Says blocked, still gets resolved on clients

Windows 10 Pro
USG as router
RPI 4 running fresh install of latest Raspbian
Have Ubiquiti USG3 with WAN DNS set to 192.168.0.165, which is a dedicated RPI4 running latest Raspbian Buster with all updates

Actual Behaviour:

Blocked URLs are being resolved somehow

More details:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8ce9:b30f:56ab:9f19%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.125(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 15, 2021 10:21:19 PM
   Lease Expires . . . . . . . . . . : Tuesday, March 16, 2021 10:21:18 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 244376250
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-86-33-3E-90-E2-BA-03-8B-0A
   DNS Servers . . . . . . . . . . . : 192.168.0.165
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       localdomain

nslookup pi.hole
Server:  PiHole
Address:  192.168.0.165
Name:    pi.hole
Address:  192.168.0.165

nslookup flurry.com
Server:  PiHole
Address:  192.168.0.165

Non-authoritative answer:
Name:    flurry.com
Addresses:  ::
          212.82.100.150
          98.136.103.23
          74.6.136.150

When I check the logs I see

Time Type Domain Client Status Reply Action
2021-03-15 22:44:19 AAAA flurry.com 192.168.0.125 Blocked (gravity) IP (0.0ms) Whitelist
2021-03-15 22:44:19 A flurry.com 192.168.0.125 Blocked (gravity) IP (0.0ms) Whitelist
2021-03-15 22:44:19 AAAA flurry.com.localdomain 192.168.0.125 OK (cached) NXDOMAIN (0.1ms) Blacklist
2021-03-15 22:44:19 A flurry.com.localdomain 192.168.0.125 OK (cached) NXDOMAIN (0.1ms)

Debug Token:

https://tricorder.pi-hole.net/2po23oqcn1

Any help is greatly appreciated.

In your above description, I think you may have mixed up expected and actual behaviour?

Could you provide the output for the following command, run from your RPi 4:

pihole-FTL dhcp-discover

There are several explanations why a blocked domain like flurry.com would still resolve in spite of Pi-hole:

a) A client isn't using Pi-hole for DNS
(from your nslookups, that's not applicable in your case)
b) A client is exempted from filtering via Pi-hole's Group Management
(n.a. for you - from your debug log, you are not using Pi-hole's client-based filtering)
c) A client is using a browser with DoH enabled
(n.a. as that would apply to a browser only and wouldn't affect nslookup, but still worth verifying)
d) A client is using an anti-virus feature like AVG Secure DNS or AVAST Real-Site
f) Your router is intercepting and redirecting DNS traffic in your network to a public DNS server

While only you can check for d), you may run the following command from a client in your network to verify f):

nslookup flurry.com 80.241.218.68

pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
Timeout: 10 seconds

* Received 314 bytes from eth0:192.168.0.1
  Offered IP address: 192.168.0.205
  Server IP address: N/A
  Relay-agent IP address: N/A
  BOOTP server: (empty)
  BOOTP file: (empty)
  DHCP options:
   Message type: DHCPOFFER (2)
   server-identifier: 192.168.0.1
   lease-time: 86400 ( 1d )
   netmask: 255.255.255.0
   router: 192.168.0.1
   dns-server: 192.168.0.1
      renewal-time: 43200 ( 12h )
   rebinding-time: 75600 ( 21h )
   domain-name: "localdomain"
   --- end of options ---

DHCP packets received on interface lo: 0
DHCP packets received on interface wlan0: 0
DHCP packets received on interface eth0: 1

(You can format command output by highlighting some text and selecting the </> Preformatted text option from the menu. I have edited your post accordingly.)

Thank you.

What about the nslookup results?

I believe I have it working now. Not sure what exactly made it start working, but I had just changed the settings for Use Conditional Forwarding as suggested in another thread, and pointed it to

Local network in [CIDR notation] 192.168.0.0/24
IP address of your DHCP server (router) 192.168.0.1

Thanks for your help. If you have any further questions or suggestions I am happy to reply and try.

nslookup flurry.com 80.241.218.68
Server:  dismail.de
Address:  80.241.218.68

Name:    flurry.com
Address:  0.0.0.0

That's good, your router isn't redirecting publicly outbound DNS traffic.

I doubt that's related: CF will allow reverse lookups of hostnames for devices in your network. It has no connection to blocking at all.

Your dhcp-discover results show that your router is distributing its own IPv4 address as DNS server via DHCP.

This disagrees with results of nslookups from your initial post:
Those have listed Address: 192.168.0.165 as your DNS server.

How did you configure your client to make use of Pi-hole?

The clients all use DHCP. I have a Ubiquiti USG3 set to use the DNS Server as 192.168.0.165.

Ran the test again, and it is now showing 192.168.0.165 as it should.

pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
Timeout: 10 seconds

* Received 314 bytes from eth0:192.168.0.1
  Offered IP address: 192.168.0.205
  Server IP address: N/A
  Relay-agent IP address: N/A
  BOOTP server: (empty)
  BOOTP file: (empty)
  DHCP options:
   Message type: DHCPOFFER (2)
   server-identifier: 192.168.0.1
   lease-time: 86400 ( 1d )
   netmask: 255.255.255.0
   router: 192.168.0.1
   dns-server: 192.168.0.165
      renewal-time: 43200 ( 12h )
   rebinding-time: 75600 ( 21h )
   domain-name: "localdomain"
   --- end of options ---

DHCP packets received on interface lo: 0
DHCP packets received on interface wlan0: 0
DHCP packets received on interface eth0: 1

You should be wary about this.
If you didn't change your router's DHCP settings yourself just now, that would imply that your router is changing DHCP all by itself.
That would be a serious flaw of your router's DHCP software.
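
The discrepancy discussed in this thread (a DHCP offer advertising 192.168.0.1 as DNS server while clients were expected to use the Pi-hole at 192.168.0.165) can be checked mechanically. The script below is an added example, not part of the original posts or of Pi-hole itself; the function name `check_dhcp_dns` is hypothetical and the sample offers are constructed by trimming the two outputs posted above.

```shell
#!/bin/sh
# Added example: audit `pihole-FTL dhcp-discover` output for DHCP offers that
# advertise a DNS server other than the Pi-hole.

# check_dhcp_dns EXPECTED_IP   (hypothetical helper; reads the output on stdin)
# Prints "<interface:server> <advertised dns> OK|MISMATCH" per dns-server line.
# Exit status: 0 = every offer points at EXPECTED_IP, 1 = at least one does
# not, 2 = no dns-server option seen (no offer received, or option missing).
check_dhcp_dns() {
    awk -v want="$1" '
        # Start of a new offer, e.g. "* Received 314 bytes from eth0:192.168.0.1"
        /^\* Received .* from / { src = $NF; next }
        $1 == "dns-server:" {
            seen++
            if ($2 == want) { verdict = "OK" } else { verdict = "MISMATCH"; bad++ }
            print src, $2, verdict
        }
        END { if (!seen) exit 2; if (bad) exit 1; exit 0 }
    '
}

# Constructed samples, trimmed from the two outputs posted in the thread.
OFFER_ROUTER_DNS='* Received 314 bytes from eth0:192.168.0.1
  Offered IP address: 192.168.0.205
  DHCP options:
   Message type: DHCPOFFER (2)
   server-identifier: 192.168.0.1
   router: 192.168.0.1
   dns-server: 192.168.0.1
   --- end of options ---'

OFFER_PIHOLE_DNS='* Received 314 bytes from eth0:192.168.0.1
  DHCP options:
   server-identifier: 192.168.0.1
   router: 192.168.0.1
   dns-server: 192.168.0.165
   --- end of options ---'

# First run in the thread: the router hands out itself as DNS server.
printf '%s\n' "$OFFER_ROUTER_DNS" | check_dhcp_dns 192.168.0.165 ||
    echo "first offer: exit status $?"
# Second run: the offer now points at the Pi-hole.
printf '%s\n' "$OFFER_PIHOLE_DNS" | check_dhcp_dns 192.168.0.165 &&
    echo "second offer: all DHCP offers advertise the Pi-hole"
```

On the Pi-hole host the live check is `pihole-FTL dhcp-discover | check_dhcp_dns 192.168.0.165`. Because every responding server gets its own line, a MISMATCH from an unexpected source address also points to a second DHCP server on the segment.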
