PiHole working, but not blocking anything on client devices


Pi-hole noob with new install... Followed directions from Block ads at home with Pi-hole


Expected Behaviour:

Pi-hole should be blocking ads, and other items in the adlists. From the client side, there should be no address returned and ads on the web browser pages should be blocked.
-Operating System - Raspberry PI OS Lite (64-bit) (Server), Windows 11 (Client), Android 14 (Client)
-Hardware - Raspberry Pi 4 Model B (Server), PC (Client), Samsung S22 Ultra (Client)
-Pi-Hole Version - Pi-hole - [v5.17.2], FTL - [v5.23], Web Interface - [v5.20.2]

Actual Behaviour:

When using nslookup on a Windows client and Android phone, it is coming back with an address not related to the Pi-hole and not blocking. This is showing the address, which should be blocked. I have verified that the client is using the Pi-hole server address and it was manually configured for testing before deploying to full network. When doing an nslookup on the Pi-hole server it is showing 0.0.0.0, but the client is not getting 0's, but is getting a returned address. (nslookup ads.google.com is showing 142.250.72.78, instead of blocking it). The Pi-hole seems to be sending requests to the upstream DNS servers, instead of looking it up locally in its files, if it's there, and blocking it.

Debug Token:

https://tricorder.pi-hole.net/8qsaEPeL/

Pi-hole server = 192.168.32.104
ipconfig /all from client Windows computer


   Connection-specific DNS Suffix  . : mylan.network
   Description . . . . . . . . . . . : Intel(R) 82599 10 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 98-B7-85-00-2E-4F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.32.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 14, 2023 6:33:37 PM
   Lease Expires . . . . . . . . . . : Wednesday, November 15, 2023 1:33:38 AM
   Default Gateway . . . . . . . . . : 192.168.32.1
   DHCP Server . . . . . . . . . . . : 192.168.32.1
   DNS Servers . . . . . . . . . . . : 192.168.32.104
   NetBIOS over Tcpip. . . . . . . . : Enabled

nslookup from client Windows computer

Server:  pi.hole
Address:  192.168.32.104

Non-authoritative answer:
Name:    ads.google.com
Addresses:  2607:f8b0:400f:802::200e
          142.250.69.238

I have also tried doing an ipconfig /flushdns to no avail!

Addresses:  2607:f8b0:400f:802::200e

Looks like IPv6 is active in your network. You should see if you can either specify your Pi-hole's IPv6 address for IPv6 DNS lookups from whatever device handles DHCP in your network, or you should disable IPv6 on your router.

IPv6, for the LAN at least, is disabled on the router though.
https://i.imgur.com/9PGwOw1.png

That 2607:f8b0... address was returned from the DNS server when I did an nslookup on the client.

IPv6 has also been disabled on the client for many months now.
https://i.imgur.com/OAi8yD6.png

What's even more odd is that when I do an nslookup on the Pi-hole server itself, it's sending a request out to the upstream DNS servers and returning the same information, instead of blocking it.

pihole:~ $ nslookup ads.google.com
Server:         1.1.1.2
Address:        1.1.1.2#53

Non-authoritative answer:
Name:   ads.google.com
Address: 142.250.72.14
Name:   ads.google.com
Address: 2607:f8b0:400f:804::200e

When doing a search in the adlists, this is what comes up as a result...
Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
ads.google.com
mail-ads.google.com

Match found in https://raw.githubusercontent.com/ZingyAwesome/easylists-for-pihole/master/easylist.txt:
mail-ads.google.com

You've added some regex whitelist rules, intending to whitelist certain sites, but these have been entered using an ABP format. For example,

@@||twitter.com/*^$document

The unintended result of this is that when parsed as a regex they actually match any and all domains. This means that your Pi-hole is whitelisting any and all domains.

To fix this, open a Pi-hole terminal and view your debug log so you have a reference to work from – the command below will view it, then scroll down so you can see the entries in question.

sudo less -R /var/log/pihole/pihole_debug.log

In the Pi-hole web admin interface, delete all the whitelist regex entries which follow that pattern.

Your Pi-hole should be working again now, check to confirm it is blocking.

Finally, to add the domains back in, copy the domain part from each entry that you have open in your debug log, and add it as an exact whitelist domain in Domains > Domain. If you want to block all subdomains of it too, which may have been the intent in using the ABP format, tick the box that says Add domain as wildcard. Finally, click Add to Whitelist.
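Added example, not part of the original thread: a small audit of regex whitelist entries that shows why the ABP-style entry quoted above matches every domain and pulls out the domain part to re-add as an exact entry. Python's `re` stands in for Pi-hole's regex engine here (an assumption), and apart from the quoted entry the sample entries and probe domains are constructed.

```python
import re

# ABP-style prefix: optional "@@", then "||", then the domain part.
ABP_RE = re.compile(r"^(?:@@)?\|\|([A-Za-z0-9.-]+)")
# Constructed probe domains that no single whitelist rule should all match.
PROBES = ("ads.google.com", "doubleclick.net", "unrelated.invalid")

def audit(entry):
    """Classify one regex whitelist entry and return the findings as a dict."""
    try:
        rx = re.compile(entry)
    except re.error as exc:
        return {"entry": entry, "verdict": "invalid", "detail": str(exc)}
    # "||" read as a regex is an alternation with an empty branch. The empty
    # branch matches at position 0 of any input, so every domain matches.
    match_all = all(rx.search(domain) for domain in PROBES)
    abp = ABP_RE.match(entry)
    if match_all:
        verdict = "matches-everything"
    elif abp:
        verdict = "abp-syntax"
    else:
        verdict = "ok"
    return {"entry": entry, "verdict": verdict,
            "domain": abp.group(1) if abp else None}

if __name__ == "__main__":
    samples = [
        r"@@||twitter.com/*^$document",   # entry quoted in the post above
        r"(^|\.)twitter\.com$",           # constructed: a real regex rule
        r"||example.org^",                # constructed: another ABP entry
    ]
    for sample in samples:
        print(audit(sample))
```

Entries reported as `matches-everything` are the ones to delete; the `domain` field is the part to add back as an exact whitelist domain.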

I removed all of the regex entries, flushed table, restarted DNS resolver, did an ipconfig /flushdns on the client, but yet the client is still resolving blocked addresses.
The Pi-hole is showing correctly

pihole:~ $ nslookup ads.google.com
Server:         172.16.43.2
Address:        172.16.43.2#53

Non-authoritative answer:
Name:   ads.google.com
Address: 127.0.0.1
Name:   ads.google.com
Address: ::

But the Windows client is resolving...

nslookup ads.google.com
Server:  pi.hole
Address:  192.168.32.104

Non-authoritative answer:
Name:    ads.google.com
Addresses:  2607:f8b0:4023:1004::8a
          2607:f8b0:4023:1004::65
          2607:f8b0:4023:1004::71
          2607:f8b0:4023:1004::8b
          142.250.115.102
          142.250.115.139
          142.250.115.138
          142.250.115.101
          142.250.115.113
          142.250.115.100

I even went into one of the lists and copied a random domain for it, did an nslookup on the client and it resolved.

Generate a new debug log, please.

Here is the new debug log
https://tricorder.pi-hole.net/Itd8PdjY/

Is it dnsmasq-pi-hole that's answering when run below on a client?

nslookup -class=chaos -type=txt version.bind 192.168.32.104

This is what I am getting back when I ran it on my Windows client...

>nslookup -class=chaos -type=txt version.bind 192.168.32.104
Server:  pi.hole
Address:  192.168.32.104

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"

That's not Pi-hole answering :smiley:

C:\>nslookup -class=chaos -type=txt version.bind
Server:  pi.hole
Address:  10.0.0.5

version.bind    text =

        "dnsmasq-pi-hole-v2.89-e1de9c2"

What does below show on the Pi-hole host?

sudo ss -nltup | grep 'State\|pihole-FTL\|unbound'

And below?

sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*

pihole:~ $ sudo ss -nltup | grep 'State\|pihole-FTL\|unbound'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:PortProcess
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*    users:(("pihole-FTL",pid=16283,fd=4))
udp   UNCONN 0      0                  *:53               *:*    users:(("pihole-FTL",pid=16283,fd=6))
tcp   LISTEN 0      32           0.0.0.0:53         0.0.0.0:*    users:(("pihole-FTL",pid=16283,fd=5))
tcp   LISTEN 0      5          127.0.0.1:4711       0.0.0.0:*    users:(("pihole-FTL",pid=16283,fd=10))
tcp   LISTEN 0      5              [::1]:4711          [::]:*    users:(("pihole-FTL",pid=16283,fd=15))
tcp   LISTEN 0      32              [::]:53            [::]:*    users:(("pihole-FTL",pid=16283,fd=7))
pihole:~ $ sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
grep: /etc/unbound/unbound.conf*: No such file or directory

OK, not sure what's going on.
But it looks like DNS traffic is intercepted/filtered/redirected somewhere most likely on the router.
Check your router for DNS security or filter settings!

I've been looking, but I can't find anything where the router is intercepting DNS traffic.
If it was being intercepted, wouldn't it give me a different server return address when I do an nslookup? Instead of

Server:  pi.hole
Address:  192.168.32.104

wouldn't it show something else like 192.168.32.1, especially if the router was intercepting it?

As in Windows "thinks" it's talking to your Pi-hole at that address but something is intercepting the query and replying instead of your Pi-hole, so the address does not change.

Just to confirm, your Pi-hole is definitely at 192.168.32.104 (your debug log expired, they only exist for 48 hours)?

What do these commands give? You have run one of them before but just want to see the response is the same.

What is responding as the default DNS on Windows

nslookup -class=chaos -type=txt version.bind

What is responding at the address that Pi-hole is running on

nslookup -class=chaos -type=txt version.bind 192.168.32.104

What do you get with this command?

nslookup -class=chaos -type=txt version.bind 198.41.0.4

What does this give?

nslookup -class=chaos -type=txt version.bind 192.33.4.12

Are you running any anti-virus or security software such as Avast or McAfee?

Do you have a different computer available (Windows, Mac or Linux are okay) which is also on your network and using Pi-hole? If so can you please try all these commands on there too? Do you get the same or different results?

Yes, it is still the same address of 192.168.32.104

nslookup -class=chaos -type=txt version.bind
Server:  pi.hole
Address:  192.168.32.104

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"
nslookup -class=chaos -type=txt version.bind 198.41.0.4
Server:  a.root-servers.net
Address:  198.41.0.4

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"
nslookup -class=chaos -type=txt version.bind 192.33.4.12
Server:  c.root-servers.net
Address:  192.33.4.12

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"

I am running AVG, which is now owned by Avast.
So, they are pretty similar now.

Result from a second computer...

nslookup -class=chaos -type=txt version.bind
Server:  pi.hole
Address:  192.168.32.104

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"
nslookup -class=chaos -type=txt version.bind 198.41.0.4
Server:  a.root-servers.net
Address:  198.41.0.4

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"
nslookup -class=chaos -type=txt version.bind 192.33.4.12
Server:  c.root-servers.net
Address:  192.33.4.12

Non-authoritative answer:
version.bind    text =

        "unbound 1.13.2"

Newest debug token is: https://tricorder.pi-hole.net/BMuGkO3Y/

Thank you for running those tests, that is much appreciated.

The answers show that indeed your computer is hijacking your DNS queries and sending them to different DNS servers instead of Pi-hole and all the test servers. Each command is asking a different DNS server to display a text string showing its version. The answers should be different for each one. But instead, they are all the same because it's the same hijacking DNS server responding each time.

Since you are running AVG then this is very likely the culprit. Is this also running on the second computer that you tried, which also exhibited the same symptoms?

AVG has a feature called "Fake Website Shield". This does exactly what you are seeing – it claims to protect you from DNS hijacking... by hijacking your DNS. I know... that's a marketing masterpiece.

You need to turn this feature OFF and have it stay off in order to use Pi-hole. This page claims to show how to turn it off.

Can you please try turning it off on the main computer that you've been using, and then run the nslookup tests again please?

Every time you enter the URL (web address) of a website, such as www.example.com , into the address bar of your browser, the URL is translated to the IP address (Internet Protocol address) of the web server where the web page that you want to access is stored. Fake Website Shield provides an encrypted connection between your web browser and AVG's own DNS server to prevent hijacking and ensure that the displayed website is the authentic one.

3 Likes
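Added example, not part of the original thread: the same `version.bind` CHAOS TXT check done programmatically, flagging interception when independent servers all return one banner. The function names and the sample reply are constructed for illustration; the server addresses are the ones used in the thread.

```python
import socket, struct

def build_query(txid=0x1234):
    """DNS query for version.bind, type TXT (16), class CHAOS (3), RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p for p in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 3)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, name ends
            return off + 2
        off += 1 + n

def parse_banner(msg):
    """First TXT string of the first answer, or None when there is no answer."""
    if struct.unpack(">H", msg[6:8])[0] == 0:
        return None
    off = skip_name(msg, 12) + 4    # question name, then QTYPE and QCLASS
    off = skip_name(msg, off) + 10  # answer name, type, class, TTL, RDLENGTH
    return msg[off + 1: off + 1 + msg[off]].decode("ascii", "replace")

def ask(server, timeout=3.0):
    """Query one server over UDP; None on timeout or network error."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(), (server, 53))
            return parse_banner(s.recv(512))
    except OSError:
        return None

def intercepted(banners):
    """banners maps server IP to banner. Unrelated servers that all return
    the same banner point to one resolver answering on their behalf."""
    seen = [b for b in banners.values() if b is not None]
    return len(seen) >= 2 and len(set(seen)) == 1

# Constructed reply: header, echoed question, one TXT answer "unbound 1.13.2".
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + build_query()[12:] + b"\xc0\x0c"
                + struct.pack(">HHIH", 16, 3, 0, 15) + b"\x0eunbound 1.13.2")

if __name__ == "__main__":
    servers = ("192.168.32.104", "198.41.0.4", "192.33.4.12")
    results = {ip: ask(ip) for ip in servers}
    print(results, "intercepted:", intercepted(results))
```

The check only makes sense with servers known to run different software, as here with the Pi-hole and two root servers; identical banners from two servers that legitimately run the same resolver would be a false positive.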

That should be off now

nslookup -class=chaos -type=txt version.bind
Server:  pi.hole
Address:  192.168.32.104

version.bind    text =

        "dnsmasq-pi-hole-v2.89-9461807"
nslookup -class=chaos -type=txt version.bind 192.168.32.104
Server:  pi.hole
Address:  192.168.32.104

version.bind    text =

        "dnsmasq-pi-hole-v2.89-9461807"
nslookup -class=chaos -type=txt version.bind 198.41.0.4
in-addr.arpa    nameserver = e.in-addr-servers.arpa
in-addr.arpa    nameserver = f.in-addr-servers.arpa
in-addr.arpa    nameserver = d.in-addr-servers.arpa
in-addr.arpa    nameserver = c.in-addr-servers.arpa
in-addr.arpa    nameserver = b.in-addr-servers.arpa
in-addr.arpa    nameserver = a.in-addr-servers.arpa
e.in-addr-servers.arpa  internet address = 203.119.86.101
e.in-addr-servers.arpa  AAAA IPv6 address = 2001:dd8:6::101
f.in-addr-servers.arpa  internet address = 193.0.9.1
f.in-addr-servers.arpa  AAAA IPv6 address = 2001:67c:e0::1
d.in-addr-servers.arpa  internet address = 200.10.60.53
d.in-addr-servers.arpa  AAAA IPv6 address = 2001:13c7:7010::53
c.in-addr-servers.arpa  internet address = 196.216.169.10
c.in-addr-servers.arpa  AAAA IPv6 address = 2001:43f8:110::10
b.in-addr-servers.arpa  internet address = 199.253.183.183
b.in-addr-servers.arpa  AAAA IPv6 address = 2001:500:87::87
a.in-addr-servers.arpa  internet address = 199.180.182.53
a.in-addr-servers.arpa  AAAA IPv6 address = 2620:37:e000::53
Server:  UnKnown
Address:  198.41.0.4

version.bind    text =

        "ATLAS"
nslookup -class=chaos -type=txt version.bind 192.33.4.12
in-addr.arpa    nameserver = c.in-addr-servers.arpa
in-addr.arpa    nameserver = f.in-addr-servers.arpa
in-addr.arpa    nameserver = e.in-addr-servers.arpa
in-addr.arpa    nameserver = b.in-addr-servers.arpa
in-addr.arpa    nameserver = a.in-addr-servers.arpa
in-addr.arpa    nameserver = d.in-addr-servers.arpa
f.in-addr-servers.arpa  internet address = 193.0.9.1
e.in-addr-servers.arpa  internet address = 203.119.86.101
d.in-addr-servers.arpa  internet address = 200.10.60.53
c.in-addr-servers.arpa  internet address = 196.216.169.10
b.in-addr-servers.arpa  internet address = 199.253.183.183
a.in-addr-servers.arpa  internet address = 199.180.182.53
f.in-addr-servers.arpa  AAAA IPv6 address = 2001:67c:e0::1
e.in-addr-servers.arpa  AAAA IPv6 address = 2001:dd8:6::101
d.in-addr-servers.arpa  AAAA IPv6 address = 2001:13c7:7010::53
c.in-addr-servers.arpa  AAAA IPv6 address = 2001:43f8:110::10
b.in-addr-servers.arpa  AAAA IPv6 address = 2001:500:87::87
a.in-addr-servers.arpa  AAAA IPv6 address = 2620:37:e000::53
Server:  UnKnown
Address:  192.33.4.12

version.bind    text =

        "c-root"

Thank you, those are the correct responses.

"dnsmasq-pi-hole-v2.89-9461807" – this is Pi-hole responding to the query

"ATLAS" – this is the A root nameserver out on the Internet responding

"c-root" – this is the C root nameserver out on the Internet

These were all previously unreachable because AVG was jacking all your queries and sending them to its own server which replied with "unbound 1.13.2".

Now try using your browser as normal. You should be seeing traffic in your Pi-hole Query Log now, with things being blocked and allowed as normal. If you want to see it in real time, go to Tools > Tail pihole.log and put the window to one side, and browse to some sites. You should see queries appearing in real time. Try a "noisy" site like cnn.com.

2 Likes