But pihole still blocks click.redditmail.com despite the whitelist entry. I thought that whitelists override blacklists. I have no groups or clients configured except the defaults. All of the DNS requests to pihole come from a single location - a Linux bind that forwards to the pihole. pihole is running in a VirtualBox VM. Except for click.redditmail.com, pihole is working as expected.
Apr 26 22:43:38: query[A] thirdparty.bnc.lt from 192.1.1.9
Apr 26 22:43:38: gravity blocked thirdparty.bnc.lt is 0.0.0.0
pihole log immediately after trying to browse to click.redditmail.com shows the same thing as after dig:
Apr 26 22:54:58: query[A] thirdparty.bnc.lt from 192.1.1.9
Apr 26 22:54:58: gravity blocked thirdparty.bnc.lt is 0.0.0.0
By the way, 192.1.1.9 in the above pihole log is the IP of the bind DNS that forwards to pihole (as expected). The output of the dig command was generated on a different computer (Windows 10) that uses 192.1.1.9 as its DNS server.
If I disable pihole blocking for 30 seconds and try dig again I get:
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
Your debug log shows your Pi-hole host machine to live at 192.1.1.10:
*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
192.1.1.10/24
Your network's DHCP server is distributing two different DNS servers, however:
*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
Scanning all your interfaces for DHCP servers
* Received 306 bytes from eth0:192.1.1.253
Offered IP address: 192.1.1.10
Server IP address: 192.1.1.253
DHCP options:
Message type: DHCPOFFER (2)
dns-server: 192.1.1.9
dns-server: 9.9.9.9
router: 192.1.1.250
--- end of options ---
Note that Pi-hole has to be the sole DNS server for your network - clients will bypass Pi-hole via alternative DNS servers.
What is the machine at 192.1.1.9?
EDIT:
In addition, (how) is that above dig registering in Pi-hole's Query Log?
The following command may help answer that:
All of the local clients are configured (via DHCP) to use 192.1.1.9 as their DNS server. 192.1.1.9 is a Rocky Linux server running bind. It resolves all of the localnet names.
The bind server forwards to 192.1.1.10 (pihole). So the clients cannot bypass pihole because they don't know anything about 192.1.1.10.
I do see a small configuration error on my part in that I need to disable my DHCP server from providing 9.9.9.9 as an alternate DNS address so conceivably clients could bypass pihole by using 9.9.9.9. However, that has no bearing on the current problem as I can see pihole resolving names. Furthermore, if one of the local clients was to use 9.9.9.9 as a DNS server, the worst thing that would happen is that 9.9.9.9 (Quad9) would correctly resolve click.redditmail.com and I wouldn't get blocked.
In case you want to see it, here is named.conf from 192.1.1.9. You can see the forwarders section is configured to use 192.1.1.10 (the pihole).
-----------------------------
// Config file for caching only name server
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    category lame-servers { null; };
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";

    // Uncommenting this might help if you have to go through a
    // firewall and things are not working out:
    //query-source port 53;

    // added by HS to fix "insecurity proof failed"
    // advised that's not a good idea
    //dnssec-enable no;
    //dnssec-validation no;

    // "forward first" is BIND's default when forwarders are listed:
    // the forwarder is tried first, then the root hints if it fails.
    //forward first;
    forwarders {
        192.1.1.10;          // pihole
        //9.9.9.9;           // Quad9
        //149.112.112.112;   // Quad9
        // OpenDNS doesn't support DNSSEC?
        //208.67.222.222;    // OpenDNS
        //208.67.220.220;    // OpenDNS
        //8.8.8.8;           // Google
        //8.8.4.4;           // Google
        //64.255.237.240;    // ns1.iinet.com
        //64.255.237.241;    // ns2.iinet.com
    };
};

// root hints, used only if the forwarder does not answer
zone "." {
    type hint;
    file "root.hints";
};

#zone "0.0.127.in-addr.arpa" {
#    type master;
#    file "pz/127.0.0";
#};

// local forward zone (localnet names)
zone "sci1.com" {
    notify no;
    type master;
    file "pz/sci1.com";
};

// local reverse zone for 192.1.1.0/24
zone "1.1.192.in-addr.arpa" {
    notify no;
    type master;
    file "pz/192.1.1";
};
-------------------------------
This configuration is working fine with the sole exception that click.redditmail.com is blocked by pihole even though whitelisted. Localnet name resolution works fine. Internet name resolution works fine, and I can see pihole correctly resolving internet names in the pihole log.
I can see in the logs very clearly that all name resolution is working as expected except that pihole blocks click.redditmail.com (as you can see in the dig output posted above). Simply disabling pihole blocking for 30 seconds allows click.redditmail.com to resolve correctly for 30 seconds, so this is clearly pihole blocking that name resolution.
Your second output above shows that Pi-hole is correctly allowing click.redditmail.com when queried directly, as expected.
However, your bind at 192.1.1.9 is pre-processing the request:
It seems to forward a DNS request for the CNAME domain thirdparty.bnc.lt instead of the actual request.
You could address this by adjusting your bind configuration.
But I'd probably recommend considering rearranging your network's DNS resolution chain:
Have your router distribute your Pi-hole as DNS resolver, and use your bind as Pi-hole's only upstream. You also want to untick "Never forward non-FQDN A and AAAA queries" as well as "Never forward reverse lookups for private IP ranges" via Settings | DNS in that configuration.
That certainly is enough to address your current issue.
Still, in order to properly address the root cause, you may want to consider rearranging your DNS resolution chain, to also avoid similar future unexpected behaviour for other domains.
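As an added illustration of the chain diagnosed in this reply (not Pi-hole's or BIND's own code), the following Python model shows why a whitelist entry for click.redditmail.com does not help once the query Pi-hole receives is for thirdparty.bnc.lt instead. The records, addresses and blocklist are constructed sample data, and the "bind already holds the CNAME in cache and only re-asks for the target" mechanism is an assumption used to reproduce the log lines above.

```python
# Toy model of this thread's resolution chain: client -> bind (192.1.1.9) -> Pi-hole.
# Records and addresses are constructed sample data, not real DNS answers.
UPSTREAM = {
    "click.redditmail.com": ("CNAME", "thirdparty.bnc.lt"),
    "thirdparty.bnc.lt": ("A", "203.0.113.10"),
}
GRAVITY = {"thirdparty.bnc.lt"}   # constructed blocklist entry
BLOCKED = "0.0.0.0"


def pihole_query(qname, whitelist):
    """Filtering resolver model: the whitelist is checked against the name the
    client asked for; otherwise every name in the CNAME chain is checked
    against gravity and the answer is replaced by 0.0.0.0 on a hit."""
    chain, name = [], qname
    while True:
        rtype, rdata = UPSTREAM[name]
        chain.append(name)
        if rtype == "A":
            break
        name = rdata
    if qname in whitelist:
        return rdata
    return BLOCKED if any(n in GRAVITY for n in chain) else rdata


def bind_query(qname, whitelist, cname_cache, log):
    """Forwarding resolver model (assumption): a CNAME already in its cache is
    not re-asked; only the *target* goes to Pi-hole as a fresh, unrelated query,
    which is what the pihole log above shows from 192.1.1.9."""
    name = qname
    while name in cname_cache:
        name = cname_cache[name]
    log.append(f"query[A] {name} from 192.1.1.9")
    return pihole_query(name, whitelist)


def demo(whitelist, cname_cache):
    """Return (direct answer, answer via bind, queries Pi-hole saw)."""
    log = []
    direct = pihole_query("click.redditmail.com", whitelist)
    via_bind = bind_query("click.redditmail.com", whitelist, cname_cache, log)
    return direct, via_bind, log


if __name__ == "__main__":
    cache = {"click.redditmail.com": "thirdparty.bnc.lt"}
    print(demo({"click.redditmail.com"}, cache))                       # blocked via bind
    print(demo({"click.redditmail.com", "thirdparty.bnc.lt"}, cache))  # allowed via bind
```

With an empty cache bind forwards the original name, Pi-hole sees the whitelisted query and answers normally; with the CNAME cached, only the target reaches Pi-hole and the whitelist never applies, which is exactly the mismatch between the direct dig and the browser test in this thread.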