Anybody having trouble with Windows Update? Mine hasn't run for over 4 days (using beta5 in production). I'm having trouble identifying the domain I have to whitelist.
I assume this is caused by the new CNAME blocking feature. A better web interface is on the way, making it easier to identify this, but unfortunately, it doesn't work for me (yet).
Check the domains that come from the Windows box. If not blocked, you may have to dig that domain to see the related CNAMEs and check each of those. Or just disable your Pi-hole for a few minutes to run the Windows updates.
For no apparent reason, the new branch (new/CNAME_inspection_details), which didn't work for me, suddenly started to produce results.
I didn't change a thing, no clue as to why it suddenly worked.
You shouldn't need to whitelist the CNAME. That will open up that for any domain that points to the CNAME. You just need to whitelist the target domain and leave the CNAME alone.
You want to see blog.site but that CNAMEs to bad.tracker. If you whitelist bad.tracker then any domain that points to it will now be allowed. Just whitelist blog.site and only that domain will be allowed.
So just for clarity, if any domain in the request chain is on the block/regex list, the entire request will be blackholed, correct? In your example above, bad.tracker is on the block/regex list, let’s say. The original request for blog.site gets dumped? That’s my understanding of the additional CNAME check. It’s just an additional check to see if the DNS request is going through one or more referrals to additional domains and otherwise obfuscating the true IP requested.
If blog.site CNAMEs to bad.tracker and bad.tracker is on block/black/regex then blog.site will be killed and noted as blocked due to CNAME.
If blog.site is added to whitelist then it will be allowed. Implementation details are that once a whitelisted domain is seen then all further checks are skipped and the actual IP is returned.
Edit: To add more, only blog.site will be allowed. Any other domain that CNAMEs to bad.tracker will be killed.
Sure, there was a lot of discussion in trying to get the implementation right. It's a big change so there will be a lot of "unlearning" of old ways to use the new features.
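The decision order described in the replies above (whitelist hit ends all checks, otherwise any blocked name in the CNAME chain kills the query), as an added example that is not part of the thread and not Pi-hole's own code. It is a simplified model: the function names, the sample records other than blog.site and bad.tracker, and the first-match-wins walk are assumptions made for illustration.

```python
import re

# Constructed sample data: CNAME records as a resolver would return them.
CNAMES = {
    "blog.site": "bad.tracker",
    "shop.example": "bad.tracker",   # hypothetical second site using the same tracker
    "news.example": "cdn.example",   # hypothetical harmless CNAME
}


def cname_chain(domain, records=CNAMES, max_depth=16):
    """Return [domain, target, ...] by following CNAMEs; stop on loops or depth."""
    chain = [domain]
    while chain[-1] in records and len(chain) <= max_depth:
        target = records[chain[-1]]
        if target in chain:          # CNAME loop, stop walking
            break
        chain.append(target)
    return chain


def is_blocked(name, blocklist, regexes):
    """Exact blocklist match or any regex filter match."""
    return name in blocklist or any(re.search(rx, name) for rx in regexes)


def decide(domain, whitelist, blocklist, regexes=()):
    """Walk the queried name, then each CNAME target; the first list hit decides."""
    for depth, name in enumerate(cname_chain(domain)):
        if name in whitelist:
            return "allowed"         # whitelisted: all further checks are skipped
        if is_blocked(name, blocklist, regexes):
            return "blocked" if depth == 0 else f"blocked (CNAME {name})"
    return "allowed"


if __name__ == "__main__":
    block = {"bad.tracker"}
    for wl in (set(), {"blog.site"}, {"bad.tracker"}):
        for q in ("blog.site", "shop.example", "news.example"):
            print(f"whitelist={sorted(wl)} query={q}: {decide(q, wl, block)}")
```

Running it shows the least-privilege point from the thread: whitelisting blog.site leaves shop.example blocked, while whitelisting bad.tracker lets both through.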