A couple of days ago my computer started showing things I have not seen for a very long time, i.e. my pihole has been working perfectly for years.
A little more than a month ago I decided to also include unbound in the setup.
Followed the official instructions (unbound - Pi-hole documentation) and added this inside /etc/unbound/unbound.conf.d/pi-hole.conf
(found here: Unbound configuration for Pi-hole + DoT (DNS over TLS) · GitHub):
# TLS settings
tls-upstream: yes
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Cloudflare
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    # forward-addr: 2606:4700:4700::1111@853
    # forward-addr: 2606:4700:4700::1001@853
    forward-ssl-upstream: yes
Everything seemed to work fine, dig commands returned what they should.
So up until a few days ago, when I noticed stuff appearing that has not appeared before.
I checked the pihole gui and on my computer ZERO blocking, but on other clients (cellphones and stuff) there are some, but everything is very strange.
I can see the requests going through the pihole from my computer, but zero blocking.
I do have portmaster, but have set the pihole as dns with dns://192.168.1.20?name=piHole
I also have a docker running unifi controller (for my Ubiquiti stuff), works perfectly. My pihole is not running on docker, it's "native".
I have a vpn I can connect through from outside, works perfectly (not sure if it still blocks with pihole though, but that is less important right now)
In the web gui I also now see both localhost (172.0.0.1) AND pi.hole, and those two make requests definitely not coming from them. The pi.hole also has no ip, just ::
Shouldn't pi.hole show ip 192.168.1.20?
Maybe one of them is the unbound server that I see the requests?
The ones on pi.hole (without the ip and also some on the localhost) are also NOT marked as unsecure (I never added any certificates for local traffic) like all the other clients are, kinda makes sense since they are on the same machine, maybe?
IPv6 was suddenly available again on the rpi so I disabled that, again (must have been activated in an apt upgrade, because I checked my other rpi:s and it was reactivated on them also), via cmdline.txt this time so the interface never even gets loaded. Did not change any behavior.
I tried adding my computer as a user, adding it to the default group (before this I had added zero clients and zero groups, everything just worked for years), no change.
Some of the blocking might already be happening by portmaster, but I find it very hard to believe that it suddenly became that efficient and I also see commercials on web pages I have NEVER seen them before.
But interestingly (on my computer):
$ drill pi.hole
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 52203
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3
;; QUESTION SECTION:
;; pi.hole. IN A
;; ANSWER SECTION:
pi.hole. 17 IN A 192.168.1.20
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
info.portmaster. 0 IN TXT "accepted: allowing dns request"
info.portmaster. 0 IN TXT "freshly resolved by piHole (dns://192.168.1.20:53#config)"
info.portmaster. 0 IN TXT "record valid for 59s"
;; Query time: 19 msec
;; SERVER: 192.168.1.20
;; WHEN: Sat Oct 7 11:23:51 2023
;; MSG SIZE rcvd: 239
$ drill flurry.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19952
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3
;; QUESTION SECTION:
;; flurry.com. IN A
;; ANSWER SECTION:
flurry.com. 1 IN A 0.0.0.17
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
info.portmaster. 0 IN TXT "blocked: flurry.com. in activated lists AA-AD,AGD,DM-TR,OISD,PL-B,SB-AM,TX-AD and in deactivated lists BT-MSFT, BYX"
info.portmaster. 0 IN TXT "flurry.com. is blocked by filter lists AA-AD, AGD, DM-TR, OISD, PL-B, SB-AM, TX-AD"
info.portmaster. 0 IN TXT "flurry.com. would be blocked by filter lists BT-MSFT, BYX"
;; Query time: 10 msec
;; SERVER: 192.168.1.20
;; WHEN: Sat Oct 7 11:21:34 2023
;; MSG SIZE rcvd: 392
I have no idea what is going on here, please help me sort this mess out. <3
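
Added example, not part of the original post: the `info.portmaster.` TXT records in the ADDITIONAL section of the two drill outputs above state a verdict for each query, so a short parser can report, per response, whether the note says accepted or blocked, which upstream it names, and which filter lists it cites. The function name `summarize` and the trimmed sample strings are constructed for this illustration.

```python
import re

# Constructed samples, trimmed from the two drill outputs in the post above.
SAMPLE_ACCEPTED = '''\
;; ANSWER SECTION:
pi.hole. 17 IN A 192.168.1.20
;; ADDITIONAL SECTION:
info.portmaster. 0 IN TXT "accepted: allowing dns request"
info.portmaster. 0 IN TXT "freshly resolved by piHole (dns://192.168.1.20:53#config)"
;; SERVER: 192.168.1.20
'''
SAMPLE_BLOCKED = '''\
;; ANSWER SECTION:
flurry.com. 1 IN A 0.0.0.17
;; ADDITIONAL SECTION:
info.portmaster. 0 IN TXT "flurry.com. is blocked by filter lists AA-AD, AGD, DM-TR, OISD, PL-B, SB-AM, TX-AD"
info.portmaster. 0 IN TXT "blocked: flurry.com. in activated lists AA-AD,AGD"
;; SERVER: 192.168.1.20
'''

NOTE = re.compile(r'^info\.portmaster\.\s+\d+\s+IN\s+TXT\s+"(.*)"$')
ANSWER = re.compile(r'^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$')
RESOLVED = re.compile(r'resolved by \S+ \((\S+?)\)')
LISTS = re.compile(r'is blocked by filter lists (.+)$')

def summarize(drill_output):
    """Report what the info.portmaster. TXT notes say about one drill response."""
    result = {"answers": [], "server": None, "verdict": "no portmaster notes",
              "upstream": None, "lists": []}
    for line in drill_output.splitlines():
        line = line.strip()
        if line.startswith(";; SERVER:"):
            result["server"] = line.split(":", 1)[1].strip()
        elif (m := NOTE.match(line)):
            note = m.group(1)
            if note.startswith(("accepted:", "blocked:")):
                result["verdict"] = note.split(":", 1)[0]
            if (r := RESOLVED.search(note)):
                result["upstream"] = r.group(1)   # resolver named in the note
            if (l := LISTS.search(note)):
                result["lists"] = [x.strip() for x in l.group(1).split(",")]
        elif (m := ANSWER.match(line)):
            result["answers"].append((m.group(1), m.group(2)))
    return result

if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPTED, SAMPLE_BLOCKED):
        print(summarize(sample))
```

Feeding it the full output of `drill <name>` for a handful of domains shows at a glance which responses carry a "blocked" note with filter lists and which carry an "accepted" note naming the configured upstream.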