Conditional Forwarding broke after latest update

After updating to:
Pi-hole v5.10
FTLv5.15
Web Interface v5.12
Running on a Raspberry PI4

The conditional forwarding to my local AD DNS server is no longer working.

When I do an NSLOOKUP or DIG, they return:

QUESTIONS:
    ad.domain.net, type = A, class = IN
ANSWERS:
->  ad.mydomain.net
    internet address = 0.0.0.0
    ttl = 2 (2 secs)

Other than updating to the latest versions, I have done nothing with my configuration for many months, apart from adding a couple of regex blacklists.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

https://tricorder.pi-hole.net/tHfOiH2s/

If ad.domain.net is indeed your domain name, I'd suspect ad to trigger a match on one of your regex blocks.

It's easy enough to find out by yourself by checking ad.domain.net (or whatever your offending domain really is) against Pi-hole's filters via Tools|Search Adlists.

I notice that you may have been trying to ward this off by adding a whitelist entry for your local domain name, and you've done so as an exact match.

Very likely, that would not be enough to get you covered:
Clients may honor your local domain as distributed by the DHCP server by appending that local search domain to a query, e.g. nslookup commonly is configured to do so.
If domain.net were your local domain, the DNS request that actually gets issued may be for ad.domain.net.domain.net, and that would escape the exact whitelist match.

Try allowing your domain with a plain regex filter for ad.domain.net, or just pick a different local domain name that would avoid the ad confusion.
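The two points made above (a regex blacklist entry catching a local AD name, and an exact whitelist entry being bypassed once a client appends the search domain) can be reproduced offline. The following script is an added example and is not part of the thread or of Pi-hole's own code: it feeds constructed hostnames through a simplified model of Pi-hole's filter precedence (exact whitelist, exact blacklist, regex whitelist, regex blacklist, in that order) using the regex blacklist entry quoted later in this thread. Pi-hole compiles its regex entries as POSIX extended regexes; Python's re module agrees with POSIX ERE for this particular pattern. The search domain domain.net, the AD host name host.ad1.domain.net and the ndots behaviour of the resolver are assumptions; note that the quoted regex only fires when "ad" is followed by a digit or the word "system", so a real zone that trips it must contain a label such as ad1 or adsystem.

```python
import re

# Regex blacklist entry quoted in the thread (Pi-hole compiles it as POSIX ERE;
# Python's re yields the same result for this pattern).
REGEX_BLACKLIST = [r"^ad([sxv]?[0-9]|system)_.-{1,}|[_.-]ad([sxv]?[0-9]|system)[_.-]"]

# Assumed local search domain handed out by DHCP (constructed, not from the thread).
SEARCH_DOMAIN = "domain.net"


def candidate_queries(name, search_domain=SEARCH_DOMAIN):
    """Return the names a client may actually put on the wire for `name`.

    An absolute name (trailing dot) is sent as-is. Otherwise a client honouring
    a search list may also try the name with the search domain appended; this
    models the behaviour the thread describes for nslookup (assumption).
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    return [name, f"{name}.{search_domain}"]


def classify(query, exact_whitelist=(), regex_whitelist=(),
             exact_blacklist=(), regex_blacklist=REGEX_BLACKLIST):
    """Simplified model of Pi-hole's decision for one query name.

    Precedence follows Pi-hole's documented order: exact whitelist, then exact
    blacklist, then regex whitelist, then regex blacklist. Pi-hole lowercases
    names before matching, so we do the same.
    """
    q = query.lower().rstrip(".")
    if q in exact_whitelist:
        return "allowed (exact whitelist)"
    if q in exact_blacklist:
        return "blocked (exact blacklist)"
    if any(re.search(p, q) for p in regex_whitelist):
        return "allowed (regex whitelist)"
    if any(re.search(p, q) for p in regex_blacklist):
        return "blocked (regex blacklist)"
    return "allowed"


def demo(typed_name="host.ad1.domain.net"):
    """Evaluate every wire-level candidate for `typed_name` under three configs:
    no whitelist, an exact whitelist for the typed name, and a regex whitelist
    covering the whole local zone (including search-domain-appended forms).
    """
    configs = {
        "no whitelist": dict(),
        "exact whitelist": dict(exact_whitelist={typed_name}),
        "regex whitelist": dict(regex_whitelist=[r"(^|\.)domain\.net$"]),
    }
    results = {}
    for label, cfg in configs.items():
        results[label] = {q: classify(q, **cfg) for q in candidate_queries(typed_name)}
    return results


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(f"--- {label} ---")
        for query, verdict in verdicts.items():
            print(f"{query:40s} {verdict}")
```

Running it shows the failure mode from the thread: with only an exact whitelist, `host.ad1.domain.net` is allowed but the search-domain-appended `host.ad1.domain.net.domain.net` still hits the regex blacklist, whereas a regex whitelist anchored on the zone suffix covers both forms. Swap in the real blacklist entries and zone name to check a live configuration before touching the whitelist.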

You are correct, my AD, as in Active Directory, DNS domain is being filtered by:

Exact match found in regex blacklist
^ad([sxv]?[0-9]|system)_.-{1,}|[_.-]ad([sxv]?[0-9]|system)[_.-]

So, I have added this to the whitelist and seems to be working:
[a-za-z]+\.sike\.net

I notice that you may have been trying to ward this off by adding a whitelist entry for your local domain name, and you've done so as an exact match.

I added that in as a troubleshooting step; it wasn't there until after the upgrade. I wonder what changed between the versions to get this stricter enforcement of the rules.

Thank you very much for your time!

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.