PI-HOLE not blocking as expected

The issue I am facing:
Just installed pi-hole via bash command and tested on many versions of linux.
On any of them, I can't get blocking to work properly.
After at least 20 installs of pi-hole and linux, I chose to stay on Ubuntu 20.4 on Container (Proxmox)
Now it's blocking part of the domains added via list system. But if I go to Blocklist menu and manually add a domain it never blocks it, even if you update domains list or restart server.

Details about my system:
Now I run on Ubuntu 20.4 on Container (Proxmox). 4GB Ram, 8 x 3.5GHz core, 120GB storage, Dedicated IP with 1gbps internet connection.

Tried also on VM with same configuration but on Centos 7 and 8.

All systems were freshly installed for the pi-hole installation.

What I have changed since installing Pi-hole:

  • I've only added some Adlists

Thanks,
Alex.

Later edit: I wanna mention that I don't have any firewall installed on active Ubuntu 20.4 Container.

One more example, I have this list added: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt

Sites are still working even if I updated Gravity lists, and the confirmation message was that all domains were added to the list.

But some from other lists I think are still blocked, because the Queries Blocked number goes on....

46.9% of your requests were blocked. What domain do you expect to be blocked?

Please upload a debug log and post just the token that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

As I said, I don't know exactly what is really working, because for example the mentioned list is active in gravity, but none of its domains are blocked and I am still able to access them.

Also, I tried to block my domains, one by one from Blacklist, and none of them got blocked.... So I don't really know what are those 50% of blocked queries.

Example: I am able to access amazon.com but it got 2276 blocked hits ...

Also, no idea why the total permitted queries for Wikipedia and the number of blocked queries of amazon are the same. I never opened Wikipedia or smth on any of my devices.

This is the result of pihole -d.

[✓] Your debug token is: https://tricorder.pi-hole.net/zlTEnwEH/
[i] Logs are deleted 48 hours after upload.

Many thanks!

You are running an open resolver. Your Pi-hole is accessible from the internet and others are able to use it. Shut down that Pi immediately and close port 53. Otherwise you risk being part of a DNS amplification attack - a threat to the global DNS infrastructure.

A public facing DNS server likely violates the terms and conditions of your ISP or hosting solution. We at the Pi-hole project do not in any circumstance recommend, condone, or support public facing DNS with the project.

There are far too many ways someone can use it in a DNS based attack.

Companies like CF, OpenDNS, and Google have millions of dollars invested in their DNS server infrastructure to prevent this; you, as a one-off user, do not.

The recommended course of action for PERSONAL use is to use a VPN to allow use of pi-hole outside of the LAN. There is a very well written guide located here

We do support non-personal use; however, it is on a case-by-case basis and should be directed towards the contact us page on https://pi-hole.net

I'm trying to configure my server firewall to accept connections only from my router's IP, but since blocking is not working, I disabled all firewalls until I get it working. This won't be a public DNS, just my private filters.

No matter what you intend it to be, at the moment it is a public DNS. Non-working blocking is no reason to keep port 53 open!

Can you please check now if port 53 and everything else looks correct?

[✓] Your debug token is: https://tricorder.pi-hole.net/CuHtyVHw/
[i] Logs are deleted 48 hours after upload.

It is :+1:


Let's work on your problem.

Please run from your client

nslookup flurry.com
nslookup pi.hole

-rw-r--r-- 1 root root 1.7K Sep 27 20:55 /etc/dnsmasq.d/01-pihole.conf
   addn-hosts=/etc/pihole/local.list
   addn-hosts=/etc/pihole/custom.list
   localise-queries
   no-resolv
   cache-size=10000
   log-queries
   log-facility=/var/log/pihole.log
   local-ttl=2
   log-async
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   except-interface=nonexisting
   domain-needed
   expand-hosts
   bogus-priv
   interface=eth0

This multitude of except-interface=nonexisting looks strange. Remove all except one of them.

Thanks!!!

Removed all extra except-interface from 01-pihole.conf.

root@pi:~# root@pi:~# nslookup flurry.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   flurry.com
Address: 0.0.0.0
Name:   flurry.com
Address: ::

root@pi:~# nslookup pi.hole
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   pi.hole
Address: 127.0.0.1
Name:   pi.hole
Address: ::1

And new updated token link:
[✓] Your debug token is: https://tricorder.pi-hole.net/uEmvXJyn/
[i] Logs are deleted 48 hours after upload.

Did you run the commands from a client? It looks like this was done on the system running Pi-hole...

Please re-run from a client.

But it shows that Pi-hole was blocking flurry.com

nslookup flurry.com
Server:  pi.hole
Address:  212.83.160.236

Name:    flurry.com
Addresses:  ::
          0.0.0.0

nslookup pi.hole
Server:  pi.hole
Address:  212.83.160.236

Name:    pi.hole
Addresses:  fe80::250:56ff:fe01:f0fb
          212.83.160.236

Yes, they were executed from server. Now attached from my pc, using the dns server as default.

LE: added to whitelist flurry.com domain on pi-hole and the output of command from client.

nslookup flurry.com
Server:  pi.hole
Address:  212.83.160.236

Non-authoritative answer:
Name:    flurry.com
Addresses:  98.136.103.23
          212.82.100.150
          74.6.136.150

The client is using Pi-hole as DNS server and it is blocking as expected.


Where do you see still ads and/or which domains should be blocked but aren't?

Well, I'm not really sure anything is working. I still see ads on any device (phone/pc/tv) and if I add a site to Blacklist it is still available to access.

If you have visited the domain shortly before, your clients might have the IP in their local cache.
Please blacklist a domain and run

nslookup BLACKLISTED_DOMAINS from your client.

Blocked a domain on the pi-hole admin interface and then ran the command on my client pc:

nslookup clicksud.org
Server:  pi.hole
Address:  212.83.160.236

Name:    clicksud.org
Addresses:  ::
          0.0.0.0

I notice now that my other domains from blacklist are not accessible so this may be local cache.

So everything is working now as expected?

Thank you, yes. I guess everything works well now. No other issues.

Many thanks for all your time, patience and advice.
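
Added example (not part of the original thread): the two checks this thread relied on, whether port 53 answers outsiders and whether a domain is really blocked once the client cache is out of the picture, both reduce to sending one DNS query straight to the Pi-hole and reading the reply. The function names and the example.test sample are assumptions made for this sketch; it only handles IPv4 A records and treats 0.0.0.0 as the blocked answer, as in the nslookup output above.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """DNS A query with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def skip_name(msg, off):
    """Offset just past a name; a compression pointer ends the name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(msg):
    """Return (verdict, A-record list) for one DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    rcode, off, addrs = flags & 0xF, 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    if rcode == 5:
        return "refused", addrs
    if rcode == 0 and addrs:
        return ("blocked" if set(addrs) == {"0.0.0.0"} else "resolved"), addrs
    return "other", addrs

def ask(server, name, timeout=3.0):
    """One UDP query straight to `server`, bypassing the OS resolver cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify(s.recvfrom(512)[0])
        except OSError:                         # timeout or unreachable
            return "no answer", []

# Constructed sample: a reply to an A query for example.test answered 0.0.0.0.
Q = build_query("example.test")
SAMPLE_BLOCKED = (Q[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0) + Q[12:]
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + bytes(4))
```

Run `ask()` against your own Pi-hole from a host outside the allowed network: "no answer" or "refused" means port 53 is closed to that source, while "resolved" or "blocked" means it still answers outsiders. From an allowed client, "blocked" for a blacklisted domain confirms the filter works even if a browser still reaches the site from its cache.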
