New Pi Hole install not showing all requests in logs / web browser not blocking all ads / sporadic nslookup issues

I've been using PiHole for years. I've recently installed PiHole on a new Raspberry Pi 4 server, using docker compose. I'm seeing advertising in Chrome on my work Windows 11 computer, which I didn't see with the old server. I've temporarily disabled IPv6 during diagnostics to check that's not the problem.

The behavior I'm seeing makes it look like some queries are going to PiHole, some are going to another DNS server. I've done my best to configure Chrome / Firefox to use the OS DNS, disabling secure DNS, as far as I can see everything should be using PiHole. I've checked the OS and it seems to be using PiHole - details below.

My network is using PiHole DHCP, so the machines get the PiHole DNS IP automatically.

I'd appreciate any help to work through this. I've spent many hours over the past couple of weeks trying to diagnose the problem myself, and haven't solved it yet.

Expected Behaviour:

I expect advertising images served from domains on my block lists to be blocked in my web browser. I also expect the DNS lookup to be shown in the PiHole logs.

Additionally, when I issue an nslookup for a domain on one of my block lists I expect to receive 0.0.0.0

Actual Behaviour:

As an example, when I open stuff.co.nz in the web browser using Chrome I can see advertising. An image from this URL is being displayed at the moment.

https://s0.2mdn.net/simgad/14473468899493315525?sqp=uqWu0g0ICNgEEKABQGQ&rs=AOga4qnsGl144LpdWIYxzFitZy2LkorISw

Searching the PiHole blocklist I can see that domain is on the block list.

Exact match for **s0.2mdn.net** found in: - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

I can't see the DNS query for stuff.co.nz in pi hole logs. I have "use secure DNS" turned off in Chrome, and disabled the built in Chrome DNS server.

Chrome Not Using PiHole?
I wondered if the stuff.co.nz DNS was cached. To check that I tried visiting a random domain that I've probably never been to before - I randomly tried happybirds.com. I can't see any reference to that domain in the GUI query logs or the PiHole log.

> /var/log/pihole# grep happybirds *
(no results)

I can see that the computer I'm using is sending some queries to PiHole (PC is 192.168.1.38). PiHole is 192.168.1.12.

pihole.log:Sep 15 13:51:05 dnsmasq[13534]: query[TXT] debug.opendns.com from 192.168.1.38
pihole.log:Sep 15 13:51:40 dnsmasq[13534]: query[TXT] debug.opendns.com from 192.168.1.38
pihole.log:Sep 15 13:52:03 dnsmasq[13534]: query[A] wpad.home.arpa from 192.168.1.38
pihole.log:Sep 15 13:52:15 dnsmasq[13534]: query[TXT] debug.opendns.com from 192.168.1.38
pihole.log:Sep 15 13:52:32 dnsmasq[13534]: query[A] metadata.google.internal from 192.168.1.38

When I open up a dozen tabs and open a bunch of websites, including some I don't use regularly, I see practically nothing in the PiHole log from this computer / IP.

Checking DNS
The first thing I checked was that PiHole is being used as the DNS server (parts removed for brevity)

>ipconfig /all
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : home.arpa
   Description . . . . . . . . . . . : Realtek USB GbE Family Controller #2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.38(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, 15 September 2023 9:49:47 am
   Lease Expires . . . . . . . . . . : Friday, 15 September 2023 3:34:56 pm
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.12
   DNS Servers . . . . . . . . . . . : 192.168.1.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

> netsh int ipv4 show dnsservers
Configuration for interface "Ethernet 2"
    DNS servers configured through DHCP:  192.168.1.12
    Register with which suffix:           Primary only

It looks to me like DNS is set up to point to 192.168.1.12 / PiHole.

Next I opened MS Edge and checked that Secure DNS is enabled. I then opened about ten different websites with random names in tabs - this.com, that.com, fred.com, george.com, etc. Of those ten websites I saw two DNS queries hit PiHole. I am seeing a lot of queries for debug.opendns.com coming from this machine, I assume it's one of the many services running in the background.

Sep 15 13:57:52 dnsmasq[14170]: query[A] www.newshub.co.nz from 192.168.1.38
Sep 15 13:58:06 dnsmasq[13534]: query[TXT] debug.opendns.com from 192.168.1.38
Sep 15 13:58:16 dnsmasq[13534]: query[TXT] debug.opendns.com from 192.168.1.38
Sep 15 13:58:41 dnsmasq[13534]: query[TXT] debug.opendns.com from 192.168.1.38
Sep 15 13:58:41 dnsmasq[13534]: query[AAAA] api-ipv4.opendns.com from 192.168.1.38
Sep 15 13:58:47 dnsmasq[13534]: query[A] bob.com from 192.168.1.38

That shows that at least some traffic is going to PiHole.

nslookup testing
I did some testing with nslookup. When I issue an nslookup for a domain without a trailing dot (noting nslookup's unwanted behaviour) I can see the query for the domain with the local connection-specific suffix (see ipconfig above) in my pihole logs, which returns nothing. nslookup then queries the primary domain without a suffix, but I can't see that in the PiHole logs. Again, it looks like another DNS server is being used for some portion of the queries, or PiHole isn't logging some queries.

(nslookup output summarized for brevity, AAAA queries removed as they're essentially a duplicate of the A query)

> nslookup
Default Server:  pi.hole
Address:  192.168.1.12

> set debug

> uy054eprsdoz.appspot.com
uy054eprsdoz.appspot.com.home.arpa, type = A, class = IN  (no answers)
uy054eprsdoz.appspot.com, type = A, class = IN
ANSWERS:
    ->  uy054eprsdoz.appspot.com
        internet address = 146.112.61.107
        ttl = 0 (0 secs)

Here's the pihole log. I can see the query for uy054eprsdoz.appspot.com.home.arpa but there's no query for the base domain uy054eprsdoz.appspot.com

pihole.log:Sep 15 08:06:03 dnsmasq[316]: query[A] uy054eprsdoz.appspot.com.home.arpa from 192.168.1.38
pihole.log:Sep 15 08:06:03 dnsmasq[316]: config uy054eprsdoz.appspot.com.home.arpa is NXDOMAIN
pihole.log:Sep 15 08:06:03 dnsmasq[316]: query[AAAA] uy054eprsdoz.appspot.com.home.arpa from 192.168.1.38
pihole.log:Sep 15 08:06:03 dnsmasq[316]: config uy054eprsdoz.appspot.com.home.arpa is NXDOMAIN

Confirming that domain is in my block list

Exact match for **uy054eprsdoz.appspot.com** found in: - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

When I issue an nslookup for another domain on my blacklist including a trailing dot it sometimes seems to work as expected.

> nslookup
Default Server:  pi.hole
Address:  192.168.1.12
> set debug
> armantark.com

Sep 15 08:14:08 dnsmasq[316]: query[A] armantark.com from 192.168.1.38
Sep 15 08:14:08 dnsmasq[316]: gravity blocked armantark.com is 0.0.0.0
Sep 15 08:14:09 dnsmasq[316]: query[AAAA] armantark.com from 192.168.1.38
Sep 15 08:14:09 dnsmasq[316]: gravity blocked armantark.com is ::

> tir94wepsdxox.appspot.com
    QUESTIONS:
        tir94wepsdxox.appspot.com, type = A, class = IN
    ANSWERS:
    ->  tir94wepsdxox.appspot.com
        internet address = 146.112.61.107

tir94wepsdxox doesn't show in the PiHole logs at all.

Another PC
What's even more confusing is my personal PC works fine - it uses PiHole consistently and ads are blocked. When I turn it on for the day and visit stuff.co.nz I get a ton of entries in the PiHole logs. This makes me think the problem may be with my work Windows 11 laptop rather than PiHole or my network.

pihole.log:Sep 15 15:27:52 dnsmasq[624]: query[AAAA] www.stuff.co.nz from fd00::xxxx
pihole.log:Sep 15 15:27:52 dnsmasq[625]: query[A] www.stuff.co.nz from fd00::xxxx
pihole.log:Sep 15 15:27:52 dnsmasq[626]: query[HTTPS] www.stuff.co.nz from fd00::xxxx
pihole.log:Sep 15 15:27:53 dnsmasq[633]: query[AAAA] www.stuff.co.nz from fd00::xxxx
pihole.log:Sep 15 15:27:53 dnsmasq[634]: query[A] www.stuff.co.nz from 192.168.1.9
pihole.log:Sep 15 15:27:53 dnsmasq[635]: query[HTTPS] www.stuff.co.nz from 192.168.1.9
pihole.log:Sep 15 15:27:54 dnsmasq[645]: query[AAAA] www.stuff.co.nz from 192.168.1.9
pihole.log:Sep 15 15:27:54 dnsmasq[646]: query[A] www.stuff.co.nz from 2406:e001:a:a200:xxxx
pihole.log:Sep 15 15:27:54 dnsmasq[647]: query[HTTPS] www.stuff.co.nz from 2406:e001:a:a200:xxxx
(etc)

The main difference is I have IPv6 enabled on my home PC.

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : home.arpa
   Description . . . . . . . . . . . : Realtek Gaming 2.5GbE Family Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2406:(removed)
   IPv6 Address. . . . . . . . . . . : fd00::(removed)
   Temporary IPv6 Address. . . . . . : 2406:(removed)
   Temporary IPv6 Address. . . . . . : fd00::(removed)
   Link-local IPv6 Address . . . . . : fe80::(removed)
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, 15 September 2023 3:26:00 pm
   Lease Expires . . . . . . . . . . : Friday, 15 September 2023 5:26:00 pm
   Default Gateway . . . . . . . . . : fe80::2e3a:fdff:fed6:429c%5 (router)
                                       fe80::5a3d:7449:3b6b:d1c7%5 (router)
                                       192.168.1.1 (router)
   DHCP Server . . . . . . . . . . . : 192.168.1.12 (PiHole)
   DHCPv6 IAID . . . . . . . . . . . : 1022xxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-4F-(removed)
   DNS Servers . . . . . . . . . . . : 192.168.1.12 (PiHole IPv4)
                                       2406:e001:a:a200:48aa:f9ad:19de:2ee9 (PiHole IPv6)
                                       fd00::6548:c3fd:7bb:98c5 (PiHole IPv6)
   NetBIOS over Tcpip. . . . . . . . : Enabled

Summary
All in all I'm seeing really odd, inconsistent behavior in web browsers and nslookup on my work PC, whereas my home PC works fine. Even in nslookup, which is saying it's using pihole, I'm not seeing log entries for all queries, and blocking is sporadic.

Any suggestions how to look further into this would be appreciated.

Debug Token:

https://tricorder.pi-hole.net/FfrA7o2X/

Version

That's strong support for your suspicion that clients would by-pass your Pi-hole via alternative DNS resolvers.

Chromium-based browsers may sport another DNS-related option occurring with labels similar to "Use a Google DNS service to Help Resolve Navigation Errors".
You may want to check whether that is disabled.

In addition, you wouldn't run some antivirus package like Avast or AVG on that Win11 work machine?
If so, you'd want to verify whether their DNS features like AVG Secure DNS or AVAST Real-Site are disabled, or they would force DNS lookups through their own 'secure' DNS servers.

Thanks Bucking_Horn, I appreciate your reply and your help.

I can't find anything like "Use a Google DNS service to Help Resolve Navigation Errors" in the Chrome settings, but that probably wouldn't cause a problem most of the time since I'm going to well known websites.

Antivirus is Windows Defender. I can't see anything suspicious running either. I've stopped all the HP tools, because I don't need them, but looking at the services and everything in the system tray it all looks ok.

This one may end up remaining a mystery.

Did you try entering chrome://settings in your browser's address field and go from there yet?

You may have to be as creative searching for that option as G**gle has been in (re)naming it. Just searching for Navigation Errors could be promising, perhaps.

When enabled, Chromium may decide to send DNS requests to G**gle's DNS resolvers if they are not considered successful, which could be the case if Pi-hole blocks a domain.

However, even if that's active, that doesn't quite match your observation, as you report DNS requests never reaching Pi-hole.

Run from an offending client, what is the output of:

nslookup pi.hole
nslookup flurry.com
nslookup flurry.com 80.241.218.68
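The three nslookup commands above compare Pi-hole's answer with another resolver's. As an added example (not code from this thread or from the Pi-hole project), the script below does the same comparison with a hand-built DNS query sent straight to each resolver over UDP. The name is always sent as an absolute FQDN, so no DNS search suffix is appended, and the transaction ID is checked so a stale or spoofed reply is rejected. The resolver addresses in the usage block are the thread's (192.168.1.12 and 80.241.218.68); `SAMPLE_BLOCKED_REPLY` is a constructed packet used only to exercise the parser offline. Only A and AAAA answers are decoded and there is no TCP fallback for truncated replies.

```python
"""Added example, not code from the thread or the Pi-hole project: send the
same DNS question straight to chosen resolvers over UDP and decode the answers,
so Pi-hole's reply can be compared with another resolver's. The name is always
sent as an absolute FQDN, so no search suffix is appended. Only A/AAAA answers
are decoded; TCP fallback for truncated replies is left out. The sample reply
used below is constructed, not captured.
"""
import random
import socket
import struct

A, AAAA = 1, 28

def encode_name(name):
    """Wire-encode a domain name as a sequence of length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid):
    """Standard query, RD=1, one question, no EDNS (keeps the packet minimal)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def make_response(txid, name, records, rcode=0):
    """Build a reply for offline testing: records is a list of (type, rdata)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", A, 1)
    body = b""
    for rtype, rdata in records:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 2, len(rdata)) + rdata
    return header + question + body

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg, txid):
    """Return {'rcode': int, 'answers': [addresses]} for A/AAAA records."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    off = 12
    for _ in range(qd):                     # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x0F, "answers": answers}

def is_blocked(result):
    """Pi-hole's default NULL blocking mode answers 0.0.0.0 (A) or :: (AAAA)."""
    return result["rcode"] == 0 and result["answers"] in (["0.0.0.0"], ["::"])

def resolve(name, resolver, qtype=A, timeout=3.0):
    """Network call: query one resolver directly, bypassing the OS stub resolver."""
    txid = random.randrange(0x10000)
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)

# Constructed sample: what Pi-hole returns for a gravity-blocked A query.
SAMPLE_BLOCKED_REPLY = make_response(0x1234, "flurry.com.", [(A, bytes(4))])

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "flurry.com."
    for resolver in sys.argv[2:] or ["192.168.1.12", "80.241.218.68"]:
        try:
            r = resolve(name, resolver)
            print(resolver, "rcode", r["rcode"], r["answers"], "BLOCKED" if is_blocked(r) else "")
        except (OSError, ValueError) as exc:
            print(resolver, "error:", exc)
```

Run it from the affected client as `python3 dnscmp.py flurry.com. 192.168.1.12 80.241.218.68`. If nslookup and this script disagree about what 192.168.1.12 returned, the difference lies in how the OS stub resolver or a local DNS filter treats the two programs; if both show a real address while Pi-hole's log has no bare-name query from that client, something on the path between the client and port 53 on the Pi-hole is answering in its place.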

Yeah I tried various searches in the settings, can't find anything in Chrome.

Here's the output you requested. I can see that flurry.com is on both of my blocklists, and nslookup says it's gone to pihole. It's quite odd behavior.

>>nslookup pi.hole
Server:  pi.hole
Address:  192.168.1.12

Name:    pi.hole.home.arpa
Addresses:  fd00::xxx (removed)
          192.168.1.12


>>nslookup flurry.com
Server:  pi.hole
Address:  192.168.1.12

Non-authoritative answer:
Name:    flurry.com
Addresses:  74.6.136.150
          98.136.103.23
          212.82.100.150
          34.225.127.72
          54.161.105.65


>>nslookup flurry.com 80.241.218.68
Server:  dismail.de
Address:  80.241.218.68

Name:    flurry.com
Address:  0.0.0.0

Sorry for the late reply.

I'd have expected the second nslookup to have returned 0.0.0.0.

As that has been a few days ago, could you please run

nslookup flurry.com
nslookup flurry.com 192.168.1.12

Also, how do those register in your Pi-hole's Query Log?

Sorry for the slow reply. Details below. I can confirm flurry.com is on my ad list. I tried this with my work laptop, with a second work laptop from another company (I'm a consultant), and from the Pi Hole.

Summary: my work laptop does not get blocked domains, my second work laptop does get blocked domains, and queries from the pi hole get blocked domains. The issue seems to be with the DNS Suffix Search List, which I can see in "ipconfig /all".

I can see that Windows is appending the DNS Suffix to the queries. Most queries do appear to reach pi hole and appear in the logs, but given Windows is appending a suffix it looks like Pi Hole is not blocking, but is returning the actual IP that should be blocked.

The odd thing is my main work laptop is only sending the query for the domain with the DNS Suffix Search List, whereas my second work laptop is sending queries for 3 of the domains on the "DNS Suffix Search List" and then sends the DNS query for the plain domain without a suffix.

Options I can see:

  • Windows is behaving in a way we don't understand.
  • My work laptop is configured in an unusual way that sends the suffix
  • My work laptop has some odd software messing with DNS queries (looks less likely to me)
  • Pi Hole is configured incorrectly (looks less likely to me)
  • Pi Hole cannot handle the domain suffix, even if it's handed out by PiHole DHCP

>> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : (redacted)
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home.arpa

First query at 09:10:35 (logs shown below) from work laptop

>> nslookup flurry.com
Server:  pi.hole
Address:  192.168.1.12

Non-authoritative answer:
Name:    flurry.com
Addresses:  44.228.206.170
          54.161.105.65
          74.6.136.150
          98.136.103.23
          212.82.100.150
          13.251.69.97
          18.136.37.69
          34.213.101.254
          34.225.127.72

Second query at 09:10:46 (logs shown below) from work laptop

>>  nslookup flurry.com 192.168.1.12
Server:  pi.hole
Address:  192.168.1.12

Non-authoritative answer:
Name:    flurry.com
Addresses:  13.251.69.97
          18.136.37.69
          34.213.101.254
          34.225.127.72
          44.228.206.170
          54.161.105.65
          74.6.136.150
          98.136.103.23
          212.82.100.150

With a trailing dot after flurry.com at 09:12:00. No logs appeared. From work laptop.

>> nslookup flurry.com. 192.168.1.12
Server:  pi.hole
Address:  192.168.1.12

Non-authoritative answer:
Name:    flurry.com
Addresses:  18.136.37.69
          34.213.101.254
          34.225.127.72
          44.228.206.170
          54.161.105.65
          74.6.136.150
          98.136.103.23
          212.82.100.150
          13.251.69.97

Fourth query from pi hole at 09:16:18

>>nslookup flurry.com. 192.168.1.12
Server:         192.168.1.12
Address:        192.168.1.12#53

Name:   flurry.com
Address: 0.0.0.0
Name:   flurry.com
Address: ::

Logs

pihole.log:Sep 27 09:10:35 dnsmasq[314]: query[A] flurry.com.home.arpa from 192.168.1.38
pihole.log:Sep 27 09:10:35 dnsmasq[314]: config flurry.com.home.arpa is NXDOMAIN
pihole.log:Sep 27 09:10:35 dnsmasq[314]: query[AAAA] flurry.com.home.arpa from 192.168.1.38
pihole.log:Sep 27 09:10:35 dnsmasq[314]: config flurry.com.home.arpa is NXDOMAIN

pihole.log:Sep 27 09:10:46 dnsmasq[314]: query[A] flurry.com.home.arpa from 192.168.1.38
pihole.log:Sep 27 09:10:46 dnsmasq[314]: config flurry.com.home.arpa is NXDOMAIN
pihole.log:Sep 27 09:10:46 dnsmasq[314]: query[AAAA] flurry.com.home.arpa from 192.168.1.38
pihole.log:Sep 27 09:10:46 dnsmasq[314]: config flurry.com.home.arpa is NXDOMAIN

pihole.log:Sep 27 09:16:18 dnsmasq[314]: query[A] flurry.com from 192.168.1.12
pihole.log:Sep 27 09:16:18 dnsmasq[314]: gravity blocked flurry.com is 0.0.0.0
pihole.log:Sep 27 09:16:18 dnsmasq[314]: query[AAAA] flurry.com from 192.168.1.12
pihole.log:Sep 27 09:16:18 dnsmasq[314]: gravity blocked flurry.com is ::

I then did another query for another spam domain from the work laptop, to make sure DNS caching isn't a factor.

>>nslookup uy054eprsdoz.appspot.com 192.168.1.12
Server:  pi.hole
Address:  192.168.1.12

Non-authoritative answer:
Name:    uy054eprsdoz.appspot.com
Addresses:  ::ffff:146.112.61.107
          146.112.61.107

Logs appeared, with the suffix

pihole.log:Sep 27 09:19:49 dnsmasq[314]: config uy054eprsdoz.appspot.com.home.arpa is NXDOMAIN
pihole.log:Sep 27 09:19:49 dnsmasq[314]: query[AAAA] uy054eprsdoz.appspot.com.home.arpa from 192.168.1.38
pihole.log:Sep 27 09:19:49 dnsmasq[314]: config uy054eprsdoz.appspot.com.home.arpa is NXDOMAIN

I then tried from another Windows PC. I can't copy and paste easily, but it has a long list of domains in the "DNS suffix search list" under "Windows IP Configuration", but it's still using the Pi Hole DHCP server.

>>nslookup flurry.com. 192.168.1.12
Server: pi.hole
Address: 192.168.1.12

Name:   flurry.com
Addresses:   ::
             0.0.0.0

Logs

pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[A] flurry.com.redacted1.co.nz from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: forwarded flurry.com.redacted1.co.nz to upstream-ipv6-dns
pihole.log:Sep 27 09:34:30 dnsmasq[316]: reply flurry.com.redacted1.co.nz is NXDOMAIN
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[AAAA] flurry.com.redacted1.co.nz from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: cached flurry.com.redacted1.co.nz is NXDOMAIN
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[A] flurry.com.redacted2.co.nz from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: forwarded flurry.com.redacted2.co.nz to upstream-ipv6-dns
pihole.log:Sep 27 09:34:30 dnsmasq[316]: reply flurry.com.redacted2.co.nz is NXDOMAIN
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[AAAA] flurry.com.redacted2.co.nz from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: cached flurry.com.redacted2.co.nz is NXDOMAIN
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[A] flurry.com.redacted3.com.au from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: forwarded flurry.com.redacted3.com.au to upstream-ipv6-dns
pihole.log:Sep 27 09:34:30 dnsmasq[316]: reply flurry.com.redacted3.com.au is NODATA-IPv4
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[AAAA] flurry.com.redacted3.com.au from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: forwarded flurry.com.redacted3.com.au to upstream-ipv6-dns
pihole.log:Sep 27 09:34:30 dnsmasq[316]: reply flurry.com.redacted3.com.au is NODATA-IPv6
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[A] flurry.com from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: gravity blocked flurry.com is 0.0.0.0
pihole.log:Sep 27 09:34:30 dnsmasq[316]: query[AAAA] flurry.com from 192.168.1.170
pihole.log:Sep 27 09:34:30 dnsmasq[316]: gravity blocked flurry.com is ::

Not quite - that laptop is sending them for sure, or else you would not see an IP address as answer.

As the corresponding requests do not show up in Pi-hole's Query Log, that confirms that another DNS resolver is answering them.

It would be normal for nslookup to construct and issue additional DNS requests by appending the local search suffix to the requested domain. It would not do so if you were requesting a fully qualified DNS resolution, as you did by appending the trailing dot.
Furthermore, I'd expect those search domain requests to be replied with NXDOMAIN (unless you had configured local DNS records).

Your nslookup results from above as well as the log output are consistent with that:

This would strongly suggest a component that intercepts DNS for your work laptop and forwards requests for public domains to an unknown upstream, while leaving local domains as identified by the search domain suffix to the local resolvers.

The most likely candidate would be a piece of software interfering with DNS on the offending laptop itself, like an aforementioned antivirus package or some kind of DNS proxy (perhaps set up by the company issuing that work laptop?).
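The pattern just described (search-suffix queries such as flurry.com.home.arpa reach Pi-hole, the bare public name never does) can be checked across every client from the log rather than one nslookup at a time. As an added example (not code from this thread or from the Pi-hole project), the script below parses dnsmasq `query[...]` lines, records per client which names arrived with the suffix and which arrived bare, and flags clients whose public-looking names only ever show up suffixed. The sample log lines are constructed in the thread's format; the suffix list, the `min_names` threshold and the assumption that a `gravity blocked` line belongs to the immediately preceding query are mine.

```python
"""Added example, not code from the thread or the Pi-hole project: scan a
Pi-hole dnsmasq log for a client whose queries reach Pi-hole only with the
DNS search suffix appended while the bare public name is never (or rarely)
seen. Sample lines below are constructed in the thread's log format.
"""
import re
from collections import defaultdict

# Search suffixes handed out by DHCP; the thread's network uses home.arpa.
SEARCH_SUFFIXES = ("home.arpa",)

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
BLOCK_RE = re.compile(r"gravity blocked (?P<name>\S+) is ")

# Constructed sample: .38 is the suspect work laptop, .170 a healthy client,
# .12 the Pi-hole itself.
SAMPLE_LOG = """\
Sep 27 09:10:35 dnsmasq[314]: query[A] flurry.com.home.arpa from 192.168.1.38
Sep 27 09:10:35 dnsmasq[314]: config flurry.com.home.arpa is NXDOMAIN
Sep 27 09:16:18 dnsmasq[314]: query[A] flurry.com from 192.168.1.12
Sep 27 09:16:18 dnsmasq[314]: gravity blocked flurry.com is 0.0.0.0
Sep 27 09:19:49 dnsmasq[314]: query[A] uy054eprsdoz.appspot.com.home.arpa from 192.168.1.38
Sep 27 09:19:49 dnsmasq[314]: config uy054eprsdoz.appspot.com.home.arpa is NXDOMAIN
Sep 27 09:34:30 dnsmasq[316]: query[A] flurry.com.home.arpa from 192.168.1.170
Sep 27 09:34:30 dnsmasq[316]: config flurry.com.home.arpa is NXDOMAIN
Sep 27 09:34:30 dnsmasq[316]: query[A] flurry.com from 192.168.1.170
Sep 27 09:34:30 dnsmasq[316]: gravity blocked flurry.com is 0.0.0.0
"""

def strip_suffix(name, suffixes=SEARCH_SUFFIXES):
    """Return (base_name, True) if a search suffix was appended, else (name, False)."""
    for sfx in suffixes:
        if name.endswith("." + sfx):
            return name[: -len(sfx) - 1], True
    return name, False

def analyse(lines, suffixes=SEARCH_SUFFIXES):
    """Per client: names seen with a suffix, names seen bare, and gravity blocks.
    dnsmasq logs the answer right after its query, so a 'gravity blocked' line
    is attributed to the client of the preceding query (assumption)."""
    stats = defaultdict(lambda: {"suffixed": set(), "bare": set(), "blocked": 0})
    last_client = None
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            last_client = q.group("client")
            base, had_suffix = strip_suffix(q.group("name"), suffixes)
            stats[last_client]["suffixed" if had_suffix else "bare"].add(base)
        elif BLOCK_RE.search(line) and last_client:
            stats[last_client]["blocked"] += 1
    return dict(stats)

def suspicious_clients(stats, min_names=2):
    """Clients whose public-looking names (at least one dot) arrive with the
    search suffix but never bare. A healthy Windows client tries the suffixed
    name, gets NXDOMAIN, then sends the bare name, so both forms appear."""
    flagged = []
    for client, s in stats.items():
        only_suffixed = {n for n in s["suffixed"] - s["bare"] if "." in n}
        if len(only_suffixed) >= min_names and len(only_suffixed) > len(s["bare"]):
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report = analyse(f)
    else:
        report = analyse(SAMPLE_LOG.splitlines())
    for client in suspicious_clients(report):
        s = report[client]
        print(f"{client}: {len(s['suffixed'] - s['bare'])} names only with suffix, "
              f"{len(s['bare'])} bare, {s['blocked']} blocked")
```

Run it as `python3 suffix_check.py /var/log/pihole/pihole.log` (inside the container for a docker compose install, or against a copied log). Single-label names are ignored because a device that only talks to local hosts legitimately sends only suffixed queries; raise `min_names` on a busy network to avoid flagging a client from one or two stray lookups. The check is heuristic: it shows which clients to look at, not what on the client is doing the interception.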

Thanks Bucking Horn. I agree, there must be something intercepting DNS requests. I'll consider this solved, but I'll update if I work out what's doing the interception in future.

The laptop doesn't use the antivirus system mentioned earlier, but there's a few bits of corporate software on the laptop that could be doing this. I might be able to work out what it is, but that's not really necessary, and would probably take a lot of effort.

Thanks for your help 🙂
