Pihole is NOT blocking blacklisted domains

I am experiencing an issue with my pihole; it is not blocking my blacklisted domains.

Although the PiHole acknowledges that the list is in and working, the machines are still able to access the blacklisted site.

This is the output from the PiHole:

piadmin@pihole01:~$ nslookup discord.com
Server:		10.0.100.20
Address:	10.0.100.20#53

Name:	discord.com
Address: 0.0.0.0
Name:	discord.com
Address: ::

piadmin@pihole01:~$ pihole-FTL regex-test discord.com

[i] Loading regex filters from database...
    Compiled 2 black- and 0 whitelist regex filters in 4.489 msec

[i] Checking domain against blacklist...
    (\.|^)discord\.com$ matches (regex blacklist, DB ID 44)
    Time: 0.025 msec
[i] Checking domain against whitelist...
    Time: 0.000 msec
piadmin@pihole01:~$

Now this is the output from a machine that uses the PiHole as a DNS server:

daquezada@mac01 ~ $nslookup discord.com
Server:		10.0.100.20
Address:	10.0.100.20#53

Non-authoritative answer:
Name:	discord.com
Address: 162.159.137.232
Name:	discord.com
Address: 162.159.138.232
Name:	discord.com
Address: 162.159.128.233
Name:	discord.com
Address: 162.159.135.232
Name:	discord.com
Address: 162.159.136.232

daquezada@mac01 ~ $

I have read other posts regarding similar issues and tried all the suggestions there, but nothing seems to work.

Please advise, and thanks in advance for your help.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

@Bucking_Horn Thanks for your help, here is the token URL you requested:

https://tricorder.pi-hole.net/54xHUd4M/

Why do you have two IPs assigned to the eth0 interface on the Pi?

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=eth0

*** [ DIAGNOSING ]: Network interfaces and addresses

   2: eth0@if274: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
       inet 10.0.100.21/27 metric 1024 brd 10.0.100.31 scope global dynamic eth0
          valid_lft 74145sec preferred_lft 74145sec
       inet 10.0.100.20/27 scope global secondary eth0
          valid_lft forever preferred_lft forever

Open a terminal window to the Pi and start tailing the Pi-hole log with the command pihole -t.

Then, while still tailing, run the nslookup command from the client again. Do you see a burst of activity in the log, including the nslookup command from the client?

The two IPs are because I am running two PiHoles using keepalived; 10.0.100.21/27 is the physical address and 10.0.100.20/27 is the virtual address.

I do see the activity, and stuff being blocked, but I don’t see the nslookup queries from the devices in question.

If you don't see the queries in the Pi-hole log, Pi-hole did not process the queries.

The Pihole is set as my default DNS server, so if the PiHole is not processing the queries then who is?

And why does the nslookup show the PiHole as the one who resolved the query?

Then please also share a debug token for the other instance.

And assuming the second Pi-hole would reside at 10.0.100.5, please share the output of the following commands:

nslookup discord.com 10.0.100.21
nslookup discord.com 10.0.100.5

Each command should register with up to 4 DNS requests in the respective Pi-hole's Query Log.

Hi @Bucking_Horn ,

Thanks again for your help.

Find below the output of the commands you asked me to run:

piadmin@rpi01:~ $ nslookup discord.com 10.0.100.21
Server: 10.0.100.21
Address: 10.0.100.21#53

Name: discord.com
Address: 0.0.0.0
Name: discord.com
Address: ::

piadmin@rpi01:~ $ nslookup discord.com 10.0.100.5
Server: 10.0.100.5
Address: 10.0.100.5#53

Name: discord.com
Address: 0.0.0.0
Name: discord.com
Address: ::

piadmin@rpi01:~ $

Here is the debug token of the second PiHole:

https://tricorder.pi-hole.net/HPHQIdue/

Both of your Pi-holes have an entry to block discord.com:

(\.|^)discord\.com$

And your nslookup results demonstrate that each of them correctly blocks discord.com, as would be expected.

You haven't disclosed what the Query Logs look like, but the replies would imply that both nslookups registered with the respective Pi-hole.

Please run that nslookup against your .20 virtual keepalived IP and share the results, also watching your Pi-holes' Query Log for the respective DNS requests.

Hi @Bucking_Horn ,

Here is the nslookup you requested from two different machines:

From winpc02:

daquezada@winpc02 ~ $nslookup discord.com 10.0.100.20
Server: 10.0.100.20
Address: 10.0.100.20#53

Non-authoritative answer:
Name: discord.com
Address: 162.159.135.232
Name: discord.com
Address: 162.159.138.232
Name: discord.com
Address: 162.159.136.232
Name: discord.com
Address: 162.159.137.232
Name: discord.com
Address: 162.159.128.233

daquezada@winpc02 ~ $

From rpi02:

piadmin@rpi02:~ $ nslookup discord.com 10.0.100.20
Server: 10.0.100.20
Address: 10.0.100.20#53

Name: discord.com
Address: 0.0.0.0
Name: discord.com
Address: ::

piadmin@rpi02:~ $

It would be crucial to carefully watch your Pi-hole's Query Log whether those lookups would register.

Run from your Pi-hole host machines, what is the output of:

sudo grep discord.com /var/log/pihole/pihole.log

I just came to an interesting discovery!

I have four VLANs on my network:

10.0.1.0/27 (Default)
10.0.100.0/27 (MGMT)
10.0.105.0/27 (Standard)
10.0.107.0/27 (IoT)

They are pretty much configured the same way, with Standard and IoT being the ones that are configured the same way.

This issue only occurs on the Standard VLAN! See below:

From 10.0.1.0/27 (Default):

daquezada@mac01 ~ $nslookup discord.com
Server:		10.0.100.20
Address:	10.0.100.20#53

Name:	discord.com
Address: 0.0.0.0

From 10.0.100.0/27 (MGMT):

daquezada@mac01 ~ $nslookup discord.com
Server:		10.0.100.20
Address:	10.0.100.20#53

Name:	discord.com
Address: 0.0.0.0

From 10.0.107.0/27 (IoT):

daquezada@mac01 ~ $nslookup discord.com
Server:		10.0.100.20
Address:	10.0.100.20#53

Name:	discord.com
Address: 0.0.0.0

And finally, from 10.0.105.0/27 (Standard):

daquezada@mac01 ~ $nslookup discord.com
Server:		10.0.100.20
Address:	10.0.100.20#53

Non-authoritative answer:
Name:	discord.com
Address: 162.159.137.232
Name:	discord.com
Address: 162.159.138.232
Name:	discord.com
Address: 162.159.136.232
Name:	discord.com
Address: 162.159.128.233
Name:	discord.com
Address: 162.159.135.232
daquezada@mac01 ~ $nslookup discord.com
Server:		10.0.100.21
Address:	10.0.100.21#53

Non-authoritative answer:
Name:	discord.com
Address: 162.159.135.232
Name:	discord.com
Address: 162.159.128.233
Name:	discord.com
Address: 162.159.136.232
Name:	discord.com
Address: 162.159.138.232
Name:	discord.com
Address: 162.159.137.232

You haven't disclosed that yet for the nslookups above, but assuming that they did not register with Pi-hole, that would be a strong indication that your router may forcefully redirect DNS requests from one of your subnets to a DNS resolver of its own choice.

You should check your router's firewall configuration in that regard.

@jfb and @Bucking_Horn ,

I am happy to report that I have fixed the issue.

I resolved it by disabling Content Filtering on UniFi network:

piadmin@pihole01:~$ sudo grep discord.com /var/log/pihole/pihole.log
Aug 10 08:19:46 dnsmasq[325]: query[A] discord.com from 10.0.100.6
Aug 10 08:19:46 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:19:46 dnsmasq[325]: query[AAAA] discord.com from 10.0.100.6
Aug 10 08:19:46 dnsmasq[325]: regex blacklisted discord.com is ::
Aug 10 08:24:34 dnsmasq[325]: query[A] discord.com from 10.0.100.13
Aug 10 08:24:34 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:25:53 dnsmasq[325]: query[A] discord.com from 10.0.107.17
Aug 10 08:25:53 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:27:44 dnsmasq[325]: query[A] discord.com from 10.0.1.13
Aug 10 08:27:44 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:30:18 dnsmasq[325]: query[A] discord.com from 10.0.1.13
Aug 10 08:30:18 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:47:48 dnsmasq[325]: query[A] discord.com from 10.0.1.13
Aug 10 08:47:48 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:48:53 dnsmasq[325]: query[A] discord.com from 10.0.1.13
Aug 10 08:48:53 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:50:02 dnsmasq[325]: query[A] discord.com from 10.0.100.13
Aug 10 08:50:02 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:50:49 dnsmasq[325]: query[A] discord.com from 10.0.107.17
Aug 10 08:50:49 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 09:26:33 dnsmasq[325]: query[A] discord.com from 10.0.105.7
Aug 10 09:26:33 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 09:27:07 dnsmasq[325]: query[A] discord.com from 10.0.105.7
Aug 10 09:27:07 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 09:27:07 dnsmasq[325]: query[HTTPS] discord.com from 10.0.105.7
Aug 10 09:27:07 dnsmasq[325]: regex blacklisted discord.com is NODATA
piadmin@pihole01:~$
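
The check this thread converged on, as an added example that is not part of the original posts: after running one test lookup from every VLAN, parse pihole.log and report which VLANs never reached Pi-hole, which points at something in the path answering DNS on Pi-hole's behalf. The function names and sample log lines are constructed for illustration; the VLAN ranges and log format are the ones shown in the thread.

```python
import ipaddress
import re

# VLAN ranges exactly as listed in the thread.
VLANS = {
    "Default": "10.0.1.0/27",
    "MGMT": "10.0.100.0/27",
    "Standard": "10.0.105.0/27",
    "IoT": "10.0.107.0/27",
}

# dnsmasq query line as it appears in /var/log/pihole/pihole.log
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[[^\]]+\] (\S+) from (\S+)\s*$")

def vlans_seen(log_lines, domain, vlans=VLANS):
    """Map VLAN name -> set of client IPs that queried `domain` in the log."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vlans.items()}
    seen = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group(1).lower().rstrip(".") != domain.lower():
            continue
        try:
            client = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # client field is not an IP literal; ignore the line
        for name, net in nets.items():
            if client in net:
                seen.setdefault(name, set()).add(str(client))
    return seen

def silent_vlans(log_lines, domain, tested, vlans=VLANS):
    """VLANs where a test lookup was run but no query reached this Pi-hole."""
    seen = vlans_seen(log_lines, domain, vlans)
    return sorted(name for name in tested if name not in seen)

# Constructed sample: a lookup was run from every VLAN, none logged from 10.0.105.0/27.
SAMPLE_BEFORE = """\
Aug 10 08:19:46 dnsmasq[325]: query[A] discord.com from 10.0.100.6
Aug 10 08:19:46 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:25:53 dnsmasq[325]: query[A] discord.com from 10.0.107.17
Aug 10 08:25:53 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
Aug 10 08:27:44 dnsmasq[325]: query[A] discord.com from 10.0.1.13
Aug 10 08:27:44 dnsmasq[325]: regex blacklisted discord.com is 0.0.0.0
""".splitlines()
SAMPLE_AFTER = SAMPLE_BEFORE + [
    "Aug 10 09:26:33 dnsmasq[325]: query[A] discord.com from 10.0.105.7",
]
print(silent_vlans(SAMPLE_BEFORE, "discord.com", VLANS))
```

With keepalived in use, run it against the log on each Pi-hole node, since the virtual IP is answered by whichever node currently holds it.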
