Whitelist is not allowing access to things that are on adlists

Expected Behaviour:

Things on the whitelist should be able to be accessed. (vortex.data.microsoft.com)

Actual Behaviour:

Things on the whitelist are still blocked.

Debug Token:

https://tricorder.pi-hole.net/q7ghxrnu4j

From a client machine that you still deem to block your whitelist entry, what's the output of:

nslookup vortex.data.microsoft.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
vortex.data.microsoft.com       canonical name = asimov.vortex.data.trafficmanager.net.
Name:   asimov.vortex.data.trafficmanager.net
Address: 64.4.54.254
asimov.vortex.data.trafficmanager.net   canonical name = global.vortex.data.trafficmanager.net.

That output shows two things:

a) vortex.data.microsoft.com is not blocked
b) your client is using Google's quad-8 as DNS rather than Pi-hole

As such, the results are inconclusive as to your original request.

You should sort your network configuration (see Making your network take advantage of Pi-hole) and then reassess your observations.

I followed "Making your network take advantage of Pi-hole" but when I view the Query Log it's still saying it's blocked

Please provide a current nslookup result.

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
vortex.data.microsoft.com       canonical name = asimov.vortex.data.trafficmanager.net.
asimov.vortex.data.trafficmanager.net   canonical name = global.vortex.data.trafficmanager.net.
Name:   global.vortex.data.trafficmanager.net
Address: 64.4.54.254

Same as before:
Pi-hole is not blocking vortex.data.microsoft.com, it's not even queried by your client.

What makes you think your client is blocking it?
What makes you think your client would be using Pi-hole?

This client is not using Pi-hole for DNS. It is using Google DNS and the queries are bypassing Pi-hole.

On the query log it is saying "vortex.data.microsoft.com 192.168.1.1 Blocked (regex blacklist) IP (0.0ms)". I've tried manually setting the DNS and it still won't go through. I've also tried Google's DNS and I can connect.

On the same client that runs the nslookup, what's the result of

ipconfig /all | find /i "IPv4"

What is the output of the following from the same client:

nslookup vortex.data.microsoft.com 192.168.1.12

Apologies, I misread a message; I've been doing nslookup on the ssh...
Here are the "nslookup" results from a client

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
Name:    vortex.data.microsoft.com
Address:  0.0.0.0

and here is the "ipconfig /all | find /i "IPv4""

IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)

and for the "nslookup vortex.data.microsoft.com 192.168.1.12"

Server:  raspberrypi
Address:  192.168.1.12

Name:    vortex.data.microsoft.com
Addresses:  ::
          0.0.0.0

Now, that's more like it. :wink:

You've configured your router to use Pi-hole as its upstream DNS, that's why your Query Log shows the entry originating from your router's 192.168.1.1.

But it also claims "Blocked (regex blacklist)".
This is strange, since your debug log does not list any regex entries to start with:

*** [ DIAGNOSING ]: contents of /var/log

-rw-r--r-- 1 pihole pihole 31054 Jul 31 07:48 /var/log/pihole-FTL.log
  -----tail of pihole-FTL.log------
   [2020-07-31 07:46:40.464 28748M] INFO: No regex blacklist entries found
   [2020-07-31 07:46:40.466 28748M] INFO: No regex whitelist entries found

Can you check your Pi-hole's UI for any blacklist entries of type Regex?

There are no blacklist entries showing up.

Let's take a peek in the database by running the following command on your Pi-hole machine:

sqlite3 /etc/pihole/gravity.db "SELECT id, domain FROM domainlist where type=3;"

Repeat: please run above on your Pi-hole machine (192.168.1.12).

Nothing is happening. It's just going to the next command line.

I believe the blacklist regex is stored below:

pi@ph5:~ $ sqlite3 /etc/pihole/gravity.db ".tables"
adlist               domainlist_by_group  vw_gravity
adlist_by_group      gravity              vw_regex_blacklist
client               group                vw_regex_whitelist
client_by_group      info                 vw_whitelist
domain_audit         vw_adlist
domainlist           vw_blacklist

pi@ph5:~ $ sqlite3 /etc/pihole/gravity.db "SELECT * FROM vw_regex_blacklist;"
pi@ph5:~ $

Shouldn't you start peeking there?

Those tables prefixed by vw_ are not real tables, but views filled by reading and aggregating data from other tables.

While your SQL statement would suffice, its origin is indeed still the **domainlist** table.
CREATE VIEW vw_regex_blacklist AS SELECT domain, domainlist.id AS id, domainlist_by_group.group_id AS group_id
    FROM domainlist
    (...)

Thx!
Peeking & poking C64 :wink:

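How the three nslookup results in this thread can be told apart, as an added example that is not part of the original posts: it reads which resolver answered and whether the answer is the unspecified address (0.0.0.0 / ::). The function names, verdict labels and abridged sample strings are constructed for illustration, and treating a null answer as a block is an assumption based on the replies quoted in the thread.

```python
import ipaddress
import re

PIHOLE_IP = "192.168.1.12"  # Pi-hole address taken from the thread
FIELD = re.compile(r"^(Server|Name|Address(?:es)?):\s*(\S*)", re.I)

def _ip(token):
    try:  # accepts '8.8.8.8#53', '0.0.0.0' or '::'; anything else is None
        return ipaddress.ip_address(token.split("#")[0])
    except ValueError:
        return None

def parse_nslookup(text):
    """Return (resolver_ip, [answer_ips]) from Windows or BIND nslookup output."""
    resolver, answers, section = None, [], None
    for line in map(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if not m:  # continuation line under 'Addresses:' or unrelated text
            ip = _ip(line) if section == "answer" else None
        elif m.group(1).lower() in ("server", "name"):
            section = "server" if m.group(1).lower() == "server" else "answer"
            continue
        else:  # Address / Addresses
            ip = _ip(m.group(2))
        if ip is None:
            continue
        if section == "server" and resolver is None:
            resolver = ip  # first address after 'Server:' is who answered
        elif section == "answer":
            answers.append(ip)
    return resolver, answers

def diagnose(text, pihole_ip=PIHOLE_IP):
    """Classify one lookup by resolver used and by whether the answer is null."""
    resolver, answers = parse_nslookup(text)
    via_pihole = resolver == ipaddress.ip_address(pihole_ip)
    # Assumption: a blocked name is answered with 0.0.0.0 / ::, as in the thread.
    nulled = bool(answers) and all(a.is_unspecified for a in answers)
    if nulled:  # a null answer from another resolver was relayed (the router here)
        return "blocked-by-pihole" if via_pihole else "blocked-upstream"
    return "resolved-via-pihole" if via_pihole else "bypasses-pihole"

# Constructed samples, abridged from the three lookups quoted in the thread.
GOOGLE = "Server: 8.8.8.8\nAddress: 8.8.8.8#53\n\nName: asimov.vortex.data.trafficmanager.net\nAddress: 64.4.54.254\n"
ROUTER = "Server:  UnKnown\nAddress:  192.168.1.1\n\nName:    vortex.data.microsoft.com\nAddress:  0.0.0.0\n"
PIHOLE = "Server:  raspberrypi\nAddress:  192.168.1.12\n\nName:    vortex.data.microsoft.com\nAddresses:  ::\n          0.0.0.0\n"

if __name__ == "__main__":
    print({n: diagnose(s) for n, s in (("google", GOOGLE), ("router", ROUTER), ("pihole", PIHOLE))})
```

A "bypasses-pihole" verdict says nothing about the whitelist, since Pi-hole never saw the query; only a lookup answered by the Pi-hole address itself shows what it returns for the name.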