Domain being blocked but shown as not blocked in query


#1

I have the problem that despite the domain being added to the blacklist (Pi-hole) and actually being blocked by returning a NULL IP address, it is not shown in the query overview in the web interface as being blocked.

domain: android.clients.google.com which is a CNAME for android.l.google.com

I am currently running developer version: Pi-hole Version vDev (development, v3.3.1-467-ga896153) Web Interface Version vDev (devel, v3.3-325-g33fc600) FTL Version vDev (development, vDev-7a74acc)


#4

Run pihole -d for a debug token.


#5

Thanks, I don’t think there is anything wrong with my config.

Have been busy with Netguard lately to control my Android device and make it more secure and controllable. I sometimes feel that I am playing chess on several levels at the same time.
Controlling Netguard with Pi-hole to have it work like I want to have it and then at the same time Netguard altering it some to give absolute control. This all without rooting.

I will look at some avenues for what can cause this domain to be blocked but also offered as blockable.


#6

I could test it a bit more and it now appears that every entry in the blacklist (not gravity or regex) is shown as a green line and falsely followed by the blacklist button.

I am running the latest DEV

Pi-hole Version vDev (development, v3.3.1-467-ga896153) Web Interface Version vDev (devel, v3.3-325-g33fc600) FTL Version vDev (development, vDev-cdcc178)


#7

Can you post an example screen shot please?


#8
 pihole -b block-me.local
  [i] Adding block-me.local to blacklist...
  [i] block-me.local does not exist in whitelist, no need to remove!

Present in the blacklist list and in both blacklist files.


#10

block-me.local is not the best example but I tried many others before. Strange thing is that the log shows:

Oct  7 00:08:54 dnsmasq[1778]: query[A] block-me.local from 192.168.21.40
Oct  7 00:08:54 dnsmasq[1778]: /etc/pihole/regex.list block-me.local is 0.0.0.0

Correct blocking but the same problem of the line staying green.

Oct  6 23:27:54 dnsmasq[26112]: query[A] android.clients.google.com from 192.168.21.40
Oct  6 23:27:54 dnsmasq[26112]: (null) android.clients.google.com is 0.0.0.0

#11

I did an update of the DEV version and got an error the first time, but all seemed to be OK and FTL was updated.

pihole -up
  [i] Checking for updates...
fatal: unable to access 'https://github.com/pi-hole/pi-hole.git/': Could not resolve host: github.com
  [i] Pi-hole Core:     up to date
  [i] Web Interface:    up to date
  [i] FTL:              update available

  [i] FTL out of date, it will be updated by the installer.

Just checking if the error was still present, I ran it 15 minutes later and got, to my surprise, another update while there are none for Pi-hole Core in DEV, if I interpreted it well on GitHub.

pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core:     update available
  [i] Web Interface:    up to date
  [i] FTL:              up to date

  [i] Pi-hole core files out of date, updating local repo.
  [✓] Check for existing repository in /etc/.pihole
  [✓] Update repo in /etc/.pihole

The up-to-date lines were green and the update available lines were yellow. If there was uncertainty about an update, the line should have been red and shown an error?


#12

#13

Hahaha, it is a long time since I was a programmer and I stopped with that when I had to learn Cobol.
I think that was the first time my forehead came in direct contact with the keyboard due to an extreme local gravity.

I was instructed…we got one byte and we have to define each bit as a separate boolean and use that in the program…hey, we have now computers that have more than 4KB memory and I was sitting behind an Ericsson IBM PC with a whopping 512KB upgraded to 640KB. If you were really lucky you had EMS memory swapped under the 1024 KB. Even the memory of the Hercules video card (32 KB) was not safe and we needed only 4KB so the unused 28KB was also swapped in so plenty of memory…those were the times. :rofl:

When I glance at the code you linked to I should have had a red line.

PS. I used the Windows XP trick…if the system does strange things you can’t explain, reboot it. After that I could again add lines to the adlists under system in the web interface but I did not solve my main problem.


#14

This thread seems to have gone all over the place (and into the past).
The original issue is that blocked domains don’t show as blocked in the query log. Is this still happening?
If so, run pihole -d for a debug token and share the query lines in /var/log/pihole.log where the blocked queries happen.


#15

So I have gvt1.com in blacklist in the web-interface and in the two blacklist files. In the webinterface I trigger a restart DNSmasq to clear the cache.

I enter on the prompt nslookup gvt1.com and in the query list it showed as cached (???) and the line is green including a button that I can blacklist it.

Log shows:

Oct 10 22:55:54 dnsmasq[26719]: query[A] gvt1.com from 192.168.xx.xx
Oct 10 22:55:54 dnsmasq[26719]: (null) gvt1.com is 0.0.0.0

#16

After you did this, did you reload the page? Try with clearing the browser cache and reloading the page.


#17

I am using dig and nslookup. It is blocked as advertised but the WEB interface represents it wrongly.

Using my backup Pi-hole, which was on master master (FTL-4.0) and tested it:

So that is represented as expected.

Now, after updating my backup Pi-hole to development devel development it is represented wrongly:


#18

I got a similar problem; sometimes it’s blocked and other times not. A part of the log from yesterday:

cat /var/log/pihole.log.1 | grep dss

Oct 10 08:05:56 dnsmasq[3942]: 1036114 192.168.178.133/58838 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 08:17:39 dnsmasq[3942]: 1036460 192.168.178.133/53177 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 08:18:50 dnsmasq[3942]: 1036608 192.168.178.133/54361 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 08:18:50 dnsmasq[3942]: 1036609 192.168.178.133/56663 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 08:18:50 dnsmasq[3942]: 1036609 192.168.178.133/56663 /etc/pihole/gravity.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 08:28:35 dnsmasq[3942]: 1036866 192.168.178.133/54022 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 08:39:32 dnsmasq[3942]: 1037151 192.168.178.133/51172 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 09:01:32 dnsmasq[3942]: 1037974 192.168.178.133/50340 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 10:58:33 dnsmasq[3942]: 1041453 192.168.178.133/49398 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 11:05:20 dnsmasq[3942]: 1041648 192.168.178.133/54801 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 11:18:44 dnsmasq[3942]: 1042014 192.168.178.133/57676 reply gstaticadssl.l.google.com is 172.217.17.131
Oct 10 11:38:17 dnsmasq[3942]: 1042565 192.168.178.133/61392 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 12:25:05 dnsmasq[3942]: 1043931 192.168.178.41/61172 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 12:46:35 dnsmasq[3942]: 1044921 127.0.0.1/38690 query[A] gstaticadssl.l.google.com from 127.0.0.1
Oct 10 12:46:35 dnsmasq[3942]: 1044921 127.0.0.1/38690 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 12:46:35 dnsmasq[3942]: 1044922 127.0.0.1/50215 query[AAAA] gstaticadssl.l.google.com from 127.0.0.1
Oct 10 12:46:35 dnsmasq[3942]: 1044922 127.0.0.1/50215 /etc/pihole/black.list gstaticadssl.l.google.com is ::
Oct 10 12:46:35 dnsmasq[3942]: 1044923 127.0.0.1/53850 query[MX] gstaticadssl.l.google.com from 127.0.0.1
Oct 10 12:46:35 dnsmasq[3942]: 1044923 127.0.0.1/53850 forwarded gstaticadssl.l.google.com to 192.168.178.44
Oct 10 13:38:43 dnsmasq[3942]: 1047155 127.0.0.1/47757 query[A] gstaticadssl.l.google.com from 127.0.0.1
Oct 10 13:38:43 dnsmasq[3942]: 1047155 127.0.0.1/47757 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 13:38:43 dnsmasq[3942]: 1047156 127.0.0.1/47757 query[AAAA] gstaticadssl.l.google.com from 127.0.0.1
Oct 10 13:38:43 dnsmasq[3942]: 1047156 127.0.0.1/47757 /etc/pihole/black.list gstaticadssl.l.google.com is ::
Oct 10 14:07:19 dnsmasq[3942]: 1051919 192.168.178.133/61710 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 14:07:19 dnsmasq[3942]: 1051920 192.168.178.133/55329 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 14:07:19 dnsmasq[3942]: 1051920 192.168.178.133/55329 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 14:52:44 dnsmasq[3942]: 1053659 192.168.178.133/64502 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 15:04:41 dnsmasq[3942]: 1053989 192.168.178.133/62880 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 15:28:05 dnsmasq[3942]: 1054739 192.168.178.133/49164 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 15:28:05 dnsmasq[3942]: 1054740 192.168.178.133/65398 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 15:28:05 dnsmasq[3942]: 1054740 192.168.178.133/65398 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 15:43:16 dnsmasq[3942]: 1055242 192.168.178.133/49952 reply gstaticadssl.l.google.com is 172.217.19.195
Oct 10 15:43:16 dnsmasq[3942]: 1055243 192.168.178.133/57952 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 15:43:16 dnsmasq[3942]: 1055243 192.168.178.133/57952 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 16:14:56 dnsmasq[3942]: 1056370 192.168.178.133/55637 reply gstaticadssl.l.google.com is 172.217.20.67
Oct 10 16:19:16 dnsmasq[3942]: 1056536 192.168.178.133/50116 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 16:24:52 dnsmasq[3942]: 1056741 192.168.178.133/52659 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 16:31:07 dnsmasq[3942]: 1056964 192.168.178.133/60800 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 16:36:53 dnsmasq[3942]: 1057562 192.168.178.133/50967 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 17:49:08 dnsmasq[3942]: 1059843 192.168.178.133/60839 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 18:00:35 dnsmasq[3942]: 1060282 192.168.178.133/53553 reply gstaticadssl.l.google.com is 108.177.127.94
Oct 10 18:00:35 dnsmasq[3942]: 1060284 192.168.178.133/49929 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 18:00:35 dnsmasq[3942]: 1060284 192.168.178.133/49929 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 18:15:20 dnsmasq[3942]: 1060740 192.168.178.133/50879 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 19:05:18 dnsmasq[3942]: 1062294 192.168.178.133/50486 reply gstaticadssl.l.google.com is 172.217.20.67
Oct 10 19:14:07 dnsmasq[3942]: 1062567 192.168.178.133/52697 reply gstaticadssl.l.google.com is 172.217.20.67
Oct 10 20:50:31 dnsmasq[3942]: 1065492 192.168.178.133/53122 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 21:16:29 dnsmasq[3942]: 1066302 192.168.178.133/60298 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 21:32:13 dnsmasq[3942]: 1066931 192.168.178.133/65012 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 21:50:41 dnsmasq[3942]: 1067517 192.168.178.133/55644 reply gstaticadssl.l.google.com is 216.58.211.99

And if I search in the menu (Tools --> Query List) for ‘dssl’:


#19

What if you remove gstaticadssl.l.google.com from your blacklist, because this could be conflicting with your gravity.list (the normally used list to block).

Which version of Pi-hole are you using? I assume the 4.0 non-development version.


#20

After 3.3.1 updated to:


I made all combinations, only in private blocklist, later added as blacklisted, same results.
I just checked gravity as well, of course it’s there :smile:
BTW, I have nothing else running on this Pi.


#22

The (null) part is what concerns me and what is probably also the cause of the issue - Pi-hole cannot - for an unknown reason - detect from which file the domain was loaded and hence concludes that it is not blocked. Compare with the line

Oct  7 00:08:54 dnsmasq[1778]: /etc/pihole/regex.list block-me.local is 0.0.0.0

where there is a list name instead of a (null). Can you provide more details about your particular configuration?

Also note that every user-provided HOSTS file will be counted as served from cache.

Can you please help us try to narrow down the source of the (null)? Could you add domains for testing and put only one of them in each of the three files containing gvt1.com? This will allow us to isolate if this is a general issue or if it is caused by some particular configuration we have never tested.


#24

You can see that queries are correctly replied to:

Oct 10 15:43:16 dnsmasq[3942]: 1055243 192.168.178.133/57952 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 15:43:16 dnsmasq[3942]: 1055243 192.168.178.133/57952 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0

Note the query ID (the number behind the colon, 1055243 in this case).

The other lines, like

Oct 10 14:52:44 dnsmasq[3942]: 1053659 192.168.178.133/64502 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 15:04:41 dnsmasq[3942]: 1053989 192.168.178.133/62880 reply gstaticadssl.l.google.com is 216.58.211.99
Oct 10 15:28:05 dnsmasq[3942]: 1054739 192.168.178.133/49164 reply gstaticadssl.l.google.com is 172.217.20.99

do not show a corresponding query[A] request in your log excerpt, so I assume they are valid (CNAME) replies to queries of another domain. Please post the history of such a query, e.g.

grep 1054739 /var/log/pihole.log.1
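
Added example, not part of the original posts and not Pi-hole's own code: a small Python script that groups dnsmasq log lines by query ID and flags the two situations raised in posts #22 and #24, a null-address answer whose source list is logged as `(null)`, and an answer with no matching query in the excerpt. The names `LINE`, `classify` and `analyse` are hypothetical; the first three sample lines are copied from the thread, the last two are constructed in the same format.

```python
import re
from collections import defaultdict

# First three lines are copied from the thread; the last two are constructed
# in the same "extra" log format (query ID and client address are made up).
SAMPLE = """\
Oct 10 15:28:05 dnsmasq[3942]: 1054739 192.168.178.133/49164 reply gstaticadssl.l.google.com is 172.217.20.99
Oct 10 15:43:16 dnsmasq[3942]: 1055243 192.168.178.133/57952 query[A] gstaticadssl.l.google.com from 192.168.178.133
Oct 10 15:43:16 dnsmasq[3942]: 1055243 192.168.178.133/57952 /etc/pihole/black.list gstaticadssl.l.google.com is 0.0.0.0
Oct 10 22:55:54 dnsmasq[26719]: 17 192.168.0.2/40000 query[A] gvt1.com from 192.168.0.2
Oct 10 22:55:54 dnsmasq[26719]: 17 192.168.0.2/40000 (null) gvt1.com is 0.0.0.0
"""

# Captures: pid, query ID, action, domain, value (client/port is skipped).
LINE = re.compile(r"dnsmasq\[(\d+)\]: (\d+) \S+ (\S+) (\S+) (?:is|from|to) (\S+)$")
NULL_ADDRS = {"0.0.0.0", "::"}


def classify(action, value):
    """Map one log line to an event kind."""
    if action.startswith("query["):
        return "query"
    if value in NULL_ADDRS and action == "(null)":
        return "null-source"          # blocked, but the list name is missing
    if value in NULL_ADDRS and action.startswith("/"):
        return "blocked:" + action    # blocked, list file is named
    return action                     # reply, forwarded, cached, config ...


def analyse(text):
    """Group lines by (pid, query ID) and give one verdict per query."""
    by_query = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            pid, qid, action, _domain, value = m.groups()
            by_query[(pid, qid)].append(classify(action, value))
    verdicts = {}
    for key, kinds in by_query.items():
        blocked = [k for k in kinds if k.startswith("blocked:")]
        if "null-source" in kinds:
            verdicts[key] = "null-source"
        elif blocked:
            verdicts[key] = blocked[0]
        elif "query" not in kinds:
            verdicts[key] = "orphan-answer"   # e.g. CNAME reply to another query
        else:
            verdicts[key] = "answered"
    return verdicts


if __name__ == "__main__":
    for (pid, qid), verdict in analyse(SAMPLE).items():
        print(pid, qid, verdict)
```

The query ID is only unique per dnsmasq process, which is why the key includes the PID from the `dnsmasq[...]` prefix.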

#25

The question is, should it be blocked while the domain name is in gravity.list?


In this case, it isn’t blocked, is that right?