Boy, this doesn't look right any more. My PiHole queries

Bucking_Horn · August 10, 2020, 11:40am

The block rate isn't any kind of measure for judging Pi-hole's operation.

It is expected to fluctuate, depending on your network's activity.
Spend a whole day just here in the forums, and block rate while be close to zero.
And you specifically wouldn't want it to be at 100%, as that would mean you can't browse any site at all (if that's what you want, you may just pull the WAN cable from your router).

That said, I am not dismissing your observation altogether.
But to confirm or reject your hypothesis, you'd have to analyse data that would be availabe to you exclusively (and which you may not have collected then).

Meanwhile, to exclude a client bypassing Pi-hole due to configuration errors, you may use the following commands for a precursory check from a client that you expect to use Pi-hole:

nslookup pi.hole

That should return your Pi-hole's IP, and that IP should also match that of the server at the start of the very same reply. If so, it would confirm that your client is using Pi-hole as DNS server.

nslookup flurry.com 192.168.0.xx

Replace 192.168.0.xx with your Pi-hole's actual IP address before executing.
That should return 0.0.0.0 with a default Pi-hole, which would confirm your Pi-hole is blocking domains as expected.

ramoncete · August 10, 2020, 4:30pm

Dear, what happens if it answers

Non-authoritative answer:
Name: flurry.com
Address: 74.6.136.151
Name: flurry.com
Address: 212.82.100.151
Name: flurry.com
Address: 98.136.103.24

BlackHoleSun · August 10, 2020, 4:50pm

This is no surprise and I expect your Pi-Hole works still perfect.

Check your first picture, there are around 60k !! Request and they are all "ok" and not blocked. Rest of the diagram has only small values... Thats why you "only" got 3.6% blocked. Wait 24h and check again

jfb · August 10, 2020, 4:56pm

ramoncete:

Non-authoritative answer:
Name: [flurry.com](http://flurry.com)
Address: 74.6.136.151
Name: [flurry.com](http://flurry.com)
Address: 212.82.100.151
Name: [flurry.com](http://flurry.com)
Address: 98.136.103.24

Since flurry.com is a known ad-serving domain that is contained on most block lists, this domain should be blocked by Pi-hole. What was the full command you ran and the full output - the bit you posted does not indicate which server was queried and which server answered the query.

jfb · August 10, 2020, 4:57pm

This is not the expected reply.

ramoncete · August 10, 2020, 5:00pm

Sorry for the incomplete info here is the total command responses

PKBs-Macbook-Air:~ pkb$ nslookup pi.hole
Server: 192.168.15.10
Address: 192.168.15.10#53
Name: pi.hole
Address: 192.168.15.10

PKBs-Macbook-Air:~ pkb$ nslookup flurry.com 192.168.15.10

Server: 192.168.15.10
Address: 192.168.15.10#53
Non-authoritative answer:
Name: flurry.com
Address: 74.6.136.151
Name: flurry.com
Address: 212.82.100.151
Name: flurry.com
Address: 98.136.103.24

jfb · August 10, 2020, 5:04pm

Both queries were answered by the Pi-hole. The first went to Pi-hole without specifying the IP, which confirms that the Mac is using Pi-hole for DNS.

The second went to Pi-hole, and the answer is not what we expect, as this domain should be blocked. So, let's figure out why it isn't being blocked. From the Pi terminal, what are the full outputs of these commands:

pihole -q -exact flurry.com

grep flurry.com /var/log/pihole.log | tail -n25

ramoncete · August 10, 2020, 5:22pm

Here it is , thank you very much for taking this

Screenshot 2020-08-10 at 12.20.36

Sorry for the image but as I am newbie the forum doesn't let me include more than 5 links

jfb · August 10, 2020, 5:29pm

I bumped you up a level. You can also copy/paste the output text directly into a reply, and format that text block as "pre-formatted text" using the </> icon on the reply window.

ramoncete · August 10, 2020, 5:32pm

Thank you for the bump and the tip... Here they go

pi@raspberrypi:~ $ pihole -q -exact flurry.com
 Exact match for flurry.com found in:
  - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts 
pi@raspberrypi:~ $ grep flurry.com /var/log/pihole.log | tail -n25
Aug 10 10:07:30 dnsmasq[625]: query[A] data.flurry.com from 192.168.15.2
Aug 10 10:07:30 dnsmasq[625]: forwarded data.flurry.com to 8.8.4.4
Aug 10 10:07:30 dnsmasq[625]: reply data.flurry.com is <CNAME>
Aug 10 11:27:44 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:27:44 dnsmasq[27827]: forwarded flurry.com to 8.8.4.4
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 74.6.136.151
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 212.82.100.151
Aug 10 11:27:44 dnsmasq[27827]: reply flurry.com is 98.136.103.24
Aug 10 11:31:17 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 98.136.103.24
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 212.82.100.151
Aug 10 11:31:17 dnsmasq[27827]: cached flurry.com is 74.6.136.151
Aug 10 11:31:17 dnsmasq[27827]: query[A] www.flurry.com from 192.168.15.2
Aug 10 11:31:17 dnsmasq[27827]: forwarded www.flurry.com to 8.8.4.4
Aug 10 11:31:17 dnsmasq[27827]: reply www.flurry.com is <CNAME>
Aug 10 11:31:18 dnsmasq[27827]: query[A] data.flurry.com from 192.168.15.2
Aug 10 11:31:18 dnsmasq[27827]: forwarded data.flurry.com to 8.8.4.4
Aug 10 11:31:18 dnsmasq[27827]: reply data.flurry.com is <CNAME>
Aug 10 11:32:45 dnsmasq[27827]: query[A] flurry.com from 192.168.15.10
Aug 10 11:32:45 dnsmasq[27827]: gravity blocked flurry.com is 0.0.0.0
Aug 10 11:34:37 dnsmasq[27827]: query[A] flurry.com from 192.168.15.2
Aug 10 11:34:37 dnsmasq[27827]: forwarded flurry.com to 8.8.8.8
Aug 10 11:34:37 dnsmasq[27827]: reply flurry.com is 212.82.100.151
Aug 10 11:34:37 dnsmasq[27827]: reply flurry.com is 74.6.136.151
Aug 10 11:34:37 dnsmasq[27827]: reply flurry.com is 98.136.103.24
pi@raspberrypi:~ $

jfb · August 10, 2020, 5:32pm

Please generate a fresh debug log, upload it and post the token. We need a fresh look at your groups.

ramoncete · August 10, 2020, 5:38pm

In the oven...
Meanwhile I explain to you what i did, I created one group under the name of ROUTER-LINKSYS and populated it with everything that comes from 192.168.15.2

ramoncete · August 10, 2020, 5:39pm

Here is the debug token I have got
[✓] Your debug token is: https://tricorder.pi-hole.net/j8okta9e5g

jfb · August 10, 2020, 5:46pm

You have added a new group, but all your blocking is assigned to the default group (0). All the clients on the new group 1 (which appears to cover your entire network), have no blocking applied:

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
   id    type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   ----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   2      1          1  0             r2---sn-5muxa-hxml.googlevideo.com                                                                    2020-08-09 19:44:10  2020-08-09 19:44:10  Added from Query Log                              
   3      1          1  0             r3---sn-5muxa-hxms.googlevideo.com                                                                    2020-08-09 19:44:16  2020-08-09 19:44:16  Added from Query Log                              
   4      1          1  0             r1---sn-ug5onuxajv-hxml.googlevideo.com                                                               2020-08-09 19:54:20  2020-08-09 19:54:20  Added from Query Log                              
   5      1          1  0             r1---sn-5muxa-hxms.googlevideo.com                                                                    2020-08-09 19:54:26  2020-08-09 19:54:26  Added from Query Log                              
   6      1          1  0             arbz.info                                                                                             2020-08-09 20:59:33  2020-08-09 20:59:33  Added from Query Log                              
   8        3        1  0             (\.|^)den01-search\.spotxchange\.com$                                                                 2020-08-10 11:03:38  2020-08-10 11:03:38                                                    
   10       3        1  0             (\.|^)origin\.360yield\.com$                                                                          2020-08-10 11:08:55  2020-08-10 11:08:55

*** [ DIAGNOSING ]: Clients
   id    group_ids     ip                                                                                                    date_added           date_modified        comment                                           
   ----  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1     1             192.168.15.2                                                                                          2020-08-10 09:13:01  2020-08-10 09:13:17  Router Linksys

ramoncete · August 10, 2020, 5:52pm

Ok... sorry for the error, no groups better then?

jfb · August 10, 2020, 5:55pm

I don't understand your purpose in adding a new group. It appears that in your network, all the queries to Pi-hole appear to originate from the router IP, so group management is not effective (all your clients are in a single group by default).

I would eliminate the client mapping for the router to the new group, and eliminate the new group. This will apply all your existing blocking to all clients and your Pi-hole will work correctly.

If you do want to be able to apply blocking to individual clients, you will have to make some changes in your network so Pi-hole can see individual IPs. Then, you can put individual IP's in groups.

ramoncete · August 10, 2020, 6:00pm

Understood, I was only doing some tests, as you say most the queries originated from the clients of that group. Thank you for your prompt and great answers. I already deleted the group and as you said the Pi/hole now is doing its job perfectly. Thankyou again.

darkcloud · August 10, 2020, 11:37pm

heheheh, oh i most certainly would not want it to be 100%.

i just cant make out how the pie chart looks different and the 24hr query chart is less busy after the only change to my environment was a firmware update to my router necessitating setting it up again.

here's my updated info: screencaps:

the forward destinations for my router rt-ac68u went from 72.2%green to blue 1.7%
the local host is now green and 90.6%
last night local host was the baby blue, looks like 25%

only change i did was fiddle with using a DNS filter hoping to route all dns requests from my lan, to my pihole.

nslookup pi.hole and nslookup flurry.com 192.168.0.xx

worked fine, i wish there was a way to run these commands out of my iphone or anything equivalent?

i have an iphone connected to my router via wifi.

jfb · August 10, 2020, 11:38pm

This would be the first place to look

system · August 31, 2020, 11:38pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.