Pi-hole somehow blocking Foundry VTT

Expected Behaviour:

Foundry VTT should be able to access any GitHub website without issue.
Docker container
* Docker Tag [2025.04.0]
* Core [v6.0.6]
* FTL [v6.1]
* Web interface [v6.1]
Host: TrueNAS

Actual Behaviour:

Somehow my Pi-hole is blocking some, but not all, of the GitHub content that my Foundry VTT needs.
I tried disabling blocking; no change.
I tried turning off Pi-hole entirely (disabling the stack); that worked.
I see no DENY in the logs; the only thing of significance is AAAA being NODATA, but surely that's not the reason, right?
Any thoughts?

A bit more information: Foundry VTT is an RP platform. I was trying to update/install modules and systems, but the Foundry VTT installation returned errors.
I did a clean install of everything on Foundry VTT and it still happened. I asked the Foundry folks, and apparently turning off Pi-hole helped, but I have no idea why, since the records were green.

Foundry VTT modules are hosted on GitHub; the interesting part is that some work, and most don't.

Debug Token:

(https://tricorder.pi-hole.net/eYY0ecEy/)

The debug log shows the following warning:

*** [ DIAGNOSING ]: Pi-hole diagnosis messages
   count   last timestamp       type                  message                                                       blob1                 blob2                 blob3                 blob4                 blob5               
   ------  -------------------  --------------------  ------------------------------------------------------------  --------------------  --------------------  --------------------  --------------------  --------------------
   1       2025-04-29 19:15:38  DNSMASQ_WARN          no upstream servers configured        
   -----tail of pihole.log------
   Apr 29 19:23:44 dnsmasq[52]: query[A] pi.hole from 127.0.0.1
   Apr 29 19:23:44 dnsmasq[52]: Pi-hole hostname pi.hole is 127.0.0.1
   Apr 29 19:24:03 dnsmasq[52]: query[A] discourse.pi-hole.net from 192.168.0.80
   Apr 29 19:24:03 dnsmasq[52]: config error is REFUSED (EDE: not ready)
   Apr 29 19:24:03 dnsmasq[52]: query[AAAA] discourse.pi-hole.net from 192.168.0.80
   Apr 29 19:24:03 dnsmasq[52]: config error is REFUSED (EDE: not ready)
   Apr 29 19:24:08 dnsmasq[52]: query[A] ns1.pi-hole.net from 172.23.0.1
   Apr 29 19:24:08 dnsmasq[52]: config error is REFUSED (EDE: not ready)
   Apr 29 19:24:11 dnsmasq[52]: query[A] ns1.pi-hole.net from 172.23.0.1
   Apr 29 19:24:11 dnsmasq[52]: config error is REFUSED (EDE: not ready)
-rwxrwxrwx 1 pihole pihole 55K Apr 29 19:15 /etc/pihole/pihole.toml
   [dns]
     upstreams = []

Doesn't appear you have set up Pi-hole to have the ability to query upstreams for DNS responses.

Sorry about that; I was messing with settings and had them turned off.
Here's a log with Google 1+2 and Quad9 IPv4 1+2 turned on.
https://tricorder.pi-hole.net/kTAPrwoP/
I provoked the error in question right before I generated the log.

I see some blocking being done by the upstream server:

   Apr 29 23:18:56 dnsmasq[52]: query[A] www.censuchier.pro from 127.0.0.1
   Apr 29 23:18:56 dnsmasq[52]: forwarded www.censuchier.pro to 149.112.112.112
   Apr 29 23:18:56 dnsmasq[52]: reply www.censuchier.pro is blocked due to upstream response (header)
   Apr 29 23:18:56 dnsmasq[52]: blocked upstream with NXDOMAIN + no RA www.censuchier.pro is 0.0.0.0
   Apr 29 23:18:56 dnsmasq[52]: query[A] www.censuchier.pro from 172.23.0.7
   Apr 29 23:18:56 dnsmasq[52]: forwarded www.censuchier.pro to 149.112.112.112
   Apr 29 23:18:56 dnsmasq[52]: reply www.censuchier.pro is blocked due to upstream response (header)
   Apr 29 23:18:56 dnsmasq[52]: blocked upstream with NXDOMAIN + no RA www.censuchier.pro is 0.0.0.0
   Apr 29 23:18:56 dnsmasq[52]: query[AAAA] entrehilosypotingues.com from ::1
   Apr 29 23:18:56 dnsmasq[52]: forwarded entrehilosypotingues.com to 149.112.112.112
   Apr 29 23:18:56 dnsmasq[52]: reply entrehilosypotingues.com is blocked due to upstream response (header)
   Apr 29 23:18:56 dnsmasq[52]: blocked upstream with NXDOMAIN + no RA entrehilosypotingues.com is ::

Do the queries for the Foundry domains resolve correctly if you remove all the upstreams except for one like 8.8.8.8? That upstream at 149.112.112.112 appears to be opinionated and blocking domains on its own.
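Added example (not part of this thread, and not Pi-hole project code): a small Python triage of pihole.log lines in the format quoted above. It separates the three outcomes that matter here: REFUSED from Pi-hole itself (no usable upstream), "blocked upstream" (the upstream resolver answered NXDOMAIN without the RA bit, which FTL treats as a block), and gravity blocks, and it labels an AAAA NODATA as a normal "no IPv6 address" answer rather than a block. The sample lines are constructed for the demo; the github.com and ads.example.net lines are made up and only the format follows the thread's excerpts.

```python
import re

# Constructed sample pihole.log excerpt in the dnsmasq/pihole-FTL line format quoted
# in this thread. The github.com and ads.example.net lines are made up for the demo.
SAMPLE_LOG = """\
Apr 29 19:24:03 dnsmasq[52]: query[A] discourse.pi-hole.net from 192.168.0.80
Apr 29 19:24:03 dnsmasq[52]: config error is REFUSED (EDE: not ready)
Apr 29 23:18:56 dnsmasq[52]: query[A] www.censuchier.pro from 172.23.0.7
Apr 29 23:18:56 dnsmasq[52]: forwarded www.censuchier.pro to 149.112.112.112
Apr 29 23:18:56 dnsmasq[52]: reply www.censuchier.pro is blocked due to upstream response (header)
Apr 29 23:18:56 dnsmasq[52]: blocked upstream with NXDOMAIN + no RA www.censuchier.pro is 0.0.0.0
Apr 29 23:19:01 dnsmasq[52]: query[A] github.com from 172.23.0.7
Apr 29 23:19:01 dnsmasq[52]: forwarded github.com to 8.8.8.8
Apr 29 23:19:01 dnsmasq[52]: reply github.com is 140.82.121.4
Apr 29 23:19:02 dnsmasq[52]: query[AAAA] github.com from 172.23.0.7
Apr 29 23:19:02 dnsmasq[52]: forwarded github.com to 8.8.8.8
Apr 29 23:19:02 dnsmasq[52]: reply github.com is NODATA-IPv6
Apr 29 23:19:05 dnsmasq[52]: query[A] ads.example.net from 172.23.0.7
Apr 29 23:19:05 dnsmasq[52]: gravity blocked ads.example.net is 0.0.0.0
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
UPSTREAM_BLOCK = re.compile(r"blocked upstream with (?P<how>.+) (?P<name>\S+) is (?P<answer>\S+)$")
GRAVITY_BLOCK = re.compile(r"gravity blocked (?P<name>\S+) is (?P<answer>\S+)")
REPLY = re.compile(r"reply (?P<name>\S+) is (?P<answer>.+)")
REFUSED = re.compile(r"config error is REFUSED")


def triage(log_text):
    """Turn pihole.log lines into one record per query with its final status."""
    records = []

    def latest(name=None):
        # dnsmasq logs answer lines after the query line, so the most recent
        # record for that name is the one they belong to.
        for rec in reversed(records):
            if name is None or rec["name"] == name:
                return rec
        return None

    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        q = QUERY.match(msg)
        if q:
            records.append({"time": m.group("ts"), "qtype": q["qtype"], "name": q["name"],
                            "client": q["client"], "upstream": None,
                            "status": "pending", "answer": None})
            continue
        if REFUSED.match(msg):
            # No domain on this line: FTL had no usable upstream (upstreams = [] or not ready).
            rec = latest()
            if rec:
                rec["status"] = "refused by Pi-hole (no upstream / not ready)"
            continue
        f = FORWARD.match(msg)
        if f:
            rec = latest(f["name"])
            if rec:
                rec["upstream"] = f["upstream"]
            continue
        ub = UPSTREAM_BLOCK.match(msg)
        if ub:
            rec = latest(ub["name"])
            if rec:
                rec["status"] = "blocked by upstream (%s)" % ub["how"]
                rec["answer"] = ub["answer"]
            continue
        gb = GRAVITY_BLOCK.match(msg)
        if gb:
            rec = latest(gb["name"])
            if rec:
                rec["status"] = "blocked by gravity"
                rec["answer"] = gb["answer"]
            continue
        r = REPLY.match(msg)
        if r:
            if "blocked due to upstream response" in r["answer"]:
                continue  # the following 'blocked upstream ...' line carries the detail
            rec = latest(r["name"])
            if rec:
                rec["answer"] = r["answer"]
                # NODATA on an AAAA query only means the name has no IPv6 address; not a block.
                rec["status"] = "nodata" if r["answer"].startswith("NODATA") else "resolved"
    return records


def problem_queries(records):
    """Everything that did not end in a normal answer: what to look at first."""
    return [r for r in records if r["status"] not in ("resolved", "nodata")]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%-5s %-25s %-16s via %-16s %s" % (r["qtype"], r["name"], r["client"],
                                                 r["upstream"] or "-", r["status"]))
```

Run it against a real `/var/log/pihole/pihole.log` by replacing `SAMPLE_LOG` with the file contents; `problem_queries` then lists exactly the names to test with dig, and which upstream answered them.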

Changed it to only 8.8.8.8.
No change.
https://tricorder.pi-hole.net/bwiXxo2y/

I don't see any domains being queried in the log provided except for the two domains used in the debug log check. You'll need to provide actual domains that are not working and dig output for those domains.

I can't be sure what exactly Foundry tries to do, so here's a guess.

I'm testing using

If I'm right, it should be trying to reach
https://github.com/JPMeehan/talent-psionics/releases/download/2.0.2/module.json
Without the Pi-hole container it can reach this perfectly fine.

Here's a dig output from Pi-hole.
; <<>> DiG 9.18.35 <<>> https://github.com/JPMeehan/talent-psionics/releases/download/2.0.2/module.json
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14786
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;https://github.com/JPMeehan/talent-psionics/releases/download/2.0.2/module.json. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025043000 1800 900 604800 86400

;; Query time: 4027 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Wed Apr 30 17:07:18 CEST 2025
;; MSG SIZE rcvd: 183

DNS only knows domain names, that's the github.com part. Anything else is invalid information.

https is the protocol, not part of DNS.
github.com is the domain and what Pi-hole resolves.
/JPMeehan/... those are URL paths and not part of DNS.

So a dig to test would be dig github.com, and I'm guessing that will resolve correctly.

I don't think Pi-hole is involved, or the cause of, any problems with Foundry.
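Added example (not part of this thread): the point of the previous post in code. Given a URL, only the host part is ever handed to DNS, and the whole URL is not even a legal hostname (its first label contains `:` and `/`), which is why digging the literal URL above produced NXDOMAIN from the root zone. The helpers below extract the host, check RFC 1123 label syntax, and build the dig commands to run against the Pi-hole for each host a client touches. `MODULE_URL` is the URL from this thread; the objects.githubusercontent.com URL is assumed from the redirect mentioned later in the thread, and the 127.0.0.1 server address is an assumption.

```python
import re
from urllib.parse import urlsplit

# RFC 1123 host label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# The URL from this thread.
MODULE_URL = "https://github.com/JPMeehan/talent-psionics/releases/download/2.0.2/module.json"


def is_valid_hostname(name):
    """True if `name` is something a resolver could actually look up."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def dns_name_from_url(url):
    """The only part of a URL DNS ever sees: the host (scheme, port, path, query dropped)."""
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return host


def hosts_to_check(urls):
    """Unique hosts, in first-seen order, for the URLs a client fetches (including redirects)."""
    seen = []
    for url in urls:
        host = dns_name_from_url(url)
        if host not in seen:
            seen.append(host)
    return seen


def dig_commands(urls, server="127.0.0.1"):
    """dig invocations against the Pi-hole (assumed at `server`) for each host, A and AAAA."""
    cmds = []
    for host in hosts_to_check(urls):
        for rrtype in ("A", "AAAA"):
            cmds.append("dig @%s %s %s +short" % (server, host, rrtype))
    return cmds


if __name__ == "__main__":
    print(is_valid_hostname(MODULE_URL))   # False: 'https://github' is not a valid label
    print(dns_name_from_url(MODULE_URL))   # github.com
    # objects.githubusercontent.com is assumed here as the redirect target for release assets.
    for cmd in dig_commands([MODULE_URL, "https://objects.githubusercontent.com/"]):
        print(cmd)
```

An AAAA answer of NODATA from these commands is expected for a host without IPv6 records; the A answer is the one that has to come back with an address.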

That begs the question: why does it work fine if I shut down Pi-hole?

I need to know what you define as working and not working. Everything I've seen so far shows Pi-hole is resolving domain names to IP addresses without any issue. Can you provide dig output that shows everything 'working fine' when Pi-hole is off? I can't see how another DNS server could resolve https://github.com/JPMeehan/talent-psionics/releases/download/2.0.2/module.json since that isn't a domain name.

It's hard to troubleshoot vagueness.

I got some Wireshark information. I'm no expert at Wireshark, but I filtered it for host github.com and did the action that causes errors. I don't see any personal information in there other than local IPs, so I'm just going to dump it here.
foundryerror.json (227.6 KB)

And here's what happens if I disable the Pi-hole container.
foundrypioff.json (268.4 KB)

EDIT: those logs are incomplete, missing host objects.githubusercontent.com.
I can't directly upload those here, so a random share website it is!

I hope that helps with the vagueness. I cannot do a dig since I cannot directly replicate what Foundry does, but hopefully that Wireshark log will tell you everything that happened from a network perspective.

Limewire shows an invalid file.

I cannot import the two JSON files into Wireshark.

Uploaded them to Mega instead.

From the error json:

         "ip.frag_offset": "0",
          "ip.ttl": "63",
          "ip.proto": "6",
          "ip.checksum": "0x756a",
          "ip.checksum.status": "2",
          "ip.src": "192.168.0.103",
          "ip.addr": "192.168.0.103",
          "ip.src_host": "192.168.0.103",
          "ip.host": "192.168.0.103",
          "ip.dst": "140.82.121.4",
          "ip.addr": "140.82.121.4",
          "ip.dst_host": "140.82.121.4",
          "ip.host": "140.82.121.4",
          "ip.stream": "0"
        },
        "tcp": {
          "tcp.srcport": "37688",
          "tcp.dstport": "443",
          "tcp.port": "37688",
          "tcp.port": "443",
          "tcp.stream": "0",
          "tcp.completeness": "63",
          "tcp.completeness_tree": {
            "tcp.completeness.rst": "1",
            "tcp.completeness.fin": "1",
            "tcp.completeness.data": "1",
            "tcp.completeness.ack": "1",
            "tcp.completeness.syn-ack": "1",
            "tcp.completeness.syn": "1",
            "tcp.completeness.str": "RFDASS"
          },

ip.dst is a github IP address, so Pi-hole properly resolved to GitHub.

I need the pcap or a file I can import in to Wireshark.

Looks like the problem is on the remote end.

github.com is successfully resolved and connected to. (Client Hello SNI)
You're redirected to objects.githubusercontent.com and that domain name is resolved correctly. SNI passes.

You'll need to ask Foundry what is going on. Send them these caps. All Pi-hole does is resolve github.com and objects.githubusercontent.com to IP addresses and that is working and the SNI passes so you are not being intercepted to a non GitHub server.
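Added example (not part of this thread): the check the previous post did by eye, done over a `tshark -T json` export like the one pasted above. For each TCP stream it records the peer address and port, the SNI from the ClientHello, and the last `tcp.completeness.str` value (S/S = SYN and SYN-ACK, A = ACK, D = data, F = FIN, R = RST), so you can see at a glance which hosts were contacted, whether the TLS handshake named the expected server, and whether the connection carried data before it was closed or reset. The sample is constructed to mirror the field names in the pasted fragment; the addresses, ports and stream contents are made up (203.0.113.0/24 is a documentation range), and the nesting of the `tls` fields is an approximation of tshark's output, which is why the lookups walk the tree by key name instead of by fixed path.

```python
import json

# Constructed sample in the shape of `tshark -r capture.pcap -T json` output, trimmed to the
# fields used here. Addresses, ports and stream contents are made up for this demo; the
# nesting under "tls" is approximate, hence the recursive key lookup below.
SAMPLE_TSHARK_JSON = json.dumps([
    {"_source": {"layers": {
        "ip": {"ip.src": "192.168.0.103", "ip.dst": "140.82.121.4"},
        "tcp": {"tcp.srcport": "37688", "tcp.dstport": "443", "tcp.stream": "0",
                "tcp.completeness_tree": {"tcp.completeness.str": "S"}}}}},
    {"_source": {"layers": {
        "ip": {"ip.src": "192.168.0.103", "ip.dst": "140.82.121.4"},
        "tcp": {"tcp.srcport": "37688", "tcp.dstport": "443", "tcp.stream": "0",
                "tcp.completeness_tree": {"tcp.completeness.str": "DASS"}},
        "tls": {"tls.record": {"tls.handshake": {"tls.handshake.type": "1",
                "Extension: server_name": {
                    "tls.handshake.extensions_server_name": "github.com"}}}}}}},
    {"_source": {"layers": {
        "ip": {"ip.src": "192.168.0.103", "ip.dst": "140.82.121.4"},
        "tcp": {"tcp.srcport": "37688", "tcp.dstport": "443", "tcp.stream": "0",
                "tcp.completeness_tree": {"tcp.completeness.str": "RFDASS"}}}}},
    {"_source": {"layers": {
        "ip": {"ip.src": "192.168.0.103", "ip.dst": "203.0.113.7"},
        "tcp": {"tcp.srcport": "37690", "tcp.dstport": "443", "tcp.stream": "1",
                "tcp.completeness_tree": {"tcp.completeness.str": "DASS"}},
        "tls": {"tls.record": {"tls.handshake": {"tls.handshake.type": "1",
                "Extension: server_name": {
                    "tls.handshake.extensions_server_name": "objects.githubusercontent.com"}}}}}}},
])


def find_key(obj, key):
    """First value for `key` anywhere in a nested dict/list (tshark nests fields deeply)."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for v in obj.values():
            hit = find_key(v, key)
            if hit is not None:
                return hit
    elif isinstance(obj, list):
        for v in obj:
            hit = find_key(v, key)
            if hit is not None:
                return hit
    return None


def summarize_streams(json_text):
    """One entry per TCP stream: peer, port, SNI from the ClientHello, final completeness."""
    streams = {}
    for pkt in json.loads(json_text):
        layers = pkt.get("_source", {}).get("layers", {})
        tcp = layers.get("tcp")
        if not tcp:
            continue
        sid = tcp["tcp.stream"]
        s = streams.setdefault(sid, {"dst": layers["ip"]["ip.dst"], "port": tcp["tcp.dstport"],
                                     "sni": None, "completeness": ""})
        sni = find_key(layers.get("tls", {}), "tls.handshake.extensions_server_name")
        if sni:
            s["sni"] = sni
        # tshark reports completeness per packet as the stream progresses; keep the last value.
        c = find_key(tcp, "tcp.completeness.str")
        if c:
            s["completeness"] = c
    return streams


def verdict(stream):
    """Read the completeness letters: S/S=SYN,SYN-ACK A=ACK D=data F=FIN R=RST."""
    c = stream["completeness"]
    if "D" not in c:
        return "no data exchanged: handshake never completed or nothing was sent"
    if "R" in c:
        return "data exchanged, then RST seen: check which side sent it and what preceded it"
    if "F" in c:
        return "clean: data exchanged and closed with FIN"
    return "data exchanged, connection still open at end of capture"


if __name__ == "__main__":
    for sid, s in summarize_streams(SAMPLE_TSHARK_JSON).items():
        print(sid, s["dst"], s["port"], s["sni"], s["completeness"], "->", verdict(s))
```

Two caveats when feeding it a real export: tshark's JSON repeats keys such as `ip.addr` inside one object (Python's `json` keeps the last one, which is why the code reads `ip.dst` instead), and the SNI only tells you which name the client asked for; whether the certificate the server presented matched it is a separate check on the Certificate/ServerHello records.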

Alright, I'll give it another go and link this.


The only thing that comes to mind is the possibility of geoblocking. But using a remote upstream like 8.8.8.8 would make that really hard to do.
