Piholes stopped blocking domains on blacklist

wderuijter · March 10, 2024, 8:49am

The issue I am facing:
Domains blocked in my domain list are still passing through pihole since a while.
For example: tracking.justpremium.com which is on the blocklist but still gets through.
I've been running 2 piholes since years. Since an update/reinstall to Raspberry Pi OS the problem might have began.

Details about my system:
I'm not using pihole as dhcp server, my router does dhcp.
I've set the DNS servers to 192.168.1.2 and 192.168.1.3, both are piholes with the same config and blacklist (cloned with teleporter)

I've checked ipv6, checked my dns server settings, tried nslookup. No change. Removed all blocklists and added a single one again.

Debugtokens are https://tricorder.pi-hole.net/d0CKEBPD/ and https://tricorder.pi-hole.net/poJy8ukC/

Bucking_Horn · March 10, 2024, 9:03am

Run from a machine that you observe to resolve tracking.justpremium.com, what's the output of:

nslookup pi.hole

nslookup flurry.com

nslookup tracking.justpremium.com

wderuijter · March 10, 2024, 9:04am

OK, this has been resolved. I think it had something to do with the groups, clients and lists configuration. I removed all groups , clients and reapplied the lists to all (the default) group. Rebooted the pi's and the blocking started working again.

wderuijter · March 10, 2024, 9:06am

nslookup pi.hole
Server:  pi.hole
Address:  192.168.1.2

Non-authoritative answer:
Name:    pi.hole.mydomain.com
Address:  86.147.147.86

nslookup flurry.com
Server:  pi.hole
Address:  192.168.1.2

Non-authoritative answer:
Name:    flurry.com.mydomain.com
Address:  86.147.147.86

nslookup tracking.justpremium.com
Server:  pi.hole
Address:  192.168.1.2

Non-authoritative answer:
Name:    tracking.justpremium.mydomain.com
Address:  86.147.147.86

@Bucking_Horn thanks for your speedy reply. Is this to be expected if it is working again?
(i've edited my public ip and mydomain.com)

Bucking_Horn · March 10, 2024, 9:31am

Indeed, you configured two clients to be filtered by your group 2 (marketing), but the single blocklist you were using was assigned only to the default blocklist.
For using Pi-hole's group management, you may want to refer to our per-client blocking example.

The latter two of your outputs are NOT ok:
They should have been 0.0.0.0 for the two blocked domains, as your debug log shows your Pi-hole to is configured for its default blocking mode, not to return an IP.
It's also suspicious that the answer is for a public IP.

What client did you run those nslookups from?

wderuijter · March 10, 2024, 9:34am

@Bucking_Horn I ran the nslookup from my windows 11 laptop at 192.168.1.124
No matter what domain name I lookup it shows my own external ip adres.

edit: Perhaps unrelated but I've got a domain name for my external ip address, mydomain.com. I also use some subdomains of that domain name in my internal network, home.mydomain.com for example. I've added home.mydomain.com in pihole's local DNS as a record that points the local ip adres 192.168.1.32. Which is a reverse proxy for several machines in my network pointing it to the correct server.

Bucking_Horn · March 10, 2024, 9:50am

That IP seems to belong to British Telecom's btcentralplus.com.
Is that your public IP?

And how is that Windows machine connected to your network?
Do you run any AV or firewall on that machine?
Was that machine one of your two previous group management clients?

Do those two lookups for flurry.com and tracking.justpremium show up in your Pi-hole's Query Log as blocked?

wderuijter · March 10, 2024, 10:59am

@Bucking_Horn I obscured my own ip address a bit in my posts. But yes, the nslookup gives back my public ip address. My laptop is connected through wifi.

Yes, this laptop was one of my two previous group management clients. It does not have AV or a firewall.

Do those two lookups for flurry.com and tracking.justpremium show up in your Pi-hole's Query Log as blocked?
Yes, I see them in the log and blocking seems to work again.

wderuijter · March 10, 2024, 7:04pm

@Bucking_Horn OK, I think I found the thing why nslookup seems weird: networking - Windows Appending Domain Suffix To All Lookups - Server Fault
Windows always tries to append its suffix first.
And I've got a catchall *.mydomain.com which always forwards to my public ip address where I catch all traffic..
So I've added a dot after the nslookups:

nslookup pi.hole.

nslookup flurry.com.

nslookup tracking.justpremium.com.

Which gives:
Server: pi.hole
Address: 192.168.1.2

Name: pi.hole
Addresses: fe80::d784:5498:7910:d15b
192.168.1.2

nslookup flurry.com.
Server: pi.hole
Address: 192.168.1.2

Name: flurry.com
Addresses: ::
0.0.0.0

nslookup tracking.justpremium.com.
Server: pi.hole
Address: 192.168.1.2

Name: tracking.justpremium.com
Addresses: ::
0.0.0.0

That seems to be right, don't you think so? If not, let me know
Thanks @Bucking_Horn !

system · March 31, 2024, 7:04pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.