Pihole blocks our website but it's not on any blacklist

Expected Behaviour:

To have this website https://www.hollandmarineparts.nl freely available on our network.

Actual Behaviour:

Pi-hole blocks the website even while it's not (and never was) on any blacklist. In the query log I see that sometimes the website is appended with our DNS name. This is very strange, it happens only on this website. So in the query log there are entries like this: https://www.hollandmarineparts.nl.ad.contoso.com

I've noticed that this mostly happens when the website is loaded over http instead of https. We cannot enforce https because it causes redirect loops. The website will be rebuilt later this year. Until then I hope we can freely browse the website on our network.

Note that whitelisting the site doesn't help in this case.

Debug Token:

https://tricorder.pi-hole.net/rcdknm7mj9

These tools can help determine why desired content will not load.

I applied the tools and opened the website using Pi-hole with the stock blocklists and some additional regex. The website opened normally. AdamOne Assistant shows the following domains requested.

* www.hollandmarineparts.nl
* ssl.google-analytics.com
* www.youtube.com
* googleads.g.doubleclick.net
* static.doubleclick.net
* yt3.ggpht.com
* i.ytimg.com
* fonts.gstatic.com

This is the tail of the Pi-hole log (as best I can tell, there were other processes doing DNS queries at the same time):

09:23:18: query[A] www.hollandmarineparts.nl from 192.168.0.135
09:23:18: cached www.hollandmarineparts.nl is <CNAME>
09:23:18: cached hosting-1a.mijndomein-ws.nl is 34.240.216.169
09:23:19: query[A] stackpath.bootstrapcdn.com from 192.168.0.135
09:23:19: cached stackpath.bootstrapcdn.com is <CNAME>
09:23:19: cached cds.j3z9t3p6.hwcdn.net is 209.197.3.15
09:23:19: query[A] ajax.googleapis.com from 192.168.0.135
09:23:19: cached ajax.googleapis.com is 172.217.6.10
09:23:19: query[A] cdnjs.cloudflare.com from 192.168.0.135
09:23:19: cached cdnjs.cloudflare.com is 104.17.65.4
09:23:19: cached cdnjs.cloudflare.com is 104.17.64.4
09:23:19: query[A] fonts.googleapis.com from 192.168.0.135
09:23:19: cached fonts.googleapis.com is 172.217.4.42
09:23:19: query[A] fonts.gstatic.com from 192.168.0.135
09:23:19: cached fonts.gstatic.com is <CNAME>
09:23:19: cached gstaticadssl.l.google.com is 172.217.4.67
09:23:19: query[A] hollandmarineparts.nl from 192.168.0.135
09:23:19: cached hollandmarineparts.nl is 34.240.216.169
09:23:19: query[A] ssl.google-analytics.com from 192.168.0.135
09:23:19: gravity blocked ssl.google-analytics.com is 0.0.0.0
09:23:19: query[A] www.youtube.com from 192.168.0.135
09:23:19: cached www.youtube.com is <CNAME>
09:23:19: cached youtube-ui.l.google.com is 172.217.6.14
09:23:19: cached youtube-ui.l.google.com is 172.217.4.206
09:23:19: cached youtube-ui.l.google.com is 172.217.4.78
09:23:19: cached youtube-ui.l.google.com is 172.217.8.206
09:23:19: cached youtube-ui.l.google.com is 172.217.8.174
09:23:19: cached youtube-ui.l.google.com is 172.217.1.46
09:23:19: cached youtube-ui.l.google.com is 172.217.5.14
09:23:19: cached youtube-ui.l.google.com is 172.217.4.46
09:23:19: cached youtube-ui.l.google.com is 216.58.192.174
09:23:19: cached youtube-ui.l.google.com is 216.58.192.142
09:23:19: cached youtube-ui.l.google.com is 172.217.9.78
09:23:19: cached youtube-ui.l.google.com is 172.217.9.46
09:23:19: cached youtube-ui.l.google.com is 172.217.0.14
09:23:20: query[A] googleads.g.doubleclick.net from 192.168.0.135
09:23:20: gravity blocked googleads.g.doubleclick.net is 0.0.0.0
09:23:20: query[A] static.doubleclick.net from 192.168.0.135
09:23:20: gravity blocked static.doubleclick.net is 0.0.0.0
09:23:20: query[A] yt3.ggpht.com from 192.168.0.135
09:23:20: cached yt3.ggpht.com is <CNAME>
09:23:20: cached photos-ugc.l.googleusercontent.com is 172.217.0.1
09:23:20: query[A] i.ytimg.com from 192.168.0.135
09:23:20: cached i.ytimg.com is 172.217.6.22

Are the domains you load similar to what I see, and are any of the content domains being blocked by Pi-Hole?

Are you using any regex entries? I certainly know one of mine will block anything.ad.contoso.com

From the OP debug log:

[2020-02-28 11:31:19.478 31183] Compiled 0 Regex filters and 96 whitelisted domains in 0.2 msec (0 errors)

Seems like you either run an Active Directory controller in your network or your router is assigning ad.contoso.com as a search domain for your network.
As such, it would seem normal that Windows clients would append that domain to DNS searches on occasion.

It would also seem normal that Pi-hole wouldn't be able to resolve the resulting name and would forward it to its upstream DNS server, and that would very likely fail with no such domain (which it does for me).

So if you are seeing those requests failing, do they really get blocked by Pi-hole, or do they simply get forwarded to answer NXDOMAIN?

If the former, you should follow mmotti's advice and check your regex.
EDIT: Does not seem to be the case, as of your debug log quoted above by @jfb.

In the latter case, you could either search if you can
a) ignore it, as most apps should do a DNS lookup without the local domain search suffix after that one fails
b) try to configure your clients to forego appending the search domain if not needed (no idea how you'd do that, though)
c) try to extend Pi-hole by a host record for www.hollandmarineparts.nl.ad.contoso.com. Note that this may result in further trouble, as your website (or whatever is residing at that domain) might not at all handle that unusual name well in places.

In any case, your problem seems to apply to your specific network configuration, as I wasn't able to reproduce it with a stock configuration.
Even when artificially introducing a blocking regex, the result would be the same as receiving an NXDOMAIN for the user.


Thank you all. I am testing at home now and I do not see the same behaviour here as on our company network.

Testing via RDP on company network again. I see our default blocking page where you can normally whitelist a site. Screenshot by Lightshot

Also, here's the redacted query log: Screenshot by Lightshot

There are some strange things going on. ALL company traffic goes through DNS servers 192.168.1.1 and 192.168.1.2, but this request comes from localhost..? Also the request is allowed but it's clearly blocked in the browser. The reply type is NOTIMP. Not implemented?? Why would that be?

Edit: That's actually a 404 error masquerading as a blocked site. http://www.hollandmarineparts.nl is 404ing.

That makes sense. I guess it would 404 if the url got appended with the internal dns name.

And NOTIMP is from the query type of ANY.

Hmm. @Bucking_Horn our router is indeed assigning ad.contoso.com as search domain for the network, but it has been doing that for ages. I would not know why it will be a problem for only this website. We have 30 users browsing the web every day and only this one has an issue with it.

I have checked DNS records now for the domain hollandmarineparts.nl. I see we are missing an A record for the www subdomain without a wildcard record. I have added the www record now.

Doing nslookup test.hollandmarineparts.nl. returned the ip address of the pi-hole. Doing this in the browser would generate the same 404 error.

It could be that this explains the issue, although www.hollandmarineparts.nl has been functioning correctly all over the world for everyone else. I almost can't believe this was really the issue.
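The two mechanisms this thread turns on are the client resolver's search-list expansion (Bucking_Horn's explanation of why www.hollandmarineparts.nl.ad.contoso.com shows up in the log) and the trailing-dot FQDN in the nslookup test above, which suppresses that expansion. The following script is an added example, not code from the thread or from the Pi-hole project. It models the search-list rules documented in resolv.conf(5) for glibc (a trailing dot means "absolute, try as-is"; a name with at least ndots dots is tried absolute first, then with each search domain appended; a shorter name is tried with the search domains first); Windows clients follow their own, similar but not identical, rules, so treat the candidate order as illustrative. It then scans Pi-hole/dnsmasq-style query lines for names that are a multi-label public name with the search domain glued on, which is the pattern the OP saw. The search domain ad.contoso.com and all log lines are constructed for the example.

```python
"""Added example (not from the thread or the Pi-hole project).

Part 1: which names a glibc-style stub resolver would try for a given query.
Part 2: flag search-suffix-appended queries in Pi-hole/dnsmasq log lines.
Search domain, host names and log lines below are constructed sample data.
"""
import re
from typing import List, Tuple


def search_candidates(name: str, search_domains: List[str], ndots: int = 1) -> List[str]:
    """Return the fully-qualified names a resolver would try, in order.

    Assumed semantics (resolv.conf(5), glibc): a trailing dot marks the name
    absolute and it is tried as-is only; a name with >= ndots dots is tried
    absolute first and then with each search domain appended; a name with
    fewer dots gets the search domains first and the absolute form last.
    """
    if name.endswith("."):
        return [name]
    absolute = f"{name}."
    suffixed = [f"{name}.{d.strip('.')}." for d in search_domains]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


# Shape of a dnsmasq/Pi-hole query line: "<time>: query[<type>] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+): query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def suffixed_queries(log_lines: List[str], search_domain: str) -> List[Tuple[str, str, str]]:
    """Return (client, stripped_name, logged_name) for every query whose name is
    the search domain appended to a multi-label name.

    A single-label prefix (dc01.ad.contoso.com) is a normal internal host and is
    not reported; a dotted prefix (www.hollandmarineparts.nl.ad.contoso.com) is
    almost always a public name that a client expanded with its search list.
    """
    suffix = "." + search_domain.strip(".").lower()
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # cached/forwarded/reply lines carry no client, skip them
        name = m.group("name").lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        prefix = name[: -len(suffix)]
        if "." in prefix:
            hits.append((m.group("client"), prefix, name))
    return hits


# Constructed sample log in the format seen in the thread (not real traffic).
SAMPLE_LOG = """\
09:23:18: query[A] www.hollandmarineparts.nl from 192.168.0.135
09:23:18: forwarded www.hollandmarineparts.nl to 192.168.1.1
09:23:18: query[A] www.hollandmarineparts.nl.ad.contoso.com from 192.168.0.135
09:23:18: query[A] dc01.ad.contoso.com from 192.168.0.135
09:23:19: query[A] fonts.gstatic.com from 192.168.0.135
09:23:19: query[AAAA] cdnjs.cloudflare.com.ad.contoso.com from 192.168.0.141
""".splitlines()


if __name__ == "__main__":
    for q in ("www.hollandmarineparts.nl", "www.hollandmarineparts.nl.", "intranet"):
        print(q, "->", search_candidates(q, ["ad.contoso.com"]))
    for client, stripped, logged in suffixed_queries(SAMPLE_LOG, "ad.contoso.com"):
        print(f"{client} expanded {stripped} to {logged}")
```

Running the scan over a real `/var/log/pihole.log` tells you which clients are doing the expansion; whether the expanded name is then answered with NXDOMAIN or with an unexpected address (a wildcard record in the internal zone, or in the public zone as the OP found) is what decides if the browser ends up at the wrong server.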

For those of us running Pi-hole that tested and replied to the thread, it works. This leads me to believe it isn't something being blocked by Pi-hole.

pi@noads:~ $ pihole -q hollandmarineparts.nl
  [i] No results found for hollandmarineparts.nl within the block lists


EDIT: probably have to wait till some TTL expires if you made DNS record changes.
Cache is everywhere :wink:
