Pihole stopped blocking domains, plenty of requests

Expected Behaviour:

Pihole is blocking ads clearly in the blacklist database and/or rules.

Actual Behaviour:

Pihole is not blocking ads but has plenty of requests. Log shows status: Unknown(0) but used to show status: Blocked (gravity) on request clearly in the blacklist database. This happened after a day of normal use.

Debug Token:

https://tricorder.pi-hole.net/je5floguyo

I have tried repairing, rebooting and restarting DNS.

The Pihole is running on an Oracle cloud server (Ubuntu 20.04) and is accessed through a Wireguard tunnel. Worked perfectly until now. Nothing else is running on the server besides Wireguard and Pihole.

Thanks,
Søren

-rw-r--r-- 1 pihole pihole 2551224 Oct 30 13:57 /var/log/pihole.log
   -----head of pihole.log------
   Oct 30 00:00:01 dnsmasq[3538]: query[A] web.facebook.com from 10.66.66.2
   Oct 30 00:00:01 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:00:01 dnsmasq[3538]: query[A] web.facebook.com from 10.66.66.2
   Oct 30 00:00:01 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:00:13 dnsmasq[3538]: query[A] p2pal.myp2pcam.com from 10.66.66.2
   Oct 30 00:00:13 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:00:24 dnsmasq[3538]: query[A] www.privateinternetaccess.com from 10.66.66.2
   Oct 30 00:00:24 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:00:24 dnsmasq[3538]: query[A] serverlist.piaservers.net from 10.66.66.2
   Oct 30 00:00:24 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:00:27 dnsmasq[3538]: query[A] piaproxy.net from 10.66.66.2
   Oct 30 00:00:27 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:01:01 dnsmasq[3538]: query[A] web.facebook.com from 10.66.66.2
   Oct 30 00:01:01 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:01:01 dnsmasq[3538]: query[A] web.facebook.com from 10.66.66.2
   Oct 30 00:01:01 dnsmasq[3538]: config error is REFUSED
   Oct 30 00:01:31 dnsmasq[3538]: query[A] ssl.google-analytics.com from 10.66.66.2
   Oct 30 00:01:31 dnsmasq[3538]: gravity blocked ssl.google-analytics.com is 0.0.0.0
   Oct 30 00:01:33 dnsmasq[3538]: query[A] graph.facebook.com from 10.66.66.2
   Oct 30 00:01:33 dnsmasq[3538]: config error is REFUSED
server=10.66.66.1

Does that upstream work? Does the problem exist without the additional 66 blocklists added?

The upstream server (my router) used to work but I suspect that changes on the router may have crashed something.

I changed the upstream servers to OpenDNS, Google and Cloudflare in the Pihole GUI. Now everything goes through as e.g.:

2020-10-31 08:49:11 A secure.adnxs.com 10.66.66.2 OK (forwarded) CNAME (1.2ms)

And adnxs.com should be on the blacklist.

Have tested all the blocklists (50 active - 64 in total) and they all respond. The lists are either in this format: "0.0.0.0 cinektyper.blogspot.com" or "127.0.0.1 aintdoinshit.com" or in a format without preceding IP.

I have these two RegEx's on the Whitelist (local addresses - tested to work on other software):

(192)\.(168)\.(1|2|3)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])
(10)\.(0|66)\.(0|66)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])

Disabling those two does not appear to change anything for the better.

What does the "config error is REFUSED" mean?

Thanks,

Pretty much what it says: A network connection was refused by an upstream server (or no such server was supplied at all).

Check your group management.
Pi-hole is behaving exactly as you've configured it: Your 10.66.66.2 is assigned to your group 2 (labeled by you as Router), while all your blocklists belong to the Default group exclusively.

I doubt uBlockOrigin/uAssets/master/filters/ are in hosts format (a peek into one of them has shown it isn't). uBO is a browser extension filtering at URL level, so those definitions won't work with Pi-hole.
Your debug log shows those entries are disabled at the moment, but you may as well remove them completely.

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
  id    type  enabled  group_ids  domain                                                                   
  ----  ----  -------  ---------  -----------------------------------------------------------------------
  199     2         1  0          (192)\.(168)\.(1|2|3)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])
  200     2         1  0          (10)\.(0|6)\.(0)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])

Those attempts at matching some private IPv4 address ranges won't do anything, as IP addresses are not queried for in DNS.

Also, you may want to reverify your blocking strategy.
Your current approach of applying some 60+ blocklists seems to force you to define over 200 whitelist regex expressions in return.

A third-party utility like yubiuser's adlist tool could provide some insights into your actual blocklist utilisation and help you decide which blocklists to keep.
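
The group mismatch described in the reply above, shown as an added example that is not part of the original thread and is not Pi-hole's own code: it lists clients whose groups carry no enabled blocklist. The reduced schema is an assumption modeled on Pi-hole v5's gravity.db, and the rows and `lists.example` URLs are constructed.

```python
import sqlite3

# Reduced schema modeled on Pi-hole v5's gravity.db (assumption: table and
# column names as understood here; check them against your own database).
SCHEMA = """
CREATE TABLE "group" (id INTEGER PRIMARY KEY, enabled INTEGER, name TEXT);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT);
CREATE TABLE adlist (id INTEGER PRIMARY KEY, address TEXT, enabled INTEGER);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
CREATE TABLE adlist_by_group (adlist_id INTEGER, group_id INTEGER);
"""

# Per configured client: enabled adlists reachable through an enabled group.
QUERY = """
SELECT c.ip, COUNT(DISTINCT a.id)
FROM client c
LEFT JOIN client_by_group cg ON cg.client_id = c.id
LEFT JOIN "group" g ON g.id = cg.group_id AND g.enabled = 1
LEFT JOIN adlist_by_group ag ON ag.group_id = g.id
LEFT JOIN adlist a ON a.id = ag.adlist_id AND a.enabled = 1
GROUP BY c.id, c.ip ORDER BY c.ip
"""

def effective_adlists(conn):
    """Map each configured client IP to its number of effective adlists."""
    return dict(conn.execute(QUERY).fetchall())

def unprotected_clients(conn):
    """Clients for which no blocklist applies, so nothing is gravity-blocked."""
    return sorted(ip for ip, n in effective_adlists(conn).items() if n == 0)

def build_sample(client_groups):
    """Constructed data: group 0 = Default, group 2 = 'Router' as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO "group" VALUES (?, ?, ?)',
                     [(0, 1, "Default"), (2, 1, "Router")])
    conn.executemany("INSERT INTO adlist VALUES (?, ?, ?)",
                     [(1, "https://lists.example/a.txt", 1),
                      (2, "https://lists.example/b.txt", 1)])
    # Both adlists belong to the Default group only, as in the debug log.
    conn.executemany("INSERT INTO adlist_by_group VALUES (?, ?)", [(1, 0), (2, 0)])
    conn.execute("INSERT INTO client VALUES (1, '10.66.66.2')")
    conn.executemany("INSERT INTO client_by_group VALUES (1, ?)",
                     [(g,) for g in client_groups])
    return conn

if __name__ == "__main__":
    print(unprotected_clients(build_sample([2])))      # client in 'Router' only
    print(unprotected_clients(build_sample([0, 2])))   # Default added back
```

The query only covers clients that have an entry in the client table.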

Some of your lists are not in the correct format (HOSTS) for Pi-hole and will cause a lot of problems, primarily with false positives. Remove these lists:

  [i] Target: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
  [✓] Status: Retrieval successful
  [i] Received 222157 domains

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/annoyances.txt
  [✓] Status: Retrieval successful
  [i] Received 1985 domains, 206 domains invalid!
      Sample of invalid domains:
      - linkurl.org,planetatvonlinehd.com
      - @@||vanar.io^$ghide
      - @@||s0urce.io^$ghide
      - @@||mope.io^$ghide
      - ||holyclock.com^$3p

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt
  [✓] Status: Retrieval successful
  [i] Received 298 domains, 287 domains invalid!
      Sample of invalid domains:
      - ||download.cnet.com^$document
      - ||com.com^$document
      - ||sourceforge.net^$document
      - ||softonic.com^$document
      - ||flexytalk.net^

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/experimental.txt
  [✓] Status: Retrieval successful
  [i] Received 2 domains, 1 domains invalid!
      Sample of invalid domains:
      - ||tags.tiqcdn.com^

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters.txt
  [✓] Status: Retrieval successful
  [i] Received 10889 domains, 3906 domains invalid!
      Sample of invalid domains:
      - www.google.*
      - *_ad_$media,domain=youtube.com,3p
      - youtube.com,youtube-nocookie.com
      - youtube.com,youtube-nocookie.com
      - youtube.com,youtube-nocookie.com

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/privacy.txt
  [✓] Status: Retrieval successful
  [i] Received 44 domains, 37 domains invalid!
      Sample of invalid domains:
      - ||linkedin.com^$3p,important
      - ||taboola.com^$3p
      - ||silkenthreadiness.info^
      - adblockanalytics.com:
      - ||adblockanalytics.com^$3p

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt
  [✓] Status: Retrieval successful
  [i] Received 57 domains, 43 domains invalid!
      Sample of invalid domains:
      - ||edgeno.de^$script,3p,domain=~edgemesh.com
      - ||safelinkconverter.com^$script,3p
      - ||monero-miner.net^$3p
      - ||openkatalog.com^$frame
      - .cf^*.wasm$3p

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resources.txt
  [✗] Status: Not found
  [✗] List download failed: no cached list available

  [i] Target: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/unbreak.txt
  [✓] Status: Retrieval successful
  [i] Received 613 domains, 464 domains invalid!
      Sample of invalid domains:
      - @@||google-analytics.com^$domain=avianca.com|newegg.com
      - ||adf.ly^$badfilter
      - ||cdn.krxd.net^$script,redirect=noopjs,domain=video.foxnews.com
      - ||statcounter.com^$badfilter
      - @@||target.122.2o7.net^$domain=target.com
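
The format problem reported above, as an added example that is not part of the original thread: a simplified line classifier (a stand-in, not Pi-hole's gravity parser) that separates hosts-format and plain-domain entries from browser filter rules. The sample lines are taken from this page; the accepted sink addresses and the domain pattern are assumptions of this sketch.

```python
import re

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN = re.compile(rf"{LABEL}(?:\.{LABEL})+")     # at least two labels
SINK_IPS = {"0.0.0.0", "127.0.0.1"}                # assumption: hosts sink addresses
COMMENT = re.compile(r"(^|\s)#.*$")                # '#' only at start or after space

def classify(line):
    """Return 'hosts', 'domain', 'skip' (blank/comment) or 'invalid'."""
    text = COMMENT.sub("", line).strip().lower()
    if not text:
        return "skip"
    fields = text.split()
    if len(fields) == 2 and fields[0] in SINK_IPS:
        return "hosts" if DOMAIN.fullmatch(fields[1]) else "invalid"
    if len(fields) == 1 and DOMAIN.fullmatch(fields[0]):
        return "domain"
    # Filter-rule syntax (||, @@, ^, $options, wildcards, commas) lands here.
    return "invalid"

def summarize(lines):
    """Count lines per class, similar in spirit to gravity's 'domains invalid'."""
    counts = {"hosts": 0, "domain": 0, "skip": 0, "invalid": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts

# Sample lines quoted on this page, plus one constructed comment line.
SAMPLE = [
    "# constructed comment line",
    "0.0.0.0 cinektyper.blogspot.com",
    "127.0.0.1 aintdoinshit.com",
    "adnxs.com",
    "||holyclock.com^$3p",
    "@@||vanar.io^$ghide",
    "www.google.*",
    "linkurl.org,planetatvonlinehd.com",
    "adblockanalytics.com:",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```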

Thanks, Horn!

I realize I wasn't aware of how the groups worked. I get it now and the structure of the Group Management menu makes much more sense.

Also, your point on the private IP's makes a lot of sense since this is a DNS blocker. Should have realized that on my own.

I'll do some garden work on the lists. They were meant to be a "starting point", so point taken.

I'll clean up and return...

/Søren

Hi jfb!

I realized the format was wrong with the uBlockOrigin lists and disabled them. I'll remove them.

Thanks,
Søren

Thanks for your help guys. Everything is working now and as mentioned, the main reason was that I'd misunderstood the use of Groups and Clients.
/Søren
