Please follow the below template, it will help us to help you!
Expected Behaviour:
All sites on blocklist are unreachable. All DNS requests go through pihole. http://www.whatsmydnsserver.com/ only shows Cloudflare DNS servers (as these are what I selected during setup.)
Actual Behaviour:
Some sites on blocklist are reachable seemingly at random. http://www.whatsmydnsserver.com/ is sometimes showing my ISP DNS server is being used instead of Cloudflare.
Debug Token:
txn6nmycd1!
This was driving me nuts for several days!
I have an XB6 cable modem from my ISP (Shaw Cable) and a D-Link DIR-867 router connected to it. The pihole is running on a Raspberry Pi Zero W on the D-Link network. All devices are connected to the D-Link, with none connected directly to the XB6.
Sometimes sites that I know should be blocked would show up. When I checked on whatsmydnsserver.com it would sometimes show the Shaw (ISP) DNS servers either instead of or in addition to the Cloudflare servers.
What appears to be happening is the the D-Link router was using the IPv6 DNS settings, even though I don't have an IPv6 service (my ISP doesn't offer IPv6 services, but it appears that they are using IPv6 for management of the XB6 - the IPv6 gateway and DNS servers are defined, but there is not IPv6 WAN address that I can use.)
http://ipv6-test.com/ shows that "DNS6 + IP4" for DNS is enabled for my connection, so it seems to me like even though I don't have an IPv6 WAN address, the D-Link can still query the IPv6 DNS server for an IPv4 address.
To fix this I disabled external IPv6 on the D-Link (set the IPv6 network type to "Local Connectivity Only" on the Settings >> Internet >> IPv6 page, and now everything works as I expect. It looks like all DNS requests are going to the pihole, and whatsmydnsserver.com only shows Cloudflare servers.
I wasn't able to find any details on anyone else running into or fixing this problem, so I thought I should throw up a quick post summarizing it.