Pi-Hole not blocking ads

I guess I'm not understanding where the statistics is really an issue. Going through my logs, the router's ip address shows up by itself only for internal systems (for example, there's a trendmicro request that is obviously a part of the router's AI Protection). For all other requests logged on the pihole that use the router's address, there is also a second identical request logged showing the correct ip of the actual originating client. So the only thing that seems slightly off about statistics is the fact that there are sometimes 2 entries for the same request with 1 from the router and 1 from the actual client. Certainly this isn't ideal, but it also doesn't appear to have any real negative consequences as the 'real' requests do appear to be getting logged. I don't know if it's logging both requests because the clients have the pihole as one of their DNS entries directly (since the router is still assigning the pihole to clients due to the DHCP DNS settings), but it does appear that all requests are being logged in a way for me to identify from which client the traffic originated.

As far as the DNS order is concerned, I do get that, which is why I want to set up another pihole for a secondary DNS. If there's 2 piholes listed in the WAN, then there's redundancy in case one or the other is down. I'm guessing that setup would have its own issues with statistics since there's no way of knowing which pihole would be queried by any client at any given point in time, so there would be 2 independently logged systems. In any case, if I have only the pihole listed as the WAN DNS1 with nothing in DNS2, and also set the DHCP DNS to the pihole, then all traffic is being routed through the pihole, regardless of if the request went to the router's ip or the pihole's. But as far as I can see in my logs, every request like that (through the router's ip) has 2 separate requests on the pihole so I seem to be able to see the correct origin of every request, regardless of if the client went through the router's DNS proxy or not.

Naturally, with 1.1.1.1 as the secondary DNS on the router's WAN page, this behavior isn't consistent (as requests that get through to 1.1.1.1 won't be logged on the pihole, obviously), but without that as part of the equation, literally the only thing that seems 'off' in the statistics are some "duplicate" entries.

Please forgive me, but I guess I'm not understanding how or where there is an issue, and I am trying hard to determine what that issue could be (beyond 2 entries on some requests), as I do want to make sure I've got everything running correctly without having to switch to the pihole for DHCP (at least for the time being.)

So stats get screwed up.
You probably have your router on top in all the stats on the web GUI.

I might not understand this bit.
The logs show you from what IP the query came from, right?
My Asus router doesn't do any trendmicro queries (even with Pi-hole configured for WAN DNS):

pi@noads:~ $ grep trendmicro /var/log/pihole.log
pi@noads:~ $

In the short period I had Pi-hole configured for WAN DNS, the router weaseled its way up into below stats already:

image

Give it up :smiley:
Go activate Pi-hole DHCP :wink:

Just curious, are you also assigning the pihole's ip in the dhcp page (in addition to the wan page) and is DDNS turned off? I found that even with only the pi's ip address in the WAN page, I was still getting ads until I disabled DDNS. In my testing, if DDNS is still running, the trendmicro and that microsoft one I've mentioned before do not show up on the pihole.

On my end, my top 2 permitted domains shown in pihole's dashboard are both trendmicro (one resolves to rgom10-en dot url dot trendmicro dot com while the other resolves to trendmicro dot com dot edgesuite dot net) originating from the router (I believe these would stop if I disabled the router's AI protection.) None of my clients have anything trendmicro installed on them, so I feel confident those are actually originating on the router itself. The most hits I have is 616 on the first trendmicro and 308 on the second one. For my top clients, the first ip is my laptop at 2329, with the router's ip coming in at a close 2nd with 2317 and a total of 12404 requests over the last 24 hours.

Ultimately, it does look like the ideal configuration to bypass the Asus router's DNS 'proxy' would be to use the pihole's dhcp server, but I'll need to see if there's a way for there to be a 'backup' in case the pihole is down. Otherwise, short of manually assigning ip addresses on each client, no clients will have any network connectivity (local or otherwise) until pihole is up and running again.

In all honesty, that's the main reason I'm trying to keep dhcp on the router. I figured if something were to go wrong with the pi during a reboot (configuration error or some such on my end), then at least my local clients could talk to each other at a minimum while I work out whatever I might've broken on the pihole end of things. It's also why I've been keeping 1.1.1.1 available on the DNS list on the router, to be absolutely certain that clients can still connect and use the internet even if pihole isn't running. Which is why I also plan to set up a secondary pihole on my network to use as additional DNS server, so all requests will route through one or the other, and if one is offline, the other will 'pick up the slack' so to speak, and the problem of one pihole being down would be invisible to clients.

I've never looked to even see if there is such a thing as a backup (replication?) dhcp server, but if there were such a thing, and it were usable in pihole, then I would feel so much more confident in using pihole for dhcp. Since I'm already planning on putting in a second pihole for backup/additional dns, if that one could also be a 'fall back' dhcp server so if the main one is down, the secondary could temporarily assign ip addresses until the main one comes back online. But honestly, I don't even know if something like that is even possible or exists. I know most networks don't seem to like having 2 dhcp servers on the same network since overlapping ips could be assigned to different clients, but that's the only thing I know of concerning the use of multiple dhcp servers.

See, I have this problem where I can never leave well enough alone! LOL! So I just know at some point, I'm going to be trying something new, and a side effect will wind up taking the pihole down for however long it takes for me to revert or fix whatever the problem is. I'm concerned that if the pihole is providing all the ip addresses, and pihole or the dhcp service isn't running for whatever reason, then I won't be able to ssh into the pi zero to fix the problem (the zero I'm using for pihole is headless.) So my logic is, as long as something else on the network is providing the ip addresses, then as long as the pi zero boots and connects to the network, I should be able to access it through ssh to fix the problems preventing services or whatever from starting.

For my logs, I'm going to try and attach a screenshot to show how I see requests that come from both the router and client at the exact same time. The top-most router entry (akamai) was also called from my laptop, but that entry was on page 2.
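An added example, not part of any post in this thread: one way to check the "two entries per request" observation against the log itself instead of the dashboard. It assumes the dnsmasq query-line format Pi-hole writes to /var/log/pihole.log; the log lines, the domain names and the function names are constructed for illustration, and the IPs follow the ones quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# dnsmasq query line as written to /var/log/pihole.log
QUERY = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                   r"query\[(\w+)\] (\S+) from (\S+)$")

# Constructed sample: router 192.168.1.1, client 192.168.1.221
SAMPLE_LOG = """\
Feb 24 14:27:01 dnsmasq[812]: query[A] news.example.com from 192.168.1.221
Feb 24 14:27:01 dnsmasq[812]: query[A] news.example.com from 192.168.1.1
Feb 24 14:27:01 dnsmasq[812]: forwarded news.example.com to 1.1.1.1
Feb 24 14:27:09 dnsmasq[812]: query[A] telemetry.example.net from 192.168.1.1
Feb 24 14:27:30 dnsmasq[812]: query[AAAA] cdn.example.org from 192.168.1.1
Feb 24 14:27:44 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.221
"""

def parse(lines):
    """Yield (timestamp, qtype, domain, client_ip) for each query line."""
    for line in lines:
        m = QUERY.match(line.strip())
        if m:
            # The log has no year; pin a leap year so "Feb 29" still parses.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).lower(), m.group(4)

def split_router_queries(lines, router_ip, window=1.0):
    """Split router-sourced queries into those mirrored by a client query for
    the same name and type within `window` seconds, and those with no match."""
    queries = list(parse(lines))
    mirrored, unmatched = Counter(), Counter()
    for ts, qtype, domain, ip in queries:
        if ip != router_ip:
            continue
        clients = {c for t, q, d, c in queries
                   if c != router_ip and (q, d) == (qtype, domain)
                   and abs((t - ts).total_seconds()) <= window}
        if clients:
            mirrored[(domain, tuple(sorted(clients)))] += 1
        else:
            unmatched[domain] += 1
    return mirrored, unmatched

if __name__ == "__main__":
    mirrored, unmatched = split_router_queries(SAMPLE_LOG.splitlines(), "192.168.1.1")
    print("mirrored by a client:", dict(mirrored))
    print("router IP only:", dict(unmatched))
```

A mirrored entry only shows that a client asked for the same name at the same moment; entries under the router IP alone cannot be attributed to a client from the log.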

So 2329 lookups from the laptop addressing Pi-hole directly are accounted for.
The other lookups the laptop does against the router IP are obscured in the other 2317 lookups from the router where you don't know where they are coming from.

This is an entirely different subject
But lots of users have two Pi-hole systems for redundancy.
Default time to live for the DHCP leases is 24 hours so plenty of time to turn off DHCP on one Pi and flip it on on the other.
Maybe some leases might expire during the switch over time but the clients don't give up their IP address that easily.

Ohw, I have WAN DNS settings still at default on my router.
So the DNS servers are supplied by my ISP modem.
And DHCP is switched off bc I use Pi-hole for that.
And I don't use/have DDNS.

I have done this and ads still leaked through

Example ???

What does ipconfig /all have to say now about DHCP and DNS servers ?

An nslookup ?

Right now with the pi-hole as my DHCP, it said it is 192.168.1.1 which is my router. Here's the result:

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-18FPHE1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection #2
Physical Address. . . . . . . . . : 30-9C-23-09-90-80
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a198:a842:b938:99d8%7(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.221(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, February 24, 2019 2:26:59 PM
Lease Expires . . . . . . . . . . : Monday, February 25, 2019 2:26:58 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 238066723
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-67-23-73-4C-CC-6A-F5-30-AB
DNS Servers . . . . . . . . . . . : 192.168.1.252
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 10:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:28d4:2511:d02f:fcd6(Preferred)
Link-local IPv6 Address . . . . . : fe80::28d4:2511:d02f:fcd6%12(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 201326592
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-67-23-73-4C-CC-6A-F5-30-AB
NetBIOS over Tcpip. . . . . . . . : Disabled

nslookup:
Default Server: raspberrypi
Address: 192.168.1.252

Are you absolutely sure the DHCP service on the router is disabled ?
This bit:

Can you check again please ?

EDIT:
Ohw on the windows box you can quickly renew lease with:

ipconfig /renew

But the command prompt needs to be started with admin permissions!

This is what it looks like right now

Ok I am at a loss.
Right now it appears 192.168.1.1 is handing out DHCP details with the correct DNS server 192.168.1.252 and no second IP for DNS.
If below one blocks on the client to 0.0.0.0, you're good to go:

C:\>nslookup doubleclick.com
Server:  noads.dehakkelaar.nl
Address:  10.0.0.2

Name:    doubleclick.com
Addresses:  ::
          0.0.0.0

C:\>nslookup doubleclick.com
Server: raspberrypi
Address: 192.168.1.252

Non-authoritative answer:
Name: doubleclick.com
Addresses: 2607:f8b0:4005:802::200e
172.217.0.46

Don't know what's going on with the Windows client.
Maybe someone else here knows what's up ???
Sorry :frowning:

It's cool, thanks for the help. Edit, even in windows I have assigned the pi-hole as the DNS.


EDIT: appears to be configured correctly :wink:
Wait and maybe someone comes by who knows.

EDIT2: Ohw and last very important one .... have you tried turning it off and on again :wink:


By unplugging and plugging it?

Everything!
It's a joke from the "IT Crowd" series:
