Pi-Hole No Longer Blocks Via CNAME

The pi-hole is no longer blocking websites via the CNAME inspection. I did use the beta version of the latest release. According to my logs, the last time a CNAME block occurred was on September 6th. Not sure if this corresponds to a beta update. I checked regularly for beta updates and would update the pi-hole.

Below are several domains which used to be blocked via CNAME. I have quite a few more, but they are no longer being blocked via CNAME.

drfdisvc.walmart.com
tr.rbxcdn.com blocked by trak.rbxcdn.com
prod-cleo.malwarebytes.com
link.fandangonow.com
info.acacompliancegroup.com
info.acaglobal.com
backstory.ebay.com
i.pinimg.com

Current Version below.

Please provide some outputs showing the following:

Complete output of a dig for one of the domains.

Matching log entries from the dnsmasq log at /var/log/pihole.log showing query, forward and response for that dig.

Also, please generate a debug log, upload it when prompted and post the token here.

Where do I provide the token? Do I private message you?

Thanks!

You can post the token publicly. Only a few members on the Pi-hole team have access to the log via that token, and the uploaded log is auto-deleted after 48 hours.

Your debug token is: https://tricorder.pi-hole.net/V7OCj8Kb/

How do I do a dig for one of the domains?

dig tr.rbxcdn.com

dig tr.rbxcdn.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> tr.rbxcdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12929
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;tr.rbxcdn.com. IN A

;; ANSWER SECTION:
tr.rbxcdn.com. 3573 IN CNAME trak.rbxcdn.com.
trak.rbxcdn.com. 273 IN CNAME tr.rbxcdn.com.edgesuite.net.
tr.rbxcdn.com.edgesuite.net. 3482 IN CNAME a1831.d.akamai.net.
a1831.d.akamai.net. 274 IN A 23.223.44.156
a1831.d.akamai.net. 274 IN A 23.223.44.142

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 02 02:07:53 BST 2021
;; MSG SIZE rcvd: 163

What leads you to believe that this domain should be blocked by a CNAME?

Let's check each of the CNAMEs to see if it is on your blocklist. From the Pi terminal, run these commands and post the output of the lot:

Edit - missed the first CNAME:

pihole -q trak.rbxcdn.com

pihole -q tr.rbxcdn.com.edgesuite.net

pihole -q a1831.d.akamai.net

I have trak.rbxcdn.com in my blocklist and as you can see it is a CNAME for tr.rbxcdn.com.

tr.rbxcdn.com. 3573 IN CNAME trak.rbxcdn.com.

pihole -q trak.rbxcdn.com
Match found in exact blacklist
trak.rbxcdn.com

Here is an example from the query log of when it used to happen. I replaced the IP with xx.xx.xx.xx.

2021-09-01 13:38:35 A (IPv4) tr.rbxcdn.com xx.xx.xx.xx Blocked (exact blacklist, CNAME)

You don't need to obfuscate private IPs. Everybody uses the same private IP ranges.

I can confirm this.
Query for aax-eu.amazon.de, which is a CNAME for aax-eu-retail-direct.amazon-adsystem.com.

This should be blocked even by the default Steven's list.

If you query for this domain, what is the result?

dig trak.rbxcdn.com

dig trak.rbxcdn.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> trak.rbxcdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;trak.rbxcdn.com. IN A

;; ANSWER SECTION:
trak.rbxcdn.com. 2 IN A 0.0.0.0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 02 02:34:34 BST 2021
;; MSG SIZE rcvd: 60

Thanks. That's what we're looking for. We may ask you to do some additional troubleshooting.

Thanks for your report and the information you provided. I'm pretty sure it was broken by the part

This commit also fixes a long-standing bug in caching of CNAME chains leading to a PTR record.

in

because CNAME handling was redesigned. We'll add a proper test to our embedded testing suite to ensure this won't happen again in the future. I'm sorry about that.

You can track the fix here:


@pihole2 It would be really helpful if you could verify that

pihole checkout ftl fix/cname

fixes CNAME inspection for you.

Doesn't appear to work.

pihole -v
Pi-hole version is v5.5 (Latest: v5.5)
AdminLTE version is v5.7 (Latest: v5.7)
FTL version is fix/cname vDev-8bbc1f2 (Latest: v5.10.2)

domain on list (gstaticadssl.l.google.com)

pihole -q gstaticadssl.l.google.com
 Match found in https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt:
   gstaticadssl.l.google.com

dig ...

dig fonts.gstatic.com

; <<>> DiG 9.16.4 <<>> fonts.gstatic.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8380
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;fonts.gstatic.com.             IN      A

;; ANSWER SECTION:
fonts.gstatic.com.      192     IN      CNAME   gstaticadssl.l.google.com.
gstaticadssl.l.google.com. 193  IN      A       172.217.168.195

;; Query time: 4 msec
;; SERVER: 192.168.2.57#53(192.168.2.57)
;; WHEN: Sat Oct 02 11:48:25 Romance Daylight Time 2021
;; MSG SIZE  rcvd: 98

Ah, yes, that's a very special case of a short CNAME, thanks for testing this. This should obviously work, too. Let me sketch the DNS paths below so it becomes obvious what the difference is here:

[A] tr.rbxcdn.com
      -> CNAME trak.rbxcdn.com
        -> CNAME tr.rbxcdn.com.edgesuite.net.
          -> CNAME a1831.d.akamai.net.
            -> A 95.101.90.154
            -> A 95.101.90.171

whereas the Google CNAME is much simpler:

[A] fonts.gstatic.com.
      -> CNAME gstaticadssl.l.google.com.
        -> A 142.250.186.163

Please update the branch in a few minutes and try again (version should be e852b71d).
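To make the difference between the two chains concrete, here is an added example (not Pi-hole's or FTL's own code) of deep CNAME inspection: it parses the ANSWER SECTION of the two dig replies quoted in this thread, walks the CNAME chain from the queried name and checks every hop, so that the one-hop fonts.gstatic.com chain is caught the same way as the four-name Akamai chain. The blocklist contents are assumed; the dig fragments are constructed from the outputs above.

```python
import re

# Constructed blocklist: the two names the thread shows as listed.
BLOCKLIST = {"trak.rbxcdn.com", "gstaticadssl.l.google.com"}
# Constructed dig fragments; answer sections copied from the thread.
DIG_LONG = """;; ANSWER SECTION:
tr.rbxcdn.com. 3573 IN CNAME trak.rbxcdn.com.
trak.rbxcdn.com. 273 IN CNAME tr.rbxcdn.com.edgesuite.net.
tr.rbxcdn.com.edgesuite.net. 3482 IN CNAME a1831.d.akamai.net.
a1831.d.akamai.net. 274 IN A 23.223.44.156

;; Query time: 1 msec"""
DIG_SHORT = """;; ANSWER SECTION:
fonts.gstatic.com.      192     IN      CNAME   gstaticadssl.l.google.com.
gstaticadssl.l.google.com. 193  IN      A       172.217.168.195"""

_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

def parse_answer(dig_output):
    """(owner, type, rdata) triples from the ANSWER SECTION, names normalised."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line or line.startswith(";"):
                break  # blank line or next section ends the answers
            m = _RR.match(line)
            if m:
                owner, rtype, rdata = m.groups()
                records.append((owner.rstrip(".").lower(), rtype,
                                rdata.rstrip(".").lower()))
    return records

def cname_chain(qname, records):
    """Follow CNAMEs from qname until none remains or a loop repeats a name."""
    chain = [qname.rstrip(".").lower()]
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    while chain[-1] in cnames and cnames[chain[-1]] not in chain:
        chain.append(cnames[chain[-1]])
    return chain

def inspect(qname, records, blocklist=BLOCKLIST):
    """Return (blocked_name, reason) labelled like the query log, or None."""
    for hop, name in enumerate(cname_chain(qname, records)):
        if name in blocklist:
            return name, "exact blacklist" + (", CNAME" if hop else "")
    return None
```

A chain of any length is blocked as soon as one hop is listed, and a name that is itself on the list is reported without the CNAME tag, which mirrors the two log labels seen in this thread.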

This is working now.

pihole -v
Pi-hole version is v5.5 (Latest: v5.5)
AdminLTE version is v5.7 (Latest: v5.7)
FTL version is fix/cname vDev-e852b71 (Latest: v5.10.2)

dig fonts.gstatic.com

; <<>> DiG 9.16.4 <<>> fonts.gstatic.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54154
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;fonts.gstatic.com.             IN      A

;; ANSWER SECTION:
fonts.gstatic.com.      2       IN      A       0.0.0.0

;; Query time: 6 msec
;; SERVER: 192.168.2.57#53(192.168.2.57)
;; WHEN: Sat Oct 02 12:33:31 Romance Daylight Time 2021
;; MSG SIZE  rcvd: 62

Can @yubiuser and @pihole2 test their examples again and report back? Their examples don't apply (trigger CNAME detection) in my environment...