One of the "deal" sites I read (www.dealnews.com) is sometimes blocked, i.e. I get a page that says "Blocked by pi-hole." By trial and error I found that the issue was click.linksynergy.com, which of course I would expect to be blocked. My question is how can I eliminate the "trial and error" part and track down the issue systematically.
Also, what is the likely structure of the page that causes it to be entirely blocked, as opposed to just having an ad blocked?
Note that Pi-Hole is a domain blocker, not a content blocker. In both of these URLS, the protocol is https, the domain is www.dealnews.com, and the path is what follows. Pi-Hole blocks at the domain level, so if you have www.dealnews.com blocked, then neither of these URL's should load, since they are both on the same domain.
The fact that this is not being blocked in all cases indicates that you may have a DNS bypass, where your clients are sending some of their DNS traffic to a DNS server other than Pi-Hole.
How do you have your router and clients set up to use Pi-Hole? Is Pi-Hole the ONLY DNS listed in either the router or the clients?
I don't think I have a DNS bypass. I think the issue is that the first example URL redirects (or something) to linksynergy.com and the other does not. You will notice that the two URL's look markedly different.
I think Pi-Hole is down exactly what it should be doing. The easy thing to do would be to whitelist linksynergy.com, but that would be self-defeating.
In answer to the last question, everything in the house (except one) is pointed to the router, the router is pointed to the Pi-Hole host, and the Pi-Hole host is pointed to Cloudflare. Unless I have misinterpreted something, that is the recommended configuration.
The one exception is set up to use Cloudflare directly, but that is not the client that produced the data I presented.
Mar 20 20:57:30 dnsmasq[498]: query[A] click.linksynergy.com from 73.221.126.49
Mar 20 20:57:30 dnsmasq[498]: /etc/pihole/gravity.list click.linksynergy.com is 192.168.0.201
This appears for the first link, but not the second.
You are correct. I was thinking backwards - what should be blocked, not what should be allowed. My apologies for my reply which addressed the wrong problem.
As you noted, even if a domain is allowed (as in your case), the redirect can get you to a domain that is blocked. And, you are correct in that Pi-Hole is doing exactly what it should and your setup is correct.
If you want to access that link on that site, one short-term solution may be to disable Pi-Hole for a minute or so while you load that link. That would not create a permanent whitelist entry, but may get you through the path to complete a purchase.
Another option might be to keep a browser that you use only for sites like this (Chrome or Firefox). That browser can use a DNS setting that bypasses Pi-Hole, and you would use that browser in the case of sites like this. You could browse in private mode and not gather up a bunch of cookies. You could also put a browser based blocker on that browser (uBlock or similar).