Domain blocking does not block

The issue I am facing:
I am trying to configure pihole to block a domain. pihole will accept the domain as entered but when I open a firefox private browser and navigate to that domain the web page loads without issue. I have tried multiple domains and get the same result. I read that a private browser is best to test since the domain should not be cached by the browser and will immediately be updated. I tried flushing the dns record from a command line (ipconfig /flushdns) but it did not change anything so I believe this is a pihole settings issue.

If I add the domain as an exact blacklist it does show up in the list but it still allows the browser to load the page.

I am testing pihole with a near stock installation. The only thing I changed was to add 2 more block lists and a single arbitrary domain. My ultimate goal is to run pihole on my Synology NAS through a docker container but I am testing a more standard setup until I understand how things need to be configured.

Details about my system:
New installation on RPi1B
Pi-hole version is v5.17.3 (Latest: v5.17.3)
web version is v5.21 (Latest: v5.21)
FTL version is v5.25 (Latest: v5.25)
Testing a single Win10 laptop configured to use pihole via manual IP settings

What I have changed since installing Pi-hole:
Added 2 add lists from firebog.net repository
Added 1 domain to test blocking

This may be a Firefox setting where it is using DNS over HTTPS. You can check for this in the Privacy and Security section of FF settings (near the bottom of the page). It should be turned off.

You can also test this by opening a terminal on the machine in question, running dig mediamonkey.com and noting the result. If it comes back as 0.0.0.0 then the Pi is working and your browser is the offender.

When you access mediamonkey.com, do you see the domain on the Query Log?

  • If you do, what is the query status? Is it allowed?
  • If not, Pi-hole is not being used. Your browser (or your PC) is using a different DNS server.

I didn't see it blocked or even listed but I could be looking in the wrong spot. I'll try the suggestions of checking browser settings.

Firefox did have "Enable DNS over HTTPS using:" set to "Increased Protection". I disabled it and tried again but it still went through. I ran dig and it seems as though pihole is not blocking.


; <<>> DiG 9.16.48-Raspbian <<>> mediamonkey.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19881
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3b63f84f84b3561fd2619bf065ce8d2bc816cb1790f00caf (good)
;; QUESTION SECTION:
;mediamonkey.com.               IN      A

;; ANSWER SECTION:
mediamonkey.com.        600     IN      A       54.39.221.200

;; Query time: 80 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Feb 15 14:16:11 PST 2024
;; MSG SIZE  rcvd: 88

I see other things that are being blocked on the list so I'm assuming the laptop is pointing to the pihole server correctly. This is what showed up in the query log.

Looking at your dig output, the server is listed as 192.168.0.1; that is your router. Did you set the pihole to be the DNS server in the router?

I did notice that in the dig output but didn't know what was typical. I did not want to touch the router until I had all working. So no, at this point the only thing I have changed is the laptop DNS server setting.


I am using a wireless connection but could switch to wired if it mattered. I can make the change on the router if that would be a more representative setup. I only didn't do that because other people are using the connection for their jobs and if I mess it up, even for a short time, I will hear about it for a long time.

There may be something with the interface config? I noticed that those entries that showed as blocked were all IPv6 queries (AAAA records, not A). That's a small list so maybe nothing.

If you do the dig command again but specify the pihole does it block it?

dig @192.168.0.201 mediamonkey.com

pi@raspberrypi:/etc/pihole $ dig @192.168.0.201 mediamonkey.com

; <<>> DiG 9.16.48-Raspbian <<>> @192.168.0.201 mediamonkey.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mediamonkey.com.               IN      A

;; ANSWER SECTION:
mediamonkey.com.        2       IN      A       0.0.0.0

;; Query time: 39 msec
;; SERVER: 192.168.0.201#53(192.168.0.201)
;; WHEN: Thu Feb 15 14:59:07 PST 2024
;; MSG SIZE  rcvd: 60

I just tried navigating to the web site and it is now blocked. Is there a really long time delay typically? I read in one of the documents here that I need to run the following after every change, but when I tried that earlier it didn't make any difference so I haven't been trying.

pihole restartdns reload-lists

Something with the static config maybe.

You can test IPv4 and IPv6 by doing a dig -4 mediamonkey.com or dig -6 mediamonkey.com and see if they are different.

Also, when you made the static changes did you disconnect and reconnect?

It shouldn't be a long delay. If you're using just standard pihole settings it should be pretty quick.


; <<>> DiG 9.16.48-Raspbian <<>> -4 mediamonkey.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7673
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: dd69b48b251a268eceab2bd565ce9c5a727a544f5267d70d (good)
;; QUESTION SECTION:
;mediamonkey.com.               IN      A

;; ANSWER SECTION:
mediamonkey.com.        600     IN      A       54.39.221.200

;; Query time: 39 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Feb 15 15:20:58 PST 2024
;; MSG SIZE  rcvd: 88

; <<>> DiG 9.16.48-Raspbian <<>> -6 mediamonkey.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63916
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mediamonkey.com.               IN      A

;; ANSWER SECTION:
mediamonkey.com.        2       IN      A       0.0.0.0

;; Query time: 39 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Feb 15 15:21:31 PST 2024
;; MSG SIZE  rcvd: 60

Looks like IPv4 returns 54.39.221.200 and IPv6 returns 0.0.0.0. I don't see any other differences other than the cookie line whatever that means.

I disconnected and then reconnected and it didn't make any changes to the IP settings.

When you look at the server info for both (below the answer section), note that the IPv4 query used the DNS on your router (192.168.0.1) while IPv6 used ::1 (localhost).

There is something not correct about the interface config for IPv4 on that machine. For whatever reason it is not using your manual settings. Is that a Windows machine or something else?
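A small parser for the dig output being compared in this thread, added here as an example and not code from the thread or from Pi-hole: it extracts which server answered and whether the answer is Pi-hole's 0.0.0.0 block, so a client can be checked without reading the output by eye. The Pi-hole address 192.168.0.201 comes from the thread; the sample outputs are constructed, abbreviated copies of the ones posted above.

```shell
# classify_dig_output OUTPUT EXPECTED_SERVER
# Reads dig output (as text) and prints one of:
#   blocked-by-pihole     answer came from EXPECTED_SERVER and is 0.0.0.0 / ::
#   resolved-by-pihole    answer came from EXPECTED_SERVER with a real address
#   bypassed-pihole:<ip>  another resolver answered (client is not using Pi-hole)
#   no-answer             no ";; SERVER:" line found
classify_dig_output() {
    printf '%s\n' "$1" | awk -v expect="$2" '
        /^;; SERVER:/         { split($3, s, "#"); server = s[1] }
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        in_ans && NF == 0     { in_ans = 0 }
        in_ans && ($4 == "A" || $4 == "AAAA") { ans = $5 }
        END {
            if (server == "")     { print "no-answer"; exit }
            if (server != expect) { print "bypassed-pihole:" server; exit }
            if (ans == "0.0.0.0" || ans == "::") print "blocked-by-pihole"
            else                                  print "resolved-by-pihole"
        }'
}

# check_domain DOMAIN [PIHOLE_IP]: run dig on the live system and classify it.
# Not invoked here; it needs network access and the dig binary.
check_domain() {
    classify_dig_output "$(dig "$1")" "${2:-192.168.0.201}"
}

# Constructed samples, abbreviated from the outputs posted in this thread.
SAMPLE_VIA_ROUTER=';; QUESTION SECTION:
;mediamonkey.com.               IN      A

;; ANSWER SECTION:
mediamonkey.com.        600     IN      A       54.39.221.200

;; SERVER: 192.168.0.1#53(192.168.0.1)'

SAMPLE_VIA_PIHOLE=';; QUESTION SECTION:
;mediamonkey.com.               IN      A

;; ANSWER SECTION:
mediamonkey.com.        2       IN      A       0.0.0.0

;; SERVER: 192.168.0.201#53(192.168.0.201)'

classify_dig_output "$SAMPLE_VIA_ROUTER" 192.168.0.201   # bypassed-pihole:192.168.0.1
classify_dig_output "$SAMPLE_VIA_PIHOLE" 192.168.0.201   # blocked-by-pihole
```

The first sample reproduces the thread's symptom: the answer is a real address because the router, not the Pi-hole, answered, which is the case to look for before blaming the blocklists.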

The machine I have been testing on is a Win10 machine. I just tried changing the settings in pihole so this one machine would be on a group named "test" and made default unfiltered so I could set the router to use the pihole. I now have the router set such that the DNS should go to the pihole machine.


I set the laptop back to automatic DHCP. The DNS server in ipconfig is pointing to 192.168.0.1 (the router) which should presumably redirect to 192.168.0.201.

After these changes, the log shows the new traffic from R7800 (the router) but it's letting it through. I'm not trying to change too much at once but it seemed you were suggesting the laptop might be the issue so going to the router (the final goal) seemed appropriate.

In case it helps, this is the full section from DD-WRT

Ideally, when the client gets its lease from the router it will tell it the DNS server to use, as opposed to sending the request to the router and then back to the Pi-hole. That is why you see the traffic from the router.

I'm not familiar with DD-WRT so I could be off here, but I believe that "use DNSMasq for DNS" should not be ticked? You may also want to populate local DNS as the Pi's address? Again, not familiar with it.

I did some general searches in the forum and there are a few previous posts on setting up pihole with dd-wrt that may help as well.

I'll give that a try. I was wondering if the pihole IP should be in static section below or in local DNS above.

It's in the DHCP section so I would think it's ok.

Not sure if this link will help but it might. It runs through DD-WRT but it's also a little dated.

I disabled dnsmasq and moved the pihole to local DNS. It didn't initially make any difference. However, after a few minutes more of tinkering (no changes though), domains were blocking. I added netflix.com to the list and it blocked immediately. I disabled and tried and it went through immediately. I don't understand why but it's now working as I expected (I think). I'll monitor this for a bit longer to confirm functionality.

I intend to run pihole through a Docker container on my Synology NAS in the end. Are there any users here that would be familiar with that setup? Now that PiHole is working on the RPI I may be able to migrate to the docker setup on the RPi and then hopefully to the Synology.

I'm sure there are. A lot of people use Docker etc. My home network is dirt simple. One day I may give Docker a shot just to get familiar with it.