Tpc.googlesyndication.com and googleads.g.doubleclick.net getting through

Krowi · August 7, 2020, 1:43pm

Expected Behaviour:

Pihole blocks tpc.googlesyndication.com and googleads.g.doubleclick.net getting through

Actual Behaviour:

tpc.googlesyndication.com and googleads.g.doubleclick.net getting through

Debug Token:

https://tricorder.pi-hole.net/jlze6994r8

I've installe pi-hole today and for some reason, tpc.googlesyndication.com and googleads.g.doubleclick.net are getting through. The site I test is https://www.demorgen.be/.

Something I noticed is that these ads are all loaded inside an amp-img.

jfb · August 7, 2020, 2:40pm

A few thoughts:

You are using block lists that are questionable.

https://dbl.oisd.nl/
https://dbl.oisd.nl/light/

The list maintainer selectively whitelists domains and does not publicize the domains they choose to whitelist. Domains that you would expect to be blocked are not always blocked. I would ditch these lists and select from more reputable lists here: https://wally3k.github.io

Of the two questionable blocklists, only the second one is enabled. Let's check that list to see if it contains the two domains; and find it does.

pihole -q tpc.googlesyndication.com
 Match found in https://dbl.oisd.nl/light/:
   tpc.googlesyndication.com 
   tpc.googlesyndication.com.proxy.c9w.net

pihole -q googleads.g.doubleclick.net
Match found in **https://dbl.oisd.nl/light/** :
googleads.g.doubleclick.net

The regex you have crafted are incorrect:

You have .*googlesyndication.* , which does not block tpc.googlesyndication.com

Add googlesyndication.com as a wildcard blacklist entry, and Pi-hole will convert that to the following regex which does block that domain.

(\.|^)googlesyndication\.com$

If the browser you are using is able to load these domains, then the DNS queries for that browser are not going to Pi-hole. This can be caused by a few things:

The browser is using a DNS other than the DNS provided by the client OS (i.e. DNS over HTTPS).
The client is not using Pi-hole for DNS resolution.

From the client command prompt or terminal (and not via ssh into the Pi terminal), what are the outputs of the following:

nslookup pi.hole

nslookup tpc.googlesyndication.com 192.168.178.13

Krowi · August 7, 2020, 3:00pm

I've removed the block list and moved to https://adaway.org/hosts.txt
I've ran your test and this returned:

pihole -q tpc.googlesyndication.com
Match found in regex blacklist
  (\.|^)googlesyndication\.com$
Match found in https://adaway.org/hosts.txt:
  tpc.googlesyndication.com

pihole -q googleads.g.doubleclick.net
Match found in https://adaway.org/hosts.txt:
  googleads.g.doubleclick.net

I've removed the regex as suggested and match is confirmed in 2.
nslookup pi.hole returns this the following:

Server:  raspberrypi
Address:  2a02:578:857c:e00:6bee:313f:5c48:e6c6

Name:    pi.hole
Addresses:  2a02:578:857c:e00:6bee:313f:5c48:e6c6
          192.168.178.13

nslookup tpc.googlesyndication.com 192.168.178.13 gives this:

Server:  raspberrypi
Address:  192.168.178.13

Name:    tpc.googlesyndication.com
Addresses:  ::
          0.0.0.0

jfb · August 7, 2020, 3:18pm

This confirms that Pi-hole is blocking that domain and the client is using Pi-hole for DNS.

Either the browser is using an alternate DNS, or the ads are coming from other domains.

Krowi · August 10, 2020, 6:15am

It somehow got fixed by restarting the troubled pc. It was a company pc which was running under a VPN before. Restarting removed the VPN and now adds are gone. Not sure if it will return after enabling the VPN but now I probably know the cause at least.

jfb · August 10, 2020, 2:48pm

It will. When a client device is on a VPN service, the DNS for that device moves to the DNS of the VPN service as well, to prevent DNS traffic outside the VPN tunnel.