Pi-hole + Unbound with a Speedport Smart 4 on a VM

Hello everyone,
I have problems actually blocking ads with pi-hole.
I am currently running pi-hole together with unbound on a VM running Ubuntu 24.04.1 LTS (Server).
My router is a Telekom Speedport Smart 4.
I have pi-hole set up as DHCP-server and disabled the DHCP-server in the router. I set up pi-hole as preferred DNSv4 and DNSv6 servers inside my router. The option for the router to use a ULA is turned on. The upstream DNS servers inside pi-hole for IPv4 are 127.0.0.1#5335 and not set for IPv6.
For unbound I used the default config file as proposed here.

Pi-hole versions:

nslookup gives the following output:

$ nslookup flurry.com
Server:		192.168.2.1
Address:	192.168.2.1#53

Name:	flurry.com
Address: 0.0.0.0
Name:	flurry.com
Address: ::

$ nslookup flurry.com pi.hole
Server:		pi.hole
Address:	fd3e:ced5:18b3:1:a00:27ff:fe50:ba1a#53

Name:	flurry.com
Address: 0.0.0.0
Name:	flurry.com
Address: ::

So it seems like it should be working, but somehow I still get ads served after all.

Expected Behaviour:

I expect pi-hole to block ads and have them not shown.

Actual Behaviour:

When visiting pages with my laptop, pi-hole logs show blocked queries, but the corresponding ads are still served. When visiting the same pages with my phone, ads are shown, but pi-hole logs are not showing blocked queries either.

Debug Token:

https://tricorder.pi-hole.net/gJSoxlQ6/

I am totally lost at this point. Any help is highly appreciated!

Edit: Some information I wanted to add, but forgot to put in the original post:
The connection to my laptop is wired. The laptop runs Ubuntu 24.04.1 LTS. One problem I just noticed is that /etc/resolv.conf shows too many DNS servers configured.

The phone is on wifi. The private DNS setting on the phone is set to off.

Your debug log shows that your Pi-hole host machine is aware of three IPv6 DNS server addresses:

*** [ DIAGNOSING ]: contents of /etc

lrwxrwxrwx 1 root root 39 Aug 27 14:21 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
   nameserver 192.168.2.1
   nameserver fe80::1%2
   nameserver 2003:<redacted>1a
   nameserver 2003:<redacted>1a
   search speedport.ip

Likely, all of those belong to your router, demonstrating that your router is advertising its own IPv6 address as DNS server, allowing your clients to bypass Pi-hole.

You'd have to find a way to configure your router to stop advertising its own IPv6 as DNS server, or to advertise your Pi-hole host machine's IPv6.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether, provided you'd not depend on IPv6 for reasons.

If your router doesn't support that either, your IPv6-capable clients will always be able to bypass Pi-hole via IPv6.

You could then try to mitigate this by setting Pi-hole as the only upstream of your router, but note that you won't be able to attribute DNS requests to original individual IPv6 clients in that configuration.
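
The check described in the reply above, as an added example that is not part of the original thread: it reads a resolv.conf-style nameserver list and reports every resolver that is not a Pi-hole address, normalising IPv6 zone indexes and spellings first. The sample input is constructed (2001:db8::1a stands in for the redacted 2003: address), and treating the ULA from the nslookup output as the only Pi-hole address is an assumption.

```python
import ipaddress

# Constructed sample shaped like the resolv.conf in the debug log above.
# 2001:db8::1a (documentation prefix) stands in for the redacted address.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.2.1
nameserver fe80::1%2
nameserver 2001:db8::1a
nameserver 2001:0db8:0000:0000:0000:0000:0000:001a
nameserver fd3e:ced5:18b3:1:a00:27ff:fe50:ba1a
search speedport.ip
"""

# Assumption: the ULA that answered as pi.hole is the only Pi-hole address.
PIHOLE_ADDRS = {"fd3e:ced5:18b3:1:a00:27ff:fe50:ba1a"}


def _canon(addr):
    """Drop an IPv6 zone index (fe80::1%2) and return a comparable object."""
    return ipaddress.ip_address(addr.split("%", 1)[0])


def scope(ip):
    """Label the address family and IPv6 scope of a resolver address."""
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:
        return "ipv6 link-local"
    if ip in ipaddress.ip_network("fc00::/7"):
        return "ipv6 ULA"
    return "ipv6 global"


def find_bypass_resolvers(resolv_conf, pihole_addrs):
    """Return [(address, scope)] for each nameserver that is not Pi-hole."""
    allowed = {_canon(a) for a in pihole_addrs}
    seen, findings = set(), []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            ip = _canon(fields[1])
        except ValueError:
            continue  # malformed entry, nothing to compare
        if ip in allowed or ip in seen:
            continue  # Pi-hole itself, or a duplicate in another spelling
        seen.add(ip)
        findings.append((str(ip), scope(ip)))
    return findings
```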

Thank you for your reply!

Yes, they belong to my router. The 2 nameservers above the search line might be from the pi-hole however.

I thought I had disabled my router's IPv6 DNS when I set my preferred DNSv4 and DNSv6 servers to the pi-hole, see screenshot below.

But apparently this is not enough. I will look through the documentation, as you proposed.
