Whitelist regex domain blocked due to adlist

The only way I can get a regex-whitelisted domain to work is by disabling the adlist. I thought a regex whitelist would remove blocking entries and basically override whatever domains may be in adlists. Yes/no?

I only have 1 group. The default group.

Pi-hole version is v5.9 (Latest: v5.9)
AdminLTE version is v5.11 (Latest: v5.11)
FTL version is v5.14 (Latest: v5.14)

Debug Token: IArnY1Yt

nslookup beacons.gvt2.com
Server: UnKnown
Address: 192.168.2.253

Name: beacons.gvt2.com
Addresses: 0.0.0.0

regex whitelisted:
pihole-FTL regex-test beacons.gtv2.com
[i] Loading regex filters from database...
Compiled 17 black- and 9 whitelist regex filters in 3.543 msec

[i] Checking domain against blacklist...
Time: 0.091 msec
[i] Checking domain against whitelist...
(.|^)gtv[0-9]+.com$ matches (regex whitelist, DB ID 305)
Time: 0.087 msec

I still see it in adlist:
root@pi:~# pihole -q -adlist beacons.gvt2.com
Match found in https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt:
beacons.gvt2.com

That just tests the syntax of the regex you want to add. That doesn't actually add it.

I suggest not using regex for a single domain, just whitelist that domain.

That is very interesting. I checked nslookup with some domains on my whitelist. Like you're seeing, some give no address. When I disable pi-hole and run the same nslookup, I see the address. I would think that the whitelist would take precedence over the adlist. Very odd.

Ran some more tests. It seems the domains that were on the whitelist also matched a regex on the blacklist. So, perhaps the precedence from greatest to least is blacklist, whitelist, adlist.

Does your domain match anywhere on the blacklist?

Still more tests. pihole -q domain does show domain on exact whitelist and regex blacklist. nslookup shows no address, but I can browse to the domain on Chrome. So, maybe nslookup isn't the best test?

Yes and no.

Whitelists take precedence over blacklists. Whitelists do not remove domains from gravity.

The priority is:

  1. Exact Whitelist
  2. Regex Whitelist
  3. Exact Blacklist
  4. Blocklist domains (AKA gravity)
  5. Regex Blacklist

If a domain is found anywhere from top to bottom, FTL skips the rest of the tests.

This does not create the regex and add it to your gravity database. It tests the regex only.
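
The evaluation order listed above, modelled as an added example (not Pi-hole's own code and not part of the original posts), using the domain and whitelist regex quoted in this thread. It assumes Python's `re` module as a stand-in for FTL's regex engine; `classify`, `ORDER` and the sample `lists` are hypothetical names constructed for illustration.

```python
import re

# Order taken from the priority list in the post above:
# the first list that matches decides and the remaining tests are skipped.
ORDER = ["exact whitelist", "regex whitelist", "exact blacklist",
         "gravity", "regex blacklist"]
ALLOW = {"exact whitelist", "regex whitelist"}


def classify(domain, lists):
    """Return (verdict, deciding_list) for one queried domain."""
    domain = domain.lower()  # assumption: names are compared case-insensitively
    for name in ORDER:
        entries = lists.get(name, ())
        if name.startswith("regex"):
            hit = any(re.search(rx, domain) for rx in entries)
        else:
            hit = domain in entries
        if hit:
            return ("allowed" if name in ALLOW else "blocked", name)
    return ("allowed", "no match")


# Constructed sample configuration built from values quoted in the thread.
lists = {
    "regex whitelist": [r"(\.|^)gtv[0-9]+\.com$"],  # as tested: g-t-v
    "gravity": {"beacons.gvt2.com"},                # adlist entry: g-v-t
}
# Same configuration with the regex spelled like the adlist entry.
fixed = dict(lists, **{"regex whitelist": [r"(\.|^)gvt[0-9]+\.com$"]})

if __name__ == "__main__":
    # The domain typed into regex-test matches the whitelist regex...
    print("beacons.gtv2.com", classify("beacons.gtv2.com", lists))
    # ...but the domain actually being queried falls through to gravity.
    print("beacons.gvt2.com", classify("beacons.gvt2.com", lists))
    # With the corrected regex, the whitelist decides before gravity is checked.
    print("beacons.gvt2.com", classify("beacons.gvt2.com", fixed))
```

When a whitelist regex "matches" in a test but the domain is still blocked, compare the name in the `gravity blocked` log line character by character with the name passed to the test.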

I understand that doesn't create the regex. The regex is (.|^)gtv[0-9]+.com and is already created; I'm testing to see if I'm getting the match, and per the output I am matching my whitelist regex and it is not found in the blacklist, per the same output below....

[i] Checking domain against blacklist...
Time: 0.091 msec
[i] Checking domain against whitelist...
(.|^)gtv[0-9]+.com$ matches (regex whitelist, DB ID 305)
Time: 0.087 msec

So per the priority listed in the comments, my whitelist regex at step 2 should be found just like in the above test and stop further testing down to the "Blocklist Domains", step 4. This doesn't seem to be the case though. I have to disable the adlist in order to resolve the domain even with the whitelist in place.

You will see the domain in the blacklist with a pihole -q. That is just checking if the domain exists on any list. It does. The whitelist is internal and when a query comes for that domain then Pi-hole sees it's whitelisted and doesn't check the blacklist.

What do you see when you dig beacons.gvt2.com @pi-hole?

In my OP I do the pihole -q and it's only found in the adlist, which should be the lower priority. Also, my lookup results are listed; it returns 0.0.0.0 unless I fully disable the adlist.

thanks for testing. Blockhead
I've used dig and nslookup on the Pi as well as remotely. If I force either tool to use Google "8.8.8.8", it resolves. Furthermore, I see it logged (below) in Pi-hole that it's blocking while nslookup or dig is used.

ex...
Feb 23 13:15:55 dnsmasq[1220572]: query[A] beacons.gvt2.com from 192.168.2.53
Feb 23 13:15:55 dnsmasq[1220572]: gravity blocked beacons.gvt2.com is 0.0.0.0

I verified the whitelist regex matches, yet still 0.0.0.0. If I add it as an exact whitelist, it works and resolves. It's the regex whitelist I'm not having luck with overriding the adlist.

Feels like a possible regex whitelist bug, to be honest:
Tried all of these, from advanced to real basic regex whitelist.

Can you post a debug token URL from pihole -d?

And you can debug regex with the following:

Note the second command line configuration.

Also:

That will output the exact information that Pi-hole is using.

token from OP.
https://tricorder.pi-hole.net/IArnY1Yt

Created new one: Your debug token is: https://tricorder.pi-hole.net/SFfbcPS2/

Regex debugging was posted in the original post along with output.
More examples of regexes used in the above post match the domain, however it is still blocked. Only the exact whitelist seems to be overriding.

Here are some more tests:

root@pi:~# pihole-FTL regex-test beacons.gtv2.com
[i] Loading regex filters from database...
    Compiled 17 black- and 15 whitelist regex filters in 9.935 msec

[i] Checking domain against blacklist...
    Time: 0.067 msec
[i] Checking domain against whitelist...
    (\.|^)gtv[0-9]+\.com$ matches (regex whitelist, DB ID 305)
    (\.|^)gtv[0-9]\.com$ matches (regex whitelist, DB ID 310)
    (\.|^)gtv2\.com$ matches (regex whitelist, DB ID 313)
    (\.|^)gtv2\.com matches (regex whitelist, DB ID 315)
    ^beacons\.gtv2\.com$ matches (regex whitelist, DB ID 317)
    beacons\.gtv2\.com matches (regex whitelist, DB ID 318)
    Time: 0.586 msec
root@pi:~# pihole-FTL regex-test beacons.gtv2.com  "(\.|^)gtv2\.com"
[i] Compiling regex filter...
    Compiled regex filter in 0.064 msec

Checking domain...
    (\.|^)gtv2\.com matches
   Time: 0.036 msec

The ADLIST blocking domain is:

Match found in https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt:
   beacons.gvt2.com

Those aren't the same domains. Try a regex for gvt2.com instead of gtv2.com.

OH WOW! slight dyslexia

Works
(.|^)gtv[0-9].com$

Sorry for wasting your time, and thank you for another pair of eyes. I was going crazy b/c I know regex WL was working.

No worries, I did the same thing in reproducing it locally and didn't catch it until I couldn't find the domains on the adlist that you linked.

Glad we got it sorted out!

I was still seeing things on my exact whitelist fail nslookup with pi-hole enabled and not with pi-hole disabled and not when using a browser. And I think I may have gotten closer to finding out why.

nslookup main.iam.ad.ext.azure.com
Server: pi.hole
Address: 192.168.10.10

Name: main.iam.ad.ext.azure.com.[note nslookup adds a FQDN]
Addresses: ::
0.0.0.0

nslookup main.iam.ad.ext.azure.com
Server: pi.hole
Address: 192.168.10.10

Non-authoritative answer:
Name: www.tm.f.prd.aadg.akadns.net
Addresses: 40.126.23.6
40.126.23.8
20.190.151.71
40.126.23.9
20.190.151.136
20.190.151.72
20.190.151.135
Aliases: main.iam.ad.ext.azure.com
na.privatelink.msidentity.com
prdf.aadg.msidentity.com

I'm thinking since it oddly adds a FQDN in nslookup, it fails the exact whitelist and hits on the regex blacklist for a fail result in Pi-hole, and the browser doesn't "helpfully" add the FQDN, so it passes. As noted below, this is confirmed to be an nslookup issue, not a Pi-hole issue.

nslookup on Windows will add that trailing dot by itself along with any local domain you have specified (usually with DHCP). It's an annoying "feature".
