Unable to block google ads

Expected Behaviour:

Visiting some sites and expecting ads to be blocked. Specifically, Google Ads.

I used the “add domain as wildcard” and added all kinds of combinations of URLs that I see when I hover with the mouse over the visible ads.

Example: googleads.g.doubleclick.net I tried to block exactly this URL and I tried using regex to block it like this (\.|^)googleads\.g\.doubleclick\.net$ or (\.|^)googleads$

But the ads keep reappearing. My PC is set to use 192.168.1.2, which is the Pi-hole's IP address. My router uses the Pi-hole as the DNS:

nslookup shows it’s going through pihole, but I still don’t understand why I get the ads showing.

pi@raspberrypi:~ $ nslookup googleads.g.doubleclick.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   googleads.g.doubleclick.net
Address: 0.0.0.0
Name:   googleads.g.doubleclick.net
Address: ::

pi@raspberrypi:~ $

Actual Behaviour:

Google ads are not getting blocked.

Debug Token:

https://tricorder.pi-hole.net/3j5EBDzq/
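An added example, not part of this thread: a small Python parser for nslookup output of the shape shown above. It separates the "Server:" line (which resolver actually answered) from the answer records, and then gives a verdict: "blocked" when every answer is Pi-hole's null address (0.0.0.0 or ::), "not-using-pihole" when the answering resolver is not the expected Pi-hole IP, and "resolved" when a real address came back. Both sample outputs are constructed for the example; the 192.0.2.x / 2001:db8:: addresses are documentation ranges, not real ad-server addresses.

```python
import re

# Pi-hole answers blocked names with these null addresses (IPv4 / IPv6).
PIHOLE_NULL_ADDRESSES = {"0.0.0.0", "::"}

# Constructed sample: what nslookup prints when Pi-hole blocks the name.
BLOCKED_SAMPLE = """\
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   googleads.g.doubleclick.net
Address: 0.0.0.0
Name:   googleads.g.doubleclick.net
Address: ::
"""

# Constructed sample: the same name answered by a public resolver instead
# (documentation addresses, not real ones).
UPSTREAM_SAMPLE = """\
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   googleads.g.doubleclick.net
Address: 192.0.2.10
Name:   googleads.g.doubleclick.net
Address: 2001:db8::10
"""


def parse_nslookup(text):
    """Parse nslookup output into the answering server and (name, address) pairs.

    The first 'Address:' line after 'Server:' belongs to the resolver itself
    (it carries a '#53' port suffix); every 'Address:' after a 'Name:' line
    is an answer record for that name.
    """
    server = None
    server_address = None
    answers = []
    pending_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            pending_name = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            # split on the first ':' only, so IPv6 answers like '::' survive
            addr = line.split(":", 1)[1].strip()
            if pending_name is None:
                server_address = addr.split("#")[0]
            else:
                answers.append((pending_name, addr))
    return {"server": server, "server_address": server_address, "answers": answers}


def verdict(text, expected_resolver):
    """Classify an nslookup run against the resolver the client should be using."""
    parsed = parse_nslookup(text)
    if parsed["server"] != expected_resolver:
        return "not-using-pihole"
    addrs = {addr for _, addr in parsed["answers"]}
    if addrs and addrs <= PIHOLE_NULL_ADDRESSES:
        return "blocked"
    return "resolved"


if __name__ == "__main__":
    # On the Pi itself the resolver is 127.0.0.1; from a LAN client it would be
    # the Pi-hole's LAN address (192.168.1.2 in the thread).
    print(verdict(BLOCKED_SAMPLE, "127.0.0.1"))
    print(verdict(UPSTREAM_SAMPLE, "192.168.1.2"))
```

Running the same check from the Windows client (with the Pi-hole's LAN address as the expected resolver) is the quick way to tell "the name is not on a blocklist" apart from "this machine's lookups never reached Pi-hole", which is the distinction the rest of the thread turns on.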

Router settings look good ... for the IPv4 part.
Except I would restrict the pool range to 192.168.1.50 through 192.168.1.250 instead, so that devices with a true static IP can also be configured outside the above DHCP scope (but within the same subnet).

What does the below output?

sudo pihole-FTL dhcp-discover | grep 'dns-server\|Recursive DNS server'

It broadcasts an IPv4 DHCPDISCOVER plus an IPv6 RS (Router Solicitation) via multicast and catches the responses from the router(s) etc.
You can also run it without the above grep to inspect for yourself what's advertised on your LAN via IPv4 DHCP or IPv6 RA (Router Advertisement):

sudo pihole-FTL dhcp-discover

Don't post the full unredacted output here, for privacy!

Do you mean that by doing so, I can still manually assign static IPs to devices that are below .50?

pi@raspberrypi:~ $ sudo pihole-FTL dhcp-discover | grep 'dns-server\|Recursive DNS server'
   dns-server: 192.168.1.2
pi@raspberrypi:~ $
pi@raspberrypi:~ $ sudo pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers and IPv6 routers
Timeout: 6 seconds

* Received 312 bytes from 192.168.1.1 @ eth0
  Offered IP address: 192.168.1.2
  Server IP address: 192.168.1.1
  Relay-agent IP address: N/A
  BOOTP server: (empty)
  BOOTP file: (empty)
  DHCP options:
   Message type: DHCPOFFER (2)
   server-identifier: 192.168.1.1
   lease-time: 86400 ( 1d )
   renewal-time: 43200 ( 12h )
   rebinding-time: 75600 ( 21h )
   netmask: 255.255.255.0
   broadcast: 192.168.1.255
   wpad-server: "\n"
   netbios-ns: 192.168.1.1
   domain-name: "workgroup"
   dns-server: 192.168.1.2
   router: 192.168.1.1
   --- end of options ---

* Received 88 bytes from fe80::6d9:xxxx:xxxx:xxxx @ eth0
  Hop limit: 64
  Stateful address conf.: No
  Stateful other conf.: Yes
  Mobile home agent: No
  Router preference: Medium
  Neighbor discovery proxy: No
  Router lifetime: 600 s
  Reachable time: N/A
  Retransmit time: N/A
  - Prefix: fd00::/64
    Valid lifetime: 600 sec
    Preferred lifetime: 600 sec
    On-link: Yes
    Autonomous address conf.: Yes
  MTU: 1484 bytes (valid)
  Source link-layer address: 04:D9:xx:xx:xx:xx
  DNS search list: workgroup
   DNS search list lifetime: 600 sec

* Received 64 bytes from fe80::b72d:xxxx:xxxx:xxxx @ eth0
  Hop limit: undefined
  Stateful address conf.: No
  Stateful other conf.: Yes
  Mobile home agent: No
  Router preference: Medium
  Neighbor discovery proxy: No
  Router lifetime: 0 s
  Reachable time: N/A
  Retransmit time: N/A
  - Prefix: fd96:b465:xxxx:xxxx::/64
    Valid lifetime: 1800 sec
    Preferred lifetime: 1800 sec
    On-link: Yes
    Autonomous address conf.: Yes
  - Route: fdf6:xxxx:xxx:1::/64
    Route preference: Medium
    Route lifetime: 1800 sec

* Received 88 bytes from fe80::6d9:xxxx:xxxx:xxxx @ eth0
  Hop limit: 64
  Stateful address conf.: No
  Stateful other conf.: Yes
  Mobile home agent: No
  Router preference: Medium
  Neighbor discovery proxy: No
  Router lifetime: 600 s
  Reachable time: N/A
  Retransmit time: N/A
  - Prefix: fd00::/64
    Valid lifetime: 600 sec
    Preferred lifetime: 600 sec
    On-link: Yes
    Autonomous address conf.: Yes
  MTU: 1484 bytes (valid)
  Source link-layer address: 04:D9:F5:xx:xx:xx
  DNS search list: workgroup
   DNS search list lifetime: 600 sec

Received 1 DHCP (IPv4) and 3 RA (IPv6) answers on eth0
pi@raspberrypi:~ $

I garbled some of the addresses with x's.

As a side note, I use the Edge browser, and I made sure I have this key/value pair in my Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
BuiltInDnsClientEnabled [DWORD]
Value data: 0

With Firefox browser I don’t get the ads. (I just figured it out now…)

Yes.
I have all my network critical devices configured with manual static IP details on the devices themselves just in case of the DHCP server failing for some reason.

Output looks good.
If you've localized it to the browser, try to find the below setting and make sure it's disabled:

Will do. I'll report back once I get to do it later today.

Are the results good for this? ‘sudo pihole-FTL dhcp-discover’

I can’t seem to use my own specified DNS address because it’s under a managed account (though it’s my account, not an organization account)

So aside from the registry change I've done, I don't know how to execute step 5: "Select the Enter custom provider drop-down menu and choose Cloudflare (1.1.1.1)."

You might have created that “managed browser” problem when you made that registry edit above. Try removing it or changing back to its original value then restart your browser; although since it’s a policy setting, it may require a reboot to take effect as it’s in the Local Machine hive.

You're not supposed to configure and enable DoH; make sure it's disabled/turned off instead:

That setting allows the browser to bypass Pi-hole via DoH:

Do you see the ad domains in your query log? Are they showing as blocked there?

Not exactly.

When I hover with the mouse over the ads, the domain I see is googleads.g.doubleclick.net; however, in the screenshot you can see it shows googleads4. While this appears to get blocked, I don't see results for googleads.

I also notice that the website keeps rotating the URL of the ads, as if they “figure out” that I’m blocking them, so each page refresh, the URL keeps changing and ads are showing up.

This is all very strange, because on my Pihole installation using default block lists, googleads4.g.doubleclick.net (indeed anything at doubleclick.net) is blocked; DIG returns 0.0.0.0 for an answer.

Maybe the ads are coming from a different domain? I don’t see ads on Google.

By “URL keeps rotating” do you mean the domain itself changes? Like it isn’t doubleclick.net? Pi-hole isn't concerned with URLs, it only sees the domains.

Aren’t you blocking the whole of doubleclick.net through wildcard using regex?

Exactly. Each time I visit, it's a different domain. All of them appear in the list. This is 99% browser settings that I have to mess with in the Windows registry.

Just on a side note:

It would seem Edge considers itself as a managed browser (i.e. to be managed by policies rather than direct user interaction) if it finds at least one Edge related policy, which it seems is just what you've introduced by adding that registry key.

In order for Edge to allow you to control its Use secure DNS option, you'd probably need to remove all Edge policies.

But then your browser seems to show Use secure DNS as off already, and that's already what deHakkelaar had suggested to verify.

Can you give examples of some of the domains?

I think the Edge policies are because my Windows account is a Microsoft/Outlook online account, and not a local account.

I believe if I change it to a local account, then I won't have these policies.

The registry changes are because of this “managed account”, it didn’t introduce the policies, as it seems they were there all along. Well… at least that’s what I observed, but I could be wrong.

So I figured that adding this policy to the registry would solve the issue, but it doesn’t.

Key: DnsOverHttpsMode (string)

Value: off

Source: Microsoft Edge Browser Policy Documentation DnsOverHttpsMode | Microsoft Learn

Description

Control the mode of the DNS-over-HTTPS resolver. Note that this policy will only set the default mode for each query. The mode can be overridden for special types of queries such as requests to resolve a DNS-over-HTTPS server hostname.

The "off" mode will disable DNS-over-HTTPS.

The "automatic" mode will send DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and may fallback to sending insecure queries on error.

The "secure" mode will only send DNS-over-HTTPS queries and will fail to resolve on error.

If this policy is not configured for managed devices, DNS-over-HTTPS queries will not be sent. Instead, the browser may send DNS requests to a resolver associated with the user's system resolver. This could lead to a less secure or private

Policy options mapping:

  • off (off) = Disable DNS-over-HTTPS

  • automatic (automatic) = Enable DNS-over-HTTPS with insecure fallback

  • secure (secure) = Enable DNS-over-HTTPS without insecure fallback

For example: googleads.g.doubleclick.net
ad.doubleclick.net

Do you see the ad domains in your query log? Are they showing as blocked there?

No, I don't see them in the log.

I was able to set the DNS over https to OFF but it doesn't do anything.

They are not different domains. They are still doubleclick.net. You need to have some idea about what you’re saying.

It means your PC isn’t using Pihole as DNS.

Try setting pihole as your IPv4 DNS in settings.

Note:

Actually, they are different domains.

From the DNS point of view, there is no concept of "subdomains". Everything is a different domain, and each domain can be served from a different IP.

That's why we need to use a regex to block all subdomains. An exact block would block just a single domain.

You can try these commands to see that google.com, www.google.com and analytics.google.com are different domains, with different IPs:

dig google.com @8.8.8.8
dig www.google.com @8.8.8.8
dig analytics.google.com @8.8.8.8
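An added example, not part of this thread, illustrating the regex-versus-exact point above and the regexes the OP tried earlier. Pi-hole matches a blocking regex against the whole queried name, and its "add domain as wildcard" option produces a pattern of the form (\.|^)domain$ (the shape the OP quoted). The Python below applies that shape and the OP's two patterns to a constructed list of names, and shows why (\.|^)googleads$ can never match googleads.g.doubleclick.net (the $ anchor demands the name end right after "googleads"), why the exact pattern does not catch googleads4, and why a wildcard on doubleclick.net catches every subdomain without catching look-alikes such as notdoubleclick.net or doubleclick.net.example.com. The domain list is constructed for the example; it is not taken from the thread's query log.

```python
import re

# Constructed sample: names a page might request (not from anyone's query log).
SAMPLE_DOMAINS = [
    "googleads.g.doubleclick.net",
    "googleads4.g.doubleclick.net",
    "ad.doubleclick.net",
    "doubleclick.net",
    "notdoubleclick.net",          # look-alike: must NOT match a doubleclick.net wildcard
    "doubleclick.net.example.com", # look-alike: must NOT match either
    "www.google.com",
]


def subdomain_regex(base_domain):
    """Build the wildcard pattern shape Pi-hole uses: (\\.|^)base\\.domain$.

    re.escape makes the dots literal, so 'doubleclick.net' cannot match
    'doubleclickXnet'. The leading (\\.|^) requires a label boundary, the $
    pins the base domain to the end of the queried name.
    """
    return r"(\.|^)" + re.escape(base_domain) + r"$"


def exact_block(domain, blocked):
    """Exact-match blocking: only the literal name is blocked, no subdomains."""
    return domain == blocked


def regex_block(domain, pattern):
    """Regex blocking: the pattern is searched against the whole queried name."""
    return re.search(pattern, domain) is not None


def classify(domains, patterns):
    """Map each domain to the list of patterns that would block it."""
    return {d: [p for p in patterns if regex_block(d, p)] for d in domains}


# The two patterns the OP quoted, plus the wildcard for the parent domain.
OP_EXACT_REGEX = r"(\.|^)googleads\.g\.doubleclick\.net$"
OP_SHORT_REGEX = r"(\.|^)googleads$"
PARENT_WILDCARD = subdomain_regex("doubleclick.net")


if __name__ == "__main__":
    for domain, hits in classify(SAMPLE_DOMAINS, [OP_EXACT_REGEX, OP_SHORT_REGEX, PARENT_WILDCARD]).items():
        print(f"{domain:32s} {'BLOCKED' if hits else 'allowed':8s} {hits}")
```

The practical takeaway matches the note above: to cover ad.doubleclick.net, googleads.g.doubleclick.net and googleads4.g.doubleclick.net with one entry, block the parent with the wildcard form, and verify in the query log that the names are actually reaching Pi-hole before tuning patterns further.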