PiHole blocking access to a specific website

manumissi0n · November 3, 2021, 6:17pm

I'm having an odd issue: when I try to reach a specific website (www.nrk.no specifically) with any browser, it times out.

I can resolve nrk.no if I do an nslookup for it, and see the request in the QueryLogs panel. But when I try to reach it via browser, nothing logs on PiHole

If I change my laptop's DNS to 1.1.1.1 it works.

I have cleared my laptop's cache, browsers cache and restarted the DNS service multiple times on my Pi

I have only the standard AdList at the moment (removed all the custom ones when troubleshooting)

Debug Token:

https://tricorder.pi-hole.net/iXPf66UC/

jfb · November 3, 2021, 6:33pm

manumissi0n · November 8, 2021, 10:17am

thanks but the issue is not with ads from a specific website. The entire website cannot be reached when using pihole as DNS server

I tried whitelisting the entire domain and subdomains, but it didn't of course help.

I have also run a pihole -r and cleared out all my blacklist entries (/etc/pihole/gravity.db "delete from domainlist where type=1;")

I have read through the link you posted but I didn't find any useful info about a website that completely fails to load

Anything else that I can try?

Bucking_Horn · November 8, 2021, 1:26pm

from the FAQ as linked above:

DNS has no concept of websites or ads or other resources like images or scripts.
It's main purpose is to translate a domain name into IP addresses.
As a filtering DNS resolver, Pi-hole isn't aware of whether a given domain block would block an entire website or a single ad. It just will refuse to reply an IP address for a blocked domain.

The steps detailed in the FAQ will help you to find out what domains are involved and would possibly need to be blocked or (in your case) unblocked.

However, I can confirm www.nrk.no is working for me, and I also use Steven Black's hosts blocklist, with no extra whitelisting.

Since this would suggest that your issue isn't likely related to Pi-hole, are you perhaps using some ad-blocking browser extensions that would interfere?

manumissi0n · November 8, 2021, 2:11pm

Thanks for your reply

The curious thing is that I have tried to tail the pi log when opening the website and nothing comes up related to nrk.no when attempting to reach the site. If I do an nslookup, I can see the request in the pi log, but trying to navigate the website logs nothing.

I have tried with different browsers (with adblockers disabled and edge which has no adblocking software installed) on my laptop and also different devices (ios) and the behaviour is the same when using pi as DNS: not able to browse the website and nothing in the logs

I have installed the ADAMnetworks extension and this is a list of domain that appear when I visit the page (using 1.1.1.1 as dns):

www.nrk.no
static.nrk.no
gfx.nrk.no
innlogging.nrk.no
psapi.nrk.no
p.lp4.io
static.chartbeat.com
nrkno-ssenotifier.nrk.no

I have whitelisted the entire nrk.no domain and subdomains and whitelisted also lp4.io and chartbeat.com to see if it helped, but it did not.

If I try to visit nrk.no with only PI as DNS the list from ADAMnetworks is:

nrk.no
www.nrk.no
(and it doesn't work)

Bucking_Horn · November 8, 2021, 2:28pm

'nothing in the logs' would mean that none of your browsers is using Pi-hole for DNS (but then I'd expect the site to work).
A browser may by-pass Pi-hole by using DNS-over-HTTPS (DoH), so make sure that's disabled.
For Firefox, that's taken care of by Pi-hole setting the appropriate Firefox canary domain.
For other browsers, verify that DoH is disabled in your browser.

manumissi0n · November 8, 2021, 5:22pm

Thanks for your reply

nothing in the logs about that specific request to www.nrk.no.
Everything else is being logged.

DoH is not enabled in any of the browsers. As I mentioned the same issue happens on different browsers on different devices

jfb · November 8, 2021, 5:30pm

If the domain does not appear in the Pi-hole logs, Pi-hole did not receive a request for that domain.

manumissi0n · November 8, 2021, 8:44pm

Right. I noticed my laptop had ipv6 turned off, so I enabled it and now I can see this in the log when I try to visit the site:

Nov  8 21:41:32 dnsmasq[3330]: query[AAAA] www.nrk.no from 2001:XXXX:XXXX:0:XXXX:95a4:d683:3e6b
Nov  8 21:41:32 dnsmasq[3330]: forwarded www.nrk.no to 1.1.1.1
Nov  8 21:41:32 dnsmasq[3330]: reply www.nrk.no is NODATA-IPv6

But the website is still not loading...

manumissi0n · November 8, 2021, 8:56pm

I think I have solved this.

After adding the Cloudflare IPv6 upstream DNS server to my settings I have restarted the DNS resolver and flushed the network table

And it started working:

Nov  8 21:52:53 dnsmasq[4436]: query[AAAA] www.nrk.no from 2001:XXXX:XXXX:0:XXXX:XXXX:XXXX:3e6b
Nov  8 21:52:53 dnsmasq[4436]: cached www.nrk.no is <CNAME>
Nov  8 21:52:53 dnsmasq[4436]: cached www.nrk.no.edgesuite.net is <CNAME>
Nov  8 21:52:53 dnsmasq[4436]: forwarded www.nrk.no to 2606:4700:4700::1111
Nov  8 21:52:53 dnsmasq[4436]: reply www.nrk.no is <CNAME>
Nov  8 21:52:53 dnsmasq[4436]: reply www.nrk.no.edgesuite.net is <CNAME>
Nov  8 21:52:53 dnsmasq[4436]: reply a390.dscr.akamai.net is 2a02:26f0:4300::1724:4cda
Nov  8 21:52:53 dnsmasq[4436]: reply a390.dscr.akamai.net is 2a02:26f0:4300::1724:4d23
Nov  8 21:52:53 dnsmasq[4436]: query[A] a390.dscr.akamai.net from 2001:4651:39aa:0:9458:95a4:d683:3e6b
Nov  8 21:52:53 dnsmasq[4436]: forwarded a390.dscr.akamai.net to 2606:4700:4700::1111
Nov  8 21:52:53 dnsmasq[4436]: reply a390.dscr.akamai.net is 23.36.76.90
Nov  8 21:52:53 dnsmasq[4436]: reply a390.dscr.akamai.net is 23.36.76.162
Nov  8 21:52:53 dnsmasq[4436]: query[AAAA] a390.dscr.akamai.net from 2001:4651:39aa:0:9458:95a4:d683:3e6b
Nov  8 21:52:53 dnsmasq[4436]: cached a390.dscr.akamai.net is 2a02:26f0:4300::1724:4d23
Nov  8 21:52:53 dnsmasq[4436]: cached a390.dscr.akamai.net is 2a02:26f0:4300::1724:4cda
Nov  8 21:52:53 dnsmasq[4436]: query[A] incoming.telemetry.mozilla.org from 2001:4651:39aa:0:9458:95a4:d683:3e6b
Nov  8 21:52:53 dnsmasq[4436]: gravity blocked incoming.telemetry.mozilla.org is 0.0.0.0

Thanks for the help and this great piece of software

Bucking_Horn · November 9, 2021, 8:31am

Adding Cloudflare's IPv6 address (or any other IPv6) to its IPv4 (1.1.1.1) hasn't any bearing on DNS resolution. Both 1.1.1.1 and 2606:4700:4700::1111 would return IPv4 as well as IPv6 addresses for www.nrk.no (as any public resolver would be expected to).

Whatever made your client work as expected, adding an IPv6 upstream to Pi-hole should not have contributed to it.

Those lines are strange, as 1.1.1.1 returns a set of IPv6 addresses for AAAA queries:

:~$ dig -t AAAA www.nrk.no @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> -t AAAA www.nrk.no @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9682
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.nrk.no.                    IN      AAAA

;; ANSWER SECTION:
www.nrk.no.             7200    IN      CNAME   www.nrk.no.edgesuite.net.
www.nrk.no.edgesuite.net. 21600 IN      CNAME   a390.dscr.akamai.net.
a390.dscr.akamai.net.   20      IN      AAAA    2a02:26f0:e200::217:5258
a390.dscr.akamai.net.   20      IN      AAAA    2a02:26f0:e200::217:5241

;; Query time: 162 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Nov 09 09:16:33 CET 2021
;; MSG SIZE  rcvd: 164

So your observation could either have been a temporary failure, or something could be redirecting your DNS traffic.

But as it's working for you now, there's probably not much use of delving into this any further.

system · November 30, 2021, 8:31am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.