PiHole + Unbound blocks ads across all my devices (Android, Windows).
Actual Behaviour:
Up until recently PiHole + Unbound has been working just find across all my devices (Android, Windows). I recently changed employers and received a new (Windows) laptop, and unfortunately ads are NOT blocked on this laptop with the same level of performance as the rest of my devices (my personal PC blocks ~75% of adds vs. work laptop blocking only ~20% of ads from an "ad test" website).
My work laptop does employ a VPN (which I can deactivate for now), and when it IS active it looks like a different DNS server is used (not sure there's much I can do about it). Let's ignore this for now and stick with the condition where I'm NOT using the VPN. When I do an ipconig/all the DNS server is listed as 127.0.0.1 on my laptop, but on my personal PC (which works fine with ad blocking) the DNS server is my pi's IP address. Not sure if this helps.
Also nslookup pi.hole on the laptop yields:
Server: localhost
Address: 127.0.0.1
Name: pi.hole
Addresses: [IPv6 address] followed by my pi's IPv4 address
...while on my personal PC (again, ads block fine here) nslookup pi.hole yields:
Server: pi.hole
Address: pi's IPv4 address
Name: pi.hole
Addresses: [IPv6 address] followed by my pi's IPv4 address
If your workplace is using some kind of group policy to ignore DHCP (presumption) then you would need to put some iptables rules down to redirect DNS queries to Pi-hole (of which there are many examples found by googling)
Yep that’s correct mate iptables are applied usually on the router or pfsense/some other firewall box, however that’s all based on my presumption that it’s some GP interference.
Disclaimer: I can’t guarantee I am not talking out of my ass as I am not a network engineer, but hopefully this helps a little
Cool, thanks for the additional info! I have an Asus router running the Merlin firmware, so I think I can apply iptables to it. I've also seen some chatter about using the firmware's "DNSFilter" feature (as opposed to iptables), but I didn't have any success on that front.
Your nslookup results look alright, showing that Pi-hole is somehow used (as pi.hole is only known by Pi-hole), though it would be unusual for a Windows system to return the loopback address as DNS server. Also, it just shows the DNS server used for that specific request - there may be other DNS servers available for your Windows laptop, which then could be used to by-pass Pi-hole on occasions.
Run from that laptop, what DNS servers is the following command returning:
ipconfig /all
We'd just be interested in the DNS server section of that output.
Alternatively, you may check with the following commands (the output of which is a bit more unwieldy, though):
netsh interface ipv4 show dnsservers
netsh interface ipv6 show dnsservers
Another interesting note (not sure it matters). When I disable my laptop's VPN and immediately thereafter run nslookup pi.hole I receive the following response:
Server: pi.hole
Address: [pi's IPv4 address]
Name: pi.hole
Addresses: [IPv6 address] followed by pi's IPv4 address
And if I run the command again a couple seconds later the response changes to:
Server: localhost
Address: 127.0.0.1
Name: pi.hole
Addresses: [IPv6 address] followed by pi's IPv4 address
Bucking_Horn here is what is reported after running ipconfig/all with the VPN disabled:
DNS Servers . . . . . . . . . . . : 127.0.0.1
After running netsh interface ipv4 show dnsservers I found one of the outputs to be this:
After digging some more it looks like my ethernet adapter is currently configured as such:
I'm guessing I should try to convince my IT folks to facilitate changing the assignment from "Manual" to "Automatic (DHCP)" (which requires admin access) and see what happens. I'll report back later.
After some more digging I found that my laptop tends to revert to a "default" configuration when the ethernet connection is renewed. With the VPN disabled here are the settings:
...which reveals why I was previously seeing 127.0.0.1 as the DNS.
And the VPN employs a "PANGP Virtual Ethernet Adapter" that has hard-coded DNS entries. Again, any time I refresh the internet connection the "default" configuration gets reloaded.
So it looks like solutions at the client (laptop) are probably a no-go.
So that leaves possible solutions that might be implemented on the PiHole or the router. @ShrewdGreyhound already mentioned trying iptables on the router. Are there any other suggestions?
Does that section really not include any IPv6 addresses?
If so, that would exclude possible by-passes via IPv6.
As said before, the IPv4 part seems to work, even if a loopback address is unusual for a Windows client:
Your Windows laptop is able to resolve pi.hole, so that means that whatever DNS server on your laptop is handling DNS, it is correctly forwarding DNS requests to Pi-hole - at least for that specfic DNS request.
To be sure, you'd have to find out about the upstream DNS servers that the local DNS server at 127.0.0.1 on your laptop is configured to use.
