Pi-hole barely works on one device, doesn't work on all others


Expected Behaviour:

Pi-hole should be blocking ads on all my devices on all websites (excluding Facebook, YouTube, etc.).

Actual Behaviour:

Pi-hole sometimes blocks ads and sometimes doesn't.

My Windows desktop computer that's connected via cable to my router can access pi.hole, and when I go to the pi-hole ad testing site the ad that's supposed to be on that page doesn't appear, and the third-party site recommended to test pi-hole with also says ad blocking is enabled.

But when I go on speedtest.net shortly after, I get shown every ad possible.

Now if I wait a minute or two and visit the same sites again, the first site I visited suddenly starts displaying ads, and the third-party pi-hole test site says I have no ad blocking installed. (This loops. A few minutes after it completely stops working, it starts almost-working again.)

An android phone and a laptop I have can't access pi.hole and no ads are blocked for them either.
Screenshot from a network info app from the phone:

Router settings:

The DHCP server on the Pi-hole is turned on and the gateway address is my router address.

I've tried running ipconfig /flushdns, ipconfig /release, and ipconfig /renew.
I've also tried pihole -r on my Pi.

This is the output of ipconfig /all:

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-J8Q3PDQ
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : lan

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 74-D4-35-10-AD-34
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::31ae:df62:fee2:90b0%27(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.236(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, July 21, 2018 2:09:52 AM
Lease Expires . . . . . . . . . . : Sunday, July 22, 2018 2:11:58 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.8
DHCPv6 IAID . . . . . . . . . . . : 460641333
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-A2-AA-36-74-D4-35-10-AD-34
DNS Servers . . . . . . . . . . . : fe80::1%27
192.168.1.8
NetBIOS over Tcpip. . . . . . . . : Enabled

Thank you for any help!

Debug Token:

os3qb6j4ys

It looks like you have a DNS sneak path around your PiHole. The behavior you are describing with ad-blocking is consistent with a DNS path around the PiHole. Sometimes the DNS goes through the PiHole (and is filtered), other times it doesn't.

If you use DNSThingy (Chrome extension), you can see which domains are trying to load on a site. Then you can compare that list to what is being queried in your PiHole (either through the query log or tailing the pi-hole log). I suspect you will find that none of the Speedtest domains are being queried to the PiHole. Here's what DNSThingy shows for domains at "speedtest.net" on my machine. On your PiHole, you should see a DNS request for each of those domains, and those that are on the block list (the ad-servers) will be pi-holed.

www.speedtest.net
b.cdnst.net
www.googletagmanager.com
c.evidon.com
l.betrad.com
speedtest.nebraskalink.com
speedtest.jagwireless.net
speedtest.spiral-communications.com
speedtest.gpcom.com
ookla1.speedtest.abbnetworks.net
st-lnk-1.binary.net
lnk1.speedtest.allophone.net
ajax.googleapis.com

This line stands out:

Windows appears to be looking to your router as an IPv6 DNS server. It may be forwarding requests over IPv6 to your ISP. Effectively bypassing your Pi-hole.

Alright, I installed DNSThingy and went through the log looking up the domains DNSThingy detects and it looks like sometimes when I open speedtest nothing goes through the Pi-hole at all while other times half of the domains get to the Pi-hole and it blocks the ones that got to it successfully.

I've refreshed speedtest multiple times on multiple devices and these are the only Google domains in my log:

As far as I know there should be many more domains than this.

Regarding the IPv6 DNS, I went through my router settings and don't see anything related to IPv6 and according to https://ipleak.net/ I don't have a public IPv6 address, if that even matters in this case.
I also made sure IPv6 blocking is enabled by using pihole -r and IPv6 support is enabled in the DHCP settings.

I still think you have a sneak DNS path around your pihole. Time for some basic troubleshooting. Here's what I would do.

  1. Get the router, phone and laptop off the pihole for now (point them to 1.1.1.1 or something similar) or just turn off the client wireless radios. That leaves just one device using the pihole for DNS, if I read your post correctly.

  2. Install Wireshark or a similar packet sniffer on your Windows machine; this will let you see every packet leaving that machine. When you get it installed, you will want to capture "port 53", which is what the client uses for DNS lookups.

  3. On your Windows machine, check the properties of your LAN connection and turn off the IPV6 option if it's on.

  4. On your Windows machine, flush your DNS cache as you did before, then release and renew your DHCP lease just to make sure you're cleaned up there. Then flush all the caches on whichever browser you are going to use for this test.

  5. On your pihole admin dashboard, under settings, select "disable query logging and flush logs." After that completes, re-enable query logging. This starts you with a fresh log.

  6. While running Wireshark capturing port 53, load "speedtest.net" on your Windows machine and see what packets are going out from your client machine to DNS server(s) and the reply. If all are going to the PiHole, the destination from your machine to the pihole should be in every request. If not, you will be able to see where DNS queries are going. If you expand the port capture to ports 53 and 80, you will see the http requests as well.

As an example, I ran Wireshark on a Mac while loading "speedtest.net", collecting ports 53 and 80, then filtered the display to DNS only and exported to a text file. Notice that all of the DNS queries are between my client (IP xxx.135) and the pihole (IP xxx.100). The null returns of 0.0.0.0 indicate that an address is pi-holed (I have selected this in my pi-hole setup file "/etc/pihole/pihole-FTL.conf").

No.     Time           Source                Destination           Protocol Length Info
    267 0.297875       192.168.0.135         192.168.0.100         DNS      85     Standard query 0x8891 A www.googletagservices.com

Frame 267: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
Ethernet II, Src: Apple_30:c1:77 (88:53:95:30:c1:77), Dst: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90)
Internet Protocol Version 4, Src: 192.168.0.135, Dst: 192.168.0.100
User Datagram Protocol, Src Port: 49211, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
    268 0.298357       192.168.0.135         192.168.0.100         DNS      84     Standard query 0x7bcf A www.googletagmanager.com

Frame 268: 84 bytes on wire (672 bits), 84 bytes captured (672 bits)
Ethernet II, Src: Apple_30:c1:77 (88:53:95:30:c1:77), Dst: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90)
Internet Protocol Version 4, Src: 192.168.0.135, Dst: 192.168.0.100
User Datagram Protocol, Src Port: 59000, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
    269 0.303905       192.168.0.100         192.168.0.135         DNS      101    Standard query response 0x8891 A www.googletagservices.com A 0.0.0.0

Frame 269: 101 bytes on wire (808 bits), 101 bytes captured (808 bits)
Ethernet II, Src: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90), Dst: Apple_30:c1:77 (88:53:95:30:c1:77)
Internet Protocol Version 4, Src: 192.168.0.100, Dst: 192.168.0.135
User Datagram Protocol, Src Port: 53, Dst Port: 49211
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
    270 0.306129       192.168.0.100         192.168.0.135         DNS      100    Standard query response 0x7bcf A www.googletagmanager.com A 0.0.0.0

Frame 270: 100 bytes on wire (800 bits), 100 bytes captured (800 bits)
Ethernet II, Src: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90), Dst: Apple_30:c1:77 (88:53:95:30:c1:77)
Internet Protocol Version 4, Src: 192.168.0.100, Dst: 192.168.0.135
User Datagram Protocol, Src Port: 53, Dst Port: 59000
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
    674 0.463544       192.168.0.135         192.168.0.100         DNS      72     Standard query 0x0dcc A l.betrad.com

Frame 674: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Ethernet II, Src: Apple_30:c1:77 (88:53:95:30:c1:77), Dst: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90)
Internet Protocol Version 4, Src: 192.168.0.135, Dst: 192.168.0.100
User Datagram Protocol, Src Port: 56243, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
    702 0.468917       192.168.0.100         192.168.0.135         DNS      88     Standard query response 0x0dcc A l.betrad.com A 0.0.0.0

Frame 702: 88 bytes on wire (704 bits), 88 bytes captured (704 bits)
Ethernet II, Src: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90), Dst: Apple_30:c1:77 (88:53:95:30:c1:77)
Internet Protocol Version 4, Src: 192.168.0.100, Dst: 192.168.0.135
User Datagram Protocol, Src Port: 53, Dst Port: 56243
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
   1253 2.704021       192.168.0.135         192.168.0.100         DNS      70     Standard query 0x4529 A binary.net

Frame 1253: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: Apple_30:c1:77 (88:53:95:30:c1:77), Dst: Raspberr_f0:4a:90 (b8:27:eb:f0:4a:90)
Internet Protocol Version 4, Src: 192.168.0.135, Dst: 192.168.0.100
User Datagram Protocol, Src Port: 50433, Dst Port: 53
Domain Name System (query)

I followed all of your instructions and I think I'm close to the root of the problem.

I did 2 tests capturing port 53 and 80, the first test has IPv6 disabled on my computer while the second has it enabled.
I'll only paste a small piece of the log as it's really big and the source/destination are the same in the entire log.

Test 1 (IPv6 disabled):

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.1.8           192.168.1.236         DNS      143    Standard query response 0x14a4 No such name A wpad.lan SOA a.root-servers.net

Frame 1: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) on interface 0
Ethernet II, Src: Raspberr_0a:ef:7c (b8:27:eb:0a:ef:7c), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 4, Src: 192.168.1.8, Dst: 192.168.1.236
User Datagram Protocol, Src Port: 53, Dst Port: 60727
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
      2 0.000784       192.168.1.8           192.168.1.236         DNS      93     Standard query response 0xd4ae A api.protonmail.ch A 185.70.40.185

Frame 2: 93 bytes on wire (744 bits), 93 bytes captured (744 bits) on interface 0
Ethernet II, Src: Raspberr_0a:ef:7c (b8:27:eb:0a:ef:7c), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 4, Src: 192.168.1.8, Dst: 192.168.1.236
User Datagram Protocol, Src Port: 53, Dst Port: 55875
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
      3 0.008977       192.168.1.8           192.168.1.236         DNS      89     Standard query response 0xa6eb A www.google.hr A 216.58.214.67

Frame 3: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
Ethernet II, Src: Raspberr_0a:ef:7c (b8:27:eb:0a:ef:7c), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 4, Src: 192.168.1.8, Dst: 192.168.1.236
User Datagram Protocol, Src Port: 53, Dst Port: 62270
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
      4 0.014546       192.168.1.8           192.168.1.236         DNS      184    Standard query response 0xa4f0 A raw.githubusercontent.com CNAME github.map.fastly.net A 151.101.0.133 A 151.101.64.133 A 151.101.128.133 A 151.101.192.133

Frame 4: 184 bytes on wire (1472 bits), 184 bytes captured (1472 bits) on interface 0
Ethernet II, Src: Raspberr_0a:ef:7c (b8:27:eb:0a:ef:7c), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 4, Src: 192.168.1.8, Dst: 192.168.1.236
User Datagram Protocol, Src Port: 53, Dst Port: 64336
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
     15 0.188951       192.168.1.236         192.168.1.8           DNS      75     Standard query 0x0620 A ssl.gstatic.com

Frame 15: 75 bytes on wire (600 bits), 75 bytes captured (600 bits) on interface 0
Ethernet II, Src: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34), Dst: Raspberr_0a:ef:7c (b8:27:eb:0a:ef:7c)
Internet Protocol Version 4, Src: 192.168.1.236, Dst: 192.168.1.8
User Datagram Protocol, Src Port: 52189, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
     16 0.250948       192.168.1.8           192.168.1.236         DNS      91     Standard query response 0x0620 A ssl.gstatic.com A 172.217.21.227

Frame 16: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on interface 0
Ethernet II, Src: Raspberr_0a:ef:7c (b8:27:eb:0a:ef:7c), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 4, Src: 192.168.1.8, Dst: 192.168.1.236
User Datagram Protocol, Src Port: 53, Dst Port: 52189

Test 2 (IPv6 enabled):

No.     Time           Source                Destination           Protocol Length Info
     13 0.072925       fe80::31ae:df62:fee2:90b0 fe80::1               DNS      97     Standard query 0x7591 A www.speedtest.net

Frame 13: 97 bytes on wire (776 bits), 97 bytes captured (776 bits) on interface 0
Ethernet II, Src: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34), Dst: Zte_3d:58:ff (9c:6f:52:3d:58:ff)
Internet Protocol Version 6, Src: fe80::31ae:df62:fee2:90b0, Dst: fe80::1
User Datagram Protocol, Src Port: 65230, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
     15 0.132411       fe80::1               fe80::31ae:df62:fee2:90b0 DNS      558    Standard query response 0x7591 A www.speedtest.net CNAME zd.map.fastly.net A 151.101.194.219 A 151.101.2.219 A 151.101.66.219 A 151.101.130.219 NS d.gtld-servers.net NS j.gtld-servers.net NS f.gtld-servers.net NS i.gtld-servers.net NS m.gtld-servers.net NS k.gtld-servers.net NS e.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS h.gtld-servers.net NS a.gtld-servers.net NS l.gtld-servers.net NS g.gtld-servers.net A 192.35.51.30 AAAA 2001:503:d414::30 A 192.42.93.30 AAAA 2001:503:eea3::30 A 192.54.112.30 AAAA 2001:502:8cc::30 A 192.33.14.30

Frame 15: 558 bytes on wire (4464 bits), 558 bytes captured (4464 bits) on interface 0
Ethernet II, Src: Zte_3d:58:ff (9c:6f:52:3d:58:ff), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 6, Src: fe80::1, Dst: fe80::31ae:df62:fee2:90b0
User Datagram Protocol, Src Port: 53, Dst Port: 65230
Domain Name System (response)

No.     Time           Source                Destination           Protocol Length Info
     37 0.567905       fe80::31ae:df62:fee2:90b0 fe80::1               DNS      102    Standard query 0xc1d6 A zdstatic.speedtest.net

Frame 37: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 0
Ethernet II, Src: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34), Dst: Zte_3d:58:ff (9c:6f:52:3d:58:ff)
Internet Protocol Version 6, Src: fe80::31ae:df62:fee2:90b0, Dst: fe80::1
User Datagram Protocol, Src Port: 54869, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
     40 0.572238       fe80::31ae:df62:fee2:90b0 fe80::1               DNS      91     Standard query 0xdb84 A b.cdnst.net

Frame 40: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on interface 0
Ethernet II, Src: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34), Dst: Zte_3d:58:ff (9c:6f:52:3d:58:ff)
Internet Protocol Version 6, Src: fe80::31ae:df62:fee2:90b0, Dst: fe80::1
User Datagram Protocol, Src Port: 56785, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
     53 0.629636       fe80::1               fe80::31ae:df62:fee2:90b0 DNS      552    Standard query response 0xdb84 A b.cdnst.net CNAME zd.map.fastly.net A 151.101.2.219 A 151.101.66.219 A 151.101.130.219 A 151.101.194.219 NS f.gtld-servers.net NS c.gtld-servers.net NS l.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS g.gtld-servers.net NS a.gtld-servers.net NS h.gtld-servers.net NS b.gtld-servers.net NS k.gtld-servers.net NS d.gtld-servers.net NS m.gtld-servers.net A 192.35.51.30 AAAA 2001:503:d414::30 A 192.42.93.30 AAAA 2001:503:eea3::30 A 192.54.112.30 AAAA 2001:502:8cc::30 A 192.33.14.30

Frame 53: 552 bytes on wire (4416 bits), 552 bytes captured (4416 bits) on interface 0
Ethernet II, Src: Zte_3d:58:ff (9c:6f:52:3d:58:ff), Dst: Giga-Byt_10:ad:34 (74:d4:35:10:ad:34)
Internet Protocol Version 6, Src: fe80::1, Dst: fe80::31ae:df62:fee2:90b0
User Datagram Protocol, Src Port: 53, Dst Port: 56785
Domain Name System (response)

If I disable IPv6, all of the DNS queries go to my pi-hole and back to me, and the ads are blocked.
But if I enable IPv6, it looks like all my DNS queries go to my router (I don't know how IPv6 works, I'm guessing fe80::1 is the router.) instead of the Pi.

I've been browsing for a little bit with IPv6 disabled on my Windows machine and it looks like everything works as it should now, but what about the other devices?
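
Added example (not part of the original thread): a Python script that automates the by-eye comparison of the two captures above, reading Wireshark's plain-text export and listing every DNS query sent to a resolver other than the Pi-hole. The sample rows are constructed in the format quoted in the thread, and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the Wireshark text export quoted in the thread.
SAMPLE_EXPORT = """\
No.     Time           Source                Destination           Protocol Length Info
     13 0.072925       fe80::31ae:df62:fee2:90b0 fe80::1               DNS      97     Standard query 0x7591 A www.speedtest.net
     15 0.132411       fe80::1               fe80::31ae:df62:fee2:90b0 DNS      558    Standard query response 0x7591 A www.speedtest.net CNAME zd.map.fastly.net A 151.101.194.219
     40 0.572238       fe80::31ae:df62:fee2:90b0 fe80::1               DNS      91     Standard query 0xdb84 A b.cdnst.net
     61 0.701100       192.168.1.236         192.168.1.8           DNS      75     Standard query 0x0620 A ssl.gstatic.com
     62 0.750948       192.168.1.8           192.168.1.236         DNS      91     Standard query response 0x0620 A ssl.gstatic.com A 172.217.21.227

Frame 62: 91 bytes on wire (728 bits), 91 bytes captured (728 bits) on interface 0
"""

# Summary rows for outgoing queries only; responses ("Standard query response ...")
# and the per-frame detail lines do not match.
QUERY_ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+\d+\.\d+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query 0x[0-9a-fA-F]+\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def find_bypass_queries(export_text, pihole_addrs):
    """Return (frame_no, resolver, qtype, qname) for each query not sent to the Pi-hole."""
    allowed = {ipaddress.ip_address(a) for a in pihole_addrs}
    bypass = []
    for line in export_text.splitlines():
        m = QUERY_ROW.match(line)
        if not m:
            continue
        # Drop any zone suffix such as "%27" before parsing the address.
        raw = m["dst"].split("%")[0]
        try:
            known = ipaddress.ip_address(raw) in allowed
        except ValueError:
            # Wireshark name resolution was on: a host name is still an unexpected resolver.
            known = False
        if not known:
            bypass.append((int(m["no"]), raw, m["qtype"], m["qname"]))
    return bypass


def group_by_resolver(bypass):
    """Map each unexpected resolver to the sorted names it was asked for."""
    grouped = defaultdict(set)
    for _, resolver, _, qname in bypass:
        grouped[resolver].add(qname)
    return {resolver: sorted(names) for resolver, names in grouped.items()}


if __name__ == "__main__":
    # 192.168.1.8 is the Pi-hole address from the thread; add its IPv6 address too if it has one.
    leaks = find_bypass_queries(SAMPLE_EXPORT, ["192.168.1.8"])
    for resolver, names in group_by_resolver(leaks).items():
        print(f"{resolver}: {len(names)} name(s) bypassed the Pi-hole")
        for name in names:
            print(f"  {name}")
```

An empty result for a capture taken while loading an ad-heavy page means every query on that interface went to the Pi-hole.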

That's good progress.

  1. You likely don't need IPV6, so just keep it disabled and your PiHole will work as desired. I don't know what kind of router you have, but sometimes IPV6 settings are buried in multiple menus. If you need IPV6 on a device you'll have to figure out how to keep your router from routing it to a non-PiHole DNS.

  2. For the other devices, since you are using your PiHole as the DHCP server, they get their DNS address directly from the PiHole along with their lease. I would renew their lease/flush cache and check for IPV6. How to do this depends on your devices. If the laptop is Windows, do the same as you did on the first Windows machine. For Android, I think just powering it off and on will clear caches and renew the lease, but after you do that if there is a selection in WIFI for renewing the lease, use that after restart. Also check on your phone to ensure it doesn't have manual DNS entered, it should be automatic and come from the DHCP server (looks like it does from the screen shot).

  3. Make your DHCP leases on your PiHole reasonably short (like a day). I see that was the previous setting on your router DHCP.

  4. Work on devices one at a time until you get them all working. Easier to troubleshoot one problem at a time.

  5. I have 26 devices on my home network, and it seems they all work differently. IOT devices (Amazon stuff, speakers, etc.) all seem to work fine after a restart after I change something on my network. PC's are different than Macs, iPhones are different than Android phones, etc. Just tackle them one at a time.


Thank you so much for your help with this! I think I have everything figured out now.

I rebooted my Android and it still wasn't blocking anything, so I opened a terminal on the phone and wrote getprop net.dns1 and getprop net.dns2, which surprisingly gave me fe80::1 as my dns1 and 192.168.1.8 as my dns2, the same DNS config I had on my Windows machine prior to disabling IPv6. The network app I used in the OP showed me completely wrong information!

Basically, I'm convinced this is a problem with my router and since for some reason my ISP hasn't given me full admin access to it, my next step is to talk to them and get the IPv6 settings enabled so I can disable DHCPv6.

You're welcome.

I suspect that since your router was providing DHCP services in the past, it pushed this DNS to all your network devices. Or it could be pushing this regardless of your settings? That would be weird.

Do you have the option of getting your own router, not one provided by the ISP? My preference is to own both my modem and router, so I have control over at least some of it. The ISP still provisions the modem, but once it hits the router I control all of that.


I might honestly have to read up on doing that if my ISP won't cooperate with me. The "admin" login they gave me doesn't even have port forwarding enabled even though I know the router is capable of it :unamused:
