Question for beta5 / windows 10 users

Anybody having trouble with Windows Update? Mine hasn't run for over 4 days (using beta5 in production). I'm having trouble identifying the domain I have to whitelist.

I assume this is caused by the new CNAME blocking feature. A better web interface is on the way, making it easier to identify this, but unfortunately, it doesn't work for me (yet).

It is working here; I could check and install the latest update just fine.

Works fine for me.


It's NOT that easy anymore with the new CNAME blocking...

Check the domains that come from the Windows box. If not blocked, you may have to dig that domain to see the related CNAMEs and check each of those. Or just disable your Pi-Hole for a few minutes to run the Windows updates.

No problems with my win 10 machines.

Are you perhaps blocking any *.dscg3.akamai.net domains? These CNAMEs belong to some of the update domains.

For no apparent reason, the new branch (new/CNAME_inspection_details), that didn't work for me, suddenly started to produce results.
I didn't change a thing, no clue as to why it suddenly worked.

The result of the new query log feature:


Whitelisted the domain (the CNAME), problem fixed, Windows Update works.
The CNAME was on a blacklist provided by Spybot Anti-Beacon.

It took me less than 2 minutes to identify the culprit. This feature is a great addition to Pi-hole.

You shouldn't need to whitelist the CNAME. That will open up that for any domain that points to the CNAME. You just need to whitelist the target domain and leave the CNAME alone.

I agree.
The dilemma is, when I run pihole -q, the domain apparently isn't on any blocklist:

pihole -q slscr.update.microsoft.com
  [i] No results found for slscr.update.microsoft.com within the block lists

So I would be whitelisting something NOT on any blocklist. Is that wise?

Yes, if you want to access them.

You want to see blog.site but that CNAMEs to bad.tracker. If you whitelist bad.tracker then any domain that points to it will now be allowed. Just whitelist blog.site and only that domain will be allowed.

Thanks for the advice. I will change the whitelist entry.


So just for clarity, if any domain in the request chain is on the block/regex list, the entire request will be blackholed correct? In your example above, bad.tracker is on the block/regex list let’s say. The original request for blog.site gets dumped? That’s my understanding of the additional CNAME check. It’s just an additional check to see if the DNS request is going through one or more referrals to additional domains and otherwise obfuscating the true IP requested.

Whitelist overrides all.

If blog.site CNAMEs to bad.tracker and bad.tracker is on block/black/regex then blog.site will be killed and noted as blocked due to CNAME.

If blog.site is added to whitelist then it will be allowed. Implementation details are that once a whitelisted domain is seen then all further checks are skipped and the actual IP is returned.

Edit: To add more, only blog.site will be allowed. Any other domain that CNAMEs to bad.tracker will be killed.
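The decision logic described in the replies above, written out as an added Python model (this is illustrative code, not Pi-hole's own FTL implementation). The CNAME chain, blocklists and whitelists are constructed sample data; it also mirrors why `pihole -q` on the queried name finds nothing while the query is still blocked.

```python
import re

# Constructed sample resolution data: domain -> its CNAME target (None = final record).
CHAIN = {
    "blog.site": "bad.tracker",
    "news.site": "bad.tracker",
    "bad.tracker": None,
    "clean.site": "cdn.example",
    "cdn.example": None,
}


def resolve_chain(name, cnames):
    """Return the names visited when following CNAMEs from `name` (loop-safe)."""
    seen = []
    while name is not None and name not in seen:
        seen.append(name)
        name = cnames.get(name)
    return seen


def list_hits(name, blocklist, regex_list):
    """Like `pihole -q`: check only this one name against exact and regex lists."""
    return name in blocklist or any(re.search(p, name) for p in regex_list)


def decide(name, cnames, blocklist, regex_list, whitelist):
    """Return ('allowed' | 'blocked', reason) for a query to `name`.

    Every hop in the CNAME chain is inspected. A whitelisted hop ends all
    further checks and allows the query (so whitelisting the CNAME target
    allows every domain pointing at it, which is why the thread advises
    whitelisting only the queried domain). Otherwise the first list hit
    anywhere in the chain blocks the whole query.
    """
    for depth, hop in enumerate(resolve_chain(name, cnames)):
        if hop in whitelist:
            return "allowed", f"{hop} is whitelisted"
        if list_hits(hop, blocklist, regex_list):
            if depth == 0:
                return "blocked", f"{hop} is on a blocklist"
            return "blocked", f"blocked due to CNAME {hop}"
    return "allowed", "no hit in chain"


if __name__ == "__main__":
    lists = ({"bad.tracker"}, [r"^cdn\."])
    for q in ("blog.site", "news.site", "clean.site"):
        print(q, "pihole -q hit:", list_hits(q, *lists), decide(q, CHAIN, *lists, {"blog.site"}))
```

Running the block shows blog.site allowed only because it is itself whitelisted, news.site blocked via the same CNAME, and clean.site blocked by the regex hit on its cdn.example hop even though `pihole -q clean.site` reports nothing.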

Ok perfect, I assumed as much. Thanks for taking the time to explain further. Cheers

Sure, there was a lot of discussion in trying to get the implementation right. It's a big change so there will be a lot of "unlearning" of old ways to use the new features.