Odd whitelisting issue since v4.0.0

elcouz · January 4, 2019, 12:11am

Hello pi-hole experts!

I'm having an issue with pi-hole since upgrading to v4.0.0 months ago and still there in v4.1.1.

I whitelisted a common website that pi-hole said it wasn't in the blacklist. However even with the whitelisting it's still blocked and I must all the time disable Pi-hole temporarily when I need to browse the website and re-enable manually after browsing.

Both digikey.ca and digikey.com are not accessible since i've upgraded to v4 months ago.

So far what I found:

Can't access both digikey.com and ca domain until I disable pihole
Issue appeared since v4.0.0 upgrade...now running v4.1.1
Whitelisting does nothing and I cannot find the domain in the blacklist
I don't have the normal pihole block page when I go to digikey.com , just a dns unresolved error when pihole is active.
using cloudfare DNS from pihole as the dns source

Any clues where to go next?

Thanks a lot!

Laurent

jfb · January 4, 2019, 12:13am

What is the exact URL that is being requested and will not load?

What is the output in your /var/log/pihole.log immediately following that domain request?

elcouz · January 4, 2019, 12:18am

Hello jfb,

digikey.com and digikey.ca

See the attached image for log.

thanks for your help!
Laurent

jfb · January 4, 2019, 12:23am

And there may be the answer. The domains "digikey.com" and "www.digikey.com" are not the same. Your browser is loading "www.digikey.com".

dig +short digikey.com
204.221.76.76

dig +short www.digikey.com
northamerica.digikey.inscname.net.
pciins-046.inscname.net.
a-digikey-001-gyf12.insnw.net.
159.180.84.23

In your log output, "pciins-046.inscname.net" is blocked by Pi-Hole, which is preventing the browser from following the entire CNAME trail to the requested IP address. Whitelist that domain.

To find out which block list is blocking that domain, run this command from the Pi terminal:

pihole -q -adlist pciins-046.inscname.net

These tools are very helpful in solving problems of this type:

elcouz · January 4, 2019, 12:37am

Well that's weird, pihole tell me it's not in any blocklist.

I would find that odd they included a popular website (digikey is mostly for work nothing shady at all) in a blocklist.

Here's the reply.

pihole2

I will test the other domain involved to see if I can catch more clues.

thanks

jfb · January 4, 2019, 12:43am

When I run the same command, I see the domain is contained in a blocklist:

pihole -q -adlist pciins-046.inscname.net
 Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
   pciins-046.inscname.net

This is one of the seven default blocklists.

Since the lists are curated by various individuals, you would need to contact the list maintainer and inquire.

You can also run this command to force a re-load of all your block lists (ignoring any local lists):

pihole -g -f

jfb · January 4, 2019, 12:52am

Also, if you would upload a debug log and post the token, we'll take a look at your configuration, including whitelist and block lists.

elcouz · January 4, 2019, 1:07am

Thanks , it work now.

I learned that DNS reply are somewhat cached...

Added every domain in the whitelist listed with the dig command. Took a good 3-4 mins until it could resolve properly in chrome.

Please disregard previous attempt with -adlist it was a typo. Wrote piciinst instead pciinst.

Thank your for your triple A support. I didn't expect that much help.

I owe you a good beer!

Regards,
Laurent