Thanks for the reply.
The router's DHCP pool is configured from 192.168.1.11 to 192.168.1.254. The Pi is using 192.168.1.2 so no device can claim that IP.
That client is using Quad9 for DNS, not Pi-hole. This is not unusual for the Pi (you are better off in many respects having the Pi use a nameserver other than Pi-hole - otherwise Pi-hole can't repair itself, for example).
We want the output of this command from a client computer other than the Pi itself (and not via ssh session to the Pi terminal).
Ok, I used that command from WSL2 after exiting Raspberry.
Not sure I fully understand that.
Firstly, when I set up pi-hole I selected Cloudflare, not Quad9 so I don't know why this DNS is there.
Secondly, you mean that it's better for the pi-hole to point/use a DNS which is not the pi-hole's DNS? i.e., 192.168.1.2? (which is also the pihole IP)
The DNS server you see in the nslookup from the Pi is not the DNS server you have told Pi-hole to use, it is the DNS server you have told the Pi to use. This will be shown in file /etc/resolv.conf on the Pi.
No, I mean it is better for the Pi-hole host platform (in your case a Pi) to use a different DNS server than Pi-hole. If you point the Pi nameserver to a DNS other than Pi-hole (Pi-hole DNS on the Pi would typically be through the loopback 127.0.0.1 address, since Pi-hole is running on the Pi), you get the following benefits (all assuming that the Pi-hole software has experienced a problem, but the Pi is still running normally):
(1) you can upload a debug log token
(2) you can run a Pi-hole repair
(3) you can connect to an NTP server to set the time on the Pi
(4) you can run Pi OS updates (sudo apt update, etc.)
If your file /etc/resolv.conf on the Pi shows this, the Pi is using Pi-hole for DNS:
nameserver 127.0.0.1
If your Pi shows another nameserver (in your case Quad9), then that is the nameserver (DNS service) that your Pi is using.
If a client cannot connect to the URL http://pi.hole/admin, this is typically because the client's DNS server cannot resolve the domain name pi.hole. The only DNS server that can resolve this domain name to the correct IP is Pi-hole itself, since this name is mapped internally to Pi-hole. In your case, if the client from which you are running the browser is not using Pi-hole for DNS, this is the expected result. If you change the URL to use the IP instead of the Pi-hole domain name, and the client can load the page, that's your problem. Example URL below (substitute your Pi-hole IP):
Which leads me to the next problem I'm facing.
In my Asus RT-AX88U, I set the DNS to the IP address of pi-hole but nothing is being blocked based on the dashboard stats.
See here: https://i.ibb.co/kx9ZqxD/pihole.png
And here: https://i.ibb.co/sPzmhJt/2020-10-09-03-20-16-Window.png
This is based on a youtube video I followed. It doesn't show the same router, but the same concept.
Did I set it incorrectly?
I don't recall setting up the Pi DNS at any point. I simply downloaded the app that installs RaspberryOS from the official site. I then loaded the microSD to the Pi and I SSH to it.
Is there a recommended DNS to use for the Pi?
And once Pi-hole is set up correctly in my router, this means that:
All devices in my house will use the pi-hole DNS to block ads?
Pi (the hosting platform) will use a different DNS?
Edit:
I added the pi-hole IP as the DNS in another location on the router.
I tested it by adding the facebook domain to the Blacklist. It worked. But that's about it, it doesn't use the lists I added in the Group Management to block other things.
It's been a whole day I'm messing around with pi-hole and the only time it shows it's blocking something on the dashboard is when I explicitly entered facebook.com to the blocklist.
In the adlists I have many addresses referring to hosts and domains to block. I have 18 connected devices, it can't be that nothing is being blocked. Those devices, including my PC, must get some traffic from those ads and I should see the Queries Blocked number go up.
Something is not right with how this is set up.
Is there a bug with the current version?
Your IPv6 DNS servers look ok. fec0:0:0:ffff::1 to ::3 are site-local anycast addresses for DNS servers - long deprecated, but Windows still statically defines them in absence of any other DNS servers.
This would be in line with your network not having IPv6 connectivity, as indicated by your debug log (by link-local fe80 address only, no IPv6 gateway). (And you don't need IPv6 to access the Internet at all.)
In short: Nothing to worry about.
For IPv4 however, there are indeed 3 additional DNS servers: Your router at 192.168.1.1 on your "Ethernet 4" interface, and two public ones on your "Ethernet" interface.
While the latter probably stems from a VPN setup presumably using PIA (privateinternetaccess) as a VPN provider, the former is proving that your router is configured to distribute itself alongside Pi-hole as DNS server.
You should get rid of that router entry in your router's DNS settings, or any client will bypass Pi-hole over time as a client sees fit.
Any contact established via the presumed VPN connection will also not be filtered through Pi-hole.
You'd have to consult your VPN provider if and how you can inject a custom DNS server into your VPN connection.
And finally, you should also heed jfb's above advice on verifying your group management in Pi-hole.
I think the whole setup process got me misled.
I understood that if I set the router's DNS to the pi-hole IP address, then all my devices at home will go through pi-hole.
The youtube videos I've seen were all saying that you either set a few clients (devices) to use the pi-hole IP as a DNS or you set the router's DNS to use pi-hole IP to get all the devices covered.
So I don't understand what do I need to do now? No guide is saying to do anything other than those I just mentioned.
I read your explanations but it just doesn't sink in. Sorry for being a dumbass. I really don't get it. What steps did I miss?
What does it matter if I have adlists divided into groups, as long as the router is using the pi-hole's IP as a DNS?
I don't use PIA. I have NordVPN software but it's switched off. This is mainly used on my PC and my Nvidia Shield TV.
Other than this, most of my clients don't use a VPN.
I only have my PC and the raspberry connected via Ethernet. All other home clients use WiFi.
Can you please guide me what to do?
And should I enable IPv6?
Please have a look at the debug log on my previous post, as I have done some changes.
I've set Interface listening behavior to Listen on all interfaces, permit all origins.
I add to that that your ISP may not even offer IPv6 connectivity at all.
Even if, my recommendation would be to keep it disabled.
IPv6 takes quite a bit to get a grasp of. You should solve your current issues first before introducing any additional challenges by enabling IPv6.
I'll have a look at your current debug log to see if your latest changes would fit jfb's group management advice.
But you'd have to figure your router and VPN by yourself.
I do not know your router nor your VPN provider.
That said, there are some misbehaving routers that will distribute their own IP as additional DNS, no matter what you configure.
By default, all clients belong to the default group, and also all adlists.
This ensures Pi-hole will be filtering all your client DNS requests through all your blocking lists.
There is no need to touch Pi-hole's group management at all.
Now, you've defined four new groups (1 through 4) in addition to the default group (0).
You have then distributed all of your adlists to one or more of your new groups.
This means there are no blocking lists for the default group anymore.
Thus, any client in the default group (which is all clients by default) will not be filtered, and that was demonstrated by your nslookup of flurry.com returning IP addresses.
You'd have to assign all your adlists to the default group as well.
You could also try to assign each of your clients to a specific group, but that comes with its own problems (changing IP addresses), and also any new clients in your network will never be filtered by default (literally).
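The group behaviour described in the post above, as an added example that is not part of the original thread or Pi-hole's own code: it models the adlist, client and group links in an in-memory SQLite database and computes which adlists actually filter a given client. The table and column names, the list URLs and the client IPs are constructed assumptions for the illustration, not values read from a real installation.

```python
import sqlite3

# Constructed, simplified model of the group tables; names are assumptions.
SCHEMA = """
CREATE TABLE "group" (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER DEFAULT 1);
CREATE TABLE adlist (id INTEGER PRIMARY KEY, address TEXT, enabled INTEGER DEFAULT 1);
CREATE TABLE adlist_by_group (adlist_id INTEGER, group_id INTEGER);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
"""

def build_sample(default_has_lists):
    """Constructed data: groups 0-4, two adlists, one explicitly assigned client."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany('INSERT INTO "group"(id, name) VALUES (?, ?)',
                   [(0, "Default"), (1, "g1"), (2, "g2"), (3, "g3"), (4, "g4")])
    db.executemany("INSERT INTO adlist(id, address) VALUES (?, ?)",
                   [(1, "https://lists.example/ads.txt"),
                    (2, "https://lists.example/trackers.txt")])
    links = [(1, 1), (2, 3)]           # adlists moved into custom groups only
    if default_has_lists:
        links += [(1, 0), (2, 0)]      # the fix: also assign them to group 0
    db.executemany("INSERT INTO adlist_by_group VALUES (?, ?)", links)
    db.execute("INSERT INTO client(id, ip) VALUES (1, '192.168.1.50')")
    db.execute("INSERT INTO client_by_group VALUES (1, 3)")
    return db

def effective_adlists(db, client_ip):
    """Return the adlists that filter queries from client_ip."""
    row = db.execute("SELECT id FROM client WHERE ip = ?", (client_ip,)).fetchone()
    if row is None:
        groups = [0]                   # unlisted clients fall into the default group
    else:
        groups = [g for (g,) in db.execute(
            "SELECT group_id FROM client_by_group WHERE client_id = ?", row)]
    if not groups:
        return []
    marks = ",".join("?" * len(groups))
    rows = db.execute(
        'SELECT DISTINCT a.address FROM adlist a '
        'JOIN adlist_by_group ag ON ag.adlist_id = a.id '
        'JOIN "group" g ON g.id = ag.group_id '
        f'WHERE a.enabled = 1 AND g.enabled = 1 AND g.id IN ({marks}) '
        'ORDER BY a.address', groups)
    return [address for (address,) in rows]

if __name__ == "__main__":
    for fixed in (False, True):
        db = build_sample(fixed)
        print(fixed, effective_adlists(db, "192.168.1.77"))
```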
Ok, so I'll remove the groups and set everything to default.
This means that I don't have to manually add clients to the clients list, if I understand correctly.