No there are no domain-based blocks enabled. To make sure I have deleted all the non-list "Domain management" rules.
@DL6ER I think we might be talking at cross purposes. After initially trying to mix domain rules and lists, I am now only using block/allow lists and no individual rules.
Using a fresh container image these are the steps I'm following:
Start a new pihole container (note: podman is a drop-in replacement for docker):
podman run -ti -p 5353:53 --env FTLCONF_dns_upstreams=192.168.1.1 docker.io/pihole/pihole:development-v6
Log into the pihole web interface and delete the default blocklist: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Add the blocklist: https://gist.githubusercontent.com/jerrykan/511dd4d90740177f17caf0d08ccd58ab/raw/2ac9b41f6a3082a3f0bfe9e08b310c46d353d153/block.list
Add the allowlist: https://gist.githubusercontent.com/jerrykan/511dd4d90740177f17caf0d08ccd58ab/raw/2ac9b41f6a3082a3f0bfe9e08b310c46d353d153/iview.list
Update Gravity:
[i] Upgrading gravity database from version 18 to 19
[i] Neutrino emissions detected...
[✓] Pulling blocklist source list into range
[✓] Preparing new gravity database
[✓] Creating new gravity databases
[i] Using libz compression
[i] Target: https://gist.githubusercontent.com/jerrykan/511dd4d90740177f17caf0d08ccd58ab/raw/2ac9b41f6a3082a3f0bfe9e08b310c46d353d153/block.list
[✓] Status: Retrieval successful
[✓] Parsed 0 exact domains and 1 ABP-style domains (blocking, ignored 0 non-domain entries)
[i] Target: https://gist.githubusercontent.com/jerrykan/511dd4d90740177f17caf0d08ccd58ab/raw/2ac9b41f6a3082a3f0bfe9e08b310c46d353d153/iview.list
[✓] Status: Retrieval successful
[✓] Parsed 5 exact domains and 0 ABP-style domains (allowing, ignored 0 non-domain entries)
[✓] Building tree
[i] Number of gravity domains: 1 (1 unique domains)
[i] Number of exact denied domains: 0
[i] Number of regex denied filters: 0
[i] Number of exact allowed domains: 0
[i] Number of regex allowed filters: 0
[✓] Swapping databases
[✓] The old database remains available
[✓] Cleaning up stray matter
[✓] Done.
Perform a query from my local host:
$ dig @localhost iview-vod-hls.akamaized.net -p 5353 +tcp
; <<>> DiG 9.19.21-1-Debian <<>> @localhost iview-vod-hls.akamaized.net -p 5353 +tcp
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49143
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;iview-vod-hls.akamaized.net. IN A
;; ANSWER SECTION:
iview-vod-hls.akamaized.net. 2 IN A 0.0.0.0
;; Query time: 47 msec
;; SERVER: ::1#5353(localhost) (TCP)
;; WHEN: Thu Mar 28 21:53:39 AEDT 2024
;; MSG SIZE rcvd: 72
The associated debug log:
2024-03-28 10:53:39.292 [389/F237] DEBUG_ANY: TCP worker forked for client 10.0.2.100 on interface with IP 10.0.2.100
2024-03-28 10:53:39.293 [389/F237] DEBUG_ANY: Reopening Gravity database for this fork
2024-03-28 10:53:39.298 [389/F237] DEBUG_QUERIES: Domain suffix is "lan"
2024-03-28 10:53:39.299 [389/F237] DEBUG_QUERIES: **** new TCP IPv4 query[A] query "iview-vod-hls.akamaized.net" from tap0/10.0.2.100#55830 (ID 1, FTL 0, src/dnsmasq/forward.c:2376)
2024-03-28 10:53:39.299 [389/F237] DEBUG_QUERIES: iview-vod-hls.akamaized.net is not known
2024-03-28 10:53:39.301 [389/F237] DEBUG_QUERIES: Checking if "iview-vod-hls.akamaized.net" is in antigravity (exact): yes
2024-03-28 10:53:39.301 [389/F237] DEBUG_QUERIES: Allowing query due to antigravity match (list ID 3)
2024-03-28 10:53:39.302 [389/F237] DEBUG_QUERIES: DNS cache: 10.0.2.100/iview-vod-hls.akamaized.net is not blocked (domainlist ID: -5)
2024-03-28 10:53:39.338 [389/F237] DEBUG_QUERIES: **** forwarded iview-vod-hls.akamaized.net to 192.168.1.1#53 (ID 1, src/dnsmasq/forward.c:2552)
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: **** got upstream reply from 192.168.1.1#53: iview-vod-hls.akamaized.net is (CNAME) (ID 1, src/dnsmasq/rfc1035.c:845)
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: Set reply to CNAME (3) in src/dnsmasq_interface.c:2176
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: FTL_CNAME called with: src = iview-vod-hls.akamaized.net, dst = a1977.dscv.akamai.net, id = 1
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: a1977.dscv.akamai.net is not known
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: Checking if "a1977.dscv.akamai.net" is in antigravity (exact): no
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: Checking if "@@||net^" is in antigravity (ABP): no
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: Checking if "@@||akamai.net^" is in antigravity (ABP): no
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: Checking if "@@||dscv.akamai.net^" is in antigravity (ABP): no
2024-03-28 10:53:39.339 [389/F237] DEBUG_QUERIES: Checking if "@@||a1977.dscv.akamai.net^" is in antigravity (ABP): no
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Checking if "a1977.dscv.akamai.net" is in gravity (exact): no
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Checking if "||net^" is in gravity (ABP): no
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: DNS cache: 10.0.2.100/a1977.dscv.akamai.net is gravity blocked
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Blocking query due to gravity match (list ID 2)
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Blocking a1977.dscv.akamai.net as a1977.dscv.akamai.net is gravity blocked (domainlist ID: -4)
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Set reply to CNAME (3) in src/dnsmasq_interface.c:1599
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Query 1: CNAME iview-vod-hls.akamaized.net ---> a1977.dscv.akamai.net
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: **** got upstream reply: a1977.dscv.akamai.net is blocked during CNAME inspection (ID 1, src/dnsmasq/rfc1035.c:877)
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Preparing reply for "iview-vod-hls.akamaized.net", EDE: N/A
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: Adding RR: "iview-vod-hls.akamaized.net A 0.0.0.0"
2024-03-28 10:53:39.340 [389/F237] DEBUG_QUERIES: **** got cache reply: iview-vod-hls.akamaized.net is 0.0.0.0 (ID 1, src/dnsmasq_interface.c:406)
2024-03-28 10:53:39.341 [389/F237] DEBUG_ANY: TCP worker terminating (client disconnected)
My reading of the debug log is:
- query for iview-vod-hls.akamaized.net received
- iview-vod-hls.akamaized.net is allowed due to an antigravity match
- iview-vod-hls.akamaized.net is a CNAME that points to a1977.dscv.akamai.net
- a1977.dscv.akamai.net is blocked due to a gravity match
- this results in iview-vod-hls.akamaized.net essentially being blocked
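An added model of the matching order the debug log above shows (my own illustration, not Pi-hole FTL's code): the ABP candidate order is taken from the "Checking if ..." lines, the CNAME chain from the log, and the list contents are constructed sample data standing in for the linked gists (the `||akamai.net^` block entry is a guess, not what block.list contains).

```python
# Added model of the matching order visible in the debug log above.
# This is NOT Pi-hole FTL's code; list contents are constructed sample data
# standing in for the gists linked in the post.

def abp_candidates(domain):
    """ABP-style patterns the log shows being checked for a name, shortest
    suffix first: a.b.c -> ||c^, ||b.c^, ||a.b.c^."""
    labels = domain.split(".")
    return ["||" + ".".join(labels[i:]) + "^" for i in range(len(labels) - 1, -1, -1)]

def in_antigravity(domain, lists):
    """Allowlist check: exact match, or an '@@||suffix^' ABP-style allow entry."""
    return domain in lists["exact_allow"] or any(
        ("@@" + p) in lists["abp_allow"] for p in abp_candidates(domain))

def in_gravity(domain, lists):
    """Blocklist check: exact match, or a '||suffix^' ABP-style block entry."""
    return domain in lists["exact_block"] or any(
        p in lists["abp_block"] for p in abp_candidates(domain))

def decide(qname, cname_chain, lists):
    """Walk the queried name, then each CNAME target, as the log does.
    An allowlist hit exempts only the name it matched; every CNAME target is
    judged on its own, so a gravity hit anywhere in the chain blocks the query.
    Returns (verdict, deciding_name, reason)."""
    for name in [qname, *cname_chain]:
        if in_antigravity(name, lists):
            continue                                 # allowed: keep following the chain
        if in_gravity(name, lists):
            return ("blocked", name, "gravity")      # reply for qname becomes 0.0.0.0
    return ("allowed", qname, "no gravity match on chain")

# Constructed lists: the allow entry is the allowlisted name from the post; the
# block entry is a guessed ABP-style rule that would catch the CNAME target.
LISTS = {
    "exact_allow": {"iview-vod-hls.akamaized.net"},
    "abp_allow": set(),
    "exact_block": set(),
    "abp_block": {"||akamai.net^"},
}
# CNAME chain exactly as the log reports it.
CHAIN = ["a1977.dscv.akamai.net"]

def allow_cname_target(lists, target):
    """What the log implies as a workaround: allowlist the CNAME target as well."""
    return {**lists, "exact_allow": lists["exact_allow"] | {target}}

if __name__ == "__main__":
    print(decide("iview-vod-hls.akamaized.net", CHAIN, LISTS))
    print(decide("iview-vod-hls.akamaized.net", CHAIN,
                 allow_cname_target(LISTS, "a1977.dscv.akamai.net")))
```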