Getting only untrusted SSL cert when on my local network - could it be related to the pihole?

tenaki · July 3, 2022, 1:53am

Having a problem that is only occurring on my local network that has a pihole serving DNS as the DHCP server.

SSL certs seem to be serving up stuff from Cisco Umbrella Root CA. Is it related to a badly routed DNS query?

Expected behaviour

No SSL errors when browsing to locations that are working on the same device when outside of the network.

More details

I started this question on reddit with jfb-pihole before realising that this is the more appropriate place...
https://www.reddit.com/r/pihole/comments/vq3lpr/pihole_seems_to_be_serving_up_the_cisco_umbrella/

Thank you!
some logs from /var/log/pihole.log

Jul  3 11:17:10 dnsmasq\[31665\]: query\[A\] partner.googleadservices.com from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: gravity blocked partner.googleadservices.com is 0.0.0.0  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[A\] static.ffx.io from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: forwarded static.ffx.io to 208.67.220.220  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[A\] adservice.google.com from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: gravity blocked adservice.google.com is 0.0.0.0  
Jul  3 11:17:10 dnsmasq\[31665\]: reply static.ffx.io is 146.112.61.104  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[A\] tpc.googlesyndication.com from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: gravity blocked tpc.googlesyndication.com is 0.0.0.0  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[A\] logx.optimizely.com from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: gravity blocked logx.optimizely.com is 0.0.0.0  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[A\] fonts.gstatic.com from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: forwarded fonts.gstatic.com to 208.67.220.220  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[HTTPS\] static.ffx.io from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: forwarded static.ffx.io to 208.67.220.220  
Jul  3 11:17:10 dnsmasq\[31665\]: reply fonts.gstatic.com is <CNAME>  
Jul  3 11:17:10 dnsmasq\[31665\]: reply gstaticadssl.l.google.com is 142.250.70.131  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[HTTPS\] plus.l.google.com from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: forwarded plus.l.google.com to 208.67.220.220  
Jul  3 11:17:10 dnsmasq\[31665\]: reply static.ffx.io is NODATA  
Jul  3 11:17:10 dnsmasq\[31665\]: query\[HTTPS\] prodlb.siteintercept.qualtrics.com.cdn.cloudflare.net from 192.168.10.124  
Jul  3 11:17:10 dnsmasq\[31665\]: forwarded prodlb.siteintercept.qualtrics.com.cdn.cloudflare.net to 208.67.220.220  
Jul  3 11:17:10 dnsmasq\[31665\]: reply plus.l.google.com is NODATA

For this URL:
https://static.ffx.io/images/$width\_40%2C$height\_40/t\_crop\_fill/q\_86%2Cf\_auto/33b115b0e5c54a35a46ba56fdf27341474bb1632

https://imgur.com/038LAQx

And when I do an nslookup...

(base) ➜  ~ nslookup static.ffx.io
Server:		192.168.10.222
Address:	192.168.10.222#53

Non-authoritative answer:
Name:	static.ffx.io
Address: 146.112.61.104

And the corresponding cert
https://imgur.com/YInpi2R

And an actual extract of the cert using the following:
openssl s\_client -showcerts -servername static.ffx.io -connect static.ffx.io:443 > static.ffx.io-cert-extract.txt

CONNECTED(00000005)  
\---  
Certificate chain  
 0 s:C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = static.ffx.io  
   i:O = Cisco, CN = Cisco Umbrella Secondary SubCA syd-SG  
\-----BEGIN CERTIFICATE-----  
MIIDRDCCAiygAwIBAgIEYsDxTDANBgkqhkiG9w0BAQsFADBAMQ4wDAYDVQQKDAVD  
aXNjbzEuMCwGA1UEAwwlQ2lzY28gVW1icmVsbGEgU2Vjb25kYXJ5IFN1YkNBIHN5  
ZC1TRzAeFw0yMjA3MDEwMTI4MTdaFw0yMjA3MDYwMTI4MTdaMGoxCzAJBgNVBAYT  
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv  
MRYwFAYDVQQKDA1PcGVuRE5TLCBJbmMuMRYwFAYDVQQDDA1zdGF0aWMuZmZ4Lmlv  
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOVHeRXmFBwxRBEzFnWi  
1v2dOB1rkFtGs35EAVJ6yjxjYvGdN8P6eNHTRpXwKhTcIg6tK2tvV3pwiJ5wPjaC  
tmrbf9LxmEl6P7UcGfLtA4XjZogV1GTFgJKsMUdetvR8vD6Wk3DHr9V5KXRHeSz1  
ytoClPJ0+Ts8+wqRoIlTLLNtLDnwrN0mrt3Sm89HeWMDSaLd82Vqlgxi+SOuYgg3  
xOPNpOdcwPpzoC2HajNzKsO46jVRw+Y4MCJOO6YiQ5otqiM7dj/UzTtiloKowk6e  
LXpybsvkcGanqMkwm6Zn2P6AIMV7v2hSNYC2E2gn1WVrePrYNkQ7llQA4EiLfAJU  
cwIDAQABoxwwGjAYBgNVHREEETAPgg1zdGF0aWMuZmZ4LmlvMA0GCSqGSIb3DQEB  
CwUAA4IBAQAy5QOXhxkxI+tMXA+Q+RA00v94IXgwngbxUUt/5Gjjv8Xt8M+kkdAm  
9o55fjCPitIEzikYd0zflUnOI5diXE6GJM+2ws98DIA4SWOBC1wO5AnHdrbftPQ+  
iYXnkWfUjIF8oUltzDyk9Yoc+8stCFgdeiUn5s6D82eNe51aJebMF3j15HKUmggb  
vaKBhWo2kjcJD54NDVD0TFRagLDrYbX/WbD2mTSY+teflu5OjFm1NBT1VvE15zpM  
7okRWao9PEIY8KC26YiJ9dYgNoPk+o5Y9xEsbJ9UFk9yi5+HCtkQPDtdooEkWN4E  
lF7l1hLNEBayINzEXVSc0+OsRD33o6GB  
\-----END CERTIFICATE-----  
 1 s:O = Cisco, CN = Cisco Umbrella Secondary SubCA syd-SG  
   i:C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA  
\-----BEGIN CERTIFICATE-----  
MIIENjCCAx6gAwIBAgIRAK7YWmwaj01mhZg7U2xSSDEwDQYJKoZIhvcNAQELBQAw  
cTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh  
biBGcmFuY2lzY28xDjAMBgNVBAoMBUNpc2NvMSUwIwYDVQQDDBxDaXNjbyBVbWJy  
ZWxsYSBQcmltYXJ5IFN1YkNBMB4XDTIyMDcwMTAxNDQwOVoXDTIyMDcxMjAxNDQw  
OVowQDEOMAwGA1UECgwFQ2lzY28xLjAsBgNVBAMMJUNpc2NvIFVtYnJlbGxhIFNl  
Y29uZGFyeSBTdWJDQSBzeWQtU0cwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK  
AoIBAQC45Ud5FeYUHDFEETMWdaLW/Z04HWuQW0azfkQBUnrKPGNi8Z03w/p40dNG  
lfAqFNwiDq0ra29XenCInnA+NoK2att/0vGYSXo/tRwZ8u0DheNmiBXUZMWAkqwx  
R1629Hy8PpaTcMev1XkpdEd5LPXK2gKU8nT5Ozz7CpGgiVMss20sOfCs3Sau3dKb  
z0d5YwNJot3zZWqWDGL5I65iCDfE482k51zA+nOgLYdqM3Mqw7jqNVHD5jgwIk47  
piJDmi2qIzt2P9TNO2KWgqjCTp4tenJuy+RwZqeoyTCbpmfY/oAgxXu/aFI1gLYT  
aCfVZWt4+tg2RDuWVADgSIt8AlRzAgMBAAGjgfkwgfYwEgYDVR0TAQH/BAgwBgEB  
/wIBADAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFHsW2Nndq9C3pPywQF8vHpQi  
O0WAMB8GA1UdIwQYMBaAFEVf9ZtxMyWpwE48AkTPPOhGBhbEMEwGCCsGAQUFBwEB  
BEAwPjA8BggrBgEFBQcwAoYwaHR0cDovL2NybC5wcm9kLmNhZ2VuZXJhdG9yLnBr  
aS5zdHJsbi5uZXQvY2EucGVtMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwu  
cHJvZC5jYWdlbmVyYXRvci5wa2kuc3RybG4ubmV0L2NybC5wZW0wDQYJKoZIhvcN  
AQELBQADggEBAESZtTYJvPx01PMnVQ/15UzJ/vzmDz+0t78B87TqwNYxHG6PkPXY  
U8CmHHOeSiLNGtWf6D/MM1Z3DlyIJ1Y/1z6R72V9LRSqdOxFDaiN0THiB/+rZwME  
J/WC37FjzJx6lcZGTsWXmG1tD+4MHZDLBoouIGAGxZWADVHElS/jFZeNt8SZfBTd  
Lfr/tpc2iK3njDEgWSpLGj2FdL+lCzcRhV3kPYWH9uC3csFxe0PRIEKgwtwydUwp  
c9zuPzTzPytSk0io6KB8c/tMx+fLzla8OBWiXZNDLYR4XJeW+jjoLumfedguZRZV  
ZQODDc9HUQ+DxQ/H4mmtBZ9aXzmi5gI1iHY=  
\-----END CERTIFICATE-----  
 2 s:C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA  
   i:O = Cisco, CN = Cisco Umbrella Root CA  
\-----BEGIN CERTIFICATE-----  
MIIEuzCCA6OgAwIBAgIJAcQ3zFeNvKYVMA0GCSqGSIb3DQEBCwUAMDExDjAMBgNV  
BAoTBUNpc2NvMR8wHQYDVQQDExZDaXNjbyBVbWJyZWxsYSBSb290IENBMB4XDTE5  
MDUyMTE5NTMxOFoXDTI0MDUyMTE5NTMxOFowcTELMAkGA1UEBhMCVVMxEzARBgNV  
BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDjAMBgNVBAoM  
BUNpc2NvMSUwIwYDVQQDDBxDaXNjbyBVbWJyZWxsYSBQcmltYXJ5IFN1YkNBMIIB  
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuFEhA5TkN8CiGmW7XjaUbuve  
U274v0kt6hRW8UUakmbyLnkI4d/BBQrGW71LYiT2QH4UaoYuihTXjuyAlzDxJ9OQ  
Vje2NB9RdE3FcUCISeW5GrQs7vF2xFrjs2TGgG4ZXjE/8WymgFZP50nsTJYf7VqL  
1r6Brs59DAbbQ1rVvsz/DFxoE3ruFagSFcOF07/watUxFrAPV+S/kK6Nb5TqrI1j  
32hK6i49ujavDcbbb12aozwdoyPSyhs4cB0sCXFHK/yEdaE4CNXEAH8EjKUuj6O2  
QUvRtBGM480688BId0T0ws3q+hSzRiVJ+dYCr3iufmTrAMhVwc+EzGjlEfLyXwID  
AQABo4IBlDCCAZAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEw  
UgYDVR0gBEswSTBHBgorBgEEAQkVAR0AMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93  
d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9wb2xpY2llcy8wHQYDVR0OBBYEFEVf  
9ZtxMyWpwE48AkTPPOhGBhbEMEwGA1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly93d3cu  
Y2lzY28uY29tL3NlY3VyaXR5L3BraS9jcmwvY2lzY291bWJyZWxsYXJvb3QuY3Js  
MIGHBggrBgEFBQcBAQR7MHkwSQYIKwYBBQUHMAKGPWh0dHA6Ly93d3cuY2lzY28u  
Y29tL3NlY3VyaXR5L3BraS9jZXJ0cy9jaXNjb3VtYnJlbGxhcm9vdC5jZXIwLAYI  
KwYBBQUHMAGGIGh0dHA6Ly9wa2ljdnMuY2lzY28uY29tL3BraS9vY3NwMB8GA1Ud  
IwQYMBaAFENzAN4kukAaQFQsfXzVAEiJDHCkMA0GCSqGSIb3DQEBCwUAA4IBAQC6  
P7ugvpQSkNxrzY1ZM0Nd9Q3LaoTERS4ItcxMsswFPl7ID/3Vk3v3ZT6KgtCZ+Nh0  
MUgZztLATHf42ZppdSkdMf1HfCmLSWORz/eK+fZxztE63M1EGiZJoe8qFKT9z6qx  
iDD989jyjY74sYfiSo5nbhcb5meUrUO6MQvOO5pUnlhWsDiBUg+yBzyfVoLnGRlY  
2t7UZVTUz5kbBNFieTIt86yaYAumgOqriz/dCgQltFySbOkrgg/PN7cRv3IWm84C  
uKQ9prsXbXLLbl8U+bGRH119prl3zJyRnQ0D+ursCqUnIfziBdKv7yLsupGDGt+Q  
oqLzmkMPYE+WZmEi+3j5  
\-----END CERTIFICATE-----  
\---  
Server certificate  
subject=C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = static.ffx.io  
issuer=O = Cisco, CN = Cisco Umbrella Secondary SubCA syd-SG  
\---  
No client certificate CA names sent  
\---  
SSL handshake has read 3471 bytes and written 633 bytes  
Verification error: unable to get local issuer certificate  
\---  
New, TLSv1.2, Cipher is AES256-GCM-SHA384  
Server public key is 2048 bit  
Secure Renegotiation IS supported  
Compression: NONE  
Expansion: NONE  
No ALPN negotiated  
SSL-Session:  
Protocol  : TLSv1.2  
Cipher    : AES256-GCM-SHA384  
Session-ID: B6E8ED089657E46751BA6EF2F84938EFFA0CAEFE39CA8109A40EA1EA5FB74429  
Session-ID-ctx:   
Master-Key: F478CFA89D206BB44B102F54F14C179847E63AA0CAB112DD21286D8D2C2EBFC5800D97A2FCE841ECE3AA4471186E3886  
PSK identity: None  
PSK identity hint: None  
SRP username: None  
TLS session ticket lifetime hint: 300 (seconds)  
TLS session ticket:  
0000 - bb db 73 92 83 08 d3 a0-44 3e b1 a8 cc f0 ff e4   ..s.....D>......  
0010 - 61 c2 92 d7 ce d2 a0 aa-1e 4b 0c 2f 99 44 5b 44   a........K./.D\[D  
0020 - 14 7c 3c 18 87 ee 6c c3-e8 d8 25 15 cb b9 7d a5   .|<...l...%...}.  
0030 - f3 14 b1 f4 f4 40 4e cd-8c 2f 52 9d 55 b8 e9 0f   .....@N../R.U...  
0040 - 2c c0 bb f4 7c 1c 50 68-bc 18 c8 51 13 9b ec 14   ,...|.Ph...Q....  
0050 - 8a 0d 66 5d 1e 6e d3 63-9b f0 f5 97 01 56 04 8d   ..f\].n.c.....V..  
0060 - bb cb 74 3a 33 73 d7 5c-40 43 6f 20 7d 35 06 15   ..t:3s.\\@Co }5..  
0070 - 24 31 40 60 4c 93 a9 13-b6 2a 5f 27 77 cc 78 d7   $1@\`L....\*\_'w.x.  
0080 - 29 06 b3 15 1e 2f 8e 76-03 b4 e4 a6 98 dd 72 60   )..../.v......r\`  
0090 - bb 15 8c 4b 97 61 a3 21-ac 5e 20 a3 f0 4d bc 90   ...K.a.!.\^ ..M..  
00a0 - df 31 d6 e9 c7 d9 10 11-46 e9 e1 c4 49 d6 67 b6   .1......F...I.g.  
Start Time: 1656811737  
Timeout   : 7200 (sec)  
Verify return code: 20 (unable to get local issuer certificate)  
Extended master secret: no  
\---  
closed

And here's the token to the uploaded debug log: https://tricorder.pi-hole.net/3RevQ5vN/

Visiting that same link when I'm NOT on my local network (using mobile internet instead), I get a completely different certificate (COMODO) and a completely different DNS lookup

(base) ➜  ~ nslookup static.ffx.io
Server:		fe80::3408:bcff:fe3d:5464%14
Address:	fe80::3408:bcff:fe3d:5464%14#53

Non-authoritative answer:
static.ffx.io	canonical name = static-fastly-prod.ffx.io.
static-fastly-prod.ffx.io	canonical name = nine-publishing.map.fastly.net.
Name:	nine-publishing.map.fastly.net
Address: 151.101.82.133

Any suggestions please?
Thank you!

jfb · July 3, 2022, 3:11am

This is not a problem with Pi-hole. Pi-hole (through your designated upstream DNS server) is correctly resolving the domain. Once the client has the IP in hand, any subsequent connection via SSL is completely separate from Pi-hole, including any required certs.

I will note that I also see different IP's returned depending on which upstream DNS server is used.

root@nanopi:~# dig static.ffx.io

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> static.ffx.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59735
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;static.ffx.io.			IN	A

;; ANSWER SECTION:
static.ffx.io.		3600	IN	CNAME	static-fastly-prod.ffx.io.
static-fastly-prod.ffx.io. 3600	IN	CNAME	nine-publishing.map.fastly.net.
nine-publishing.map.fastly.net.	3600 IN	A	199.232.74.133

;; Query time: 375 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 02 21:49:58 CDT 2022
;; MSG SIZE  rcvd: 135

root@nanopi:~# dig static.ffx.io @208.67.220.220

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> static.ffx.io @208.67.220.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3018
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;static.ffx.io.			IN	A

;; ANSWER SECTION:
static.ffx.io.		300	IN	CNAME	static-fastly-prod.ffx.io.
static-fastly-prod.ffx.io. 300	IN	CNAME	nine-publishing.map.fastly.net.
nine-publishing.map.fastly.net.	30 IN	A	151.101.66.133
nine-publishing.map.fastly.net.	30 IN	A	151.101.130.133
nine-publishing.map.fastly.net.	30 IN	A	151.101.194.133
nine-publishing.map.fastly.net.	30 IN	A	151.101.2.133

;; Query time: 57 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Sat Jul 02 21:50:13 CDT 2022
;; MSG SIZE  rcvd: 183

The same 151 IP is returned from Quad9, Cloudflare or Google in my testing.

In your image of the certificate chain, the problem appears to lie with your umbrella root CA. That's where I would focus.

tenaki · July 3, 2022, 3:39am

That's my major concern at the moment.
When I'm NOT on my local network, then I'm not seeing that Cisco Umbrella Root CA as the root CA for various websites.. When I AM on the local network, then I am seeing it.
I've isolated it in the sense that I've turned off my wifi, and I'm still seeing the problem on my desktop that is directly plugged into my local network, so I'm thinking it isn't the wifi units.

The only thing I've yet to try, is to turn off the pihole - so that it's using whatever my ISP's defined DNS is - or to try a different modem. And I've definitely got no ideas how to not use my current modem...

Any suggestions for other things to try?

tenaki · July 3, 2022, 8:58am

Hi jfb
Your comment about the different IP addresses from the DNS lookup clued me in...
I've been using OpenDNS for my DNS servers, and that's the one giving me the bad IP address.

The OpenDNS lookup

➜  ~ dig static.ffx.io @208.67.222.222

; <<>> DiG 9.10.6 <<>> static.ffx.io @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62069
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;static.ffx.io.			IN	A

;; ANSWER SECTION:
static.ffx.io.		0	IN	A	146.112.61.104

;; Query time: 70 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Jul 03 18:53:32 AEST 2022
;; MSG SIZE  rcvd: 58

vs the 8.8.8.8 (google?)

 ➜  ~ dig static.ffx.io @8.8.8.8

; <<>> DiG 9.10.6 <<>> static.ffx.io @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58753
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;static.ffx.io.			IN	A

;; ANSWER SECTION:
static.ffx.io.		300	IN	CNAME	static-fastly-prod.ffx.io.
static-fastly-prod.ffx.io. 300	IN	CNAME	nine-publishing.map.fastly.net.
nine-publishing.map.fastly.net.	30 IN	A	151.101.2.133
nine-publishing.map.fastly.net.	30 IN	A	151.101.66.133
nine-publishing.map.fastly.net.	30 IN	A	151.101.130.133
nine-publishing.map.fastly.net.	30 IN	A	151.101.194.133

;; Query time: 105 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 03 18:54:39 AEST 2022
;; MSG SIZE  rcvd: 183

and the 1.1.1.1 (cloud flare)

➜  ~ dig static.ffx.io @1.1.1.1

; <<>> DiG 9.10.6 <<>> static.ffx.io @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20739
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;static.ffx.io.			IN	A

;; ANSWER SECTION:
static.ffx.io.		288	IN	CNAME	static-fastly-prod.ffx.io.
static-fastly-prod.ffx.io. 288	IN	CNAME	nine-publishing.map.fastly.net.
nine-publishing.map.fastly.net.	18 IN	A	151.101.2.133
nine-publishing.map.fastly.net.	18 IN	A	151.101.194.133
nine-publishing.map.fastly.net.	18 IN	A	151.101.66.133
nine-publishing.map.fastly.net.	18 IN	A	151.101.130.133

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Jul 03 18:55:36 AEST 2022
;; MSG SIZE  rcvd: 183

So the part I don't get then... Why is the OpenDNS lookup giving me a different IP address?

I've swapped my pihole's DNS server now to use Cloudflare's and things are working again.

Thank you for the help!