dig tr.rbxcdn.com
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> tr.rbxcdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12929
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;tr.rbxcdn.com. IN A
;; ANSWER SECTION:
tr.rbxcdn.com. 3573 IN CNAME trak.rbxcdn.com.
trak.rbxcdn.com. 273 IN CNAME tr.rbxcdn.com.edgesuite.net.
tr.rbxcdn.com.edgesuite.net. 3482 IN CNAME a1831.d.akamai.net.
a1831.d.akamai.net. 274 IN A 23.223.44.156
a1831.d.akamai.net. 274 IN A 23.223.44.142
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 02 02:07:53 BST 2021
;; MSG SIZE rcvd: 163
What leads you to believe that this domain should be blocked by a CNAME?
Let's check each of the CNAMEs to see if it is on your blocklist. From the Pi terminal, run these commands and post the output of the lot:
Edit - missed the first CNAME:
pihole -q trak.rbxcdn.com
pihole -q tr.rbxcdn.com.edgesuite.net
pihole -q a1831.d.akamai.net
I have trak.rbxcdn.com in my blocklist and as you can see it is a CNAME for tr.rbxcdn.com.
tr.rbxcdn.com. 3573 IN CNAME trak.rbxcdn.com.
pihole -q trak.rbxcdn.com
Match found in exact blacklist
trak.rbxcdn.com
Here is an example from the query log of when it use to happen. I replaced the IP with the xx.xx.xx.xx.
2021-09-01 13:38:35 A (IPv4) tr.rbxcdn.com xx.xx.xx.xx Blocked (exact blacklist, CNAME)
You don't need to obfuscate private IP's. Everybody uses the same private IP ranges.
I can confirm this.
Query for aax-eu-retail-direct.amazon-adsystem.comaax-eu.amazon.de, which is CNAME for aax-eu-retail-direct.amazon-adsystem.com.
This should be blocked even by the default Steven's list.
If you query for this domain, what is the result?
dig trak.rbxcdn.com
dig trak.rbxcdn.com
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> trak.rbxcdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;trak.rbxcdn.com. IN A
;; ANSWER SECTION:
trak.rbxcdn.com. 2 IN A 0.0.0.0
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 02 02:34:34 BST 2021
;; MSG SIZE rcvd: 60
Thanks. That's what we're looking for. We may ask you to do some additional troubleshooting.
Thanks for your report and the information you provided. I'm pretty sure it was broken by the part
This commit also fixes a long-standing bug in caching of CNAME chains leading to a PTR record.
in
because CNAME handling was redesigned. We'll add a proper test to our embedded testing suite to ensure this won't happen again in the future. I'm sorry about that.
You can track the fix here:
@pihole2 It would be really helpful if you could verify that
pihole checkout ftl fix/cname
fixes CNAME inspection for you.
doesn't appear to work
pihole -v
Pi-hole version is v5.5 (Latest: v5.5)
AdminLTE version is v5.7 (Latest: v5.7)
FTL version is fix/cname vDev-8bbc1f2 (Latest: v5.10.2)
domain on list (gstaticadssl.l.google.com)
pihole -q gstaticadssl.l.google.com
Match found in https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt:
gstaticadssl.l.google.com
dig ...
dig fonts.gstatic.com
; <<>> DiG 9.16.4 <<>> fonts.gstatic.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8380
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;fonts.gstatic.com. IN A
;; ANSWER SECTION:
fonts.gstatic.com. 192 IN CNAME gstaticadssl.l.google.com.
gstaticadssl.l.google.com. 193 IN A 172.217.168.195
;; Query time: 4 msec
;; SERVER: 192.168.2.57#53(192.168.2.57)
;; WHEN: Sat Oct 02 11:48:25 Romance Daylight Time 2021
;; MSG SIZE rcvd: 98
Ah, yes, that's a very special case of a short CNAME, thanks for testing this. This should obviously work, too. Let me sketch the DNS paths below so it gets obvious what the difference is here:
[A] tr.rbxcdn.com
-> CNAME trak.rbxcdn.com
-> CNAME tr.rbxcdn.com.edgesuite.net.
-> CNAME a1831.d.akamai.net.
-> A 95.101.90.154
-> A 95.101.90.171
whereas the Google CNAME is much simpler:
[A] fonts.gstatic.com.
-> CNAME gstaticadssl.l.google.com.
-> A 142.250.186.163
Please update the branch in a few minutes and try again (version should be e852b71d).
this is working now.
pihole -v
Pi-hole version is v5.5 (Latest: v5.5)
AdminLTE version is v5.7 (Latest: v5.7)
FTL version is fix/cname vDev-e852b71 (Latest: v5.10.2)
dig fonts.gstatic.com
; <<>> DiG 9.16.4 <<>> fonts.gstatic.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54154
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;fonts.gstatic.com. IN A
;; ANSWER SECTION:
fonts.gstatic.com. 2 IN A 0.0.0.0
;; Query time: 6 msec
;; SERVER: 192.168.2.57#53(192.168.2.57)
;; WHEN: Sat Oct 02 12:33:31 Romance Daylight Time 2021
;; MSG SIZE rcvd: 62
can @yubiuser and @pihole2 test their examples again and report back? Their examples don't apply (trigger CNAME detection) in my environment...
I can confirm this is now working for me. Thank you for fixing this incredibly fast!
When this fix is ported to the main release, what command should I run to revert it back to non-development FTL?
Thanks for letting us know!
Run
pihole checkout master
when the release is announced here.
Tested it, works here.
chrko@ThinkPad-X230:~$ dig aax-eu.amazon.de
; <<>> DiG 9.17.18-1+ubuntu18.04.1+isc+1-Ubuntu <<>> aax-eu.amazon.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64992
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;aax-eu.amazon.de. IN A
;; Query time: 8 msec
;; SERVER: 10.0.1.5#53(10.0.1.5) (UDP)
;; WHEN: Sat Oct 02 14:14:40 CEST 2021
;; MSG SIZE rcvd: 45
Thanks for fixing ... but there is still no new Pi-hole release (beside ftl fix/cname) to fix this broken feature?! Have to say, from the user's point of view, I can't understand this.
DL6ER has informed me (similar question asked) that this has already been merged into development (pihole checkout ftl development), eliminating the need to run this specific branch, also fixing some other minor things.
no release yet? I assume the answer will be, as from all developers (not just pi-hole): It will be relesed when it's ready...
edit
Please note the pi-hole team has taken the necessary steps to ensure this doesn't happen again, see here.
/edit
We've been waiting for this bug to get fixed, too: Garbage response times for many (almost half at times) CNAME answers - #23 by Daxtorim
Seems were ready for the final testing now.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.