Pi-Hole passing blacklisted sites/pages to Macbook (OSX 10.12)

Please follow the below template, it will help us to help you!

Expected Behaviour:

All devices in the house are performing as expected with the Pi-hole. Using nslookup on the Mac for doubleclick.com returns the genuine doubleclick IP and the DNS server as the RPi. Doing the exact same on an Ubuntu box returns the RPi IP for the doubleclick IP and also (obviously) lists the RPi as the DNS server.

Actual Behaviour:

Mac to follow the same as all other devices on the network

Debug Token:

a00rvk92y6

I just experienced the same behaviour (but not on a Mac, on an Arch machine).
I performed a DNS lookup via dig for a domain which is listed below "Top blocked domains". It states the IP of my Pi-hole Raspberry as DNS server, but nevertheless resolves the domain name to the actual IP of the domain (instead of resolving to localhost / the Pi-hole IP).

How to further debug/fix this?

I've just had a look through my own debug log that was created - when I surfed to some known ad sites during the 60 seconds it doesn't look like any of those sites were passed to the Pi-hole for resolution (one of the sites I browsed to was doubleclick.com).

From the logs I can see that my Mac actually sent a DNS request to debug.opendns.com. I have captured some of these packets on Wireshark also and they appear to be encrypted.

I will await feedback from the devs here, but looking at my logs I think my Mac (company issued) must be running an encrypted DNS service behind the scenes. So despite it showing the RPi as the DNS server, it's actually encapsulating all requests and sending them on to this debug.opendns.com for resolution.

What's even more interesting is that, despite the debug log showing queries coming from my Mac to the OpenDNS service (which I never requested), the Mac's IP doesn't show as a client on the query log at all, despite the DNS traffic going through the Pi.

This sounds like we've got different issues I guess.
I will nevertheless tell you my finding in case it helps:

I just noticed that the domains get correctly pi holed when using the raspi IP directly like dig @raspi doubleclick.com

My PC is configured to use the DNS server it gets from the router via DHCP. The router is configured to use the raspi as DNS server.
Now, when I do dig @router doubleclick.com the domain resolves to the real IP, so it looks like in my case the router is not behaving as I expected.

Edit (read your additional comment):

What's even more interesting is that, despite the debug log showing queries coming from my Mac to the OpenDNS service (which I never requested), the Mac's IP doesn't show as a client on the query log at all, despite the DNS traffic going through the Pi.

Same for me. Queries from my pc show up as queries from the IP of my router (probably since the router is forwarding DNS queries to the pi, instead of the pi receiving queries directly by the clients).

Oh wow, I just found this at the website of my router manufacturer:

For security reasons, the FRITZ!Box suppresses DNS responses that refer to IP addresses in its own home network. This is a security function of the FRITZ!Box to protect against what are known as "DNS rebinding attacks".

So in my case the following DNS Query does not work by design:
PC -> Router -> Pi -> Router -> PC
because the router does not return internal IPs as a response.

However, I don't see an option to force my router to announce the address of the DNS server via DHCP. It looks like the router's DNS behaviour is intended to always go through the router, which then forwards queries to the configured DNS...

Let's see how to workaround this :slight_smile:
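The comparison described above (dig @raspi versus dig @router, and a router that suppresses answers pointing at addresses in its own network), as an added Python example that is not from this thread or from the Pi-hole project. It builds a raw A query with only the standard library, parses the reply, labels the answer the way the thread reads dig output, and compares the Pi-hole's direct answer with the router's. The addresses 192.168.178.2 (Pi-hole) and 192.168.178.1 (router), the label strings, and the sample packets produced by build_response for offline checks are all assumptions of this example.

```python
"""Added example (not from the thread): query one name through two resolvers and
classify each answer, to tell "Pi-hole blocked it" apart from "router resolved it
upstream" or "router suppressed a private-address answer". Standard library only."""
import ipaddress
import secrets
import socket
import struct

PIHOLE_IP = "192.168.178.2"  # assumed address of the Pi-hole ("raspi")
ROUTER_IP = "192.168.178.1"  # assumed address of the router


def build_query(name, txid):
    """Build a minimal recursive A query for `name` with transaction id `txid`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid, name, ips, rcode=0):
    """Construct a minimal A response; used here to make offline sample packets."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    body = build_query(name, txid)[12:]  # echo the question section
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        body += ipaddress.IPv4Address(ip).packed
    return header + body


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, list of A-record IPv4 strings) from a raw DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return rcode, ips


def classify(rcode, ips, pihole_ip=PIHOLE_IP):
    """Label an answer the way the thread interprets dig output."""
    if rcode == 3:
        return "NXDOMAIN"
    if not ips:
        return "no answer"
    if all(ip in ("0.0.0.0", pihole_ip) for ip in ips):
        return "blocked by Pi-hole"  # Pi-hole's own IP or 0.0.0.0 as blocking target
    if all(ipaddress.ip_address(ip).is_private for ip in ips):
        return "private answer"
    return "resolved upstream"


def diagnose(direct, via_router):
    """Compare the label of the Pi-hole's direct answer with the router's."""
    if direct == via_router:
        return "consistent: router passes Pi-hole's answer through"
    if direct == "blocked by Pi-hole" and via_router in ("no answer", "NXDOMAIN"):
        return "router drops private-address answers (DNS rebinding protection)"
    if direct == "blocked by Pi-hole" and via_router == "resolved upstream":
        return "router answers from another upstream instead of the Pi-hole"
    return "inconsistent: compare both answers by hand"


def query(server, name, timeout=2.0):
    """Send one UDP A query to `server` and parse the reply (live network)."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch; ignoring unexpected reply")
    return parse_response(data)


if __name__ == "__main__":
    direct = classify(*query(PIHOLE_IP, "doubleclick.com"))
    via_router = classify(*query(ROUTER_IP, "doubleclick.com"))
    print(f"Pi-hole={direct!r}, router={via_router!r}: {diagnose(direct, via_router)}")
```

Run it on the LAN with the two addresses adjusted; the transaction-id check discards a reply that does not match the query that was sent, and the classification treats either 0.0.0.0 or the Pi-hole's own address as the blocking answer, since both conventions appear in the thread.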

Check for a DNS Rebinding setting in the router, or update the firmware as I've heard some newer firmwares expose the setting while older versions don't.

Check for DNS Rebinding in the router. Also, some antivirus software makes you use their "Secure DNS" by default, which you may find in their settings. Check the Pi-hole log (via pihole -t) to find the queries and post a snippet here so we can try to find out why FTL is not adding it as a client.

Ok so - I made a rookie mistake when looking through the query logs. I hadn't noticed for two reasons - I was looking for the host IP and not the host name, and secondly the DNS query shows as being slightly different to debug.opendns.com - however, it is logging correctly.

I can confirm there is no DNS rebinding on my router (Cisco 897VA)