Whitelisted domain still gets blocked

We use Office 365. Whenever I try to open an Office/SharePoint link, it first redirects to login.microsoftonline.com. This domain is whitelisted, but as long as Pi-hole is "enabled", the login redirect URL is always blocked.

I checked for the domain in the "Find Domain in blocked lists" section and I get the following output:

 Match found in exact whitelist
   login.microsoftonline.com
   microsoftonline.com
 Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
   drm-server13-login-microsoftonline.com 
 Match found in https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt:
   click.email.microsoftonline.com 
 Match found in https://phishing.army/download/phishing_army_blocklist_extended.txt:
   login.microsoftonline.com.authorize.client.id.2315846.morgenwargestern.com 
   login.microsoftonline.com.authorize.client.id.3313514354.morgenwargestern.com 
   login.microsoftonline.com.common.account.oauth22.authorizeclient.id.4345a7b9.9a63.4910.a426.35363201d503.thriveconsulting.net.au 
   login.microsoftonline.com.office.harting.myshn.eu 
   login.microsoftonline.com.office.raymond-james-dev.raymondjames.shnpoc.net 
 Match found in https://someonewhocares.org/hosts/zero/hosts:
   drm-server13-login-microsoftonline.com

As you can see, the primary login.microsoftonline.com is whitelisted. But it never resolves. If I disable Pi-hole and load the same link, it works fine. After "logging in", the subsequent URLs/pages load fine.

Expected Behaviour:

The domain login.microsoftonline.com should not be blocked, as it is explicitly whitelisted.

OS: Mac OS X 11.1 running on a MacBook Pro 13 (2017)

Actual Behaviour:

The domain login.microsoftonline.com is blocked by Pi-hole.

Debug Token:

https://tricorder.pi-hole.net/9ten2l6h4c

From the terminal on the MBP (and not via ssh session to the Pi-hole terminal), what is the output of the following:

dig login.microsoftonline.com

Then, from the Pi terminal, what is the output of the following:

grep -C10 login.microsoftonline.com /var/log/pihole.log | tail -n40

Hi,

Thank you for helping with this issue.
This is the output of those commands:

dig login.microsoftonline.com

; <<>> DiG 9.10.6 <<>> login.microsoftonline.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47350
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.microsoftonline.com.	IN	A

;; ANSWER SECTION:
login.microsoftonline.com. 214	IN	CNAME	a.privatelink.msidentity.com.
a.privatelink.msidentity.com. 175 IN	CNAME	prda.aadg.msidentity.com.
prda.aadg.msidentity.com. 214	IN	CNAME	www.tm.a.prd.aadg.akadns.net.
www.tm.a.prd.aadg.akadns.net. 215 IN	A	40.126.35.80
www.tm.a.prd.aadg.akadns.net. 215 IN	A	40.126.35.86
www.tm.a.prd.aadg.akadns.net. 215 IN	A	20.190.163.21
www.tm.a.prd.aadg.akadns.net. 215 IN	A	40.126.35.64
www.tm.a.prd.aadg.akadns.net. 215 IN	A	20.190.163.20
www.tm.a.prd.aadg.akadns.net. 215 IN	A	40.126.35.87
www.tm.a.prd.aadg.akadns.net. 215 IN	A	40.126.35.144
www.tm.a.prd.aadg.akadns.net. 215 IN	A	40.126.35.151

;; Query time: 45 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Sat Jun 26 13:16:46 IST 2021
;; MSG SIZE  rcvd: 287

Jun 26 13:12:58 dnsmasq[2315]: forwarded static.businessworld.in to 149.112.112.112
Jun 26 13:12:58 dnsmasq[2315]: reply static.businessworld.in is <CNAME>
Jun 26 13:12:58 dnsmasq[2315]: reply static.businessworld.in.cdn.cloudflare.net is 172.67.185.28
Jun 26 13:12:58 dnsmasq[2315]: reply static.businessworld.in.cdn.cloudflare.net is 104.21.68.20
Jun 26 13:13:00 dnsmasq[2315]: query[A] login.microsoftonline.com from 192.168.0.78
Jun 26 13:13:00 dnsmasq[2315]: cached login.microsoftonline.com is <CNAME>
Jun 26 13:13:00 dnsmasq[2315]: cached a.privatelink.msidentity.com is <CNAME>
Jun 26 13:13:00 dnsmasq[2315]: cached prda.aadg.msidentity.com is <CNAME>
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 20.190.163.21
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 20.190.163.19
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 40.126.35.87
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 40.126.35.128
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 40.126.35.64
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 40.126.35.151
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 40.126.35.144
Jun 26 13:13:00 dnsmasq[2315]: cached www.tm.a.prd.aadg.trafficmanager.net is 40.126.35.80
--
Jun 26 13:16:32 dnsmasq[2315]: exactly blacklisted yyy.xxxx.in is 0.0.0.0 //Anant: Removed a revealing domain
Jun 26 13:16:34 dnsmasq[2315]: query[A] browser.pipe.aria.microsoft.com from 192.168.0.91
Jun 26 13:16:34 dnsmasq[2315]: gravity blocked browser.pipe.aria.microsoft.com is 0.0.0.0
Jun 26 13:16:35 dnsmasq[2315]: query[A] austin.logs.roku.com from 192.168.0.17
Jun 26 13:16:35 dnsmasq[2315]: gravity blocked austin.logs.roku.com is 0.0.0.0
Jun 26 13:16:35 dnsmasq[2315]: query[A] scribe.logs.roku.com from 192.168.0.17
Jun 26 13:16:35 dnsmasq[2315]: gravity blocked scribe.logs.roku.com is 0.0.0.0
Jun 26 13:16:38 dnsmasq[2315]: query[A] a-ups-presence2-prod-azsc.australiaeast.cloudapp.azure.com from 192.168.0.91
Jun 26 13:16:38 dnsmasq[2315]: forwarded a-ups-presence2-prod-azsc.australiaeast.cloudapp.azure.com to 149.112.112.112
Jun 26 13:16:38 dnsmasq[2315]: reply a-ups-presence2-prod-azsc.australiaeast.cloudapp.azure.com is 52.114.16.139
Jun 26 13:16:46 dnsmasq[2315]: query[A] login.microsoftonline.com from 192.168.0.91
Jun 26 13:16:46 dnsmasq[2315]: forwarded login.microsoftonline.com to 149.112.112.112
Jun 26 13:16:46 dnsmasq[2315]: reply login.microsoftonline.com is <CNAME>
Jun 26 13:16:46 dnsmasq[2315]: reply a.privatelink.msidentity.com is <CNAME>
Jun 26 13:16:46 dnsmasq[2315]: reply prda.aadg.msidentity.com is <CNAME>
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.80
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.86
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 20.190.163.21
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.64
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 20.190.163.20
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.87
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.144
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.151

These outputs show that the domain was not blocked. An IP was returned to the requesting client.
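The check made in the reply above, as an added example that is not part of the original thread: it reads pihole.log lines and reports, for each query of a domain, whether the first outcome line was a block ("gravity blocked", "exactly blacklisted") or an answer ("forwarded", "cached", "reply"). The function name and the sample are assumptions; the sample reuses lines posted above plus one constructed line.

```python
import re

# Sample in the pihole.log (dnsmasq) format posted in the thread; the final
# 13:17:02 line is constructed to show a query whose outcome grep cut off.
SAMPLE_LOG = """\
Jun 26 13:16:35 dnsmasq[2315]: query[A] austin.logs.roku.com from 192.168.0.17
Jun 26 13:16:35 dnsmasq[2315]: gravity blocked austin.logs.roku.com is 0.0.0.0
Jun 26 13:16:46 dnsmasq[2315]: query[A] login.microsoftonline.com from 192.168.0.91
Jun 26 13:16:46 dnsmasq[2315]: forwarded login.microsoftonline.com to 149.112.112.112
Jun 26 13:16:46 dnsmasq[2315]: reply login.microsoftonline.com is <CNAME>
Jun 26 13:16:46 dnsmasq[2315]: reply www.tm.a.prd.aadg.akadns.net is 40.126.35.80
--
Jun 26 13:13:00 dnsmasq[2315]: query[A] login.microsoftonline.com from 192.168.0.78
Jun 26 13:13:00 dnsmasq[2315]: cached login.microsoftonline.com is <CNAME>
Jun 26 13:17:02 dnsmasq[2315]: query[A] login.microsoftonline.com from 192.168.0.91
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) dnsmasq\[\d+\]: (.+)$")
QUERY = re.compile(r"^query\[[^\]]+\] (\S+) from (\S+)$")
ACTION = re.compile(r"^(gravity blocked|exactly blacklisted|forwarded|cached|reply) (\S+) ")
BLOCKED = {"gravity blocked", "exactly blacklisted"}


def query_verdicts(log_text, domain):
    """Return [time, client, verdict, action] for every query of `domain`."""
    domain = domain.lower().rstrip(".")
    results, pending = [], None   # pending: query still waiting for its outcome
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:              # e.g. grep's "--": the context is not contiguous
            pending = None
            continue
        when, msg = line.groups()
        query = QUERY.match(msg)
        if query:
            if query.group(1).lower() == domain:
                pending = [when, query.group(2), "unknown", None]
                results.append(pending)
            continue
        action = ACTION.match(msg)
        if action and pending and action.group(2).lower() == domain:
            pending[2] = "blocked" if action.group(1) in BLOCKED else "answered"
            pending[3] = action.group(1)
            pending = None        # only the first outcome line decides
    return results


if __name__ == "__main__":
    for row in query_verdicts(SAMPLE_LOG, "login.microsoftonline.com"):
        print(*row)
```

Domains are compared exactly, so blocklist entries that merely contain the name (as in the search output in the first post) are not counted as queries for it.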
