Pi-hole Not Blocking Ads

Hey all, I recently set up a pi with Pi-hole but am not seeing the results as expected. I've blocked entire domains in an attempt to verify Pi-hole is operating as intended, but am still able to access the domains from any device on my network. From the GUI, Pi-hole claims to be blocking ~50% of queries, but I am not seeing those results on the clients. I have looked through forum posts to see if anyone else has a similar issue and circumstance as me, but most seem to have issues with IPv6 taking over, and I do not think that is my problem.

Expected Behaviour:

To start, I have AT&T Fiber, which requires the use of their router that has the correct fiber adapter, and their service does not allow me to set the Pi-hole as the DNS server, so I have disabled DHCP and IPv6 on the router. I am using a Libre Computer Le Potato as my Pi-hole server, and I have enabled the DHCP server and set it to route out to the router.

If I am understanding the capabilities of pi-hole correctly, then for domains that are blacklisted, the clients should not be able to access those domains at all.

If I'm not mistaken, when performing nslookup on the clients, the Server should be the pi-hole, and the Address should match my pi-hole address.

Actual Behaviour:

After blacklisting sites such as instagram, google, baidu.com (I keep getting queries from this domain, and pi-hole claims to be blocking all queries from baidu) I am still able to access the websites. None of my devices seem to be having ads blocked on any sites, using the default adblock lists provided in the setup.

When performing nslookup on the pi-hole, the server points to my router, and the address matches, which is expected.
image

When performing nslookup on clients, the server points to "UnKnown" and the address points to some unknown IP, and not the IP of my Pi-hole.
image

I'm not all that familiar with Linux or Pi-hole, so hopefully this all makes sense and someone can point me in the right direction to start properly blocking ads network-wide. Any help is appreciated!

Debug Token:

https://tricorder.pi-hole.net/8GHc9uLn/

Your debug log shows Pi-hole is working and blocking domains.
If you want to read your last debug log, you can access it at /var/log/pihole/pihole_debug.log.

The last part of the log (-----tail of pihole.log------) shows the client 192.168.1.189 requested a domain and the domain was blocked (0.0.0.0):

   Sep 13 23:16:13 dnsmasq[4842]: query[A] www.baidu.com from 192.168.1.189
   Sep 13 23:16:13 dnsmasq[4842]: exactly blacklisted www.baidu.com is 0.0.0.0

At least 2 other devices are also using Pi-hole (192.168.1.67 and 192.168.1.210), but your last image shows a Windows client is not using Pi-hole as DNS server. Maybe it is still using the previous DHCP information.

Did you renew the DHCP lease on your devices after changing the DHCP server from the router to Pi-hole?
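The reply above works out which devices really use Pi-hole by reading the `query[...] ... from <client>` lines in pihole.log. The same check as an added example (not part of the original thread and not Pi-hole's own code): the function name `audit`, the sample log and the client 192.168.1.50 are constructed, and the `regex blacklisted` and `gravity blocked` prefixes are assumed alongside the `exactly blacklisted` form quoted in the thread.

```python
import re
from collections import Counter

# dnsmasq line formats as quoted in the thread's pihole.log tail.
QUERY = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
# "exactly blacklisted" is from the thread; the other two prefixes are assumed.
BLOCK = re.compile(
    r"dnsmasq\[\d+\]: (?:exactly blacklisted|regex blacklisted|gravity blocked)"
    r" (\S+) is (\S+)"
)

# Constructed sample log; the first two lines match the ones quoted in the thread.
SAMPLE_LOG = """\
Sep 13 23:16:13 dnsmasq[4842]: query[A] www.baidu.com from 192.168.1.189
Sep 13 23:16:13 dnsmasq[4842]: exactly blacklisted www.baidu.com is 0.0.0.0
Sep 13 23:16:20 dnsmasq[4842]: query[A] example.org from 192.168.1.67
Sep 13 23:16:20 dnsmasq[4842]: forwarded example.org to 192.168.1.254
Sep 13 23:16:31 dnsmasq[4842]: query[A] www.baidu.com from 192.168.1.210
Sep 13 23:16:31 dnsmasq[4842]: exactly blacklisted www.baidu.com is 0.0.0.0
"""

def audit(log_text, expected_clients):
    """Count queries and blocks per client; list expected clients never seen.

    A client that holds a lease but never appears in a query line is resolving
    names somewhere else (for example through a VPN's DNS server).
    """
    queries, blocked = Counter(), Counter()
    last_asker = {}  # domain -> client that most recently asked for it
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            _, domain, client = m.groups()
            queries[client] += 1
            last_asker[domain] = client
            continue
        m = BLOCK.search(line)
        if m and m.group(1) in last_asker:
            # dnsmasq logs the answer right after the query it belongs to.
            blocked[last_asker[m.group(1)]] += 1
    silent = sorted(c for c in expected_clients if queries[c] == 0)
    return {"queries": dict(queries), "blocked": dict(blocked), "silent": silent}

if __name__ == "__main__":
    # 192.168.1.50 stands in for a leased device that bypasses Pi-hole (constructed).
    report = audit(SAMPLE_LOG, ["192.168.1.189", "192.168.1.67", "192.168.1.50"])
    for key, value in report.items():
        print(key, value)
```

To run it against a real installation, pass the contents of the Pi-hole query log and the addresses from the DHCP lease list in place of the constructed sample.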

I manually reset the router to force devices to use the pi-hole as the DNS on the day I set it up. Additionally, it's been running for just about a week now, so all DHCP leases should be reset and using the pi-hole, as the router and pi are both set for a 24-hour lease. I'm not sure why some devices are using the pi-hole and others are not - of the IPs you listed I can recognize one, but the others are listed as unknown or I just don't recognize what the hostname is. I'll have to dig around and see if I can figure out what those are. Sure enough, trying to navigate to Baidu using the device I recognize, it is blocked.

In the pi-hole clients list all of my Windows devices show up in green and claim to be using Pi-hole, yet are not actually using it based on that last image. I tested on my laptop and my desktop and both were able to navigate to the page.

Just check your Windows devices using ipconfig /all on the command line to confirm which DNS servers are being used.

Your image shows the Windows machine is using 103.86.96.100 as DNS server.

Are you using a VPN?

Ahhh yes I am. When the VPN is disabled nslookup now points to pi-hole and everything seems to be blocked properly. Any idea how I can continue to use my VPN as well as benefitting from pi-hole?

I think I've made some progress on routing traffic through the Pi while using my VPN - I set up OpenVPN on the Pi and changed the VPN protocol to use OpenVPN, with the VPN's custom DNS pointing to my Pi on each Windows device. When I perform the nslookup command on the Windows device I now see the server as my Pi, but I'm running into other issues:

image

I am still able to access websites on the blacklist, so traffic from my Windows devices is still not properly routing through the Pi.