Website blocked although not on a blocklist

Hi guys,

my PiHole is blocking websites, which are not on a blocklist, even after website added to whitelist. They are still blocked even after pihole set to disabled. Tested browsers Brave and Edge. Affected are all devices in my household.
Blocked websites:
revanced.net
rt.com

When I select DNS provider in Brave to Cloudflare, pages load OK.
image

When I select DNS provider in Brave to OS Default (which is PiHole according to my router's DHCP), pages won't load.
image

Pi-hole running on RPi 4.
Upstream DNS Servers: Cloudflare (DNSSEC)
Use DNSSEC is ON

No matter what Upstream DNS Server I choose, or shitch DNSSEC support off, nothing changes.
I did Flush network table, Restart DNS resolver with no change.

When I add Local DNS domain in DNS Records menu, revanced.net load OK, rt.com still won't load. This is really strange behaviour.

You can check how pihole is handing a specific domain using the followig command from the pihole:

pihole -q -exact domain

So try pihole -q -exact revanced.net and see what the results are.

root@raspberrypi:~# pihole -q -exact revanced.net
Exact match found in exact whitelist
revanced.net

So its whitelisted and this is blocked even if pihole is disabled. This doesn't seem like a pihole issue but lets check how it resolves using a different resolver.

From the pihole try:

dig revanced.net
dig @1.1.1.1 revanced.net

root@raspberrypi:~# dig @1.1.1.1 revanced.net

; <<>> DiG 9.16.44-Debian <<>> @1.1.1.1 revanced.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2864
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;revanced.net. IN A

;; ANSWER SECTION:
revanced.net. 1 IN A 217.119.121.226

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri May 10 13:20:43 BST 2024
;; MSG SIZE rcvd: 46

Also post the dig revanced.net for comparison.

root@raspberrypi:~# dig revanced.net

; <<>> DiG 9.16.44-Debian <<>> revanced.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54823
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;revanced.net. IN A

;; ANSWER SECTION:
revanced.net. 1 IN A 217.119.121.226

;; Query time: 7 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Fri May 10 13:22:59 BST 2024
;; MSG SIZE rcvd: 46

So both resolve the domain just fine. This sounds like a browser related issue. Do you actually see blocked messages in the pihole?

I dont see any error message in Pi-hole. But in this cmd output, the IP address is different from originat website address.

should be 104.21.76.63 and not 217.119.121.226

Output from Pi-Hole Query log

2024-05-10 14:30:19 DS revanced.net pi.hole OK (sent to one.one.one.one#53) N/A
2024-05-10 14:30:19 A revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 HTTPS revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 DS revanced.net pi.hole OK (sent to one.one.one.one#53) N/A
2024-05-10 14:30:19 HTTPS revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 A revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 DS revanced.net pi.hole OK (sent to one.one.one.one#53) N/A
2024-05-10 14:30:19 A revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 DS revanced.net pi.hole OK (sent to one.one.one.one#53) N/A
2024-05-10 14:30:19 HTTPS revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 A revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 DS revanced.net pi.hole OK (sent to one.one.one.one#53) N/A
2024-05-10 14:30:19 HTTPS revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist
2024-05-10 14:30:19 A revanced.net Lenovo_M90q.local OK (sent to one.one.one.one#53)
BOGUS (NSEC(3) missing) N/A Blacklist

It is interesting. Doing a host revanced.net gives me:
revanced.net has address 172.67.190.236
revanced.net has address 104.21.76.63
revanced.net has IPv6 address 2606:4700:3036::6815:4c3f
revanced.net has IPv6 address 2606:4700:3037::ac43:beec
revanced.net mail is handled by 58 route1.mx.cloudflare.net.
revanced.net mail is handled by 79 route3.mx.cloudflare.net.
revanced.net mail is handled by 34 route2.mx.cloudflare.net.

and dig gives me the same:

revanced.net. 117 IN A 104.21.76.63
revanced.net. 117 IN A 172.67.190.236

What do you get with this command:

dig +short NS revanced.net

it should come back as:

pat.ns.cloudflare.com.
armfazh.ns.cloudflare.com.

root@raspberrypi:~# dig +short NS revanced.net
armfazh.ns.cloudflare.com.
pat.ns.cloudflare.com.

nslookup.io DNS records for revanced.net
image

So that is correct. These BOGUS (NSEC(3) missing) are DNSSEC related messages so validation looks like its failing.

I wll admit that I'm not versed on DNSSEC. I don't use. Dig can do some validation. Try
this command:

dig DNSKEY revanced.net +short

root@raspberrypi:~# dig DNSKEY revanced.net +short
217.119.121.226

How about:

dig DS revanced.net +trace

root@raspberrypi:~# dig DS revanced.net +trace

; <<>> DiG 9.16.44-Debian <<>> DS revanced.net +trace
;; global options: +cmd
. 85704 IN NS l.root-servers.net.
. 85704 IN NS m.root-servers.net.
. 85704 IN NS a.root-servers.net.
. 85704 IN NS b.root-servers.net.
. 85704 IN NS c.root-servers.net.
. 85704 IN NS d.root-servers.net.
. 85704 IN NS e.root-servers.net.
. 85704 IN NS f.root-servers.net.
. 85704 IN NS g.root-servers.net.
. 85704 IN NS h.root-servers.net.
. 85704 IN NS i.root-servers.net.
. 85704 IN NS j.root-servers.net.
. 85704 IN NS k.root-servers.net.
. 85704 IN RRSIG NS 8 0 518400 20240523050000 20240510040000 5613 . kDenK13iRdW7sqFruSPDfvKI0ka51HdJ/WwqJhdAzXqBUJIhZNdps5FY hCWXKdA4bRH4Z5RirOsBbFbywrBs4sLDUP6zJ7Mf5y0dNvzYTHUlUNFA KiQ67aIkcB6jPnl4L0fequdGalD0D2XS/kNhupn2J7QnJlU/Oa/tIlIU P3RoaxdhbrUvqIyQHjDyIlCoV+o/au3ZrCtwx+UzaaGmtwSJesUC6OEq v+ncbHdu6sPiRgEniXKitnBH7mtXxo4iSh4IZRzT5/scqDWlKJZOIGRJ SrfPqsP7miikm6q5+KBiN/RLnn+A9C2qrj6de+2mDbU63vHF3fBrDrcn WZu1tg==
;; Received 717 bytes from 192.168.2.1#53(192.168.2.1) in 3 ms

revanced.net. 1 IN A 217.119.121.226
;; Received 46 bytes from 170.247.170.2#53(b.root-servers.net) in 0 ms

Is that the full output? It seems to hit the TLD and then fail. When I run the command I get:

; <<>> DiG 9.18.24-1-Debian <<>> DS revanced.net +trace
;; global options: +cmd
. 12888 IN NS d.root-servers.net.
. 12888 IN NS g.root-servers.net.
. 12888 IN NS f.root-servers.net.
. 12888 IN NS h.root-servers.net.
. 12888 IN NS i.root-servers.net.
. 12888 IN NS e.root-servers.net.
. 12888 IN NS l.root-servers.net.
. 12888 IN NS k.root-servers.net.
. 12888 IN NS j.root-servers.net.
. 12888 IN NS a.root-servers.net.
. 12888 IN NS m.root-servers.net.
. 12888 IN NS b.root-servers.net.
. 12888 IN NS c.root-servers.net.
. 12888 IN RRSIG NS 8 0 518400 20240522050000 20240509040000 5613 . jQNE12XVpiS1CG0BlUrNE+aIF+iNQbggZBudOq3jR1rADvjCzxptSvyw PzO7C9QzxmBp7RND8x5R+BDsqhcEWD0gHqW7RvKndUtw0lCbE4FaZx7R c/CXYQMXG33XnvoyY511m+o+MgmeTwuL2v9UmFzJD2xQje9Tn167yyjg mR4WNUcXqLKSJ4/z4/k4DS6SCQsOB4+0id5GkpxkqNbtARc/eyo1ZWXB BhxA01fB1gJw7FT8Qx5UCzZQz7wrdJ4c4ZIkyAGr50u0WMfhxBU33Pgx VaG5vLIKNNr9WTtvfOFDjRTPqOeVC6WEllCe+Ew6Nhje6IWa0qf5IPdx pztvfQ==
;; Received 525 bytes from 192.168.0.3#53(192.168.0.3) in 84 ms

net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 86400 IN DS 37331 13 2 2F0BEC2D6F79DFBD1D08FD21A3AF92D0E39A4B9EF1E3F4111FFF2824 90DA453B
net. 86400 IN RRSIG DS 8 1 86400 20240523050000 20240510040000 5613 . UrlXL1jdVKCXXf9DdjqD1WCSIdP3p+FQvQh6fVP/TtY/rgMOYJR7FA3b l+u2li55puzPdF98ueY1142joKZB8oaVUBujrvTQMK9oCMEkNbyOpUML bcEFv14UnOaWaOSMDlHlvVIG1GhD9neQPNvMrkgDkbvmwj8+UqX4KNGD bZyTDiyFUhQjoQkgEU9nJO2NSSMoWBRbwBTouVxvEEOpHYvpnCYT8623 6v7fU2oJlCLZU+phqtWYaybFPySv7cncFyhin9oAjeGXB2hXhBML8vXP vSU4uIhK0JpDogP20cUyUlYFSC1udtdfHTzTgpgTh3TakyMkffXytZe1 mv86zA==
;; Received 1169 bytes from 198.41.0.4#53(a.root-servers.net) in 28 ms

A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RTLNPGULOGN7B9A62SHJE1U3TTP8DR NS SOA RRSIG DNSKEY NSEC3PARAM
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 13 2 86400 20240516065220 20240509054220 51809 net. sZOEAf1l1pcgAZiaR/ObTAU94tUoLluiopMlH/Ahz+AVK8kjSsjvuxlf P3yfM7DJvV+X92lJH5asmdQoXOgyqw==
net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1715346369 1800 900 604800 86400
net. 900 IN RRSIG SOA 13 1 900 20240517130609 20240510115609 51809 net. ZeZhwXeAqtYj8SgRNYTtlbkts/kUmoAf5/bH3IDo6wMYrTG1Q3ex1CxH IemLH/mCMB5lTg0/VZcw/PKaHz6hmg==
95M0JTQRESE66D9LB13EE62942GSFHAS.net. 86400 IN NSEC3 1 1 0 - 95M403MODFHI2M76VO5UUS8U8K9EK4DD NS DS RRSIG
95M0JTQRESE66D9LB13EE62942GSFHAS.net. 86400 IN RRSIG NSEC3 13 2 86400 20240517065213 20240510054213 51809 net. P7Qd3W79KfB+nRQS2wv25a8g3SIOyKfLWsViVqd0jq/FYdOr+vIba2p3 GU1BbiuM1ps/CB12q/BV6yal7tnxAw==
;; Received 570 bytes from 192.12.94.30#53(e.gtld-servers.net) in 52 ms