iOS evading PiHole?

Today I noticed ads in apps on two iOS devices on my network where there are normally none.

One is an iPhoneSE 2020 running iOS 15.1 and the other an iPadMini2 with iOS 12.5.4.

On both devices I checked in the wifi settings that the PiHole on my network is the preferred DNS and that seems to be correct.

When I check in the logs of the pihole, I also do not see the devices appear in the logs.

There is no Tor/VPN or anything like that installed and all my other devices show up just fine in the logs.

Does anyone here have an idea where to look?

Do you use Private Relay?

Not that I am aware of; also I don't think that that is even an option in iOS 12.5.4...

Are you seeing ads in all apps on those devices, or just selected apps?

What apps are showing ads, and can you provide a screenshot of the ads on the iOS devices? You can paste images directly into your reply.

I don't have so many apps that show ads. Just two; one on the iPhone and one on the iPad...

Here is a screenshot from the phone;

hey @jfb, thnx for the suggestion. Most of the steps in that tutorial I already tried.

But the problem here is different: my iPhone says in its settings that it uses the pihole as DNS (10.13.37.3 on my network), but it isn't.

I can tell for two reasons:

  • Ads are still shown
  • the iPhone does not show up in the logs, or as connected client.

This is unusual.
None of my Apple devices see ads.

Under Wi-Fi do you have 'Private Wi-Fi Address' enabled?
Also, do you have 'Limit IP Address Tracking' enabled?

But I also send DNS searches from devices that are not manually configured to my OpenWRT router and it is configured to send DNS searches to the Pi-hole.

And then again: an app does not need a DNS search to add ads. It is built into the app; and I pay for all my apps; no free apps.

e.g. If I watch YouTube on the app I get ads. If I watch YouTube with 'The Brave Browser' or 'Safari' I do not.

I can watch entire movies 'with ads' and not one break occurs.

I did have 'Private Wi-Fi Address' enabled. But switching it off made no difference...
Also, 'Limit IP Address Tracking' applies to cellular data only afaik? But I couldn't find this option anywhere in my settings.

I am also pretty sure that the ads are not part of the app as they used to be blocked... until recently.

Another "funny" observation: I have a WireguardVPN + PiHole thnx to Mistborn. When I enable my VPN, the ads disappear... :face_with_raised_eyebrow:

Does the iPad have cellular?
How fast is your internet?

How good is the WiFi coverage?

Any chance you are on a 5G network? Not AT&T's 5Ge, a true 5G.

I ask because iOS, by default, will switch from WiFi to 5G or, even LTE, for data if it thinks the 5G is faster using WiFi Assist and will in another setting prefer 5G over WiFi.

Heya, the iPad does not have cellular. Wifi and internet are very good and there is no 5G here.

I have two Hail Marys:
Is there any chance you turned on WiFi hotspot on the phone and used it on the tablet and forgot to turn it off?

The last one is to show us your logs; just this part:

Just to be sure the Apple devices are not using Pi-hole at all for anything.

Most people use their Pi-hole as a DHCP server but I'm using a Pi Zero W (over WiFi, no dongle) so OpenWrt handles DHCP and it is configured to look at the Pi-hole for DNS lookups (just in case some friends are over). So you can see some traffic to Pi-hole comes from the router.

You can also see that Apple Devices have names and not just ip addresses.

P.S. I just reread your OP:
What do you mean by "preferred DNS"? The only other place for preferred DNS is in the Pi-hole. And that is only if you enabled IPv6. This is another reason the router should point to the Pi-hole. If an IPv6 request is made, then it goes to the router, which directs it to Pi-hole.

What handles DHCP on your network? See, you cannot turn off IPv6 on iOS. So if the app is asking over IPv6 then it is going to that server.

Actually, that makes sense. Because your VPN 'most likely' uses IPv4, it is going through the Pi-hole. But if your app is using IPv6 it is going to bypass the Pi-hole. It is going upstream, probably to your gateway.

After that, I'm lost.
Good Luck.

@dosch Is this solved? If so please mark whichever post is the solution so people know for future :wink:

I didn't have time yet to carefully test @LilRedDog's suggestions. As soon as I do, I'll post back. :slight_smile:

With preferred DNS I mean that I set the PiHole as the DNS server in the router. IPv6 is not active on the router. Should I change this?

Aha, so probably these are all IPv6 requests that bypass the pihole as the router and the pihole have IPv6 turned off...?

So the solution is to

  • turn on IPv6 on my router
  • turn on IPv6 on the pihole

and probably it is better if I let the pihole handle DHCP, instead of my router.

Most devices / browsers are only using IPv4 when IPv6 fails. With IPv6 you don't really have a V6 DHCP server, so DNS information is not provided the same way. If you enable IPv6 on the Pi-Hole it will advertise on the network it is providing IPv6 DNS. However, your router receives IPv6 DNS information from your ISP. Routers will pass this DNS info along with the prefix delegation info. Thus, devices might use the Pi-Hole or they might use the DNS provided by the ISP. The link below describes how to strip off the IPv6 DNS info from the ISP for EdgeRouter devices.

https://community.ui.com/questions/How-to-make-IPv6-DNS-requests-to-use-my-preferred-IPv6-DNS-servers-on-EdgeRouter-X/de0b6a6d-8b7e-4cab-b752-73f98bcb8346
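
One way IPv6 DNS servers reach clients is the RDNSS option of an ICMPv6 Router Advertisement (RFC 8106), which is the bypass path discussed in the IPv6 replies above. The following is an added example, not code from the thread or from Pi-hole: it parses the ICMPv6 payload of a Router Advertisement and lists advertised resolvers other than the Pi-hole. The function names are hypothetical, and `fd00::3` (standing in for the Pi-hole) and `2001:db8::53` (standing in for an ISP resolver) are constructed addresses.

```python
import ipaddress
import struct

RA_TYPE = 134    # ICMPv6 Router Advertisement (RFC 4861)
OPT_RDNSS = 25   # Recursive DNS Server option (RFC 8106)

def rdnss_servers(icmpv6: bytes):
    """Return [(IPv6Address, lifetime_seconds)] advertised in an RA's RDNSS options."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    servers, pos = [], 16                     # options follow the 16-byte RA header
    while pos + 2 <= len(icmpv6):
        opt_type, units = icmpv6[pos], icmpv6[pos + 1]
        opt_len = units * 8                   # length field counts 8-octet units
        if units == 0 or pos + opt_len > len(icmpv6):
            raise ValueError("malformed option")
        # RDNSS: 8 bytes of type/length/reserved/lifetime, then 16 bytes per server
        if opt_type == OPT_RDNSS and units >= 3 and units % 2 == 1:
            lifetime = struct.unpack_from("!I", icmpv6, pos + 4)[0]
            for off in range(pos + 8, pos + opt_len, 16):
                servers.append((ipaddress.IPv6Address(icmpv6[off:off + 16]), lifetime))
        pos += opt_len
    return servers

def bypass_candidates(icmpv6: bytes, pihole_v6):
    """Advertised resolvers that are still valid (lifetime > 0) and are not the Pi-hole."""
    allowed = {ipaddress.IPv6Address(a) for a in pihole_v6}
    return [str(a) for a, life in rdnss_servers(icmpv6) if life > 0 and a not in allowed]

def build_sample_ra(dns_addrs, lifetime=1800):
    """Constructed RA for the demo: header, a source link-layer option, one RDNSS option."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    slla = struct.pack("!BB6s", 1, 1, bytes.fromhex("020000000001"))
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in dns_addrs)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_addrs), 0, lifetime) + packed
    return header + slla + rdnss

if __name__ == "__main__":
    # Constructed addresses: fd00::3 stands in for the Pi-hole, 2001:db8::53 for an ISP resolver.
    ra = build_sample_ra(["fd00::3", "2001:db8::53"])
    for addr in bypass_candidates(ra, ["fd00::3"]):
        print("clients may send DNS to", addr, "instead of the Pi-hole")
```

An empty result for a real advertisement means the router is not handing out any IPv6 resolver besides the Pi-hole through this option; DNS servers delivered by DHCPv6 are not covered by this check.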
