Pi-Hole Isn't Working—No Idea Why

Expected Behaviour:

The Pi-Hole should filter most ads and trackers.

  • Debian lite, no desktop
  • Raspberry Pi 3 A+

Actual Behaviour:

The Pi-Hole seems to be filtering some trackers but only very rarely ads. All devices are connected to the Pi-Hole according to the web interface. There was a brief, beautiful period where the Pi-Hole seemed to be blocking (at least most) ads, and the query log reflected this, but now it seems that the query log is missing the queries it was previously catching, as in they're not appearing in the log. I've never done a network project before this but it seems to me that some queries are not getting caught by the Pi-Hole, hence not showing up in the query log and not getting blocked.

At a few points in the past 3 days it's worked somewhat, blocking most ads (except on YouTube which had about a 50% success rate) but then inexplicably stops working, without having any settings changed.

Some more information about my setup:
I have a Bluecurve Gateway XB6 (my ISP's proprietary modem/router) bridged to a Netgear AX1800 router. All my devices, including the Pi-Hole, are plugged into the Netgear router. At this moment the Pi-Hole is in charge of the DHCP server, but the router has had that privilege in the past with the same outcome.

According to the web app, all my devices are connected to the Pi-Hole but when I run nslookup pi.hole in command prompt I get the following result:
*** UnKnown can't find pi.hole: No response from server
nslookup flurry.com gives an identical result.
Strangely, canyoublockit.com's extreme test shows favourable results: it seems to block all the ads there. In addition, dnsleaktest.com's test does not show that I have a DNS leak, as all the servers are from the DNS provider I chose (Cloudflare).

Things I've tried in the past 3 days to try to make this work:
Setting every DNS (including secondary and tertiary) in my router to be Pi-Hole's address;
Manually setting the DNS on multiple devices;
Reinstalling Pi-Hole;
Reinstalling Debian;
Setting Pi-Hole as my DHCP server;
Rebooting every device;
Rebooting my modem & router;
Rebooting Pi-Hole;
Flushing network DNS;
Checked that the DNS address is correct;
Re-checked that the DNS address is correct; and
A lot of other things that I've probably forgotten about.

Debug Token:

https://tricorder.pi-hole.net/76oGSe6J/

Thanks in advance for any help. I've been tearing my hair out over it for the past few days.

This indicates that the queries are going elsewhere. The Pi-hole query log shows all queries received.

That was my thought as well. How would I go about confirming this?

Did you run this on the Pi-hole server or on a client system?

This by default gives a result on the client systems only since the Pi-hole server intentionally is not configured to use itself as DNS server, to prevent bootstrap issues and since you usually don't run a browser and browse ad plagued websites on the server system.

If the command does not work on a client system, this indicates that this client is bypassing/not using Pi-hole.

Run from a client, what's the full output of

nslookup pi.hole

And if that's a Windows client, please provide the DNS server section from the following command's output:

ipconfig /all

Here's the full output from my Windows desktop (which was the same client I had done the nslookups on previously):

Server: UnKnown
Address: 2604:3d08:1b80:3c00:58b6:42f5:cf25:be12

*** UnKnown can't find pi.hole: No response from server

And the DNS server section from ipconfig:

DNS Servers . . . . . . . . . . . : 2604:3d08:1b80:3c00:58b6:42f5:cf25:be12
192.168.1.3

192.168.1.3 is the address for the Pi-Hole.

Your client is using a DNS server at that IPv6 address (I'd guess that IPv6 address belongs to your router). So your clients are able to bypass Pi-hole via IPv6.

You'd have to find a way to configure your router to advertise your Pi-hole host machine's IPv6 as DNS server instead of its own.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether.

If your router doesn't support that either, your IPv6-capable clients will be able to bypass Pi-hole via IPv6.

That's strange, IPv6 is supposed to be disabled. I'll try enabling it and changing the IPv6 DNS to be the Pi-Hole's and report back, thank you!

Alright, so I enabled IPv6 on my router and set the IPv6 DNS to be the same as my Pi-Hole's (I also manually set the DNS for my desktop, since it wasn't setting to the right DNS on its own). My desktop is showing the following IPv6 DNS, as seen with ipconfig /all.

DNS Servers . . . . . . . . . . . : 2604:3d08:1b7f:8c2a::3
192.168.1.1

That DNS is the same as my Pi-Hole's IPv6 address. In addition, when I run nslookup pi.hole on my desktop, instead of returning the "server unknown" error, I get the following:

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 2604:3d08:1b7f:8c2a::3

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

To be safe, I've tried flushing my DNS both on the client and via the Pi-Hole web interface, however, it still does not appear that the Pi-Hole is blocking most ads. It's my understanding that 2604:3d08:1b7f:8c2a::3, the Pi-Hole's IPv6 address, can also be written as 2604:3d08:1b7f:8c2a:0:0:0:3 (added zeroes), which is how I have it recorded in my router's DNS settings. Is that correct? If yes, then I am once again at a dead end and would appreciate some more help.

Thanks for responding. Yes, I ran that on a client system—my Windows desktop to be specific. It does appear to be bypassing the Pi-Hole. Thanks to Bucking_Horn, it seems my desktop was using IPv6 to get around the Pi-Hole, but after enabling IPv6 and setting the router to use the Pi-Hole as the IPv6 DNS the Pi-Hole still isn't blocking ads. You can refer to my last post for more specific information.

Apologies for the late response, I must've missed your reply earlier. If you have anything to add here I'd greatly appreciate it.

Note that 192.168.1.1 may again be your router, this time its IPv4 address.

And to verify that IPv6 address, run the following command on your Pi-hole host machine:

ip -6 address

You are absolutely right, that is the router's address! It's very strange that it was using that when it was set to automatic DNS, and the router is configured to use the Pi-Hole's. Regardless, with the desktop set to have the proper IPv4 and IPv6 DNS, it still isn't blocking properly. It was blocking for a couple minutes (I checked the query log to be sure I wasn't just getting lucky) before it stopped working again. Ipconfig /all gives me the following results:

DNS Servers . . . . . . . . . . . : 2604:3d08:1b7f:8c2a::3
192.168.1.3

That's the right DNS configuration, and it was the same when it was working, so I'm dumbfounded as to why it broke again. Oh and yes, I verified the IPv6 address using ip -6 address on the Pi-Hole host. Is it possibly because of the router? Again, thank you for the help, I greatly appreciate it.

Let's retry that nslookup, and also a lookup for a blocked domain from your Windows client:

nslookup pi.hole
nslookup flurry.com

When you say "the router uses Pi-hole", do you mean the router is using Pi-hole as upstream DNS by itself, or is its DHCP server configured to pass Pi-hole as DNS to clients?

The results for nslookup pi.hole, from my Windows client:

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2604:3d08:1b7f:8c2a::3

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

And nslookup flurry.com from the same client:

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2604:3d08:1b7f:8c2a::3

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Edit: I just checked the Pi-Hole's diagnosis log and found this message from the time of the nslookup:

ignoring query from non-local network 2604:3d08:1b7f:b5cf::6 (logged only once)

That address is my Windows client, which I confirmed by running ipconfig /all in the command prompt. I'm not sure if it's relevant or not but thought I'd include it just in case.

The DNS queries are going to the router IPv6 address.

That is the Pi-Hole's IPv6 address. The router's address is fe80::60be:7602:423:aa22. Interestingly, when I set my Windows client to use the router's address as its IPv6 DNS and run nslookup pi.hole in command prompt, I get this instead of the time-out:

Server:  pi.hole
Address:  fe80::60be:7602:423:aa22

Name:    pi.hole
Addresses:  2604:3d08:1b7f:b5cf::3
          192.168.1.3

You can also see the Pi-Hole's IPv6 there.

When I have the Pi-Hole's IPv6 address set as the IPv6 DNS on my Windows client and run nslookup pi.hole, the following error appears in the Pi-Hole's diagnosis log (in addition to the time-out I receive from command prompt):

ignoring query from non-local network 2604:3d08:1b7f:b5cf::6 (logged only once)

It does not appear when I use my router's address as the DNS, like I did at the start of this post. The IPv6 address in that notification is my Windows client's address. I'm not sure if it's relevant or not but thought I'd include it just in case.

Edit: I'm just now noticing that the Pi-Hole's IPv6 address has changed, so apologies for that! It was probably assigned a new one after spending the better part of a day unplugged. Setting my Windows client's DNS to the new address and running nslookup pi.hole returns an identical message:

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2604:3d08:1b7f:b5cf::3

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

I'll have to look into setting a dedicated IPv6 address for the Pi-Hole.

Sorry, I'm not clear what the difference between these two is. Could you explain?

Right now, my router is my DHCP server and I have configured the router to automatically assign the Pi-Hole's IPv4 and IPv6 addresses as the IPv4 and IPv6 DNS, respectively. At different times I've had IPv6 disabled and the Pi-Hole set as the DHCP server with the same problem.

It is relevant - thanks for sharing this. :slight_smile:

Your Windows client is preferring IPv6 over IPv4, so it is sending DNS requests to your Pi-hole's IPv6 address 2604:3d08:1b7f:8c2a::3.

However, as that is a public IPv6 (range 2000::/3), your Windows client is also using its own public IPv6 to send the query.
Now, by its sane and secure default, Pi-hole is configured to answer only local requests.
This would nicely explain the time-outs for your nslookups.

I'd expect them to succeed if directed to your Pi-hole's IPv4 address:

nslookup pi.hole 192.168.1.3
nslookup flurry.com 192.168.1.3

To allow usage of IPv6 transport, you should consider configuring your router to advertise a ULA prefix, and then use your Pi-hole's ULA address (range fd00::/8) as local DNS server for IPv6.

If your router doesn't support ULAs, then you could try to use your Pi-hole's link-local IPv6 address instead (range fe80::/10).
This should usually be fine for most simple home networks, but will break when packets are routed (e.g. when using VLANs, Docker, some WiFi access points, L3 switches, ...).

If the Windows query showed up on your Pi-hole as ignoring query from non-local network 2604:3d08:1b7f:b5cf::6 (logged only once) and you say your Pi-hole's IPv6 address is 2604:3d08:1b7f:8c2a::3, then they're on different subnets. The Windows PC is using subnet b5cf and Pi-hole is using 8c2a. We need to find out what the correct prefix should be that's being advertised by your router and why devices have different subnet prefixes. Do you get a /48 from your ISP? Do you have VLANs set up?

On your pi-hole what is the output of ifconfig
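
Added example (not from the thread or from the Pi-hole project): a small Python model of the local-only check and the address ranges discussed in the last two replies, treating "local" as "the query's source address lies inside a subnet of one of the server's own interfaces". The /24 and /64 prefix lengths, the ULA addresses and the IPv4 client address are assumptions; the remaining addresses are quoted from the posts above.

```python
import ipaddress

# Address ranges named in the thread.
RANGES = {
    "global": ipaddress.ip_network("2000::/3"),
    "ULA": ipaddress.ip_network("fd00::/8"),
    "link-local": ipaddress.ip_network("fe80::/10"),
}

def scope(addr):
    """Name the range an address falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "private IPv4" if ip.is_private else "public IPv4"
    for name, net in RANGES.items():
        if ip in net:
            return name
    return "other"

def is_local(source, server_ifaces):
    """Model of a local-only listener: accept a query only when its source
    address lies inside the subnet of one of the server's own interfaces."""
    src = ipaddress.ip_address(source)
    return any(src.version == i.version and src in i.network
               for i in server_ifaces)

def report(sources, server_ifaces):
    """Return (source, scope, 'answered' | 'ignored') for each client source."""
    return [(s, scope(s), "answered" if is_local(s, server_ifaces) else "ignored")
            for s in sources]

# Pi-hole addresses quoted in the thread; the /24 and /64 lengths are assumed.
PIHOLE = [ipaddress.ip_interface("192.168.1.3/24"),
          ipaddress.ip_interface("2604:3d08:1b7f:8c2a::3/64")]
# Same host once the router advertises a ULA prefix (constructed address).
PIHOLE_ULA = PIHOLE + [ipaddress.ip_interface("fd00:0:0:1::3/64")]

# Client sources: the first is from the diagnosis log, the others are constructed.
CLIENTS = ["2604:3d08:1b7f:b5cf::6", "192.168.1.50", "fd00:0:0:1::6"]

if __name__ == "__main__":
    for label, ifaces in (("GUA only", PIHOLE), ("with ULA", PIHOLE_ULA)):
        print(label)
        for row in report(CLIENTS, ifaces):
            print("  %-26s %-13s %s" % row)
```

Feeding it the prefixed addresses printed by ip -6 address on the Pi-hole host, together with the source address from the diagnosis log, shows whether a given client/server pair shares a subnet.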