Pi hole is not working for Macbook, works for cellphones and other laptops

Help
1

Please follow the below template, it will help us to help you!

If you are Experiencing issues with a Pi-hole install that has non-standard elements (e.g you are using nginx instead of lighttpd, or there is some other aspect of your install that is customised) - please use the Community Help category.

Expected Behaviour:

Pi hole should block ads on all devices.

Actual Behaviour:

Ads are still being displayed on macbook. Tail Pihole log shows query is blocked for that domain, but ads are being displayed from the same domain when inspected. I have tried manual DNS on router and now using DHCP on Pi hole in both cases all ads are there.

Debug Token:

[https://tricorder.pi-hole.net/8tkgiy2y2c]

2

Let's take a look at the DNS servers being used by the Mac. From the Mac terminal (and not via ssh to the Pi), what are the outputs from the follwoing commands:

nslookup pi.hole

scutil --dns

3 
nslookup pi.hole
Server: 192.168.1.7
Address: 192.168.1.7#53

Name: pi.hole
Address: 192.168.1.7

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

Rahuls-Air:~ rahulshelgaonkar$ nslookup pi.hole
Server: 192.168.1.7
Address: 192.168.1.7#53

Name: pi.hole
Address: 192.168.1.7


Rahuls-Air:~ rahulshelgaonkar$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.7
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.7
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
4

This client appears to be using Pi-hole for DNS. What browser are you using and does the browser have DNS over HTTPS enabled? Do you run the Macbook through a VPN service? From the Macbook terminal again, what is the output of"

nslookup flurry.com

5

DNS over HTTPS was not enabled on chrome and firefox. Enabled, cleared cache and restarted, still not working.

nslookup flurry.com

The default interactive shell is now zsh.

To update your account to use zsh, please run chsh -s /bin/zsh.

Rahuls-Air:~ rahulshelgaonkar$ nslookup flurry.com
Server: 192.168.1.7
Address: 192.168.1.7#53
Non-authoritative answer:
Name: flurry.com
Address: 74.6.136.153
Name: flurry.com
Address: 212.82.100.153
Name: flurry.com
Address: 98.136.103.26
6

You don't want DoH enabled. When you do this, the DNS queries for the browser go to a DoH server, and not to your Pi-hole.

This query should be blocked by Pi-hole. Let's look for flurry.com in the Pi-hole log and see why it was not blocked. Please post the outputs of:

grep flurry.com /var/log/pihole.log

pihole -q -exact flurry.com

7 
grep flurry.com /var/log/pihole.log
Jun 11 00:00:31 dnsmasq[651]: query[A] data. **flurry.com** from 192.168.1.233
Jun 11 00:00:31 dnsmasq[651]: gravity blocked data. **flurry.com** is 0.0.0.0
Jun 11 00:02:45 dnsmasq[651]: query[A] data. **flurry.com** from 192.168.1.233
Jun 11 00:02:45 dnsmasq[651]: gravity blocked data. **flurry.com** is 0.0.0.0
Jun 11 01:16:45 dnsmasq[651]: query[A] data. **** from 192.168.1.233
Jun 11 01:16:45 dnsmasq[651]: gravity blocked data. **** is 0.0.0.0
Jun 11 02:31:47 dnsmasq[651]: query[A] data. **** from 192.168.1.233
Jun 11 02:31:47 dnsmasq[651]: gravity blocked data. **** is 0.0.0.0
Jun 11 03:46:25 dnsmasq[651]: query[A] data. **** from 192.168.1.233
Jun 11 03:46:25 dnsmasq[651]: gravity blocked data. **** is 0.0.0.0
Jun 11 12:25:03 dnsmasq[651]: query[A] **** from 192.168.1.245
Jun 11 12:25:03 dnsmasq[651]: gravity blocked **** is 0.0.0.0
Jun 11 12:35:30 dnsmasq[651]: query[A] **** from 192.168.1.245
Jun 11 12:35:30 dnsmasq[651]: gravity blocked **** is 0.0.0.0
Jun 11 12:35:31 dnsmasq[651]: query[A] www. **** from 192.168.1.245
Jun 11 12:35:31 dnsmasq[651]: gravity blocked www. **** is 0.0.0.0
Jun 11 12:35:36 dnsmasq[651]: query[A] data. **** from 192.168.1.245
Jun 11 12:35:36 dnsmasq[651]: gravity blocked data. **** is 0.0.0.0
8

pihole -q -exact flurry.com
Exact matches for flurry.com found in:

Posted only 3 links as new user cannot post more than 5 links in a reply.

9

What is the IP of the Mac?

10

192.168.1.245

11

There does not appear to be a query for flurry.com from that client.

12

Jun 11 12:35:36 dnsmasq[651]: query[A] data. **** from 192.168.1.245
Jun 11 12:35:36 dnsmasq[651]: gravity blocked data. **** is 0.0.0.0

I removed "flurry.com" from the response as it wont allow me to post more than 5 links in a reply

13

If you post the replies as "formatted text" using the </> icon on the reply window, the links will not appear.

Was this request for data.flurry.com, or for flurry.com. These are different domains. The nslookup command was for flurry.com.

14 
type or paste code here
```nslookup flurry.com
Server:		192.168.1.7
Address:	192.168.1.7#53

Non-authoritative answer:
Name:	flurry.com
Address: 98.136.103.26
Name:	flurry.com
Address: 74.6.136.153
Name:	flurry.com
Address: 212.82.100.153


there is no query from macbook for nslookup flurry.com
15

nslookup was for flurry.com

16

What I'm looking for is the matching query from the other end. Do this and post the output

from the Pi terminal, run pihole -t to tail the Pi-hole log. After the tail starts, run nslookup flurry.com from the Mac terminal and then post the outputs of both.

17 
pihole -t
  [i] Press Ctrl-C to exit
11:42:01: gravity blocked mobile.pipe.aria.microsoft.com is 0.0.0.0
11:42:06: query[A] gspe11-ssl.ls.apple.com.edgekey.net from 192.168.1.245
11:42:06: forwarded gspe11-ssl.ls.apple.com.edgekey.net to 208.67.220.220
11:42:06: reply gspe11-ssl.ls.apple.com.edgekey.net is <CNAME>
11:42:06: reply e10499.dsce9.akamaiedge.net is 184.27.221.240
11:42:06: query[A] mesu-cdn.origin-apple.com.akadns.net from 192.168.1.245
11:42:06: forwarded mesu-cdn.origin-apple.com.akadns.net to 208.67.220.220
11:42:06: reply mesu-cdn.origin-apple.com.akadns.net is <CNAME>
11:42:06: reply mesu.g.aaplimg.com is 17.253.25.208
11:42:06: reply mesu.g.aaplimg.com is 17.253.25.207
11:42:16: query[A] teredo.ipv6.microsoft.com from 192.168.1.209
11:42:16: gravity blocked teredo.ipv6.microsoft.com is 0.0.0.0
11:42:18: query[A] flurry.com from 192.168.1.245
11:42:18: gravity blocked flurry.com is 0.0.0.0
11:42:22: query[A] gspe35-ssl.ls.apple.com from 192.168.1.245
11:42:22: forwarded gspe35-ssl.ls.apple.com to 208.67.220.220
11:42:22: reply gspe35-ssl.ls.apple.com is <CNAME>
11:42:22: reply gspe35-ssl.ls-apple.com.akadns.net is <CNAME>
11:42:22: reply gspe35-ssl.ls.apple.com.edgekey.net is <CNAME>
11:42:22: reply e6987.e9.akamaiedge.net is 184.27.221.72
11:42:27: query[A] api-global.netflix.com from 192.168.1.214
11:42:27: cached api-global.netflix.com is <CNAME>
11:42:27: cached api-global.geo.netflix.com is <CNAME>
11:42:27: forwarded api-global.netflix.com to 208.67.220.220
11:42:27: reply api-global.netflix.com is <CNAME>
11:42:27: reply api-global.geo.netflix.com is <CNAME>
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.37.89.199
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.41.85.151
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.41.165.115
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.26.22.158
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.26.150.190
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.27.61.208
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.34.165.205
11:42:27: reply api-global.us-west-2.prodaa.netflix.com is 52.35.174.195
11:42:38: query[A] api.accuweather.com from 192.168.1.233
11:42:38: cached api.accuweather.com is <CNAME>
11:42:38: cached api.accuweather.com.edgekey.net is <CNAME>
11:42:38: forwarded api.accuweather.com to 208.67.220.220
11:42:38: reply api.accuweather.com is <CNAME>
11:42:38: reply api.accuweather.com.edgekey.net is <CNAME>
11:42:38: reply e10414.g.akamaiedge.net is 104.87.13.14
11:42:40: query[A] settings.crashlytics.com from 192.168.1.233
11:42:40: gravity blocked settings.crashlytics.com is 0.0.0.0
11:42:40: query[AAAA] pool.ntp.org from 192.168.1.233
11:42:40: forwarded pool.ntp.org to 208.67.220.220
11:42:40: reply pool.ntp.org is NODATA-IPv6
11:42:40: query[A] googleads.g.doubleclick.net from 192.168.1.233
11:42:40: exactly blacklisted googleads.g.doubleclick.net is 0.0.0.0
11:42:40: query[A] pubads.g.doubleclick.net from 192.168.1.233
11:42:40: gravity blocked pubads.g.doubleclick.net is 0.0.0.0
11:42:41: query[A] events.appsflyer.com from 192.168.1.233
11:42:41: gravity blocked events.appsflyer.com is 0.0.0.0
11:42:41: query[A] sb.scorecardresearch.com from 192.168.1.233
11:42:41: gravity blocked sb.scorecardresearch.com is 0.0.0.0
11:42:41: query[A] api.weathercn.com from 192.168.1.233
11:42:41: forwarded api.weathercn.com to 208.67.220.220
11:42:42: reply api.weathercn.com is <CNAME>
11:42:42: reply cdn-global-api.trafficmanager.cn is <CNAME>
11:42:42: reply api.weathercn.com.edgekey.net is <CNAME>
11:42:42: reply e7708.b.akamaiedge.net is 23.63.218.91
11:42:43: query[A] pubads.g.doubleclick.net from 192.168.1.233
11:42:43: gravity blocked pubads.g.doubleclick.net is 0.0.0.0
11:42:43: query[A] events.appsflyer.com from 192.168.1.233
11:42:43: gravity blocked events.appsflyer.com is 0.0.0.0
11:42:44: query[A] sb.scorecardresearch.com from 192.168.1.233
11:42:44: gravity blocked sb.scorecardresearch.com is 0.0.0.0
11:42:45: query[A] pool.ntp.org from 192.168.1.233
11:42:45: forwarded pool.ntp.org to 208.67.220.220
11:42:45: reply pool.ntp.org is 74.6.168.72
11:42:45: reply pool.ntp.org is 192.111.144.114
11:42:45: reply pool.ntp.org is 216.229.0.49
11:42:45: reply pool.ntp.org is 72.87.88.203
11:42:45: query[A] zwyr157wwiu6eior.com from 192.168.1.233
11:42:45: forwarded zwyr157wwiu6eior.com to 208.67.220.220
11:42:45: reply zwyr157wwiu6eior.com is 104.17.188.107
11:42:45: reply zwyr157wwiu6eior.com is 104.17.187.107
11:42:46: query[A] pubads.g.doubleclick.net from 192.168.1.233
11:42:46: gravity blocked pubads.g.doubleclick.net is 0.0.0.0
11:42:46: query[A] api-global.netflix.com from 192.168.1.214
11:42:46: cached api-global.netflix.com is <CNAME>
11:42:46: cached api-global.geo.netflix.com is <CNAME>
11:42:46: forwarded api-global.netflix.com to 208.67.220.220
11:42:46: reply api-global.netflix.com is <CNAME>
11:42:46: reply api-global.geo.netflix.com is <CNAME>
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 52.38.170.55
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 52.41.140.216
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 52.42.239.65
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 52.43.208.48
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 52.89.116.136
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 54.148.233.120
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 54.186.225.241
11:42:46: reply api-global.us-west-2.prodaa.netflix.com is 52.37.42.126
11:42:46: query[A] events.appsflyer.com from 192.168.1.233
11:42:46: gravity blocked events.appsflyer.com is 0.0.0.0
11:42:47: query[A] sb.scorecardresearch.com from 192.168.1.233
11:42:47: gravity blocked sb.scorecardresearch.com is 0.0.0.0
11:42:50: query[A] strapi.reddit.com from 192.168.1.233
11:42:50: cached strapi.reddit.com is <CNAME>
11:42:50: forwarded strapi.reddit.com to 208.67.220.220
11:42:50: reply strapi.reddit.com is <CNAME>
11:42:50: reply reddit.map.fastly.net is 151.101.65.140
11:42:50: reply reddit.map.fastly.net is 151.101.129.140
11:42:50: reply reddit.map.fastly.net is 151.101.193.140
11:42:50: reply reddit.map.fastly.net is 151.101.1.140
11:42:55: query[A] beaconqi.qq.com from 192.168.1.233
11:42:55: cached beaconqi.qq.com is 0.0.0.1
11:42:59: query[A] teredo.ipv6.microsoft.com from 192.168.1.209
11:42:59: gravity blocked teredo.ipv6.microsoft.com is 0.0.0.0
11:43:05: query[A] events.mapbox.com from 192.168.1.233
11:43:05: gravity blocked events.mapbox.com is 0.0.0.0
18 
$ nslookup flurry.com
Server:		192.168.1.7
Address:	192.168.1.7#53

Non-authoritative answer:
Name:	flurry.com
Address: 98.136.103.26
Name:	flurry.com
Address: 74.6.136.153
Name:	flurry.com
Address: 212.82.100.153
19

This is puzzling. Pi-hole shows that it received this request, and correctly blocked the request and returned the NULL IP. Yet the client shows that an IP was resolved.

The only way that appears to be possible is if the client is getting DNS resolution from multiple sources. This is what I get when I run a similar test - 155 is the Pi-hole, 135 is the Mac:

nslookup flurry.com
Server: 192.168.0.155
Address: 192.168.0.155#53

Name: flurry.com
Address: 0.0.0.0

Jun 12 12:09:12 dnsmasq[7676]: query[A] flurry.com from 192.168.0.135
Jun 12 12:09:12 dnsmasq[7676]: gravity blocked flurry.com is 0.0.0.0
20

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.