Pi-hole + Unifi + IPv6 - domains (regex) not getting blocked

Hello

I am running a Unifi Network with a Cloud Gateway Ultra (Native Unifi OS).
My Pi-hole is running as a Proxmox LXC on a Debian Proxmox install (VM running on Synology-Server).

My Unifi Device is the DHCP Server and I am blocking Ads by using Pi-hole as a DNS (IPv4 set in Network Settings).
In Pi-hole I configured conditional forwarding: true,192.168.1.0/24,192.168.1.1,local

I also tried adding the local IPv6 address of the Pi-hole server to my Unifi config but it did not change anything.
I think also with only specifying the IPv4 address AAAA records are blocked (if I look at the statistics).

My problem is now that custom added domains (i.e. (^|.)instagram.(com|net|org|tv|co|co.uk)$ ) do not work. What can I try? My Mac / iPhone show the Pi-hole IPv4 as DNS ...

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

https://tricorder.pi-hole.net/yY3F8zs7/

Thank you

Your (^|\.)instagram\.(com|net|org|tv|co|co\.uk)$ regex is activated and correctly configured for the default group.

Run from your Pi-hole machine, what's the output of

pihole-FTL regex-test www.instagram.co.uk

And run from a client in your network, what's the output of

nslookup pi.hole
nslookup www.instagram.co.uk

root@pihole:/etc/pihole# pihole-FTL regex-test www.instagram.co.uk
[i] Loading regex filters from database...
    Compiled 8 deny and 1 allow regex in 3.156 msec

[i] Checking domain against deny regex...
    (^|\.)instagram\.(com|net|org|tv|co|co\.uk)$ matches (regex blacklist, DB ID 27)
    Time: 0.064 msec
[i] Checking domain against allow regex...
    Time: 0.002 msec

So this confirms your regex is correctly matching www.instagram.co.uk.
What about the nslookups?
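To make the difference between the regex the poster typed (unescaped dots) and the one actually stored in the gravity database (escaped dots) visible without a Pi-hole at hand, here is a small added example. It is not Pi-hole's or FTL's code: FTL compiles deny regexes as POSIX extended regular expressions, and Python's re module behaves identically for the constructs in this pattern. The sample domain list is constructed for illustration; the escaped pattern is copied from the regex-test output above.

```python
import re

# Pattern as it is stored in gravity and printed by `pihole-FTL regex-test`:
# the backslashes make '.' a literal dot, so labels must line up exactly.
ESCAPED = r"(^|\.)instagram\.(com|net|org|tv|co|co\.uk)$"

# Pattern as typed in the opening post: every unescaped '.' is a one-character
# wildcard, so this matches strictly more than the author probably intended.
UNESCAPED = r"(^|.)instagram.(com|net|org|tv|co|co.uk)$"


def is_blocked(domain: str, pattern: str) -> bool:
    """Return True if the deny regex matches the queried domain.

    Pi-hole stores and matches queried domains in lower case, so the domain is
    lower-cased here as well (assumption mirrored from observed behaviour, not
    FTL source). re.search is used because Pi-hole regexes are not implicitly
    anchored; the pattern supplies its own ^ and $.
    """
    return re.search(pattern, domain.lower()) is not None


def regex_test(pattern: str, domains: list[str]) -> dict[str, bool]:
    """Emulate `pihole-FTL regex-test` for one pattern over several domains."""
    return {d: is_blocked(d, pattern) for d in domains}


# Constructed sample queries: the first three should be blocked, the rest not.
SAMPLE = [
    "www.instagram.co.uk",        # the domain tested in the thread
    "instagram.com",              # apex domain, matched via the '^' branch
    "cdn.instagram.net",          # subdomain, matched via the '\.' branch
    "notinstagram.com",           # different label that merely ends in 'instagram'
    "instagram.com.example.org",  # 'instagram.com' is not at the end of the name
    "xinstagramxcom",             # only a wildcard '.' could match this
]


def main() -> None:
    for label, pattern in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(f"== {label}: {pattern}")
        for domain, hit in regex_test(pattern, SAMPLE).items():
            print(f"  {'BLOCK ' if hit else 'allow '} {domain}")


if __name__ == "__main__":
    main()
```

Running it shows that the escaped pattern blocks exactly the three intended names and nothing else, while the unescaped variant additionally blocks notinstagram.com and xinstagramxcom. Pi-hole escapes nothing for you, so a regex entered through the web interface should carry the backslashes, as the stored one in this thread does.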

Sorry

jonas@MacBook-Pro-M4 ~ % nslookup www.instagram.co.uk
Server: 192.168.1.115
Address: 192.168.1.115#53

Name: www.instagram.co.uk
Address: 0.0.0.0

jonas@MacBook-Pro-M4 ~ % nslookup 192.168.1.115
Server: 192.168.1.115
Address: 192.168.1.115#53

115.1.168.192.in-addr.arpa name = pi.hole.

jonas@MacBook-Pro-M4 ~ % nslookup pi.hole
Server: 192.168.1.115
Address: 192.168.1.115#53

Name: pi.hole
Address: 0.0.0.0

jonas@MacBook-Pro-M4 ~ %

Unrelated to your issue:
A default Pi-hole would contextually answer requests for pi.hole with its own IP address.

Yours answers 0.0.0.0, as you have enabled dns.reply.host.force4 without providing dns.reply.host.IPv4:

       [dns.reply.host]
         force4 = true ### CHANGED, default = false
         IPv4 = ""

You should disable dns.reply.host.force4:

sudo pihole-FTL --config dns.reply.host.force4 false

Your nslookup result demonstrates that Pi-hole has blocked www.instagram.co.uk as 0.0.0.0.

Why do you think that Pi-hole wouldn't apply your regex filter?

Ok - your last question pointed me in the right direction …
I set 9.9.9.9 as secondary DNS in my Unifi setup - to cover a Pi-hole outage - but it seems that it just used the secondary DNS once a site was blocked …

Is there another way to have a fallback option or do I need to buy a Raspberry and set up a second Pi-hole? :wink:

Thank you
