Sometime when blocking a subdomain, the same request for the same subdomain is requested with a lan, is this still blocked even with a "lan" extension ? And No idea why the second request is slower.
example:
2024-12-18 13:03:33
A fb788ee3e13c37e386c4fc5c50068dbd4f2d37ac192335d0d1dfd07cb52635b.us-east-1.prod.service.minerva.devices.a2z.com.lan Device1.lan 172.9 ms
Query received on: 2024-12-18 13:03:33.068
Client: Device1.lan (10.10.10.249)
Query Status: Served from cache
Reply: NXDOMAIN
Database ID: 22152869
2024-12-18 13:03:29
A fb788ee3e13c37e386c4fc5c50068dbd4f2d37ac192335d0d1dfd07cb52635b.us-east-1.prod.service.minerva.devices.a2z.com Device1.lan 0.6 ms
Query received on: 2024-12-18 13:03:29.074
Client: Device1.lan (10.10.10.249)
Query Status: Blocked (regex)
Query was blocked, search lists
Reply: IP
Database ID: 22152867
Your above output structure is taken from a beta v6 Pi-hole, so I classified your topic accordingly.
Run from the machine hosting your Pi-hole, please share the result of:
pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT id, domain, client, reply_type, round(reply_time*1000,1) FROM queries WHERE id=22152869 OR id=22152867;"
Please try to run that again, a few times if necessary.
If it doesn't come up with a reply, please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
I can access the database by the Query Log, Advance filtering with no issues.
Bare-metal or in some virtualisation environment? Bare-metal !
Raspberry Pi 4 Model B
Bookworm 12
8gig ram
32gig SD
redback@raspberrypi:~ $ ls -lah /etc/pihole/pihole-FTL.db
-rw-r----- 1 pihole pihole 638M Dec 19 05:16 /etc/pihole/pihole-FTL.db
Is it feasible for users to store certain specifications in their profile for admin access in case they desire to know the user's setup?
I can run that statement on my Pi-hole without issues, but can trigger an unable to open database file error by pointing sqlite3 to a non-existing database (e.g. /etc/pihole-FTL.db).
In your case, that's in the correct location, and permissions are also ok.
That leaves your user to check.
What groups does your redback user belong to?
Would running the command with sudo work?
sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT id, domain, client, reply_type, round(reply_time*1000,1) FROM queries WHERE id=22152869 OR id=22152867;"
Just for clarification I'm accessing the raspberry pi from ssh redback@raspberrypi on the macOS.
The browser accesses the Pi-hole on https://pi.hole/admin/
Probably not, since I'd fear relevant information to be too dynamic, so it would need constant upgrading. Some people drop only one or two questions a year, and also, quite a few questions arise around Pi-holes running at a friend's or family's place, so looking at some static profile information would be pretty useless, even misleading.
E.g. via getent group | grep :redback, but don't share the details, as they may contain passwords.
As for your original observation, let's have a look at the complete records and share:
sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT * FROM queries WHERE id=22152869 OR id=22152867;"
That would rob us from analysing your issue, and I currently don't see any indication why that would be necessary.
Those database results confirm your screenshots:
The query for ...a2z.com was recorded as blocked by a regex filter, apparently with id 517888.
I also noticed you are using regex excessively, I count around 21,000 regex entries.
You should note that regex evalution is computationally expensive, and such a large amount of regex may slow down DNS resolution considerably, as all of them would have to be evaluated for any domain that's not blocked.
However, your regex with that id is missing from your debug log:
id type enabled group_ids domain date_added date_modified comment
----- ---- ------- --------- ------------------------ ------------------- ------------------- ------------------
517887 3 1 0 ^(.*\.)?minently\.com$ 2024-08-28 15:19:59 2024-08-28 15:19:59 Trackers and Ads M
517889 3 1 0 ^(.*\.)?minewhat\.com$ 2024-08-28 15:19:59 2024-08-28 15:19:59 Trackers and Ads M
Did you perhaps alter your regex before you ran the debug log?
When running through a VPN it really doesn't make much of a differences, since external DNS are the users biggest factor in response time, I have change the router VPN location and the DNS response can be good or terrible. Regex, catch non American domains which most blacklist are based on and some that are not on the blacklist.
As your regex shown in your screenshot is matching com at the end of line, i.e. it won't match lan at the end, and thus the expanded domain won't be blocked.
As for the longer reply time for the allowed lookup:
Your large amount of regex filters may have contributed here, as all regex would have to be evaluated for allowed domains.
I am not sure whether that's actually the case here, though, as the database status column is 3, indicating the reply was sourced from Pi-hole's cache.
