Group management not working

Updated to latest version.
Pi-hole version is v5.5 (Latest: v5.5)
AdminLTE version is v5.7 (Latest: v5.7)
FTL version is v5.10.2 (Latest: v5.10.2)

Lately I suspected Pihole is not blocking anymore.
Followed Example 4 from the docs.
Flushed caches AFAIK.

On the whitelist:
(.|^)facebook$
star-mini.c10r.facebook.com

These domains are only member of 'Socials' group
Client not member of 'Socials' group.
Client is member of 'Default' group.

Expected Behaviour:

Block domain when domain only member of added group and client not member of that group.

Actual Behaviour:

domain is resolved.

Debug Token:

https://tricorder.pi-hole.net/NgzkXpR7

Pi-hole blocks a domain as long as it is contained in at least one of the blocklists that are configured for a client and that domain is not whitelisted for that client.

So a Default group client will only block matching domains if they are contained in one of the Default group blocklists.

But I rather suspect your issue to be related to your facebook RegEx, as that would match anything that ends in facebook, but not e.g. graph.facebook.com or connect.facebook.net, and also not facebook.com-y.ru (which you probably want to stay blocked?).

You should adjust your RegEx to match your requirements.

Online tools like regex101.com are useful in designing RegEx filters, and Pi-hole's Regex Test mode may also help in assessing your RegEx filters.

Now I got:
(.|^)facebook.com$
(.|^)facebook.net$
star-mini.c10r.facebook.com
on whitelist.

all only in 'Socials' group.
Client not in that group.
Regex test shows match on whitelist.

Why is FB still not blocked? I followed example 4 in docs.

Run from the client you expect to have those domains blocked, what is the output of:

nslookup flurry.com
nslookup connect.facebook.net

Both 0.0.0.0
Query log on pihole: Blocked (gravity)

That is not the complete output, but it already shows that Pi-hole is blocking those domains.

What made you suspect that wouldn't be the case?

facebook.com
Querylog on Pihole: OK answered by localhost#5335

Browser shows FB login page.

The difference I see is connect.facebook.net is in gravity and the others are on whitelist but should be blocked because of the settings in Goup Management.

I repeat: Your nslookup results clearly indicate that Pi-hole is correctly blocking domains as expected.

Some software on your client may bypass Pi-hole.
Most likely, your browser would do so via DNS-over-HTTPS (DoH).
Verify that DoH is disabled in your browsers.

Yes it is.
All the domains typed in the browser are listed in the query log so the Pihole is used.
My current setup of Pihole still allows me to visit FB.
(FB is just an example for my question)

Please provide a fresh debug token.

Also, could you provide an nslookup result for a domain that you expect to be blocked from your client, but observe to be accessible via your client's browser, along with the respective lines from /var/log/pihole.log?

Please share the complete nslookup, including the exact command.

https://tricorder.pi-hole.net/lrRvGOka/

pihole-fb.txt (1.7 KB)

nslookup facebook.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
www.facebook.com	canonical name = star-mini.c10r.facebook.com.
Name:	star-mini.c10r.facebook.com
Address: 31.13.64.35
Name:	star-mini.c10r.facebook.com
Address: 2a03:2880:f106:83:face:b00c:0:25de
sudo resolvectl status
Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
  Current DNS Server: 192.pi.ho.le        
         DNS Servers: 192.pi.ho.le
.....
Link 3 (wlp3s0) <---- wifi card
      Current Scopes: DNS         
DefaultRoute setting: yes         
       LLMNR setting: yes         
MulticastDNS setting: no          
  DNSOverTLS setting: no          
      DNSSEC setting: no          
    DNSSEC supported: no          
  Current DNS Server: 192.pi.ho.le
         DNS Servers: 192.pi.ho.le

Your pihole-fb.txt file doesn't include an entry that would match your nslookup of facebook.com.
Maybe you ran nslookup www.facebook.com instead?

I also note that you've obfuscated origin IP addresses in that file.
Doing so will prevent me from assessing whether DNS requests are processed correctly.
There is no harm in sharing private range IP addresses - they are not publically accessible.

Your client doesn't use Pi-hole for DNS, but rather a local stub resolver at 127.0.0.53.
While this seems to use Pi-hole as its sole upstream (provided that stub resolver is the one that is configured via resolvectl), it may also cache results, e.g. if the client in question very recently had access to other networks as well. This may affect filtering until the respective record is removed from your stub resolver's cache (usually after a DNS record's TTL has expired).

pihole-fb2.txt (1.3 KB)

Oops.

nslookup facebook.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	facebook.com
Address: 31.13.64.35
Name:	facebook.com
Address: 2a03:2880:f106:83:face:b00c:0:25de

Changed /etc/resolv.conf manually to 192.168.3.56

nslookup facebook.com
Server:		192.168.3.56
Address:	192.168.3.56#53

Non-authoritative answer:
Name:	facebook.com
Address: 31.13.64.35
Name:	facebook.com
Address: 2a03:2880:f106:83:face:b00c:0:25de

Your client (.102) issuing the nslookup for facebook.com is associated with groups 0,5,6 and 8.

Your whitelist regex entries for facebook are only associated with group 4.

All of your blocklists are associated with the default group (group 0) exclusively.

As far as I can tell, none of those blocklists contains facebook.com or www.facebook.com.
(You should be able to verify this, e.g. by executing pihole -q facebook.com -exact -all).

So your observation is expected, as explained before:

Then I don't understand the concept or missing something obvious.

Only access fb if client is member of group 'fb'.
Example 4 is, I think, what I want to do.

Last sentence:
'Client 2 got the whitelist entry explicitly assigned to. Accordingly, client 2 does not get the domain blocked whereas all remaining clients still see this domain as blocked.'
The table above states blocked 'Client 2 Blocked Yes'??

Can you please tell me how I block fb by default for all clients except when a client is member of group 'fb'?
Thanks.

Whitelisting allows to suspend certain given blocklist entries. It doesn't block anything by itself.

Any domain you expect to be blocked has to appear on at least one of the blocklists you are using (or be manually added to blocked domains by you).

So either pick a blocklist that contains the domains you expect to be blocked, or add the domains to your blacklist.

When I put FB on the blacklist it is blocked for all clients. That's a good step 1.
How can I set it up for group 'FB' so that FB is not blocked?