Subdomains not being blocked V3.1.4

Expected Behaviour:

Using a blacklist that contains domain.tld should make Pi-hole block both "domain.tld" and any "anything.domain.tld" subdomains.

Actual Behaviour:

Only the "domain.tld" is blocked

Debug Token:

Token ID : uur1g5qqb3

Hello, I installed Pi-hole a couple of weeks ago. This is working fine with ad blocking. Then I figured out that I could use it to also blackhole porn domains. I searched for lists and found Chad Mayfield's one ("Blocking porn with Pi-hole – Chad Mayfield").
Yet, for some reason Pi-hole is not enforcing the wildcard blocking that has been implemented as of Version 3.0.

I am running it on a Raspberry Pi (one of the first generation). Lists take a while to compile but then it works fine. I also did see the dnsmasq-based solution, but I fear it could be a real performance burden to add 1.7 million entries to the wildcard-blacklist file...

In conclusion, is this expected or not? Should we modify Chad's blacklists?

Thank you !

Here are logs that show it (50.131 is the client, 50.1 is the router and default gateway, 50.55 is the Pi-hole):
Sep 8 23:29:25 dnsmasq[4743]: query[A] myfreecams.com from 192.168.50.131
Sep 8 23:29:25 dnsmasq[4743]: /etc/pihole/gravity.list myfreecams.com is 192.168.50.55
Sep 8 23:29:25 dnsmasq[4743]: query[A] myfreecams.com from 192.168.50.131
Sep 8 23:29:25 dnsmasq[4743]: /etc/pihole/gravity.list myfreecams.com is 192.168.50.55
Sep 8 23:29:25 dnsmasq[4743]: query[AAAA] myfreecams.com from 192.168.50.131
Sep 8 23:29:25 dnsmasq[4743]: forwarded myfreecams.com to 192.168.50.1
Sep 8 23:29:25 dnsmasq[4743]: query[AAAA] myfreecams.com from 192.168.50.131
Sep 8 23:29:25 dnsmasq[4743]: forwarded myfreecams.com to 192.168.50.1
Sep 8 23:29:25 dnsmasq[4743]: reply myfreecams.com is NODATA-IPv6
Sep 8 23:29:30 dnsmasq[4743]: query[A] www.myfreecams.com from 192.168.50.131
Sep 8 23:29:30 dnsmasq[4743]: forwarded www.myfreecams.com to 192.168.50.1
Sep 8 23:29:30 dnsmasq[4743]: reply www.myfreecams.com is 207.229.73.118
Sep 8 23:29:30 dnsmasq[4743]: reply www.myfreecams.com is 207.229.73.117
Sep 8 23:29:30 dnsmasq[4743]: query[A] www.myfreecams.com from 192.168.50.131
Sep 8 23:29:30 dnsmasq[4743]: cached www.myfreecams.com is 207.229.73.117
Sep 8 23:29:30 dnsmasq[4743]: cached www.myfreecams.com is 207.229.73.118

I made another test with yes24.com today:
C:\Windows\System32>nslookup yes24.com
Serveur : raspberry
Address: 192.168.50.55

Nom : yes24.com
Address: 192.168.50.55 <== expected and the browser shows the "blockpage"

C:\Windows\System32>nslookup www.yes24.com
Serveur : raspberry
Address: 192.168.50.55

Réponse ne faisant pas autorité :
Nom : www.yes24.com
Address: 61.111.13.51 <== unexpected !

Are you adding the domains to the blacklist, or the wildcard list? Wildcard blocking only works if you add it to the latter.

Hi
As I tried to explain, I am using a blacklist that can be updated. I do not manually key them in.
For instance with the graphical interface I navigate through "Settings > Pi-Hole's Block Lists > Lists used to generate Pi-hole's Gravity" and then I add the URL to download the blacklist (e.g. https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list or https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list)

If this does not work, this is painful, as adding 1.7M entries to the dnsmasq configuration file may really be a performance issue, right?

Ad list domains do not currently get wildcard blocked. Adding that many domains to the wildcard list might slow performance and is usually not necessary.
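The difference between the two matching modes discussed above, as an added example that is not part of the original thread or of Pi-hole's code: an exact-match lookup (how a hosts-style gravity list behaves in the logs above) next to suffix matching (the behaviour of dnsmasq's `address=/domain/ip` directive), plus a collapse step that drops entries already covered by a listed parent so fewer wildcard lines are needed. The function names and the sample list are constructed for illustration; the sink address 192.168.50.55 is the Pi-hole address from the logs.

```python
# Added illustration: exact-match vs. suffix ("wildcard") DNS blocking.
# SAMPLE_LIST is constructed; yes24.com is the test domain used in the thread.
SAMPLE_LIST = ["yes24.com", "cdn1.yes24.com", "ads.example.test", "Example.TEST."]
SINK_IP = "192.168.50.55"  # Pi-hole address shown in the thread's logs


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def exact_blocked(qname, blocklist):
    """Hosts-style list: only names listed literally are blocked."""
    return normalize(qname) in {normalize(d) for d in blocklist}


def wildcard_blocked(qname, blocklist):
    """Suffix match on label boundaries: a listed domain also covers
    every subdomain, but not look-alikes such as notyes24.com."""
    listed = {normalize(d) for d in blocklist}
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def collapse(blocklist):
    """Keep only entries that no listed parent domain already covers."""
    listed = {normalize(d) for d in blocklist if d.strip()}
    kept = []
    for name in listed:
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in listed for p in parents):
            kept.append(name)
    return sorted(kept)


def dnsmasq_lines(blocklist, sink_ip=SINK_IP):
    """Emit one dnsmasq address= directive per collapsed domain."""
    return [f"address=/{d}/{sink_ip}" for d in collapse(blocklist)]


if __name__ == "__main__":
    for q in ("yes24.com", "www.yes24.com", "notyes24.com"):
        print(q, exact_blocked(q, SAMPLE_LIST), wildcard_blocked(q, SAMPLE_LIST))
    print("\n".join(dnsmasq_lines(SAMPLE_LIST)))
```

Collapsing only helps when a list already contains both a domain and its subdomains; it does not remove the cost of loading one directive per remaining domain.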

OK I wasn't sure of the "wildcard blacklist is now part of the implementation" that was claimed as of V3.1

Regarding the utility of subdomains, in the case of porn this seems to be quite mandatory (just for youporn, there are the www.xxx, cdn1.xxx, cdn2.xxx, etc.) :frowning: So I understand I have no other solution than finding another list.

Technically, provided I submit a FR, would it be possible for Pi-hole to handle a blacklist as "wildcard" or not? If not, I won't post a FR. If yes, I will. If not, I'll go fetch another porn/childhoodprotection-blacklist that has every subdomain.

I understand also that this is a corner use case (although I think this would be a kind of killer app).

A feature request to have some ad lists handled as wildcard? Sure, open a FR and we'll look into it. No guarantees on when the feature might be released though! :wink:

OK, I will then. No matter when this is enforced :smile:

On the other hand, I subscribed to a free OpenDNS account and I now forward requests to their DNS. This works fine, but I'd rather use my ISP's servers, for they are useful in case of internal CDN requests.

Hi Mamak
I arrived at this thread because I have exactly the same use case and question as you!
So did you find any porn/childhoodprotection-blacklist that includes subdomains like www?
Or did you settle for OpenDNS? Me too, I'd rather use my ISP's DNS server :slight_smile:

Hey John James,
Well, I ended up using OpenDNS servers :frowning: :frowning: They are slow, but for what I do this is enough.
Mamak !