Facebook is not blocked anymore

Hi there,

My pihole is not blocking some pages anymore. One is facebook.com.
What I changed: I replaced my Unifi USG with a UDM.

My setup: Unifi UDM is doing DHCP and hands out two DNS servers, which are two independent piholes.
Both are running and using unbound.
When I go to tools/network, all green.

Now I'm entering facebook.com on my Mac and the page is loading (same on iPhone).
When I do an nslookup on facebook.com, I get no IP, just 0.0.0.0.
When I ping facebook.com, I unfortunately get the correct IP back.

What's wrong?

Your macOS and iOS devices may not be using Pi-hole for DNS.

From the Mac terminal (and not via ssh to the Pi), what is the output of the following:

nslookup facebook.com

scutil --dns | grep nameserver

As said, nslookup is returning no IP for facebook, so that's fine.
And for sure, all my devices are using only the pihole DNS servers.

Humor me please, and provide the outputs I requested.

nslookup facebook.com
Server: 192.168.0.2
Address: 192.168.0.2#53

Name: facebook.com
Address: 0.0.0.0

scutil --dns | grep nameserver
  nameserver[0] : 192.168.0.2
  nameserver[1] : 192.168.0.3
  nameserver[0] : 192.168.0.2
  nameserver[1] : 192.168.0.3

192.168.0.2 and .3 are my piholes. As said, all good from the DNS config.

ping facebook.com
PING facebook.com (185.60.216.35): 56 data bytes
64 bytes from 185.60.216.35: icmp_seq=0 ttl=57 time=14.336 ms
64 bytes from 185.60.216.35: icmp_seq=1 ttl=57 time=14.147 ms
64 bytes from 185.60.216.35: icmp_seq=2 ttl=57 time=13.378 ms
^C
--- facebook.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.378/13.954/14.336/0.414 ms

Run that ping again while you tail the Pi-hole log (pihole -t is the command from the Pi terminal) and see if the query arrives at Pi-hole.

Are you running iCloud Private relay on the devices?

Are you using any browsers that may have private or secure DNS enabled (typically Firefox or Chrome)?

Please generate a debug log from Pi-hole at IP 02, upload that log when prompted and post the token URL here.

This is the solution. When iCloud Private Relay is on, pihole is not working correctly.

Now the big question: how to use both? Or is it not possible at all?

It's one or the other. If iCloud Private Relay is enabled, the client browser (Safari) uses an Apple-provided DNS and does not use Pi-hole.

Of interest, Pi-hole should be blocking iCloud PR by default.

Please provide the debug token so I can look at your particulars.

https://tricorder.pi-hole.net/R8V7edMI/

Pi-hole is working correctly, as you have shown with the 0.0.0.0 response for a blocked domain. ICR bypasses Pi-hole completely.

Tried BLOCK_ICLOUD_PR=true, but it's not working, so I need to turn off ICR at home.

Please run a quick check for me. From the client that is having Facebook issues, and from the terminal or command prompt on that client (and not via ssh to the Pi), what is the output of the following:

nslookup mask.icloud.com

The answer should come back as NXDOMAIN, since that is how Apple checks the DNS resolver to see if PR can be run.

In the query log, you should see the domain blocked as a special domain:

nslookup mask.icloud.com
Server:		192.168.0.2
Address:	192.168.0.2#53

** server can't find mask.icloud.com: NXDOMAIN
