Pihole Receiving Queries But Not Blocking Anything

Hello,

I have been using Pi-Hole for many years now, and I have a decent experience working with it.

Today I found some additional Regex Filters on the web that I figured I might as well add to my configuration to improve its already fantastic blocking abilities. After doing so, my Pi-Hole simply stopped blocking anything whatsoever. Ever since, I've watched my block percentage go down very steadily.

I can confirm that, without a doubt, it is being distributed as the only DNS server on my network. I'm using a Juniper switch to do so, which is configured via CLI, if you'd like proof of that. But I didn't touch the DHCP config, and it worked just fine before touching the filters on the server.

For the queries that don't get blocked, I have an Unbound server hosted on the same device on port 5353 that Pi-Hole is configured to forward requests onto. I also have Conditional Forwarding enabled to forward internal domain queries to my Active Directory server for name resolution.

I have tried rebooting the device by powering it down, waiting 30 seconds and plugging it back in. I've tried running pihole -r on the host device and performing a repair, with no changes.

This is a network wide issue. Not only is it with my client machine, but all other devices on the network as well. Any and all help is greatly appreciated.

Expected Behavior:

Block inbound queries that match the block lists that I have configured along with the Regex filters, as one would expect. Then the queries that need to be permitted continue on to my locally hosted Unbound server for resolution.

Actual Behavior:

I'm seeing many queries hit the device, many of which should be blocked, but they are never blocked. Even when I manually add a domain to the block list statically that I find in the query log, it doesn't get blocked.

Debug Token:

https://tricorder.pi-hole.net/qM5iAvYt/

I often see the output of the echo ">stats >quit" | nc localhost 4711 command requested on here, so here it is:

domains_being_blocked 813971
dns_queries_today 50904
ads_blocked_today 2840
ads_percentage_today 5.579129
unique_domains 5364
queries_forwarded 24120
queries_cached 23674
clients_ever_seen 22
unique_clients 22
dns_queries_all_types 50904
reply_UNKNOWN 785
reply_NODATA 6349
reply_NXDOMAIN 10627
reply_CNAME 16669
reply_IP 10801
reply_DOMAIN 4670
reply_RRNAME 24
reply_SERVFAIL 731
reply_REFUSED 0
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 0
reply_NONE 0
reply_BLOB 248
dns_queries_all_replies 50904
privacy_level 0
status enabled

You have a whitelist regex entry which is

^(.*?)(?:(snort.org)(.*))?$

This regex is malformed and actually matches any domain which means that all domains are now whitelisted, and whitelists always take priority over blocklists or blacklisted domains.

Remove that entry and try again – does that fix it?


Oh my God, I am such an IDIOT. Thank you so much for your quick reply.

That was in my list but was disabled, and when I was going through the filters, I noticed that one was disabled, but thought it must've been by mistake, since I want to have snort.org and its subdomains whitelisted. No wonder it was disabled!

I have since deleted that entry, and it worked straight away. Thank you so much!

No problem! There are some other regexes on there which aren't really doing what they look to have been intended to do. Eg something like

*.abc.example.com

is intended to match wildcard subdomains, but the * and . have special meanings which make it work differently to how it might seem. The safest way to do it, and the way to whitelist snort.org and its subdomains, is to go to Domains > Domain > [x] Add domain as wildcard and enter snort.org and Add to Whitelist. That will add a regex whitelist entry for

(\.|^)snort\.org$

and that will match the domain plus any subdomains too.

Be wary of importing regexes, they're really best used one at a time to fix specific concerns for your own setup, eg to blacklist something that slipped through the lists or as you're doing with snort there.

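The two replies above make the same point from different angles: the imported whitelist regex `^(.*?)(?:(snort.org)(.*))?$` matches every domain because the whole `snort.org` part is optional, the unescaped `.` matches any character, and a leading `*` is a quantifier rather than a glob wildcard, whereas Pi-hole's generated wildcard form `(\.|^)snort\.org$` matches only the domain and its subdomains. The following script is an added illustration, not code from the thread or from the Pi-hole project: it runs the three patterns from the thread over a constructed list of domains with Python's `re` module as a stand-in for Pi-hole's own matcher (Pi-hole FTL uses a POSIX extended regex engine, so edge cases can differ, but the snort.org patterns behave the same for the domains shown here).

```python
import re

# Constructed sample domains; these are not taken from the thread's query log.
# The last two are deliberately chosen to expose over-broad patterns.
SAMPLE_DOMAINS = [
    "snort.org",
    "www.snort.org",
    "rules.snort.org",
    "ads.tracker.example",
    "snort.org.evil.example",  # snort.org appears as a prefix, not as the registered domain
    "notsnort.org",            # snort.org appears as a suffix of a different label
    "snortXorg",               # an unescaped '.' would match the 'X'
]

# Patterns exactly as they appear in the thread.
MALFORMED_WHITELIST = r"^(.*?)(?:(snort.org)(.*))?$"  # the imported entry that whitelisted everything
PIHOLE_WILDCARD = r"(\.|^)snort\.org$"                # what "Add domain as wildcard" generates
GLOB_STYLE = r"*.abc.example.com"                     # a glob, not a regex
UNANCHORED = r"snort.org"                             # a plausible hand-typed entry: dot unescaped, no anchors


def matching_domains(pattern, domains):
    """Return the domains that the regex matches anywhere (unanchored search, like regexec)."""
    rx = re.compile(pattern)
    return [d for d in domains if rx.search(d)]


def matches_everything(pattern, domains):
    """True when a (whitelist) regex matches every domain in the list, i.e. it disables blocking."""
    return len(matching_domains(pattern, domains)) == len(domains)


def compiles(pattern):
    """True when Python's engine accepts the pattern; a leading '*' is rejected as 'nothing to repeat'."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print("malformed whitelist matches all domains:", matches_everything(MALFORMED_WHITELIST, SAMPLE_DOMAINS))
    print("Pi-hole wildcard matches:", matching_domains(PIHOLE_WILDCARD, SAMPLE_DOMAINS))
    print("unanchored 'snort.org' matches:", matching_domains(UNANCHORED, SAMPLE_DOMAINS))
    print("glob-style pattern compiles as a regex:", compiles(GLOB_STYLE))
```

A quick check like this before importing a regex list would have shown the problem immediately: any whitelist pattern that matches an obviously unrelated domain such as `ads.tracker.example` will switch off blocking for the whole network, because whitelist matches win over every blocklist.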

Thank you so much for the advice. In all honesty, I am fully aware of what a wildcard domain is, and what they are used for, as I deal with that at work all the time. Not sure what I was thinking when I configured snort.org like I did lol.

I have taken your advice, and I've added snort.org as a Wildcard domain. Thank you so much once again!


You're very welcome, thanks.
