Odd behaviour from log file

Looks like a DNS request (tom.itv.com) is getting forwarded, then blocked, but I can't see the name in the query lists...

Nov 23 12:07:09 dnsmasq[28029]: query[A] tom.itv.com from 192.168.0.127
Nov 23 12:07:09 dnsmasq[28029]: **forwarded tom.itv.com to 1.0.0.1**
Nov 23 12:07:09 dnsmasq[28029]: reply tom.itv.com is <CNAME>
Nov 23 12:07:09 dnsmasq[28029]: reply itv-ads.aimatch.com is blocked during CNAME inspection
Nov 23 12:07:09 dnsmasq[28029]: **exactly blacklisted tom.itv.com is 0.0.0.0**

What name in particular are you looking for? The domain itself is not blocked, but it leads to CNAMEs which may be blocked. If a domain that is not whitelisted leads via CNAME to a blocked domain, the original domain request will be blocked.

https://docs.pi-hole.net/ftldns/configfile/#cname_deep_inspect

dig tom.itv.com

; <<>> DiG 9.16.22-Raspbian <<>> tom.itv.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4552
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tom.itv.com.			IN	A

;; ANSWER SECTION:
tom.itv.com.		3600	IN	CNAME	itv-ads.aimatch.com.
itv-ads.aimatch.com.	60	IN	CNAME	itv-ads.aimatch.net.
itv-ads.aimatch.net.	60	IN	CNAME	itv-tier1.ireland.delivery.aimatch.net.
itv-tier1.ireland.delivery.aimatch.net.	60 IN A	63.32.149.66
itv-tier1.ireland.delivery.aimatch.net.	60 IN A	52.30.11.74
itv-tier1.ireland.delivery.aimatch.net.	60 IN A	52.215.25.175
itv-tier1.ireland.delivery.aimatch.net.	60 IN A	52.49.238.23
itv-tier1.ireland.delivery.aimatch.net.	60 IN A	52.215.162.252
itv-tier1.ireland.delivery.aimatch.net.	60 IN A	52.31.124.209

;; Query time: 219 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Tue Nov 23 12:22:59 CST 2021
;; MSG SIZE  rcvd: 240

If you run the following command, it will show why the CNAME domain was blocked:

pihole -q itv-ads.aimatch.com

The name I'm looking for is 'tom.itv.com'

It was odd that it was forwarded, then apparently blocked due to being blacklisted, but it's not in my blacklist so far as I can see (see bold text).

Nov 23 12:07:09 dnsmasq[28029]: **query[A] tom.itv.com from 192.168.0.127**
Nov 23 12:07:09 dnsmasq[28029]: **forwarded tom.itv.com to 1.0.0.1**
Nov 23 12:07:09 dnsmasq[28029]: reply tom.itv.com is <CNAME>
Nov 23 12:07:09 dnsmasq[28029]: reply itv-ads.aimatch.com is blocked during CNAME inspection
Nov 23 12:07:09 dnsmasq[28029]: **exactly blacklisted tom.itv.com is 0.0.0.0**

Here's the result of 'pihole -q tom.itv.com'

pihole -q tom.itv.com
  [i] No results found for tom.itv.com within the block lists

The output of interest is not for the original domain, it's for the CNAME to that domain. Please post the output of the command shown above.

Also, please generate a debug log, upload it when prompted and post the token URL here.

I'm a bit new to this, so please bear with me.

The name I'm interested in is 'tom.itv.com', not 'itv-ads.aimatch.com' which is in my blacklist:

Match found in exact blacklist
   itv-ads.aimatch.com

From my original posts, it looks like 'tom.itv.com' is at first queried, then noted as blacklisted, but it is not in my blacklist:
[i] No results found for tom.itv.com within the block lists

The DNS record for tom.itv.com is not pointing to an IP address, but to a CNAME, i.e. yet another domain name or set of domain names.
Pi-hole's log correctly reflects that CNAME resolution.

Note that tracking companies use CNAMEs to bypass DNS filters.
(And you have correctly observed that tom.itv.com seems harmless enough.)

However, Pi-hole is smart enough to also check whether a CNAME should be blocked, and thus deflects such CNAME cloaking attempts.
In your case, that applies to itv-ads.aimatch.com.

So Pi-hole's log is correctly reflecting what is happening.
I admit it can be tricky to understand that from multiple log lines.
Fortunately, that is quite a bit easier if you look at Pi-hole's UI. :wink:

(EDIT:
Removed sample screenshot of previous Pi-hole version, as jfb's sample below is more up to date.)


Aha!

Many thanks for the explanation. Much appreciated.

This is what you see in the dnsmasq log, which prints out raw data from dnsmasq (the DNS engine running under the hood of Pi-hole).

As @Bucking_Horn noted, in our query log we have more flexibility to show the circumstances under which the domain was blocked, and for this domain the query log shows that the domain itself is not blocked,

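The log correlation discussed in this thread, as an added example (not part of any post here and not Pi-hole's own code): it walks the dnsmasq log lines and reports which CNAME target caused a queried name to be answered with 0.0.0.0. It assumes the lines belonging to one query are contiguous, as in the excerpt above; `explain_blocks` and its field names are hypothetical, and only the verdict wording seen in the thread ("exactly blacklisted") is matched.

```python
import re

# Log lines from the thread, with the bold markers removed.
SAMPLE_LOG = """\
Nov 23 12:07:09 dnsmasq[28029]: query[A] tom.itv.com from 192.168.0.127
Nov 23 12:07:09 dnsmasq[28029]: forwarded tom.itv.com to 1.0.0.1
Nov 23 12:07:09 dnsmasq[28029]: reply tom.itv.com is <CNAME>
Nov 23 12:07:09 dnsmasq[28029]: reply itv-ads.aimatch.com is blocked during CNAME inspection
Nov 23 12:07:09 dnsmasq[28029]: exactly blacklisted tom.itv.com is 0.0.0.0
"""

LINE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY = re.compile(r"^query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
CNAME_BLOCK = re.compile(r"^reply (?P<name>\S+) is blocked during CNAME inspection$")
VERDICT = re.compile(r"^exactly blacklisted (?P<name>\S+) is (?P<addr>\S+)$")


def explain_blocks(log_text):
    """Return one dict per blocked query, naming the CNAME target behind the block."""
    findings = []
    current = None  # the query whose follow-up lines are being read
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        if q := QUERY.match(msg):
            current = {"queried": q["name"], "client": q["client"],
                       "blocked_cname": None}
        elif current is None:
            continue
        elif c := CNAME_BLOCK.match(msg):
            # A name further down the CNAME chain is on a block list.
            current["blocked_cname"] = c["name"]
        elif (v := VERDICT.match(msg)) and v["name"] == current["queried"]:
            cause = current["blocked_cname"]
            reason = (f"CNAME target {cause} is blocked" if cause
                      else "queried name itself is on the exact blacklist")
            findings.append({**current, "answer": v["addr"], "reason": reason})
            current = None
    return findings


if __name__ == "__main__":
    for f in explain_blocks(SAMPLE_LOG):
        print(f"{f['queried']} (from {f['client']}) -> {f['answer']}: {f['reason']}")
```

The name reported in `blocked_cname` is the one to pass to `pihole -q`, since the queried name itself will not appear in the lists.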