Only Default pi-hole group works?

I've installed the latest version of pi-hole in the last few days.
I can get all of the features (Adlist, blacklist, whitelist) working fine for clients who are members of the 'Default' group.

However I have created other groups and these don't seem to take effect at all. Only when I apply the domain/client to the Default group do I see it take effect. As soon as the client is removed from the default group, and put in another group, no filtering takes place regardless of what domains or Adlists are applied to that group.

I must be missing something really obvious! I've tried restarting services and refreshing DNS but can't get it to take effect. Any tips please?

I've uploaded a debug log https://tricorder.pi-hole.net/xf3j8juzwf. My phone is in a group called 'new' (only) and there is one blacklisted domain associated with that group. I can access that domain even though it is blacklisted.

I'm using the web interface only, but glancing at the debug it looks like the group, device etc. are all OK to my untrained eye, so what am I missing?

Thanks!

How did you let your clients know about Pi-hole?
From your debug log, your router advertises only itself as DNS server.

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   * Received 300 bytes from wlan0:192.168.1.1
     Offered IP address: 192.168.1.10
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: Infinite
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      router: 192.168.1.1
      dns-server: 192.168.1.1
      domain-name: "broadband"
      ntp-server: 192.168.1.1

So clients will send DNS requests to your router, which, I presume, will send the requests to Pi-hole. This is supported by

   [2021-06-22 16:21:49.620 30531M] Imported 10475 queries from the long-term database
   [2021-06-22 16:21:49.621 30531M]  -> Total DNS queries: 10475
   [2021-06-22 16:21:49.621 30531M]  -> Cached DNS queries: 763
   [2021-06-22 16:21:49.621 30531M]  -> Forwarded DNS queries: 9608
   [2021-06-22 16:21:49.621 30531M]  -> Blocked DNS queries: 36
   [2021-06-22 16:21:49.621 30531M]  -> Unknown DNS queries: 0
   [2021-06-22 16:21:49.621 30531M]  -> Unique domains: 1568
   [2021-06-22 16:21:49.621 30531M]  -> Unique clients: 2

From Pi-hole's view, all requests are coming from the router, meaning it cannot distinguish different clients. For the group management to work, you need to distribute Pi-hole's IP as DNS server via DHCP (or configure every client manually), so it does know "the real" source of the requests.


I've been testing this with one device with manually configured DNS set only to use pi-hole; everything else is going direct through my router and upstream DNS currently.
I can see the DNS requests coming in via the logs, pi-hole knows the device name and I can see it successfully passing the requests upstream. When I apply rules to the default group and join that device to the group, the rules take effect.

Thanks for mentioning the manual DNS configuration.


I guess we are talking about the device 192.168.1.109 ?

Which is the blacklisted domain you are able to access?

*** [ DIAGNOSING ]: Groups
   id    enabled  name                                                date_added           date_modified        description                                       
   ----  -------  --------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   0           1  Default                                             2021-06-19 14:44:29  2021-06-19 14:44:29  The default group                                 
   1           1  Unfiltered                                          2021-06-19 15:10:21  2021-06-19 15:13:28  Unfiltered; Logs Only                             
   2           1  Filtered                                            2021-06-19 15:41:25  2021-06-19 15:41:25  Ad List applied                                   
   3           1  new                                                 2021-06-22 14:41:52  2021-06-22 14:41:52                                                    

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
   id    type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   ----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1        3        1  2,3           (\.|^)bbc\.co\.uk$                                                                                    2021-06-19 15:33:15  2021-06-22 16:27:03  test                                              
   2        3        1  2             (\.|^)sky\.com$                                                                                       2021-06-19 15:38:00  2021-06-19 15:42:02                                                    
   5        3        1  2             (\.|^)googlesyndication\.com$                                                                         2021-06-19 15:59:34  2021-06-19 15:59:53  G Ads                                             
   9        3        1  2             (\.|^)green\.com$                                                                                     2021-06-19 16:19:11  2021-06-19 16:20:09                                                    
   10      2         1  0             (\.|^)itv\.com$                                                                                       2021-06-22 14:17:49  2021-06-22 14:17:49                       

Your phone is in group 3 only. The only blacklist regex associated with this group is (\.|^)bbc\.co\.uk$ .

Edit: copy-paste error on my side. If bbc.co.uk is the domain you wanted to blacklist, please note that the above regex does not cover this domain (see https://regex101.com/r/9mvupK/1)

OK, as a side point, I added bbc.co.uk using the web front end and it created the regex for it... however, I don't think this is the problem.

I've just added 192.168.1.109 (harvs-iphone) to the "default" group and browsed to bbc.co.uk, as you can see from the log, this is still unblocked (as expected).

2021-06-23 09:03:26	HTTPS	idcta.api.bbc.co.uk	Harvs-iPhone.broadband	OK (forwarded to resolver2.opendns.com#53)

Now, I've added the bbc.co.uk domain to the "default" group and browsed again, this time you can see that it does block it (as expected)

2021-06-23 09:07:05	HTTPS	www.bbc.co.uk	Harvs-iPhone.broadband	Blocked (regex blacklist)

Finally to confirm I've removed 192.168.1.109 from the "default" group and it continues to block the domain (not expected):

2021-06-23 09:09:28	A	a1.api.bbc.co.uk	Harvs-iPhone.broadband	Blocked (regex blacklist)

It's leading me to think that pi-hole isn't recognising the device / the groups it is in, despite it appearing in the logs correctly and appearing in the clients list. Any tips to debug further are greatly appreciated!

Thanks

Bingo! I think I've got it - I've gone back into 'clients' and found my device by MAC address instead of IP and it now accepts the Group assignments and works as expected.

Thanks for your help :slight_smile:

Glad it worked :slight_smile:
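
An added example, not part of any post in this thread and not Pi-hole's own code: a simplified model of per-group filtering built from the Domainlist rows in the debug log above. The client table is constructed, and the Default-group fallback for unlisted sources and the whitelist-over-blacklist precedence are modelling assumptions.

```python
import re

# Rows copied from the debug log's Domainlist table: (type, group_ids, regex).
# Type 2 = regex whitelist, type 3 = regex blacklist.
DOMAINLIST = [
    (3, {2, 3}, r"(\.|^)bbc\.co\.uk$"),
    (3, {2}, r"(\.|^)sky\.com$"),
    (3, {2}, r"(\.|^)googlesyndication\.com$"),
    (3, {2}, r"(\.|^)green\.com$"),
    (2, {0}, r"(\.|^)itv\.com$"),
]

DEFAULT_GROUP = 0

# Constructed client table: the phone assigned to group 3 ("new") only.
CLIENTS = {"192.168.1.109": {3}}


def groups_for(source_ip, clients=CLIENTS):
    """Groups applied to a query, chosen by the address the query came from.
    Assumption: a source with no client entry gets the Default group."""
    return clients.get(source_ip, {DEFAULT_GROUP})


def verdict(source_ip, domain, clients=CLIENTS):
    """Return 'whitelisted', 'blocked' or 'forwarded' for one query."""
    groups = groups_for(source_ip, clients)
    hits = {
        rule_type
        for rule_type, rule_groups, pattern in DOMAINLIST
        if rule_groups & groups and re.search(pattern, domain)
    }
    if 2 in hits:  # assumption: whitelist takes precedence over blacklist
        return "whitelisted"
    return "blocked" if 3 in hits else "forwarded"


if __name__ == "__main__":
    # Same domains asked directly by the phone and relayed by the router.
    for src in ("192.168.1.109", "192.168.1.1"):
        for name in ("www.bbc.co.uk", "sky.com", "itv.com"):
            print(src, name, verdict(src, name))
```

The same query gets a different verdict depending on whether it arrives from the phone's own address or from the router's, which is why group rules only apply when Pi-hole sees the real source.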
