Search using Google.
Raspberry Pi with Pi Hole installed.
Search is being blocked. Network cannot be reached.
Ping cannot resolve www.google.com
I have whitelisted www.google.com.
The only way to resolve this is to add another DNS server to my router, which defeats the purpose of Pi Hole!
This domain is not on your subscribed adlist, nor is it blocked in any of your domain entries.
From the Pi terminal, please post the complete outputs of these commands:
pihole -q -exact www.google.com
nslookup www.google.com 127.0.0.1
And, from the client device that cannot resolve the domain, from the terminal or command prompt on that device:
nslookup www.google.com 192.168.13.14
Noted in your debug log, but unrelated to this problem. You have the following domain entered in both the whitelist and blacklist for the default group.
dbpi
For the first command I get:
Exact match found in exact whitelist
www.google.com
The second one returns:
Server: 127.0.0.1
Address: 127.0.0.1#53
www.google.com canonical name = forcesafesearch.google.com.
** server can't find forcesafesearch.google.com: SERVFAIL
And for the last one:
Server: 192.168.13.14
Address: 192.168.13.14#53
www.google.com canonical name = forcesafesearch.google.com.
** server can't find forcesafesearch.google.com: SERVFAIL
forcesafesearch.google.com is already in the whitelist, and running the first command on this domain returns:
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find forcesafesearch.google.com: SERVFAIL
That reply implies that you tried to define a custom CNAME for a public domain, and your debug log confirms you've added some such CNAME records.
Pi-hole's Local CNAME Records prominently disclaims
The target of a
CNAMEmust be a domain that the Pi-hole already has in its cache or is authoritative for. This is a universal limitation ofCNAMErecords.
Adding the respective A and AAAA record definitions could make Pi-hole authoritative for e.g. forcesafesearch.google.com.
If you consider this, you should be aware that when acquiring the IP addresses to add, the IPs you would receive for resolving a given domain may differ from those that someone requesting it from another geographical location may see.
Also, this approach may break as soon as public DNS resolution of such a target domain would change to a different IP.
Yes, I might have accidentally added some CNAME records accidentally. I'll find how to remove those.
As an experiment, I have removed all domains from Pi Hole (i.e. removed the adlist and deleted all items in the whitelist/blacklist. I regenerated gravity. I still get the same issues with forcesafesearch.google.com
That's expected, as the CNAME records you've created would still exist.
The lists that Pi-hole uses have nothing to do with that.
You'd have to remove those CNAME definitions (or add the required A/AAAA records to Pi-hole, with the caveats applying as explained).
Right, I think some of the dnsmasq.d files might have been left over from a previous attempt (?). I am therefore uninstalling, cleaning up, and reinstalling Pi Hole. Wish me luck!
You should check to remove CNAMEs from Pi-hole first.
The link from my initial previous post will take you to Pi-hole's respective UI.
Sorry, I was too quick!
The good news is that nslookup for www.google.com now returns an address.
Google search/mail etc is still not working on the Pi that is using PiHole DNS. I have cleared cache too. Nor is DuckDuckGo.
That last part might be because my clock is out of date on my test Pi. It should be querying the NTP server on reboot...
@Bucking_Horn correctly identified the problem and the issue is resolved. Many thanks 
The issue was indeed the CNAME records. I had not put them there myself (that I know of). I know a while back I had a problem with the Pi, ending up reinstalling Pi Hole, probably losing the matching settings elsewhere. One thing I did notice this time when I uninstalled Pi Hole (with pihole uninstall) it did not remove the Pi Hole-related files in /etc/dnsmasq.d. This is what tripped me up. Perhaps they should be removed on uninstall?
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.