What did I do wrong in installation? Domain blocking does not work

Expected Behaviour:

  • Operating System (Family and Version) of Raspberry Pi: Debian GNU/Linux 13 (trixie)
  • Hardware: Raspberry Pi 4
  • Docker compose file or Docker run command: Docker was not used
  • Docker engine version: Docker was not used

Pihole should block domains I strictly configured it to block.

Actual Behaviour:

Pihole does not block the domain.

Debug Token:

https://tricorder.pi-hole.net/l98C5INq/

Additional info:

You blocked nytimes.com, but you are accessing a different domain: www.nytimes.com.

From a DNS point of view, there are no "subdomains". This is just a different domain.

If you want to block everything ending with nytimes.com, you need to mark the "wildcard" checkbox before you click on the "Add to denied domains" button:

@rdwebdesign Thanks for responding.

I tried adding the domains again with the wildcard checkbox on, but I am still able to browse https://www.nytimes.com/ in my laptop’s browser.

Those are regex deny rules, you need them to be regex allow rules.

@nosugref42 but my objective is to block NYT, not to allow it!

Regardless, I just now tried to change the Type to Regex allow and, alas, I am still able to access NYT on my laptop.

Apologies, misread and thought you wanted to access the site. Have you checked that your laptop is not configured for another DNS provider, and is in fact using Pi-hole? Firefox includes a DoH setting which, when set, does not use the system configured DNS.

Your browser might be set up to use some secure DNS server thus bypassing pihole.

  • @nosugref42 Here is a screenshot on my laptop of the wifi settings of the network emitted by my router. About DNS it says “Automatic (DHCP)”.
  • Also, I checked Firefox for the setting you mentioned, and it appears to be off:
  • @stopwastingmuhTime see above point

From your screenshots it looks like you are probably using a ZTE router/modem (possibly re-branded by your ISP).

These will often advertise their own address via DHCP as another DNS server (and in all cases do perform as a DNS server, forwarding your query upstream to your ISP’s server if a device queries them).

In some cases these also do not cope well if you specify the same address for both “primary” and “secondary” DNS.

Can you view the network information from your laptop and determine which DNS servers it is using (not the settings page, the current status)?


From the laptop in question, from the command prompt or terminal on that client (and not via ssh or Putty to the Pi), what is the output of

nslookup pi.hole

nslookup flurry.com

nslookup flurry.com 192.168.1.205

nslookup flurry.com 192.168.1.206

@robgill here is the output from running Get-DnsClientServerAddress on my laptop:


InterfaceAlias               Interface Address ServerAddresses
                             Index     Family
--------------               --------- ------- ---------------
Local Area Connection* 1             8 IPv4    {}
Local Area Connection* 1             8 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
Local Area Connection* 2            11 IPv4    {}
Local Area Connection* 2            11 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
WiFi                                16 IPv4    {192.168.1.205}
WiFi                                16 IPv6    {2a0c:5a80:0:2::1, 2a0c:5a84:0:2::1, fe80::8920:e511:3338:f88, 2a0c:5a80:0:2::1...}
Bluetooth Network Connection        14 IPv4    {}
Bluetooth Network Connection        14 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
Loopback Pseudo-Interface 1          1 IPv4    {}
Loopback Pseudo-Interface 1          1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

The IP of my raspberry pi (192.168.1.205) is listed in the “WiFi IPv4” entry. I do not understand what all the other addresses mean.

@jfb here is the output from running the commands you listed on my laptop:

PS C:\> nslookup pi.hole
Server:  UnKnown
Address:  2a0c:5a80:0:2::1

*** UnKnown can't find pi.hole: Non-existent domain
PS C:\> nslookup flurry.com
Server:  UnKnown
Address:  2a0c:5a80:0:2::1

Non-authoritative answer:
Name:    flurry.com
Addresses:  76.223.84.192
          13.248.158.7

PS C:\> nslookup flurry.com 192.168.1.205
Server:  pi.hole
Address:  192.168.1.205

Name:    flurry.com
Addresses:  ::
          0.0.0.0

PS C:\> nslookup flurry.com 192.168.1.206
Server:  pi.hole
Address:  192.168.1.206

Name:    flurry.com
Addresses:  ::
          0.0.0.0

@rogbill I tried changing the secondary DNS address to 0.0.0.0, but I can still browse NYTimes.com

@robgill the router in question is indeed a ZTE router. Here’s a picture of the label, with some details redacted for security.

  • Also, here is what my home network setup looks like. There’s the ZTE router, which is connected via ethernet cables to both the Raspberry PI and a GRG-4284 fiber optic cable thingamajig, and a third connection (the yellow one) that goes to an uninvolved PC.

Thanks. From these we can see that your router is only listing your Pi-Hole as the DNS server for IPv4, which is good.

However, there are also DNS services listed for IPv6, which devices on your network will also be able to access, thereby bypassing your pihole:

WiFi 16 IPv6 {2a0c:5a80:0:2::1, 2a0c:5a84:0:2::1, fe80::8920:e511:3338:f88, 2a0c:5a80:0:2::1...}

These addresses are presumably the router itself.

Under your IPv6 tab in the router’s local network settings, you should have the option to specify IPv6 DNS servers also. You can change DNS Delegate Type to manual and put your pi-hole’s address in those.

The router may still advertise its own IPv6 DNS server via Router Advertisement.

You also on that model have the option of disabling both Router Advertisement and DHCPv6 for the wifi (under port control).

@rogbill I went to my router’s Local Network > LAN > IPv6 tab and changed the following

  • DHCPv6 Server > DNS Delegate Type from Auto to Manual
  • DHCPv6 Server > DNS Server1 from nothing to 2a0c:5a81:c102:3100:88fe:3261:f383:8e44
    (see comment below how I got this address*)
  • RA Service > RA Service from On to Off
  • Port Control clicked All Off

However, after all of these changes, I can still browse NYT on my laptop. So the issue has not been fixed.

* I got the IPv6 address I input in DNS Server by running ip a on my Raspberry PI and picking the address labeled inet6 ... scope global noprefixroute and removing the /64 postfix. Here is the output of ip a :

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:2c:96:d5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.205/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 2a0c:5a81:c102:3100:88fe:3261:f383:8e44/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::d9d4:826a:bb19:d726/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether dc:a6:32:2c:96:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.206/24 brd 192.168.1.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever
    inet6 2a0c:5a81:c102:3100:be53:94f7:98ea:aebc/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::54fb:ceed:487b:5a94/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

I re-ran Get-DnsClientServerAddress on my laptop, and the output has changed:

InterfaceAlias               Interface Address ServerAddresses
                             Index     Family
--------------               --------- ------- ---------------
Local Area Connection* 1             8 IPv4    {}
Local Area Connection* 1             8 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
Local Area Connection* 2            11 IPv4    {}
Local Area Connection* 2            11 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
WiFi                                16 IPv4    {192.168.1.205}
WiFi                                16 IPv6    {2a0c:5a80:0:2::1, 2a0c:5a84:0:2::1, fe80::8920:e511:3338:f88}
Bluetooth Network Connection        14 IPv4    {}
Bluetooth Network Connection        14 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
Loopback Pseudo-Interface 1          1 IPv4    {}
Loopback Pseudo-Interface 1          1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

The WiFi IPv6 entry now has 3 addresses instead of the previous 4 addresses. However, none of them are the Raspberry PI’s IPv6 address that I submitted in the previous step on my router’s DNS Server1 field. I don’t know why this is.

It seems that your router still seems to be advertising itself as a DNS server on your network, despite you specifying otherwise.

You have a network configuration problem, not a pi-hole configuration problem.

It may be worth contacting ZTE to find out how to address this.


Update: I rebooted the router and the Raspberry PI, and now everything appears to work.

  1. NYTimes is blocked.
  2. Running Get-DnsClientServerAddress on my laptop shows WiFi 16 IPv6 {2a0c:5a81:c102:3100:88fe:3261:f383:8e44}

I feel silly for not having tried this earlier. Rebooting always helps.

Thanks everyone for your support! 🙏🙏🙏

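The check this thread converges on, as an added example (not code from the thread or from the Pi-hole project): it parses pasted `Get-DnsClientServerAddress` rows and lists every resolver on an interface that is not one of the Pi-hole's addresses. The sample rows are constructed from the outputs posted above, and the names `PIHOLE`, `classify` and `audit` are hypothetical.

```python
import ipaddress
import re

# Addresses the Pi-hole answers on, as given in the thread (eth0, wlan0, eth0 IPv6).
PIHOLE = {ipaddress.ip_address(a) for a in (
    "192.168.1.205", "192.168.1.206",
    "2a0c:5a81:c102:3100:88fe:3261:f383:8e44")}
# Deprecated site-local range: Windows shows fec0:0:0:ffff::1-3 as placeholder
# resolvers on interfaces that have not learned any DNS server.
SITE_LOCAL = ipaddress.ip_network("fec0::/10")

# Constructed samples: rows copied from the outputs pasted in the thread.
BEFORE = """\
WiFi                                16 IPv4    {192.168.1.205}
WiFi                                16 IPv6    {2a0c:5a80:0:2::1, 2a0c:5a84:0:2::1, fe80::8920:e511:3338:f88, 2a0c:5a80:0:2::1...}
Bluetooth Network Connection        14 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
"""
AFTER = """\
WiFi                                16 IPv4    {192.168.1.205}
WiFi                                16 IPv6    {2a0c:5a81:c102:3100:88fe:3261:f383:8e44}
"""

ROW = re.compile(r"^(?P<alias>.+?)\s+\d+\s+IPv[46]\s+\{(?P<servers>[^}]*)\}\s*$")

def classify(addr):
    """Label one resolver address: 'pihole', 'placeholder' or 'bypass'."""
    if addr in PIHOLE:
        return "pihole"
    if addr.version == 6 and addr in SITE_LOCAL:
        return "placeholder"
    return "bypass"  # router, ISP or any other resolver the client may query

def audit(text):
    """Map interface alias -> sorted resolvers that would bypass Pi-hole."""
    found = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        for raw in m["servers"].split(","):
            raw = raw.strip().rstrip(".")  # PowerShell marks a cut-off list with "..."
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # empty braces or an address cut off mid-way
            if classify(addr) == "bypass":
                found.setdefault(m["alias"], set()).add(str(addr))
    return {alias: sorted(addrs) for alias, addrs in found.items()}

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

An empty result for the WiFi interface means every resolver the client has learned is the Pi-hole; any entry left in the result is a path around the block lists, whatever the IPv4 settings say.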