Unable to Access websites blocked by ISP/GOVERNMENT via pihole

Expected Behaviour:

I can access websites that got blocked by the government and ISP. Everything works fine when I change my local computer DNS to Google DNS / Cloudflare DNS. I am expecting that when I am connected via Pi-hole, it should be able to access all the blocked websites.

Actual Behaviour:

I got my Pi-hole installed on the Raspberry Pi 4; it works great as an ad blocker. I am using Google DNS as the upstream provider, but I cannot access all websites that are blocked by the government when I'm using my Raspberry Pi 4's IP address as the DNS on my computer. I tried switching to Cloudflare as the upstream DNS provider; that didn't go well either. I'm pretty sure the websites aren't blocked by the Pi-hole, since I can see the "OK" status in the query log.

I wonder how to solve this, since I assume that when I'm connected via Pi-hole, it is using my ISP's DNS instead of the assigned upstream DNS providers.

You can see which upstream providers are answering individual queries in the Query Log. E.g. you will see something like OK (answered by dns.google#53).

When an ISP blocks a particular site/domain, it's not only done through DNS.
They also sniff traffic for unencrypted SNI during the SSL/TLS handshake, which allows them to filter on their firewall.

Plus they most often also break the routing to that site's IP address if it's not hosted on, for example, Cloudflare etc.

Well, then why does changing my default DNS to Google DNS through my local computer settings bypass the blocked sites?

OK, later I will post a screenshot of my query log when I am trying to access the blocked sites and a normal website.

Some ISPs will block domains the same way that Pi-hole does – by returning a non-routable 0.0.0.0 address when you query their DNS for that domain. They still can route to that domain, so, if you use a different DNS provider that is returning the real IP, you'll be able to reach it via the ISP that is otherwise blocking in this way.

If you put the appropriate DNS provider in Pi-hole's upstream setting, Pi-hole will use that DNS server. If the DNS server is returning the real IP you will see it as a green entry for Type A, Domain name, Status OK, Reply IP. If the DNS server is returning a non-routable 0.0.0.0 you will see it as a red entry for Type A, Domain name, Status Blocked (external, NULL), Reply IP.

The reason I gave my earlier reply is that your symptoms imply that some of your queries are in fact not going through your Pi-hole. This could be because your computer has an additional DNS server configured without you realising it, or even that it's using IPv6 to also continue using your router, which is then asking the ISP DNS.

If you are making some queries that are not behaving the way you expect, and they are also not showing up in the Query log, this is a good indicator that this is what's going on.

If all your queries are showing up in Pi-hole, you can check if the third-party DNS's reply matches your expectations. Perhaps they are blocking some domains this way too.

You can use the command below several times in succession to see which DNS server or servers are being used by that computer, and the IP address received for the domain in question (example.com here). You should be seeing your Pi-hole's IP for the lookup, and the domain and its IP below that, and the Pi-hole should also be showing these queries in the Query Log.

nslookup example.com

EDIT: when you change the DNS server on the Pi-hole and check on the computer, the computer itself may have cached the earlier result for some time, e.g. an hour. Perhaps this is what you're seeing. In Windows you can flush this cache with the command

ipconfig /flushdns

On the Pi-hole you don't really need to do this, but for completeness you can flush the cache by going to Settings > System > Restart DNS Resolver or using the command

pihole restartdns
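As an added example (not part of this thread or of Pi-hole itself), the Python below automates the check the reply above describes: it parses several consecutive `nslookup example.com` outputs (constructed samples in Linux and Windows layout; the Pi-hole address 192.168.1.2 and the stray resolver 203.0.113.53 are assumed), reports which resolvers actually answered, whether any lookup bypassed the Pi-hole, and whether any reply was the non-routable 0.0.0.0 that indicates the resolver itself blocked the name.

```python
import ipaddress
from collections import Counter

# Constructed output of `nslookup example.com` run three times on one client. Runs 1 and 2 are
# answered by the Pi-hole (192.168.1.2, an assumed LAN address; run 2 is the Windows layout).
# Run 3 went to another resolver (203.0.113.53, constructed) that replied 0.0.0.0.
SAMPLE_RUNS = [
    "Server:\t\t192.168.1.2\nAddress:\t192.168.1.2#53\n\nNon-authoritative answer:\n"
    "Name:\texample.com\nAddress: 198.51.100.10\n",
    "Server:  pi.hole\nAddress:  192.168.1.2\n\nNon-authoritative answer:\n"
    "Name:    example.com\nAddresses:  2001:db8::10\n          198.51.100.10\n",
    "Server:\t\t203.0.113.53\nAddress:\t203.0.113.53#53\n\nNon-authoritative answer:\n"
    "Name:\texample.com\nAddress: 0.0.0.0\n",
]
PIHOLE_IP = "192.168.1.2"  # assumed; the address your clients are supposed to use

def as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_nslookup(text):
    """Return (resolver_ip, [answer_ips]) from nslookup output, Linux or Windows layout."""
    resolver, answers, in_answer = None, [], False
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = line.partition(":")
        val = val.strip().split("#")[0]          # drop the "#53" port suffix
        if in_answer and as_ip(line) is not None:
            answers.append(line)                 # Windows continuation line under "Addresses:"
        elif key == "Name":
            in_answer = True                     # Address lines after Name: are the answer
        elif key in ("Address", "Addresses") and as_ip(val) is not None:
            if in_answer:
                answers.append(val)
            elif resolver is None:
                resolver = val                   # first Address before Name: is the resolver
    return resolver, answers

def classify_answer(ip):
    addr = ipaddress.ip_address(ip)  # 0.0.0.0 / :: / loopback means the resolver blocked the name
    return "EXTERNAL_BLOCK" if addr.is_unspecified or addr.is_loopback else "OK"

def audit(runs, pihole_ip):
    """Summarise repeated lookups: who answered, whether any bypassed the Pi-hole, null blocks."""
    resolvers, verdicts = Counter(), []
    for text in runs:
        resolver, answers = parse_nslookup(text)
        resolvers[resolver] += 1
        verdicts.extend(classify_answer(a) for a in answers)
    return {"resolvers": dict(resolvers),
            "bypassed_pihole": any(r != pihole_ip for r in resolvers),
            "external_block_seen": "EXTERNAL_BLOCK" in verdicts}
```

A resolver of 127.0.0.1 (as seen with the Docker setup later in the thread) or of the ISP's address shows up as `bypassed_pihole`, and lookups that answer but never appear in the Query Log point the same way.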

Hi, I forgot to tell you something.

I installed the Pi-hole by following the steps here: GitHub - geerlingguy/internet-pi: Raspberry Pi config for all things Internet. (grafana + pihole). I believe it installs Grafana + Pi-hole inside a Docker container.

When I used the "dig" command on my client terminal, the DNS server shows 127.0.0.1.

Might this be affecting my DNS configuration?

Cheers

Possibly, I don't know enough about Docker networking to know what to expect, and it would depend where the client sits in all this.

The page says to use Pi-hole as your router's upstream, so if you've done this, perhaps your router continues to use your ISP's DNS too without your knowledge. Some ISP-supplied routers are configured like this. It would mean some queries are sent to your Pi-hole (and then to Google and not blocked), and other queries go to your ISP (and get blocked).

When you do a dig or nslookup of the domain on your computer, you should see the entry in Pi-hole's Query Log every time. If you're not seeing it in there every time then it looks like your router is sending some of those queries to your ISP and that's the cause of your issue.

Try an Extended Test at DNS leak test. It's not really testing for leaks here, just testing what DNS servers it sees you using. You should just be seeing your Pi-hole's upstream provider company in the results. If your ISP is in there too, that further supports the router misbehaving.