EDIT: Problem solved. Everything is working as intended. When you make a new whitelist entry (or create a new one through the GUI), you also need to go into Group Management -> Domains and assign which groups you want the new whitelist item to apply to. Now that I've done that, whitelists work as I expected them to.
URLs of this type are getting blocked:
http://click.mail.tnt.com/?qs=
I used the GUI to add click.mail.tnt.com to the whitelist.
I expect that click.mail.tnt.com should no longer be blocked by Pi-hole since it is on the whitelist.
But this is not my experience.
Actual Behaviour:
The query log shows the block.
2021-03-01 14:46:59 AAAA click.mail.tnt.com
(blocked click.virt.s7.exacttarget.com) DanHome.cutthatout Blocked (gravity, CNAME) CNAME (313.9ms)
As I mentioned, I used the GUI to add click.mail.tnt.com to the whitelist but the URL is still blocked.
I used the GUI to add the regex (.|^)tnt.com$ to the whitelist.
I tried again but the URL is still blocked.
I used the GUI to add click.virt.s7.exacttarget.com to the whitelist (since it is referred to in the query log).
I tried again but the URL is still blocked.
In CLI, I entered "pihole -q click.virt.s7.exacttarget.com" which shows a similar host called "origin-click.virt.s7.exacttarget.com".
I used the GUI to add origin-click.virt.s7.exacttarget.com to the whitelist.
I tried again but the URL is still blocked.
In the CLI, pihole -q shows click.mail.tnt.com is on the whitelist and nowhere else.
pihole -q click.mail.tnt.com
Match found in exact whitelist
click.mail.tnt.com
Match found in regex whitelist
(\.|^)tnt\.com$
pihole -q shows click.virt.s7.exacttarget.com is on the whitelist and in some block lists.
pihole -q click.virt.s7.exacttarget.com
Match found in exact whitelist
click.virt.s7.exacttarget.com
origin-click.virt.s7.exacttarget.com
Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
click.virt.s7.exacttarget.com
Match found in https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt:
origin-click.virt.s7.exacttarget.com
Match found in https://www.github.developerdan.com/hosts/lists/tracking-aggressive-extended.txt:
click.virt.s7.exacttarget.com
origin-click.virt.s7.exacttarget.com
Still, when I query from my Windows PC, I get a blocked IP address back...
C:\>nslookup
Default Server: PiHole.cutthatout
Address: 10.11.12.5
> click.mail.tnt.com
Server: PiHole.cutthatout
Address: 10.11.12.5
Name: click.mail.tnt.com
Addresses: ::
0.0.0.0
Output of pihole -t while querying from the Windows box (as above):
Mar 1 23:03:20: query[A] click.mail.tnt.com.cutthatout from 10.11.12.69
Mar 1 23:03:20: cached click.mail.tnt.com.cutthatout is NXDOMAIN
Mar 1 23:03:20: query[AAAA] click.mail.tnt.com.cutthatout from 10.11.12.69
Mar 1 23:03:20: cached click.mail.tnt.com.cutthatout is NXDOMAIN
Mar 1 23:03:20: query[A] click.mail.tnt.com from 10.11.12.69
Mar 1 23:03:20: forwarded click.mail.tnt.com to 9.9.9.9
Mar 1 23:03:20: reply click.mail.tnt.com is <CNAME>
Mar 1 23:03:20: reply click.virt.s7.exacttarget.com is blocked during CNAME inspection
Mar 1 23:03:20: query[AAAA] click.mail.tnt.com from 10.11.12.69
Mar 1 23:03:20: forwarded click.mail.tnt.com to 9.9.9.9
Mar 1 23:03:21: reply click.mail.tnt.com is <CNAME>
Mar 1 23:03:21: reply click.virt.s7.exacttarget.com is blocked during CNAME inspection
Do I have a fundamental misunderstanding of how the whitelist works? I expect any single alias appearing on the whitelist is enough to return the correct DNS lookup. Does every CNAME have to appear on the whitelist to exempt a host from the blocklist?
Do whitelists only apply to the default client group? That's the only explanation I can come up with.
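Added example, not part of the original post or of Pi-hole's code: a check for the condition described in the EDIT, where a whitelist entry exists but is not assigned to a group the querying client belongs to. It runs against a constructed in-memory SQLite database; the table and column names are an assumption modelled on Pi-hole v5's gravity database (type 0 = exact whitelist, 2 = regex whitelist), and the rows are sample data.

```python
import sqlite3

# Simplified model of the group tables (assumption: names follow Pi-hole v5's
# gravity.db; domainlist.type 0 = exact whitelist, 2 = regex whitelist).
SCHEMA = """
CREATE TABLE "group" (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE domainlist (id INTEGER PRIMARY KEY, type INTEGER, domain TEXT, enabled INTEGER);
CREATE TABLE domainlist_by_group (domainlist_id INTEGER, group_id INTEGER);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
"""

def build_sample_db():
    """Constructed sample data: two whitelist entries, one client in group 'Home'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript("""
    INSERT INTO "group" VALUES (0, 'Default'), (1, 'Home');
    INSERT INTO domainlist VALUES (1, 0, 'click.mail.tnt.com', 1);
    INSERT INTO domainlist VALUES (2, 0, 'click.virt.s7.exacttarget.com', 1);
    INSERT INTO domainlist_by_group VALUES (2, 0);  -- entry 1 has no group row
    INSERT INTO client VALUES (1, '10.11.12.69');
    INSERT INTO client_by_group VALUES (1, 1);      -- client is only in 'Home'
    """)
    return conn

def unassigned_whitelist(conn):
    """Enabled whitelist entries that are linked to no group at all."""
    rows = conn.execute("""
        SELECT d.domain FROM domainlist d
        LEFT JOIN domainlist_by_group g ON g.domainlist_id = d.id
        WHERE d.type IN (0, 2) AND d.enabled = 1 AND g.group_id IS NULL
        ORDER BY d.domain""")
    return [r[0] for r in rows]

def whitelist_for_client(conn, ip):
    """Enabled whitelist entries that share at least one group with the client."""
    rows = conn.execute("""
        SELECT DISTINCT d.domain FROM domainlist d
        JOIN domainlist_by_group dg ON dg.domainlist_id = d.id
        JOIN client_by_group cg ON cg.group_id = dg.group_id
        JOIN client c ON c.id = cg.client_id
        WHERE d.type IN (0, 2) AND d.enabled = 1 AND c.ip = ?
        ORDER BY d.domain""", (ip,))
    return [r[0] for r in rows]
```

In the sample data neither entry reaches the client at 10.11.12.69: one has no group, the other sits only in a group the client is not in.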