Pi-hole strange behaviour, h1.tivoservice.com suspect

Please follow the below template, it will help us to help you!

Expected Behaviour:

I had this Rasperry Pi-hole running OK for about two weeks and I was watching the web interface every day, it seemed to run fine. It does block most ads.

Actual Behaviour:

At some point I was no longer able to log in remotely (VNC or SSH) and when I hooked it up to TV, there was no signal. I suspect it had crashed. The only way to recover was to reboot it.

Now it seems to work again, but the graph looks different, and there is a device with activity every hour. Most hits seem to be from a tivo domain, look at the token below and at this screenshot

What is happening here? the Pi seems to block fewer domains, but I still don’t see ads. You can see the gap where the Pi has crashed, and before that and after that there is that strange periodic activity every hour.

EDIT: forgot to mention, but tivoservice.com generates a lot of hits for some reason.

Debug Token:

Your debug token is: https://tricorder.pi-hole.net/fd2dzbe5s6

Your debug log shows a reasonable amount of blocked domains

  [2019-08-10 04:21:44.821 640] /etc/pihole/gravity.list: parsed 114654 domains (took 10645.2 ms)

Some questions:

  • Is there a specific reason you’re showing the long-term statistics?
  • How does the dashboard look like?
  • It may be that your Pi crashed due to another reason (maybe a power issue), the one spike to 700 doesn’t seem that extraordinary.
  • Have you tried to reconnect your devices to the network / restart them? Maybe they just noticed that the Pi-hole wasn’t there any more.
  • Which one?

Here is what I see today. I just woke up, all of us, so this is whatever the deviced in the house did overnight.

2019-08-11 07:00:00 PTR 10.1.0.10.in-addr.arpa localhost OK (cached)
|2019-08-11 07:00:00|PTR|100.1.0.10.in-addr.arpa|localhost|OK (cached)||
|2019-08-11 07:00:00|PTR|11.1.0.10.in-addr.arpa|localhost|OK (cached)||
|2019-08-11 07:00:00|PTR|101.1.0.10.in-addr.arpa|localhost|OK (cached)||
|2019-08-11 07:00:00|PTR|220.220.67.208.in-addr.arpa|localhost|OK (cached)||

Thanks

These PTR requests are normal. Pi-hole does them once an hour for all known IP addresses (internal devices + external upstream DNS providers) to check whether a host name has changed and needs to be updated.

Thanks. Interesting that it didn’t do those before. I wonder what changed? You asked how the dashboard looks like. Here it is. The Pi is plougged directly into the router so all devices should use that as DNS.

Do you expect more than three clients on the network (one of them will be the Pi). That’s a pretty small amount of traffic for 24 hours.

These commands will tell you which clients have been active in the last 24 hours:

echo ">top-clients withzero (15)" | nc 127.0.0.1 4711

echo ">top-domains" | nc 127.0.0.1 4711

echo ">top-ads" | nc 127.0.0.1 4711

I expect a LOT of clients, right now I have 18 on WiFi (various laptops, phones, tablets, watches, thermostats, IoT, etc) and probably another 5-6 wired. Here is what I got with those commands (my Pi IP is 10.0.1.101, not sure if I should change the commends or not, I just used as you told me). Since I can only post 5 links (I am a new used), I will try to edit the links

pi@raspberrypi:~ $ echo ">top-clients withzero (15)" | nc 127.0.0.1 4711
0 199 127.0.0.1 localhost
1 55 10.0.1.11 
2 1 10.0.1.100 
3 0 10.0.1.10 
4 0 10.0.1.101 raspberrypi
---EOM---
pi@raspberrypi:~ $ echo ">top-domains" | nc 127.0.0.1 4711
0 27 100.1.0.10.in-addr.arpa
1 27 10.1.0.10.in-addr.arpa
2 27 11.1.0.10.in-addr.arpa
3 26 101.1.0.10_in-addr_arpa
4 23 220.220.67.208_in-addr_arpa
5 23 222.222.67.208_in-addr_arpa
6 6 api_github_com
7 6 s3_amazonaws_com
8 5 www_youtube_com
9 5 www_google_com
---EOM---
pi@raspberrypi:~ $ echo ">top-ads" | nc 127.0.0.1 4711
0 8 googleads.g.doubleclick.net
1 4 static.doubleclick.net
2 3 securepubads.g.doubleclick.net
---EOM---

I don’t think the problem lies in your Pi-Hole. Your debug log shows that Pi-Hole is properly processing received DNS entries. What appears to have happened is that some of the clients are no longer using Pi-Hole (as evidenced from your screen shot from the long term database showing a step traffic change a few days ago). Did you update your router or anything else about that time?

I would test with one of your laptops by manually assigning its DNS to Pi-Hole. If the device connects to Pi-Hole for DNS, then you likely have a router configuration problem.

Edit - what is client 10.0.1.11? That seems to have some activity on the Pi-Hole? Is this a TIVO device?

Hi, I may have found the issue. Or at least one issue.

At some point I had issues with the router (Apple Airport Extreme about 10 year old) and I decided to resset and re-enter all settings. I think I made a typo and for the DNS IP I put 100.0.1.101 but my Pi-hole is 10.0.1.101

So that means the router was using the backup DNS server ( and Open-DNS) but for some strange reason my router still blocked almost all ads during this time. That is really interesting.

There should be no “backup” server assigned. Clients will use any and all DNS servers they find.

Interesting. I think I read somewhere that you need a backup DNS. What happens if the Pi crashed or lost power, all network is down without a DNS? Thanks

Yes. But Pi’s rarely crash, and if it loses power it is likely the rest of your network equipment has lost power.

Everything is back to normal. What an embarrasing typo in the IP.