How are some websites able to bypass Pi Hole?

I'm talking particularly about this one website: https://irctc.co.in. They're doing some weird thing and are able to load Google ads even with Pi-hole enabled.

The website is more of a JavaScript application, and they're somehow able to resolve Google ads properly despite Pi-hole being enabled and used on devices. Ads on other websites do block just fine for now, but this is enough of an alarm.
Example Screenshots:

Ad blocking is a cat and mouse game. Some sites are resolving the ads server-side and sending the results as part of their domain. In these cases Pi-hole is ineffective, since it's only doing client-side ad blocking based on the URLs presented by the website.

I have even seen one site use the obvious http://sitedomain.com/advert to share their ads.

But in my case, sites are resolved from the googleadservices.com domain or doubleclicks.net, which are both owned by Google AdSense (or DFP).

I loaded that website using Google Chrome (latest) and Pi-Hole, and did not see the ads. I would use the tools in this thread to help you determine where the ads are coming from:

DNSThingy shows the following domains requested at that site:

irctc.co.in
www.irctc.co.in
assistant.corover.mobi
www.googletagmanager.com
fonts.gstatic.com
s3.ap-south-1.amazonaws.com
ajax.googleapis.com
maxcdn.bootstrapcdn.com
cdnjs.cloudflare.com
www.googletagservices.com
cdn.jsdelivr.net


It may not be the case here, but I believe Firefox (unless told not to do so) uses its own trusted recursive resolver, which effectively bypasses Pi-hole. I have my network.trr.mode now set to 5.


That can be the case, I guess. I had updated my network.trr.mode setting as advised by Cloudflare DNS to enable DNS over HTTPS. I'll give it a shot with 5 to see if that makes a difference.

UPDATE: Thanks for the tip @tomporter518. That just did the trick, and ads are blocked not just on the site I mentioned but on a few other sites as well. Thanks again.

I think a saner solution would be to run the DoH client locally:
https://docs.pi-hole.net/guides/dns-over-https/
Then change the Firefox network.trr.uri to http://127.0.0.1:5053, but I wonder if that'll work, since the first requirement of DoH is HTTPS and I'll be adding a local HTTP URI.

This will not work. You can run the DoH client locally on your Pi, as you note, but the only device using that DoH address will be the Pi-Hole. All the network clients query Pi-Hole, which in turn queries your DoH resolver and returns the answer to the client.

If you try to have Firefox query the DoH resolver directly, this bypasses Pi-Hole and you'll be seeing ads again.

Additionally, the 127.0.0.1 IP address is the internal loopback address on the Pi, and is not visible to your Firefox browser.

Correct setup: client > Pi-Hole > DoH server > Pi-Hole > client

Incorrect setup: client > DoH server > client.


So that essentially means we should set the Firefox network.trr.mode to 5 and call it a day?

Since ad blocking is superior to DoH I'm okay with that.

Yes.

If you set up Cloudflared as your upstream DNS service for Pi-Hole per the link you referenced, you will have both DoH and ad-blocking.

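The thread's fix is to set network.trr.mode to 5 on every Firefox profile in the house, and the follow-up question about pointing network.trr.uri at an http://127.0.0.1 listener is exactly the kind of mistake that is hard to spot by eye. The script below is an added example, not code from the original thread or from the Pi-hole project: it parses the user_pref(...) lines from a Firefox prefs.js or user.js file and reports whether that profile will resolve names through DoH and so bypass a Pi-hole on the LAN. The mode meanings are Mozilla's documented TRR modes (0 default, 1 race, 2 DoH first, 3 DoH only, 4 shadow, 5 off by user choice); the three sample prefs files are constructed here to mirror the three configurations discussed in the thread (the original Cloudflare DoH setup, the mode 5 fix, and the proposed http:// local URI), and the function names are my own.

```python
import re

# Firefox TRR (DNS over HTTPS) modes as documented by Mozilla.  Mode 0 is
# "use the default", which Mozilla's DoH rollout may silently turn into
# mode 2; mode 5 is an explicit opt-out and is what the thread recommends.
TRR_MODES = {
    0: "default (may be auto-enabled by Mozilla's DoH rollout)",
    1: "race native resolver and DoH, use the first answer",
    2: "DoH first, fall back to the native (OS) resolver",
    3: "DoH only, no native fallback",
    4: "shadow mode (native answers used, DoH queried for timing)",
    5: "off by user choice (native resolver only)",
}

# In these modes Firefox can answer a lookup without ever asking the OS
# resolver, so a LAN Pi-hole never sees the query.
BYPASS_MODES = {1, 2, 3}

# user_pref("name", value);  -- one per line in prefs.js / user.js
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js-style text.

    Strings are unquoted, true/false become bools, integers become int;
    anything else is kept as the raw token.  Comment and blank lines skip.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def assess_trr(prefs):
    """Classify a profile's DoH settings with respect to a LAN Pi-hole."""
    mode = prefs.get("network.trr.mode", 0)
    uri = prefs.get("network.trr.uri", "")
    findings = []
    if mode in BYPASS_MODES:
        findings.append(
            f"network.trr.mode={mode} ({TRR_MODES[mode]}): Firefox resolves "
            f"via DoH at {uri or '<built-in default>'} and bypasses Pi-hole"
        )
    elif mode == 0:
        findings.append(
            "network.trr.mode=0: not opted out; Mozilla's rollout may enable "
            "DoH later, set 5 to pin the OS resolver"
        )
    # RFC 8484 DoH endpoints are HTTPS; a plain http:// URI is not a DoH
    # endpoint, so the "local cloudflared on http://127.0.0.1" idea fails.
    if uri and not uri.startswith("https://"):
        findings.append(
            f"network.trr.uri={uri!r} is not https://; DoH requires an HTTPS "
            "endpoint (RFC 8484), so this URI cannot be used for DoH"
        )
    return {
        "mode": mode,
        "uri": uri,
        "bypasses_pihole": mode in BYPASS_MODES,
        "findings": findings,
    }


# Constructed sample profiles (not real captures) matching the thread.
SAMPLE_DOH_ON = '''\
// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
SAMPLE_FIXED = '''\
user_pref("network.trr.mode", 5);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
SAMPLE_LOCAL_HTTP = '''\
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "http://127.0.0.1:5053");
'''

if __name__ == "__main__":
    for label, text in [("doh-on", SAMPLE_DOH_ON), ("fixed", SAMPLE_FIXED),
                        ("local-http", SAMPLE_LOCAL_HTTP)]:
        report = assess_trr(parse_prefs(text))
        print(f"[{label}] bypasses Pi-hole: {report['bypasses_pihole']}")
        for f in report["findings"]:
            print("   -", f)
```

To audit a real machine, feed it the contents of prefs.js from the profile directory (about:profiles shows the path); prefs not present in the file are at Firefox's built-in default, which is why a missing network.trr.mode is reported as mode 0 rather than as "safe".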

This setup didn't get me all green checks here

(I know, it isn't possible to get encrypted SNI with pihole but it also doesn't give green check for the Secure DNS thing)

What green checks are lacking?

I would go to the Cloudflare site and see if there is additional information for checking your DoH configuration and any support on this topic.
