In-app ads are blocked if connected via VPN, not via wlan

Hi, I've set up an Orange Pi Zero Plus with OpenVPN + Pi-hole following this guide. I've skipped the "Firewall configuration" section since I'm running the board behind a firewalled router, and "Only route DNS via VPN" because I want to use the VPN as normal.
192.168.100.104 is the static internal IP of my board.
10.8.0.2 is the DHCP assigned IP address of my phone when connected to my home network via OpenVPN.
I'm 100% sure my phone uses the Pi-hole board as DNS resolver. Thanks in advance

Expected Behaviour:

In-app ads (from games riddled with ads like Helix Jump) should be blocked both if I'm connected to my network via OpenVPN and if I'm connected via local WLAN.

Actual Behaviour:

In-app ads are blocked only if I'm connected with OpenVPN. When I'm at home and connected via WLAN, in-app ads are loaded normally and pihole -t doesn't show queries from my phone. When I exit from the game and try to load infested websites, ads are blocked as expected.

Debug Token:

k2u53wowdj

If you can't see the queries in the log, then the device isn't sending the queries to Pi-hole, or dnsmasq is not listening. However, the latter case is not an issue because dnsmasq is told to listen on all interfaces. Perhaps the apps are using local versions of ads for some reason? Do you see ads if you turn off internet connectivity?

Indeed, dnsmasq is listening on all interfaces and working, as it blocks other types of ads. I've fired up Wireshark on my PC and I couldn't see any traffic on port 53 coming from/to my Android phone. I've triple checked the WiFi settings on said phone:

  • Network Info II shows that the current DNS server is indeed my Pi-hole board
  • Running getent | grep 'net\.dns' from a terminal emulator on the phone returns the correct DNS server address
  • When I disable WiFi I can load a-ads.com without problems; when on WiFi connection the page is blocked as expected and a Pi-hole information page comes up.
  • Also, when on WiFi I can access http://pi.hole, while I cannot access it if I'm on 3G mobile data connection.

I've then rooted my phone and installed a packet sniffer to intercept all requests from/to my phone and, interestingly enough, no DNS requests are made in an attempt to load ads, so your theory of caching would be correct. I still can't explain why requests are sent and blocked as expected when connecting via OpenVPN. Clearly the problem isn't in Pi-hole, so if you want to close this issue or mark it as solved please do. But I'd still like to investigate why in-app ads manage to escape DNS requests while on WiFi.

Do you see requests made when using OpenVPN, where you don't see them on normal Wifi?

From a pihole -t perspective, yes. Starting with the game Helix Jump killed (swiped from recents) and with mobile 3G connection, I open Helix Jump and ads load and display normally. Don't see anything on pihole -t logs (of course).

I kill Helix Jump, enable WiFi and check with Network Info II that wlan parameters are correct, then I launch Helix Jump and again ads load normally. Nothing on pihole -t (strange).

I kill Helix Jump once again, but before reopening it I connect to the VPN. In the game no ad is loaded, and I can see attempts to reach ad domains successfully blocked from pihole -t (see 0bin attachment in OP).

The last test is with VPN on but using mobile data. Same behavior as WiFi + VPN, the ads are blocked as expected.

It might be that the DNS entries are cached.

I've uninstalled the game, cleaned the system cache and reinstalled it: the ads still appear and no request is logged on Pi-hole. Clearly it's not caching ads, but rather retrieving them in other ways.

I've downloaded an app which does traceroute and dig: this app also managed to escape Pi-hole and I could traceroute domains that were supposed to be blocked. I thought maybe it used a hardcoded server to dig/traceroute instead of the local resolvers, so I downloaded another dig app which shows the server you're querying and lets you choose from a predefined list of servers available on the device. Then it clicked: the pre-selected server to query was fe80::1%wlan0 instead of 192.168.100.104.
So probably Android has some failover mechanism that switched to DHCPv6 DNS servers which on my router were the ISP-assigned defaults! I then proceeded to change the DHCPv6 DNS servers to static addresses and set the IPv6 equivalent of my Pi-hole board and then it worked.

Could this be wiki-worth information?

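The resolver check that settled the post above, as an added example that is not part of the original thread: it reads a client's resolver list and reports every entry that is not the Pi-hole, including IPv6 link-local addresses carrying a zone ID such as fe80::1%wlan0. The Pi-hole IPv6 address, the sample input and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# 192.168.100.104 is the Pi-hole address from the thread; the IPv6 entry is a
# constructed placeholder (documentation prefix), replace with the board's own.
PIHOLE_ADDRS = {"192.168.100.104", "2001:db8::104"}

# Accepts Android property lines "[net.dns1]: [addr]" and resolv.conf
# lines "nameserver addr"; everything else is ignored.
RESOLVER_RE = re.compile(
    r"^\s*(?:\[net\.dns\d+\]:\s*\[(?P<prop>[^\]]*)\]|nameserver\s+(?P<conf>\S+))\s*$"
)

def parse_resolvers(text):
    """Return (ip, zone) pairs for each resolver found in text."""
    found = []
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        raw = (m.group("prop") or m.group("conf")) if m else None
        if not raw:
            continue  # non-resolver line or empty slot such as "[net.dns3]: []"
        addr, _, zone = raw.partition("%")  # split off a zone id like %wlan0
        try:
            found.append((ipaddress.ip_address(addr), zone))
        except ValueError:
            continue  # not an IP literal
    return found

def audit(text, allowed=PIHOLE_ADDRS):
    """List every configured resolver that is not the Pi-hole."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for ip, zone in parse_resolvers(text):
        if ip not in allowed_ips:
            findings.append({
                "resolver": str(ip), "zone": zone, "family": ip.version,
                "link_local": ip.is_link_local,
            })
    return findings

# Constructed sample modelled on the thread: the router's link-local IPv6
# resolver sits ahead of the Pi-hole's IPv4 address.
SAMPLE = """[net.dns1]: [fe80::1%wlan0]
[net.dns2]: [192.168.100.104]
[net.dns3]: []
[net.hostname]: [constructed-phone]
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("bypasses Pi-hole:", f)
```

A link-local finding points at a resolver advertised by the router itself, which is the setting the poster changed on the DHCPv6 side.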

This is handled on installation, where the installer tells you to use the IPv4 and IPv6 addresses for DNS.

Oh ok, I might have overlooked that. So, if my ISP doesn't provide IPv6 internet access, but on the modem/router they have given me IPv6 is enabled LAN-side and can't be disabled, should I reconfigure Pi-hole to also block IPv6 requests? Sorry, but IPv6 still has me confused.

If you don't have IPv6 internet access, then this FAQ is relevant:
