27:44 dnsmasq[27827]: reply is
Aug 10 11:31:17 dnsmasq[27827]: query[A] from
Aug 10 11:31:17 dnsmasq[27827]: cached is
Aug 10 11:31:17 dnsmasq[27827]: cached is
Aug 10 11:31:17 dnsmasq[27827]: cached is
Aug 10 11:31:17 dnsmasq[27827]: query[A] from
Aug 10 11:31:17 dnsmasq[27827]: forwarded to
Aug 10 11:31:17 dnsmasq[27827]: reply is <CNAME>
Aug 10 11:31:18 dnsmasq[27827]: query[A] from
Aug 10 11:31:18 dnsmasq[27827]: forwarded to
Aug 10 11:31:18 dnsmasq[27827]: reply is <CNAME>
Aug 10 11:32:45 dnsmasq[27827]: query[A] from
Aug 10 11:32:45 dnsmasq[27827]: gravity blocked is
Aug 10 11:34:37 dnsmasq[27827]: query[A] from
Aug 10 11:34:37 dnsmasq[27827]: forwarded to
Aug 10 11:34:37 dnsmasq[27827]: reply is
Aug 10 11:34:37 dnsmasq[27827]: reply is
Aug 10 11:34:37 dnsmasq[27827]: reply is
pi@raspberrypi:~ $ 

Please generate a fresh debug log, upload it and post the token. We need a fresh look at your groups.

In the oven...
Meanwhile I'll explain to you what I did: I created one group under the name of ROUTER-LINKSYS and populated it with everything that comes from

Here is the debug token I have got
[✓] Your debug token is:

You have added a new group, but all your blocking is assigned to the default group (0). All the clients on the new group 1 (which appears to cover your entire network), have no blocking applied:

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
   id    type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   ----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   2      1          1  0                                                                       2020-08-09 19:44:10  2020-08-09 19:44:10  Added from Query Log                              
   3      1          1  0                                                                       2020-08-09 19:44:16  2020-08-09 19:44:16  Added from Query Log                              
   4      1          1  0                                                                  2020-08-09 19:54:20  2020-08-09 19:54:20  Added from Query Log                              
   5      1          1  0                                                                       2020-08-09 19:54:26  2020-08-09 19:54:26  Added from Query Log                              
   6      1          1  0                                                                                                2020-08-09 20:59:33  2020-08-09 20:59:33  Added from Query Log                              
   8        3        1  0             (\.|^)den01-search\.spotxchange\.com$                                                                 2020-08-10 11:03:38  2020-08-10 11:03:38                                                    
   10       3        1  0             (\.|^)origin\.360yield\.com$                                                                          2020-08-10 11:08:55  2020-08-10 11:08:55
*** [ DIAGNOSING ]: Clients
   id    group_ids     ip                                                                                                    date_added           date_modified        comment                                           
   ----  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1     1                                                                                             2020-08-10 09:13:01  2020-08-10 09:13:17  Router Linksys

Ok... sorry for the error, no groups better then?

I don't understand your purpose in adding a new group. It appears that in your network, all the queries to Pi-hole appear to originate from the router IP, so group management is not effective (all your clients are in a single group by default).

I would eliminate the client mapping for the router to the new group, and eliminate the new group. This will apply all your existing blocking to all clients and your Pi-hole will work correctly.

If you do want to be able to apply blocking to individual clients, you will have to make some changes in your network so Pi-hole can see individual IPs. Then, you can put individual IPs in groups.

1 Like
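The group mismatch diagnosed above, as an added example that is not part of the original posts and is not Pi-hole's own code: a small in-memory SQLite model that lists clients whose groups carry no blocking rules, then applies the fix suggested in the thread. The table and column names, the `blockrule` table that merges adlists with blacklist entries, and the address 192.0.2.1 standing in for the router are all assumptions made for this example.

```python
import sqlite3

# Simplified stand-in for Pi-hole's group tables; every table and column
# name here is an assumption made for this example.
SCHEMA = """
CREATE TABLE "group" (id INTEGER PRIMARY KEY, enabled INTEGER, name TEXT);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT, comment TEXT);
CREATE TABLE blockrule (id INTEGER PRIMARY KEY, kind TEXT, enabled INTEGER);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
CREATE TABLE blockrule_by_group (rule_id INTEGER, group_id INTEGER);
"""

def build_sample():
    """Constructed data mirroring the debug log: rules in group 0, router in group 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO "group" VALUES (?,?,?)',
                     [(0, 1, "Default"), (1, 1, "ROUTER-LINKSYS")])
    conn.executemany("INSERT INTO blockrule VALUES (?,?,?)",
                     [(2, "exact-black", 1), (8, "regex-black", 1), (100, "adlist", 1)])
    conn.executemany("INSERT INTO blockrule_by_group VALUES (?,?)",
                     [(2, 0), (8, 0), (100, 0)])
    # 192.0.2.1 is a documentation address standing in for the router.
    conn.execute("INSERT INTO client VALUES (1, '192.0.2.1', 'Router Linksys')")
    conn.execute("INSERT INTO client_by_group VALUES (1, 1)")
    return conn

def clients_without_blocking(conn):
    """Clients none of whose enabled groups carries an enabled blocking rule."""
    return conn.execute("""
        SELECT c.ip, c.comment FROM client c
        WHERE NOT EXISTS (
            SELECT 1 FROM client_by_group cg
            JOIN "group" g ON g.id = cg.group_id AND g.enabled = 1
            JOIN blockrule_by_group rg ON rg.group_id = g.id
            JOIN blockrule r ON r.id = rg.rule_id AND r.enabled = 1
            WHERE cg.client_id = c.id)
        ORDER BY c.ip""").fetchall()

def remove_group(conn, group_id):
    """The fix from the thread: drop the client mapping and the group itself.
    Clients with no explicit entry are treated as members of the default group."""
    conn.execute("DELETE FROM client_by_group WHERE group_id = ?", (group_id,))
    conn.execute("DELETE FROM client WHERE id NOT IN (SELECT client_id FROM client_by_group)")
    conn.execute("DELETE FROM blockrule_by_group WHERE group_id = ?", (group_id,))
    conn.execute('DELETE FROM "group" WHERE id = ?', (group_id,))

if __name__ == "__main__":
    db = build_sample()
    print("unprotected before:", clients_without_blocking(db))
    remove_group(db, 1)
    print("unprotected after: ", clients_without_blocking(db))
```
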

Understood, I was only doing some tests, as you say most of the queries originated from the clients of that group. Thank you for your prompt and great answers. I already deleted the group and as you said the Pi-hole now is doing its job perfectly. Thank you again.

1 Like

heheheh, oh i most certainly would not want it to be 100%.

i just can't make out how the pie chart looks different and the 24hr query chart is less busy after the only change to my environment was a firmware update to my router necessitating setting it up again.

here's my updated info: screencaps:

the forward destinations for my router rt-ac68u went from 72.2%green to blue 1.7%
the local host is now green and 90.6%
last night local host was the baby blue, looks like 25%

only change i did was fiddle with using a DNS filter hoping to route all dns requests from my lan, to my pihole.

nslookup pi.hole and nslookup 192.168.0.xx 

worked fine, i wish there was a way to run these commands out of my iphone or anything equivalent?

i have an iphone connected to my router via wifi.

This would be the first place to look