Pi-Hole is used but blacklisted domains aren't blocked

Hi There,

I have a UDM-Pro and a USG running as my main network routers.

In this I have 3 networks:
Guests = 192.168.2.0
LAN = 192.168.1.0
LAN4KIDS = 192.168.3.0

My Pi-Hole v5.6 FTL v5.11 WEB v5.8 is on 192.168.1.5 and uses OPENDNS-Family 208.67.222.123 as DNS.

I can tell Pi-Hole is working for LAN4KIDS as some sites are blocked.
I blacklisted some domains and put them in a School group.
(.|^)youtube.com$
(.|^)m.youtube.com$

I noticed they aren't blocked.
I started searching on the internet and found "Pi-hole doesn't block domains as intended - #6 by jfb".

In my configuration I have a /etc/pihole/pihole-FTL.conf that only contains privacy=0
and there is no blacklist.txt.

Is this info from the previous question still valid, and can somebody help me troubleshoot this?

Kind regards
Guy Forssman

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

The thread you reference was written when an older version of Pi-hole was current (prior to V5.0). With V5.0 and later of Pi-hole, the domains and adlists are no longer in separate text files, they are embedded in an SQL database at /etc/pihole/gravity.db.

Were you unable to upload your log to our server? That is what produces the token, and putting the log on our server limits the audience to the Pi-hole team (and for only 48 hours). Posting your log publicly provides none of this privacy.

Yes it's uploaded....

https://tricorder.pi-hole.net/Dr30plSj/

It seems that the log contains other DNS addresses than the one from Pi-Hole.
I'm running Kubuntu 20.04 on the Pi-Hole server but can't seem to find the config file for that one.
systemd-resolve --status | grep 'DNS Servers' -A2
DNS Servers: 1.1.1.1
208.67.222.222
9.9.9.9

Your school group is disabled. No blocking will be applied to clients in that group:

*** [ DIAGNOSING ]: Groups
   id    enabled  name                                                date_added           date_modified        description                                       
   ----  -------  --------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   0           1  Default                                             2021-10-27 13:43:16  2021-10-27 13:43:16  The default group                                 
   1        0     School                                              2021-10-27 14:28:36  2021-10-29 19:00:01  school

And, your adlist is only applied to the default group, not the school group as well. Did you intend to not have any adlists in the school group?

*** [ DIAGNOSING ]: Adlists
   id     enabled  group_ids     address                                                                                               date_added           date_modified        comment                                           
   -----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1            1  0             https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts                                      2021-10-27 13:43:16  2021-10-27 13:43:16  Migrated from /etc/pihole/adlists.list
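The group check from the reply above, as an added example that is not part of the original thread and not Pi-hole's own code: it rebuilds a small subset of the v5 gravity.db schema in memory and shows that regex blacklist entries assigned to a disabled group never reach the client. The client IP 192.168.3.20 and the sample rows are constructed, and Python's `re` stands in for FTL's regex engine.

```python
import re
import sqlite3

# Constructed subset of the Pi-hole v5 gravity.db schema. Rows mirror the
# thread: School group (id 1) disabled, two regex blacklist entries assigned
# to it. The client IP 192.168.3.20 is an assumption.
SCHEMA = """
CREATE TABLE "group" (id INTEGER PRIMARY KEY, enabled INTEGER, name TEXT);
CREATE TABLE domainlist (id INTEGER PRIMARY KEY, type INTEGER,
                         domain TEXT, enabled INTEGER);
CREATE TABLE domainlist_by_group (domainlist_id INTEGER, group_id INTEGER);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
INSERT INTO "group" VALUES (0, 1, 'Default'), (1, 0, 'School');
INSERT INTO domainlist VALUES (1, 3, '(.|^)youtube.com$', 1),
                              (2, 3, '(.|^)m.youtube.com$', 1);
INSERT INTO domainlist_by_group VALUES (1, 1), (2, 1);
INSERT INTO client VALUES (1, '192.168.3.20');
INSERT INTO client_by_group VALUES (1, 1);
"""
REGEX_BLACKLIST = 3  # domainlist.type: 0/1 exact allow/deny, 2/3 regex allow/deny

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def active_regex_blocks(db, client_ip):
    """Regex blacklist entries reaching client_ip through an ENABLED group."""
    rows = db.execute(
        '''SELECT d.domain FROM client c
           JOIN client_by_group cg ON cg.client_id = c.id
           JOIN "group" g ON g.id = cg.group_id AND g.enabled = 1
           JOIN domainlist_by_group dg ON dg.group_id = g.id
           JOIN domainlist d ON d.id = dg.domainlist_id
           WHERE c.ip = ? AND d.enabled = 1 AND d.type = ?
           ORDER BY d.id''', (client_ip, REGEX_BLACKLIST))
    return [r[0] for r in rows]

def is_blocked(db, client_ip, qname):
    # Python's re stands in for FTL's regex engine here.
    return any(re.search(p, qname) for p in active_regex_blocks(db, client_ip))

def set_group(db, name, enabled):
    # Flip a group's enabled flag, the state the thread's cron job changes.
    db.execute('UPDATE "group" SET enabled = ? WHERE name = ?', (int(enabled), name))

if __name__ == "__main__":
    db = build_db()
    print(is_blocked(db, "192.168.3.20", "www.youtube.com"))
    set_group(db, "School", True)
    print(is_blocked(db, "192.168.3.20", "www.youtube.com"))
```

The same join can be run read-only against a copy of /etc/pihole/gravity.db to see which entries are actually in effect for a given client at a given time.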

The school group is enabled between 08 - 19 h with a cron job. I want to block the fun sites between certain hours for my kids.

The question was posted before 19:00

I have uploaded a new log this time with the group enabled.
https://tricorder.pi-hole.net/qXCC50Sy/

With this group enabled, and from one of the clients in that group, from the command prompt or terminal in that client (and not via ssh to Pi-hole), what are the outputs of the following commands:

nslookup youtube.com

nslookup youtube.com 192.168.1.6

Then from the Pi terminal:

grep youtube.com /var/log/pihole.log | tail -n10

C:\Users\guyf>nslookup youtube
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.6

Name: youtube.

C:\Users\guyf>nslookup youtube 192.168.1.6
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.6

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for youtube

root@NVR:~# grep youtube.com /var/log/pihole.log | tail -n10
root@NVR:~#

I think it has to do with /etc/systemd/resolved.conf

Are you passing port 53 traffic between VLANs?

Don't understand your question completely.

I think I nailed it down to a UniFi problem, because the exact order and DNS servers are configured for my main LAN and for some reason they also end up in Pi-Hole.

Does the group blocking work now?

No, it doesn't.

If you repeat those nslookup commands, do you still receive no replies?

Yes indeed, Server Unknown.

I suspect this is a problem with passing DNS (port 53) traffic between your different VLANs.
