Where is the user-added blacklist file that has my query entries blocked?

To skip all text below, my question is, where is the Pi-Hole user-added blacklist file for all the entries I have added from the query log?

So, I have Pi-Hole set to block scribe.roku.logs.com.

When this doesn't show up in the pi log, I know it's slipping through.

I have UFW with GUFW (and starting the program with 'sudo gufw-pkexec', just thought that might help someone else, because it doesn't start gui w/o it).

Anyway, on both the VM for Pi-Hole, AND the windows 10 host, I have set port 53 to be blocked. I guess the only way to do this is by setting up something like OpnSense and doing routing, but that's just too much right now.

I know I add the include /path/to/blacklist in the pi-hole config file, don't need help there, but I can't find my custom entries file. I have not done a pihole -g -r yet, but I'm hoping that won't be needed as I think I'll need to reconfigure some things.


Did you mean scribe.logs.roku.com instead? Because pihole already blocks that with default adlists. Never seen scribe.roku.logs.com in my usage.

As for where they are, I think for a while now they're entries in /etc/pihole/gravity.db.
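One way to list the user-added deny entries from that database, as an added example that is not part of the original thread. It assumes the Pi-hole v5 layout, where manually added domains sit in a `domainlist` table with type 1 for exact and 3 for regex deny entries; the sample rows are constructed so the block runs without a Pi-hole install.

```python
import sqlite3

# Assumed Pi-hole v5 layout: user-added domains live in the "domainlist"
# table of gravity.db; type 0/2 = exact/regex allow, 1/3 = exact/regex deny.
DENY_TYPES = {1: "exact", 3: "regex"}

def open_gravity(path="/etc/pihole/gravity.db"):
    """Open the real database read-only so inspection cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def user_blacklist(conn):
    """Return (kind, domain, enabled) for every user-added deny entry."""
    rows = conn.execute(
        "SELECT type, domain, enabled FROM domainlist "
        "WHERE type IN (1, 3) ORDER BY type, domain")
    return [(DENY_TYPES[t], d, bool(e)) for t, d, e in rows]

def sample_db():
    """Constructed stand-in holding only the columns queried above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domainlist (id INTEGER PRIMARY KEY, "
                 "type INTEGER, domain TEXT, enabled INTEGER, comment TEXT)")
    conn.executemany(
        "INSERT INTO domainlist (type, domain, enabled, comment) "
        "VALUES (?, ?, ?, ?)",
        [(1, "scribe.roku.logs.com", 1, "added from query log"),
         (0, "discourse.pi-hole.net", 1, "allow entry, must not be listed"),
         (3, r"(^|\.)example-tracker\.test$", 0, "disabled regex"),
         (1, "ads.example.test", 1, "")])
    return conn

if __name__ == "__main__":
    # On a Pi-hole host, replace sample_db() with open_gravity().
    for kind, domain, enabled in user_blacklist(sample_db()):
        print(f"{kind:5} {'on ' if enabled else 'off'} {domain}")
```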

This is in the gravity database at /etc/pihole/gravity.db.

From the Pi terminal, what is the output of

pihole -q scribe.roku.logs.com

When this doesn't show up in the logs, that means Pi-hole never received a query for that domain.

From a client that you believe should be connected to the Pi-Hole for DNS (preferably the one you are using that isn't getting the domain entered in the Pi-hole logs), from the command prompt or terminal on that client (and not via ssh or Putty to the Pi), what is the output of

nslookup pi.hole

nslookup scribe.roku.logs.com

Not following you here. If you block port 53, you block DNS traffic to/from that client.

To save us all a lot of time going back and forth with questions, please generate a debug log, upload it when prompted and post the token URL here.

I think this is an unbound issue... it's hard to pinpoint. From the pi-hole VM, things go through it, but for the TV... it's bypassing the entire setup. This was definitely not the case before I installed unbound.

Yep, absolutely nothing is going through the pi-hole, except for the system (virtual machine) that it's installed in. So, I'll send those darn logs and hope you can help. If not, I'll go hang around the unbound forums, never been there yet.

BTW, I have 270+ entries into the blacklist from the query log! If I'm not actively using something, I just block it until I am, so that's where there is so much in there. I need to clear a few to update windows defender.

https://tricorder.pi-hole.net/IS07pLhK/

This is likely not related to unbound, since unbound is visible only to Pi-hole and not visible to clients.

This makes no sense. If nothing is requesting the domain, why block it?

How? This isn't among your domain blocks shown in your query log. Is this in one of your local adlist files?

Please provide the outputs I asked for.

From your debug log - it appears that you are blocking port 53 outgoing from the Pi. If you do this, how is the DNS resolver going to reach the internet?

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] ankaraa.icu is 0.0.0.0 on lo (127.0.0.1)
[✓] ankaraa.icu is 0.0.0.0 on enp0s3 (192.168.1.16)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)

This is to be expected if all the DNS traffic gets funneled through the VM to get to Pi-hole:

 -----tail of pihole.log------
   Jul  8 15:10:13 dnsmasq[579]: cached discourse.pi-hole.net is 52.14.183.198
   Jul  8 15:10:13 dnsmasq[579]: query[A] discourse.pi-hole.net from 192.168.1.16
   Jul  8 15:10:13 dnsmasq[579]: cached discourse.pi-hole.net is 52.14.183.198
   Jul  8 15:10:23 dnsmasq[579]: query[A] discourse.pi-hole.net from 192.168.1.16
   Jul  8 15:10:23 dnsmasq[579]: cached discourse.pi-hole.net is 52.14.183.198
   Jul  8 15:10:23 dnsmasq[579]: query[A] discourse.pi-hole.net from 192.168.1.16
   Jul  8 15:10:23 dnsmasq[579]: cached discourse.pi-hole.net is 52.14.183.198
   Jul  8 15:10:35 dnsmasq[579]: query[A] ns1.pi-hole.net from 192.168.1.16
   Jul  8 15:10:35 dnsmasq[579]: forwarded ns1.pi-hole.net to 127.0.0.1#5335
   Jul  8 15:10:36 dnsmasq[579]: reply ns1.pi-hole.net is 205.251.193.151

Why is your DHCP server passing out its own IP, and not the IP of Pi-hole for DNS?

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   * Received 300 bytes from enp0s3:192.168.1.1
     Offered IP address: 192.168.1.103
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 43200 ( 12h )
      renewal-time: 21600 ( 6h )
      rebinding-time: 37800 ( 10h 30m )
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      domain-name: "lan"
      dns-server: 192.168.1.1
      router: 192.168.1.1
      --- end of options ---
    
   DHCP packets received on interface lo: 0
   DHCP packets received on interface enp0s3: 1
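The two checks made in the reply above (which clients appear in pihole.log, and which DNS server the DHCP offer advertises), as an added example that is not part of the original thread. The log and DHCP lines are excerpts copied from the debug output above; the function names are hypothetical.

```python
import re
from collections import Counter

# Excerpts copied from the debug log quoted in the thread.
PIHOLE_LOG = """\
Jul  8 15:10:23 dnsmasq[579]: query[A] discourse.pi-hole.net from 192.168.1.16
Jul  8 15:10:23 dnsmasq[579]: cached discourse.pi-hole.net is 52.14.183.198
Jul  8 15:10:35 dnsmasq[579]: query[A] ns1.pi-hole.net from 192.168.1.16
Jul  8 15:10:35 dnsmasq[579]: forwarded ns1.pi-hole.net to 127.0.0.1#5335
"""
DHCP_OFFER = """\
     Offered IP address: 192.168.1.103
      dns-server: 192.168.1.1
      router: 192.168.1.1
"""
PIHOLE_IP = "192.168.1.16"  # enp0s3 address shown in the debug log

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] \S+ from (\S+)")
DHCP_DNS = re.compile(r"^\s*dns-server:\s*(\S+)", re.MULTILINE)

def clients_seen(log_text):
    """Count queries per client address in a pihole.log excerpt."""
    return Counter(QUERY.findall(log_text))

def diagnose(log_text, dhcp_text, pihole_ip):
    """Return findings that indicate LAN clients are not using Pi-hole."""
    findings = []
    remote = set(clients_seen(log_text)) - {pihole_ip, "127.0.0.1"}
    if not remote:
        findings.append("no LAN client queries: only the Pi-hole host appears")
    for dns in DHCP_DNS.findall(dhcp_text):
        if dns != pihole_ip:
            findings.append(
                f"DHCP advertises {dns} for DNS instead of {pihole_ip}")
    return findings

if __name__ == "__main__":
    print(dict(clients_seen(PIHOLE_LOG)))
    for finding in diagnose(PIHOLE_LOG, DHCP_OFFER, PIHOLE_IP):
        print("-", finding)
```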

So, I'll remove the DNS rules on the VM I added via ufw.

Database entry for scribe.roku, yeah I guess it's somewhere else, because I did at one time, have it manually entered, then I think it moved to another list and I removed it from my blacklist.

Regarding excessive blacklisting: Some of those domains do hit several times when whitelisted, so many of them I will keep blacklisted, but I have to check a few out like I mentioned as this is not a secure setup, I'm blocking too many update domains on the windows side.

NS Lookups: As for the , the TV doesn't allow all that, would be awesome if I just ran a totally different custom setup, but this one is just so convenient and all the logins are stored in it.

Side note: If I upload logs in the future, you'll always see google getting blocked, and it's going to stay that way!

DHCP: Yep, this is my main issue. I am using a bit of a funky wireless setup, with a hotspot, and I thought I could use that to make devices receive the pi-hole dns, doesn't work.

To explain, I have WAN router > ISP wireless access router > then my wireless chip on Windows > Windows Wi-Fi Virtual Adapter "Hotspot feature" (both interfaces use VM IP) > and lastly, the VM.

I have the VM as the dns, but back to windows, I use the "hotspot" feature in Wi-Fi to share the connection with other devices. I have the DNS servers in the Windows IPv4 config set to the VM IP, and I can manually set it up individually per device.

I don't have experience with using the Pi-Hole as the DHCP server, if I do this, will I still see traffic from each device's IP address or will it all say "VM IP address" for all devices? I'd rather have it per device.

UFW complicated things, I had the top green, and the bottom red, so INCOMING was denied, which I understood quite quickly when I couldn't access the VM from another device. I'll be deleting this topic.
