Pihole suddenly showing very odd behaviour and not blocking (unbound)

A couple of days ago my computer started showing tings I have not seen for a very long time, ie my pihole has been working perfectly for years.

A little more than a month ago I decided to also include unbound in the setup.
Followed the official instructions (unbound - Pi-hole documentation) and added this inside /etc/unbound/unbound.conf.d/pi-hole.conf (found here Unbound configuration for Pi-hole + DoT (DNS over TLS) · GitHub

   # TLS settings
    tls-upstream: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Cloudflare
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    # forward-addr: 2606:4700:4700::1111@853
    # forward-addr: 2606:4700:4700::1001@853
    forward-ssl-upstream: yes

Everything seemed to work fine, dig commands returned what it should.
So up until a few days ago, when I noticed stuff appearing that has not appeared before.
I checked the pihole gui and on my computer ZERO blocking, but on other clients (cellphones and stuff) there are some, but everything is very strange.

I can see the requests going through the pihole from my computer, but zero blocking.
I do have portmaster, but has set the pihole as dns with dns://192.168.1.20?name=piHole

I also have a docker running unifi controler (for my ubuquity stuff), works perfectly. My pihole is not running on docker, it's "native".

I have a vpn I can connect through from outside, works perfectly (not sure if it still blocks with pihole though, but that is less important right now)

In the web gui I also now se both localhost (172.0.0.1) AND pi.hole and those two makes requests definitely not coming from them. the pi.hole also has no ip, just ::
Shouldn't pi.hole show ip 192.168.1.20?
Maybe one of them is the unbound server that I see the requests?
The ones on pi.hole (without the ip and also some on the localhost) are also NOT marked as unsecure (I never added any certificates for local traffic) like all the other clients does, kinda makes sense since they are on the same machine, maybe?

Ipv6 was suddenly available again on the rpi so I disabled that, again (must have been activated in an apt upgrade, because I checked my other rpi:s and it was reactivated on them also), via cmdline.txt this time so the interface never even gets loaded. Did not change any behavior.

I tried adding my computer as a user, adding it to the default group (before this I had added zero clients and zero groups, everything just worked for years), no change.

Some of the blocking might already be happening by portmaster, but I find it very hard to believe that it suddenly became that efficient and I also see commercials on web pages I have NEVER seen them before.

But interestingly (on my computer):

$ drill pi.hole
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 52203
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3 
;; QUESTION SECTION:
;; pi.hole.     IN      A

;; ANSWER SECTION:
pi.hole.        17      IN      A       192.168.1.20

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
info.portmaster.        0       IN      TXT     "accepted: allowing dns request"
info.portmaster.        0       IN      TXT     "freshly resolved by piHole (dns://192.168.1.20:53#config)"
info.portmaster.        0       IN      TXT     "record valid for 59s"

;; Query time: 19 msec
;; SERVER: 192.168.1.20
;; WHEN: Sat Oct  7 11:23:51 2023
;; MSG SIZE  rcvd: 239

$ drill flurry.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19952
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3 
;; QUESTION SECTION:
;; flurry.com.  IN      A

;; ANSWER SECTION:
flurry.com.     1       IN      A       0.0.0.17

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
info.portmaster.        0       IN      TXT     "blocked: flurry.com. in activated lists AA-AD,AGD,DM-TR,OISD,PL-B,SB-AM,TX-AD and in deactivated lists BT-MSFT, BYX"
info.portmaster.        0       IN      TXT     "flurry.com. is blocked by filter lists AA-AD, AGD, DM-TR, OISD, PL-B, SB-AM, TX-AD"
info.portmaster.        0       IN      TXT     "flurry.com. would be blocked by filter lists BT-MSFT, BYX"

;; Query time: 10 msec
;; SERVER: 192.168.1.20
;; WHEN: Sat Oct  7 11:21:34 2023
;; MSG SIZE  rcvd: 392

I have no idea what is going on here, please help me sort this mess out. <3

https://tricorder.pi-hole.net/DCVDIJT8/

Those are regular Pi-hole internal requests for DNSSEC validation, see also Understanding DNSSEC validation using Pi-hole’s Query Log - nothing to worry about.

Yes, your dig results confirms that to be the case:

The corresponding request did not register in Pi-hole's Query Log (also indicated by the IP returned, which would have been 0.0.0.0 for a default Pi-hole).

As Portmaster seems to be a kind of client-side firewall software(?), it may well be effective in filtering out DNS requests from your machine before it reaches Pi-hole, especially if it would use the same blocklists.

Disabling IPv6 on your RPi that hosts your Pi-hole won't stop your IPv6 capable clients to talk to an alternate IPv6 address for DNS, if and as potentially provided by your router.

If your router would provide public or even link-local IPv6 connectivity, you'd want to verify that it does not advertise an IPv6 DNS server at all, or your Pi-hole host machine's IPv6.

You'd have to consult your router's documentation sources on further details for its IPv6 DNS configuration options.

Yeah, I forgot to mention that, ipv6 has never been activated on the router, ever. But I thought it could leak over anyway. I was just surprised it was active again, that's why I mentioned it.

I disabled portmaster and redid the drill command and indeed it was blocked by pihole, (I can also see it in the requests as blocked in the webgui).

$ drill flurry.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 52420
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; flurry.com.  IN      A

;; ANSWER SECTION:
flurry.com.     2       IN      A       0.0.0.0

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: 192.168.1.20
;; WHEN: Sat Oct  7 14:45:22 2023
;; MSG SIZE  rcvd: 44

this leaves the question, did portmaster REALLY suddenly become super effective or is there something else at play here.
Not sure how to combat this.

What about the localhost (127.0.0.1 in the webgui) that shows requests from all kinds of places, that has NOT been a thing before. Is that the unbound server that responds or something? Suddenly it is top 3 clients with most requests with 4 digit number, it used to be a 2 digit number of requests, or MAYBE just above a hundred or so.
But I am 1000% sure I did not visit f ex the swedish television webpage from my headless rpi server... :-S

That'd remain for you to answer.
At least for the request you've shared, there can be no doubt it was blocked, by Portmaster.
And the ADDITIONAL SECTION suggests that Portmaster would indeed use blocklists to filter DNS, so with regards to DNS filtering, it can be (almost) as effective as Pi-hole when using the same set of blocklists - on that single machine that runs Portmaster, that is.

I see no reason to combat this, except for saving some resources on that machine.
It may even be of advantage if that would be a roaming machine that would leave your home network and use other networks at times.

Just to be sure: It's really 127.0.0.1?

To the same end, please share the output of:

echo ">top-domains >quit" | nc localhost 4711

echo ">top-clients >quit" | nc localhost 4711

localhost is 127.0.0.1 and docker is 172.17.0.1 and on a different subnet
I think that stuff is also in the logfile attached

$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:52:2b:f2:a2  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        ether e4:5f:01:6b:ab:ae  txqueuelen 1000  (Ethernet)
        RX packets 151801  bytes 55449928 (52.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 97994  bytes 16545237 (15.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 277467  bytes 41630106 (39.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 277467  bytes 41630106 (39.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.90.172.1  netmask 255.255.255.0  destination 10.90.172.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

As for the echo.... ok then...

$ echo ">top-domains >quit" | nc localhost 4711
0 436 nrdp-ipv6.prod.ftl.netflix.com
1 396 89.100.in-addr.arpa
2 299 tv
3 252 nrdp.prod.cloud.netflix.com
4 242 twitch.tv
5 242 eas.outlook.com
6 241 e673.dsce9.akamaiedge.net
7 217 gql.twitch.tv
8 215 safebrowsing.googleapis.com
9 208 lb._dns-sd._udp.11.57.89.100.in-addr.arpa

0 4413 192.168.1.154 Corlis-nya-iPhone.lan
1 2708 192.168.1.10 bednaPC-lan.lan
2 2515 192.168.1.99 tvhub.lan
3 2409 :: pi.hole
4 1100 192.168.1.153 android-9cc796e900874c0b.lan
5 904 192.168.1.152 Marcus-S20.lan
6 649 192.168.1.150 Corlis-iPhone.lan
7 366 127.0.0.1 localhost
8 265 192.168.1.100 piServer.lan
9 16 192.168.1.60 rpi4b8gb.lan

That "tv" thing is new as well, never seen that before.

366 requests from 127.0.0.1 localhost does not seem unusual.

Let's have a look at the domains it has queried:

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT domain, count(domain) FROM queries WHERE timestamp > strftime('%s','now','-1 days') AND client='127.0.0.1' GROUP BY domain;"

I'd expect to see reverse lookups only from that client, so those would be normal.

$ pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT domain, count(domain) FROM queries WHERE timestamp > strftime('%s','now','-1 days') AND client='127.0.0.1' GROUP BY domain;"
1.1.168.192.in-addr.arpa|27
1.172.90.10.in-addr.arpa|7
10.1.168.192.in-addr.arpa|23
100.1.168.192.in-addr.arpa|27
150.1.168.192.in-addr.arpa|20
152.1.168.192.in-addr.arpa|27
153.1.168.192.in-addr.arpa|27
154.1.168.192.in-addr.arpa|27
2.172.90.10.in-addr.arpa|4
2.debian.pool.ntp.org|4
20.1.168.192.in-addr.arpa|7
30.1.168.192.in-addr.arpa|5
5.1.168.192.in-addr.arpa|13
60.1.168.192.in-addr.arpa|5
99.1.168.192.in-addr.arpa|22
_http._tcp.archive.raspberrypi.org|2
_http._tcp.deb.debian.org|2
_http._tcp.deb.volian.org|1
_http._tcp.ftp.dk.debian.org|2
_http._tcp.ftp.hr.debian.org|2
_http._tcp.ftp.nl.debian.org|2
_http._tcp.ftp.uio.no|1
_http._tcp.mirror.init7.net|1
_http._tcp.mirror.nl.datapacket.com|1
_http._tcp.mirrors.dotsrc.org|1
_http._tcp.packages.azlux.fr|1
_http._tcp.security.debian.org|2
_https._tcp.debian.mirror.iphh.net|1
_https._tcp.debian.netcologne.de|1
_https._tcp.debian.web.trex.fi|1
_https._tcp.download.docker.com|1
_https._tcp.ftp.acc.umu.se|1
_https._tcp.mirror.23m.com|1
a1ewuiz2p7wdvw-ats.iot.us-west-2.amazonaws.com|2
api.github.com|9
archive.raspberrypi.org|2
c3sdnuexugkg7e.credentials.iot.us-west-2.amazonaws.com|4
cloudaccess.svc.ubnt.com|4
config.ubnt.com|2
deb.volian.org|1
debian.map.fastlydns.net|2
debian.mirror.iphh.net|1
debian.netcologne.de|1
debian.web.trex.fi|1
download.docker.com|1
ftp.acc.umu.se|1
ftp.dk.debian.org|1
ftp.hr.debian.org|1
ftp.nl.debian.org|1
ftp.uio.no|1
fw-update.ubnt.com|2
github.com|9
mirror.23m.com|1
mirror.init7.net|1
mirror.nl.datapacket.com|1
mirrors.dotsrc.org|1
ns1.pi-hole.net|3
packages.azlux.fr|1
probabday.xyz|1
sso.ui.com|1
static.ubnt.com|3
trace.svc.ui.com|10
tricorder.pi-hole.net|1
www.bumboxik.club|1
www.woyaolq.com|1

The regular (non-reverse) lookups seem to be largely for package management stuff.
Are you perhaps running additional software on the same machine that hosts your Pi-hole?

If you can correlate those domains to such software, that would explain those requests.

Nothing more than I already stated.

Docker running unifi, pivpn (openvpn) and pihole (with unbound installed). That's it.

And no, I can not correlate them other than debian witch I assume is the rpi update.
Edit. I also recognize trace.svc.ui.com that is blocked and I think it is unifi trying to connect to some kind of portal.
Earlier i mentioned swedish television being requested. That should have been on either one of the iphones or the tvhub (I do not know, I haven't visited the site or anything around it for months, others in the houshold might though but definitely not from a headless rpi).

www.bumboxik.club and www.woyaolq.com.. I have zero clue what that is.

It quite frankly worries me a bit.

A WHOIS search returned no data. Apparently these domains don't exist.

I''d suspect both those domains to be listed in at least one of your blocklists, and Pi-hole has used them for testing when creating a debug log, which can be seen at least for the former:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] www.bumboxik.club is 0.0.0.0 on lo (127.0.0.1)

Considering the software you've installed, I do not think that those lookups should be reason for concern.

Those would have been DNSSEC validation requests issued by your Pi-hole itself, as mentioned before.
It would be normal for Pi-hole with DNSSEC enabled (which you have) to check on domains as they are requested, and the respective requests would show up in Pi-hole's Query Log as originating from pi.hole at :: with distinctive query types (DS, DNSKEY, NSEC, RRSIG).

Going by the name, it looks like a tv streaming device.
I'd guess it would be responsible for the majority of those tv related requests, which you could check by adopting the SQL statement to match client='192.168.1.99'.

YOU GUYS ARE AWESOME!

YES, OFC!! LOL
Thank you!

Thank you for that info, my brain database is now updated with this knowledge. xD
And yes, everything you say seems to be true.

It was a VERY long time since I actually used SQL, like +15 years ago...

I tried this line, but returned nothing, I have a feeling domain='tv' is incorrect...?

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT domain, count(domain) FROM queries WHERE client='192.168.1.99' AND domain='tv' GROUP BY domain;"

If I remove the client from the search I get: tv|8464
Not sure what that means, but since you say it's normal to see these requests on localhost, I feel calm again.

Thank you for calming me down.

I will try to find out why there are zero blocks when using portmaster, I have a lot of extra block lists on the pihole and I find it VERY unlikely that EVERYTHING suddenly is included in portmaster blocks. This was not the case just 3-4 weeks ago. (yes, I know, I should check the logs a little more often)
But since disabling portmaster enables blocking on my computer via the pihole again, it is definitely something with portmaser and not the pihole.

Thank you again!

Edit
I think I will pay a little visit to this page.. Again, thank you for your work!

Yes, to show the list of domains that 192.168.1.99 has requested, AND domain='tv' should be removed (also, that clause wasn't present in my suggested SQL):

pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT domain, count(domain) FROM queries WHERE timestamp > strftime('%s','now','-1 days') AND client='192.168.1.99' GROUP BY domain;"

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.