Pi.hole makes requests by itself

Expected Behaviour:

Only my computer and phone should be on Top Clients list

Actual Behaviour:

pi.hole is on my Top Clients list three times. It made requests to two domains that are on my blocklist.


pi.hole on my Top Clients list


pi.hole made request to csgojackpot.be


pi.hole made request to mx1.em-consult.com

Debug Token:

https://tricorder.pi-hole.net/nNTBsFYK/

What does your /etc/resolv.conf look like? Does any IP in there match one on your Pi-hole?

The domain mx1.em-consult.com is strange. Its name suggests it is a mail server; however, while it does point to an IP address, it is not the MX record of em-cnsult.com ( MX em-cnsult.com = mail.h-email.net. ). It does not react to simple SMTP tests.

The other domain csgojackpot.be does not even resolve to an IP address ( NXDOMAIN ).

This is what my /etc/resolv.conf looks like. The first two lines are Google IP addresses, I think. The rest could be IPv6 addresses, I'm not sure if they are my addresses or not so I partially censored them.

```
# Generated by dhcpcd from wlan0.dhcp, wlan0.dhcp6, wlan0.ra
# /etc/resolv.conf.head can replace this line
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:xxx:feed::1
nameserver 2001:xxx:feed::2
nameserver 2601:xxx:2080:xxxx:xxxx::
# /etc/resolv.conf.tail can replace this line
```

Compare against addresses shown by ip addr to check this. It would be the best explanation for the observed behavior.

The only instance of Pi-hole itself issuing DNS requests for blocked domains would be when creating a debug log, to test if blocking works as expected.

Note that the log you've provided checks for `js-validator-stage.appbe.optimizely.com` and `api5486.d41.co`.

```
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] js-validator-stage.appbe.optimizely.com is 0.0.0.0 on lo (127.0.0.1)
[✓] js-validator-stage.appbe.optimizely.com is 0.0.0.0 on wlan0 (192.168.0.151)
[✓] doubleclick.com is 142.250.217.78 via a remote, public DNS server (8.8.8.8)
*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] api5486.d41.co is :: on lo (::1)
[✓] api5486.d41.co is :: on wlan0 (2601:<redacted>b8)
[✓] api5486.d41.co is :: on wlan0 (fe80:<redacted>:2bef)
[✓] doubleclick.com is 2607:f8b0:400a:80a::200e via a remote, public DNS server (2001:4860:4860::8888)
```

In conjunction with your screenshots showing low counts of 1, that would suggest that those were the domains that have been used in such a previous debug log run.

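The comparison of `/etc/resolv.conf` against `ip addr` suggested above, as an added example that is not part of the original thread: it normalises each `nameserver` entry and labels it `self` when it is loopback or an address of the host, which is the case where the Pi-hole host would show up as its own client. The function names are hypothetical and the sample data is constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import re
import subprocess

# Constructed sample data (documentation prefix 2001:db8::/32), not the poster's values.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from wlan0.dhcp, wlan0.dhcp6, wlan0.ra
nameserver 8.8.8.8
nameserver 2001:db8:feed::1
nameserver 2001:DB8:2080:0:0:0:0:b8
nameserver fe80::1%wlan0
"""
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
3: wlan0    inet 192.168.0.151/24 brd 192.168.0.255 scope global wlan0
3: wlan0    inet6 2001:db8:2080::b8/64 scope global dynamic
3: wlan0    inet6 fe80::1234:5678:9abc:2bef/64 scope link
"""

def parse_nameservers(resolv_conf_text):
    """Return the nameserver entries of a resolv.conf as ipaddress objects."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone suffix (%wlan0) so the address compares cleanly.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return servers

def parse_local_addresses(ip_o_addr_text):
    """Return every inet/inet6 address found in `ip -o addr` output."""
    found = re.findall(r"\binet6?\s+(\S+)", ip_o_addr_text)
    return {ipaddress.ip_interface(a).ip for a in found}

def classify(nameservers, local_addresses):
    """Label each nameserver 'self' (loopback or owned by this host) or 'external'."""
    return {
        str(ns): "self" if ns.is_loopback or ns in local_addresses else "external"
        for ns in nameservers
    }

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        conf = fh.read()
    addrs = subprocess.run(["ip", "-o", "addr"], capture_output=True, text=True, check=True).stdout
    for server, label in classify(parse_nameservers(conf), parse_local_addresses(addrs)).items():
        print(f"{server:40} {label}")
```

Comparing parsed addresses rather than strings matters for IPv6, where the same address can be written in several textual forms.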

I ran ip addr to check and found that nameserver 2601:xxx:2080:xxxx:xxxx:: matched with inet6.
nameserver 2001:xxx:feed::1 and nameserver 2001:xxx:feed::2 are not in ip addr so I don't know where they came from. I'm also running unbound so should I be worried that /etc/resolv.conf has Google DNS?

I think you are right! I just checked query logs of pi.hole and js-validator-stage.appbe.optimizely.com and api5486.d41.co are both on there.

Possibly, though that would constitute a separate issue.

If you are using unbound on Raspberry Pi OS Bullseye, the recent WARNING: Raspbian October 2021 release bullseye + unbound may affect you as well.

Please open a new topic if you would require additional assistance with that.
