Domain blocked despite whitelist

Expected Behaviour:

Visit protonvpn.com that is whitelisted

Actual Behaviour:

Receiving browser message that the site is not secure. I have added the domain with wildcard to the Whitelist. Watching the log within Pi-hole WebUI displays that it is still being blocked. I can confirm that the site can be visited without issue by pointing my computer to a different external DNS server.

Debug Token:

https://tricorder.pi-hole.net/xIf9XFxn/

Your router is the DHCP server and is handing out 4 IP addresses to clients to use as DNS servers:

  • Your Pi-hole on .12
  • Something you've called blackhole (in your custom list) on .15
  • OpenDNS
  • Cloudflare

You want to make sure that only your Pi-hole is being given out, otherwise clients will be able to bypass Pi-hole. Note that if you are using Proton VPN on a client, that will normally send all traffic from that client, including that client's DNS, through their systems.

Try running each of these commands in a command terminal on that computer where you took the browser screenshot:

nslookup pi.hole
nslookup protonvpn.com
nslookup protonvpn.com 192.168.15.12
nslookup protonvpn.com 192.168.15.15
nslookup protonvpn.com 208.67.220.220
nslookup protonvpn.com 1.1.1.1

The browser error means that the domain protonvpn.com appears to be reachable but that its SSL certificate fails validation.

This could be because something is interfering with the certificate (e.g. a browser plugin) or redirecting the request somewhere else (e.g. your ISP). The nslookup commands above take the browser out of the equation and may help shed some light on the cause.

If you click Advanced on that error I think it will show you the certificate details (or there is a button to show it), the issuer, the expiry and so on. What does it say? Here's how it looks in Safari (despite saying protonmail this is the certificate for protonvpn):

[Screenshot: Safari certificate details for protonvpn.com]

Certificate errors can also be caused by cached data or system time being wrong, but I don't think that applies to you since you mention it works when you use a different external DNS server, and the error references the authority. Out of interest what external DNS server do you use for that workaround and how do you ensure that you're using it?

What is the blackhole system at .15? The Pi-hole itself has this listed as one of its own DNS servers (in its resolv.conf), so when there is any OS or application update it may be used. The name suggests this might cause problems, but that is an assumption without knowing what it does.

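The nslookup list above is the right idea: ask each resolver the router hands out and see which one gives a different answer. The script below is an added example, not part of the thread, that does the same comparison programmatically by sending a raw UDP A query to each resolver (so the OS stub resolver and browser are out of the picture) and classifying the reply as blocked (NXDOMAIN, 0.0.0.0, or a private address such as a sinkhole's own IP) or resolved. The resolver addresses are the four from the posts above; the LAN ranges and the "blocked" heuristics are assumptions for illustration, and build_response only exists to construct sample replies for offline testing.

```python
import ipaddress
import random
import socket
import struct
import sys

# Resolvers from the thread: the Pi-hole, the "blackhole" host, OpenDNS, Cloudflare.
RESOLVERS = {
    "Pi-hole": "192.168.15.12",
    "blackhole": "192.168.15.15",
    "OpenDNS": "208.67.220.220",
    "Cloudflare": "1.1.1.1",
}

# Assumption: an answer inside these ranges means a filtering resolver pointed the
# name at itself or at a local sinkhole rather than at the real site.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Recursive A query: header with RD=1, one question, no records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(txid: int, name: str, rcode: int, addrs) -> bytes:
    """Constructed reply for offline tests; mirrors the layout a resolver sends."""
    flags = 0x8180 | (rcode & 0xF)                      # QR=1, RD=1, RA=1, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + body


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return off + 2
        off += length + 1


def parse_response(data: bytes) -> dict:
    """Extract transaction id, RCODE and every A-record address from a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4   # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "addresses": addrs}


def classify(result: dict) -> str:
    """Turn a parsed answer into the verdict that matters here: blocked or not."""
    if result["rcode"] == 3:
        return "blocked (NXDOMAIN)"
    if result["rcode"] != 0:
        return "error (rcode %d)" % result["rcode"]
    addrs = result["addresses"]
    if not addrs:
        return "no A records"
    if all(a == "0.0.0.0" for a in addrs):
        return "blocked (null IP)"          # Pi-hole's default NULL blocking mode
    if all(any(ipaddress.ip_address(a) in n for n in LAN_NETS) for a in addrs):
        return "blocked (private address)"  # e.g. a sinkhole answering with its own IP
    return "resolved: " + ", ".join(addrs)


def query(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query straight to `resolver`, bypassing the OS stub resolver."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    if result["txid"] != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return result


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "protonvpn.com"
    for label, ip in RESOLVERS.items():
        try:
            print("%-10s %-16s %s" % (label, ip, classify(query(ip, domain))))
        except (socket.timeout, OSError, ValueError) as exc:
            print("%-10s %-16s unreachable (%s)" % (label, ip, exc))
```

Run it as `python3 compare_resolvers.py protonvpn.com`; a resolver that answers NXDOMAIN or 0.0.0.0 while the others return public addresses is the one doing the blocking, which is the same conclusion the manual nslookup comparison leads to. Because the query goes directly over UDP port 53, a client whose traffic is tunnelled through a VPN may still have its DNS redirected, as the post notes.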
The computer I am using has a static IP. I made sure to change the DNS primary from my Pi-hole to Cloudflare, 1.1.1.1. I confirm the computer is resolving to 1.1.1.1 by running resolvectl from command line.

Your browser's message does not seem related to Pi-hole:
As chrislph has pointed out, the browser already talked to protonvpn.com, i.e. it has successfully resolved that domain and even retrieved that site's SSL certificate. When checking that, the browser concludes that there's something wrong with the certificate, rejecting access with NET::ERR_CERT_AUTHORITY_INVALID.

However, your Pi-hole's Query Log also shows that protonvpn.com has been blocked externally, i.e. by one of Pi-hole's upstream resolvers.

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_DNS_1=208.67.222.222
    PIHOLE_DNS_2=208.67.220.220

In that case, your browser would have resolved protonvpn.com through one of the additional DNS servers that your router is offering (as already mentioned by chrislph).

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 318 bytes from eno1:192.168.15.1
     Offered IP address: 192.168.15.120
     DHCP options:
      Message type: DHCPOFFER (2)
      dns-server: 192.168.15.12
      dns-server: 192.168.15.15
      dns-server: 208.67.220.220
      dns-server: 1.1.1.1
      router: 192.168.15.1
      --- end of options ---

In any case, both of those observations may be temporary only.

Certificates need to be renewed every now and then, and you could have been lucky enough to try accessing that site at the very time that was happening, or maybe the CA was compromised and it took protonvpn.com a while to switch to a new one.
And the OpenDNS servers you are using as Pi-hole's upstream could have been incorrectly blocking that domain for a while (they don't block it currently).
Or, if you were using an OpenDNS paid subscription for configurable DNS filtering, your currently configured filters may have included that domain.

After you have sorted your local DNS servers:
Are you still having issues accessing that site?
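The debug log's DHCP discovery section is the quickest place to see whether clients can bypass Pi-hole. The following is an added example, not from the thread or the Pi-hole project, that parses that section and reports every dns-server a client could be handed that is not the Pi-hole, and any DHCP server whose offer omits the Pi-hole entirely. The sample text is constructed to match the quoted debug output (addresses copied from it); the regular expressions are assumptions about that output's layout, and the parser goes slightly beyond the single offer shown by handling several DHCP servers answering at once, which is what a rogue DHCP server on the LAN would look like.

```python
import re
import sys

# Constructed sample, modelled on the "Discovering active DHCP servers" section of
# the Pi-hole debug log quoted in the thread (addresses copied from there).
SAMPLE_DEBUG = """\
*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers

   * Received 318 bytes from eno1:192.168.15.1
     Offered IP address: 192.168.15.120
     DHCP options:
      Message type: DHCPOFFER (2)
      dns-server: 192.168.15.12
      dns-server: 192.168.15.15
      dns-server: 208.67.220.220
      dns-server: 1.1.1.1
      router: 192.168.15.1
      --- end of options ---
"""

# Assumed layout: one "* Received ... from <iface>:<server>" header per offer,
# followed by "<option>: <value>" lines until "--- end of options ---".
OFFER_RE = re.compile(r"^\s*\* Received \d+ bytes from (?P<iface>\S+?):(?P<server>\S+)")
OPTION_RE = re.compile(r"^\s*(?P<key>[\w-]+): (?P<value>.+?)\s*$")


def parse_dhcp_offers(text: str) -> list:
    """Split the debug section into one dict per DHCP server that answered."""
    offers = []
    current = None
    for line in text.splitlines():
        m = OFFER_RE.match(line)
        if m:
            current = {"interface": m.group("iface"), "server": m.group("server"),
                       "dns": [], "router": None}
            offers.append(current)
            continue
        if current is None:
            continue
        if "--- end of options ---" in line:
            current = None
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue                      # e.g. "Offered IP address:", "Message type:"
        key, value = m.group("key"), m.group("value")
        if key == "dns-server":
            current["dns"].append(value)
        elif key == "router":
            current["router"] = value
    return offers


def dns_findings(text: str, pihole_ip: str) -> dict:
    """List DNS servers clients could use to bypass the Pi-hole, and DHCP servers
    whose offer does not include the Pi-hole at all."""
    findings = {"dhcp_servers": [], "bypass_servers": [], "offers_without_pihole": []}
    for offer in parse_dhcp_offers(text):
        findings["dhcp_servers"].append(offer["server"])
        if pihole_ip not in offer["dns"]:
            findings["offers_without_pihole"].append(offer["server"])
        for ip in offer["dns"]:
            if ip != pihole_ip and ip not in findings["bypass_servers"]:
                findings["bypass_servers"].append(ip)
    return findings


if __name__ == "__main__":
    # Usage: python3 check_dhcp_dns.py <pihole-ip> [debug-log-file]; defaults to the sample.
    pihole = sys.argv[1] if len(sys.argv) > 1 else "192.168.15.12"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_DEBUG
    result = dns_findings(text, pihole)
    print("DHCP servers seen:        ", ", ".join(result["dhcp_servers"]) or "none")
    print("DNS servers bypassing Pi-hole:", ", ".join(result["bypass_servers"]) or "none")
    print("Offers without the Pi-hole:   ", ", ".join(result["offers_without_pihole"]) or "none")
```

On the quoted output this reports three bypass servers (.15, OpenDNS and Cloudflare), which is exactly why a client can end up resolving protonvpn.com somewhere other than the Pi-hole; the fix is in the router's DHCP settings, not in Pi-hole's whitelist.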

Yeah. My bad. I forgot I had put OpenDNS in the DNS Settings of my Pi-hole.
I've since changed from OpenDNS to Cloudflare and protonvpn.com site is now accessible without issues.
