Why are ads breaking through, despite the serving domain being in two of my adlists?

I've had a lot of Google ads breaking through recently, yet the server they're largely from - adclick.g.doubleclick.net - is indeed included in the Gravity database, twice, from the default list and one other. Neither it, nor any other regex/whitelist of any doubleclick domain is in any whitelist.

Pi-hole v5.17.3, FTL v5.24, Web Interface v5.21, behind an Orbi router

All was well until the recent change in the oisd.nl list, since when I have been having a lot of ad breakthrough.

What do you get when you do a dig against it?

dig adclick.g.doubleclick.net

What are the results of the following from the Pi terminal:

pihole -q -exact adclick.g.doubleclick.net

nslookup adclick.g.doubleclick.net 127.0.0.1

And from the client on which you are seeing the ads (not via ssh to the Pi, but from the terminal or command prompt on that client):

nslookup adclick.g.doubleclick.net

This could be devices using DNS over HTTP maybe? DNS over HTTPS - Wikipedia

; <<>> DiG 9.16.44-Raspbian <<>> adclick.g.doubleclick.net

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8244

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 512

;; QUESTION SECTION:

;adclick.g.doubleclick.net. IN A

;; ANSWER SECTION:

adclick.g.doubleclick.net. 300 IN A 172.217.14.98

;; Query time: 20 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sun Jan 14 15:48:09 PST 2024

;; MSG SIZE rcvd: 70

This device is not using Pi-hole for DNS.


Exact matches for **adclick.g.doubleclick.net** found in:

- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

- https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt

nslookup adclick.g.doubleclick.net 127.0.0.1

Server: 127.0.0.1

Address: 127.0.0.1#53

Name: adclick.g.doubleclick.net

Address: 0.0.0.0

Name: adclick.g.doubleclick.net

Address: ::

And from the client on which you are seeing the ads (not via ssh to the Pi, but from the terminal or command prompt on that client):

Server: 10.0.0.24
Address: 10.0.0.24#53

Name: adclick.g.doubleclick.net
Address: 0.0.0.0

nslookup adclick.g.doubleclick.net

My apologies - I ran that on the raspberry pi itself, not on the client where I am seeing the ads. Following is the dig against it on the client:

; <<>> DiG 9.10.6 <<>> adclick.g.doubleclick.net

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62308

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1232

;; QUESTION SECTION:

;adclick.g.doubleclick.net. IN A

;; ANSWER SECTION:

adclick.g.doubleclick.net. 2 IN A 0.0.0.0

;; Query time: 550 msec

;; SERVER: 10.0.0.24#53(10.0.0.24)

;; WHEN: Sun Jan 14 15:56:19 PST 2024

;; MSG SIZE rcvd: 70

Pi-hole is correctly blocking the domain.

Look in your query log (filter for this domain) and see if it has been allowed at any point in the past 24 hours.

Not sure what to say or do about this?

EDIT: (Answer I'd originally written was wrong - I had not set query log to 'Show All'). There are repeated mentions of the domain in the query log, and all are gravity blocks.

I was writing a comment to tell you the Query Log page only shows the most recent queries (the last 100 queries) and you need to use the "show all" link, but you found the issue.

The Query Log only shows the last 24h. You can also use the Long-term Data > Query Log page to see if a domain was blocked using other time ranges.

Also, using Tools > Tail pihole.log you will be able to see if Pi-hole is blocking domains (in real-time).

  • Open Tools > Tail pihole.log on your browser;
  • While keeping the browser window open, execute the nslookup command on a terminal window (on the desired device);
  • You will probably see a red line containing the blocked domain, like this:
    image

Yes, I've

[quote="rdwebdesign, post:12, topic:67646, full:true"]
I was writing a comment to tell you the Query Log page only shows the most recent queries (the last 100 queries) and you need to use the "show all" link, but you found the issue.

The Query Log only shows the last 24h. You can also use the Long-term Data > Query Log page to see if a domain was blocked using other time ranges.

**Nothing in the longer term data**

Also, using Tools > Tail pihole.log you will be able to see if Pi-hole is blocking domains (in real-time).

  • Open Tools > Tail pihole.log on your browser;
  • While keeping the browser window open, execute the nslookup command on a terminal window (on the desired device);
  • You will probably see a red line containing the blocked domain, like this:
    image
[/quote]

I've been checking that, and it's a little odd - I see gravity blocking many domains including quite a few doubleclick.net subdomains, but I see zero requests for adclick.g.doubleclick.net or pagead2.googlesyndication.com, yet they are where the ads are coming from?

If the requests for these 2 domains are not showing in the log, this means the device is using a different DNS server.

Hmmm....well, my client computer is a Mac laptop, connected via Wifi, and the DNS for the laptop on that network is set to be the Pi, for both #1 and #2 DNS servers, and there are no other DNS servers listed after those. And I can see from the realtime pihole log that my laptop is definitely requesting many domains at ad-infested sites (e.g. thehill.com), and blocking dozens of them. So it is 100% using the pihole for DNS?

It may be that the ads in question are in fact not coming from that domain. In Safari you can usually see where an ad banner is coming from by right-clicking it and selecting Inspect Element. You can then see the URL with the domain name in the panel that appears. If the option is not present you may first need to go to Safari > Preferences... > Advanced > Show Develop menu to enable it.

Here's an example, using an image of a banner from a sharing site.

Right-click the banner and select Inspect Element

The result


The src= part shows that this image came from img.freepik.com.

That's exactly how I've been identifying the publishing domains. The ads I'm seeing are definitely flagged as coming from them.

I don't quite understand what's going on here, everything seems to point to the domains being blocked, but the addresses are still being issued - from SOMEWHERE?!

Might be worth following the log live. In the Pi-hole terminal the following command:

sudo tail -f /var/log/pihole/pihole.log | grep "adclick.g.doubleclick.net"

will follow the pihole.log file and instantly reveal when it gets a query for that domain, as well as the response. With that running, try the lookup commands on the client where you are seeing the symptoms, either of

nslookup adclick.g.doubleclick.net
dig adclick.g.doubleclick.net

By not specifying the server, this is testing if the client is consistently sending the queries to Pi-hole, as well as letting you see the reply in real time. Keep an eye on the Pi-hole terminal when you run these, what do you see?

Does it even show up? If not, it means the client did not send the query to Pi-hole. You can try it again with the Pi-hole IP address specified. Either of

nslookup adclick.g.doubleclick.net IP
dig adclick.g.doubleclick.net @IP

Any change there?

Tip – you can press Enter a couple of times in the Pi-hole log terminal after each test (it adds a couple of blank lines) to visually separate the responses so you can be sure which tests got a response.
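
The same check can be run after the fact over a saved log. This is an added example, not part of the original post: it assumes the dnsmasq-style line format of Pi-hole v5's pihole.log, and the sample lines, the client addresses (10.0.0.31, 10.0.0.40) and the helper name `classify_domain` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the dnsmasq-style format assumed for pihole.log.
sample_log() {
cat <<'EOF'
Jan 14 21:30:01 dnsmasq[812]: query[A] adclick.g.doubleclick.net from 10.0.0.31
Jan 14 21:30:01 dnsmasq[812]: gravity blocked adclick.g.doubleclick.net is 0.0.0.0
Jan 14 21:30:02 dnsmasq[812]: query[A] thehill.com from 10.0.0.31
Jan 14 21:30:02 dnsmasq[812]: forwarded thehill.com to 8.8.8.8
Jan 14 21:30:02 dnsmasq[812]: reply thehill.com is 203.0.113.10
Jan 14 21:30:05 dnsmasq[812]: query[A] pagead2.googlesyndication.com from 10.0.0.40
Jan 14 21:30:05 dnsmasq[812]: gravity blocked pagead2.googlesyndication.com is 0.0.0.0
EOF
}

# classify_domain DOMAIN CLIENT_IP   (hypothetical helper; reads the log on stdin)
# Prints one verdict for that client/domain pair:
#   not-seen   - the client never asked Pi-hole (it resolved the name elsewhere)
#   blocked    - Pi-hole answered every query from gravity
#   allowed    - at least one query was forwarded or answered with a real record
#   unanswered - a query was logged but no matching answer line followed
classify_domain() {
    awk -v d="$1" -v c="$2" '
        # "query[A] <name> from <client>": remember that this client asked
        $5 ~ /^query\[/ && $6 == d && $8 == c { asked = 1; pending = 1; next }
        # "gravity blocked <name> is 0.0.0.0": answer to the pending query
        pending && $5 == "gravity" && $6 == "blocked" && $7 == d {
            blocked = 1; pending = 0; next
        }
        # "forwarded|reply|cached <name> ...": the name was resolved normally
        pending && ($5 == "forwarded" || $5 == "reply" || $5 == "cached") && $6 == d {
            allowed = 1; pending = 0
        }
        END {
            if (!asked)       print "not-seen"
            else if (allowed) print "allowed"
            else if (blocked) print "blocked"
            else              print "unanswered"
        }'
}

# Real use on the Pi (path as given in the post above):
#   sudo cat /var/log/pihole/pihole.log | classify_domain adclick.g.doubleclick.net <client-ip>
```

A `not-seen` verdict for a domain the browser is visibly loading from is the case discussed in this thread: the query reached some resolver other than Pi-hole.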

Thanks for that. I tried all your suggestions on both of the servers I mentioned, and both are indeed returned as gravity blocked. Here's a screenshot of the Safari inspector showing an ad from thehill.com which shows it came from googleads.g.doubleclick.net, yet another adserver I can't seem to block, despite it also being in both the adlists referenced above.

And here's the output of the tail on the pihole log for the same domain, on the same client:

Screenshot 2024-01-14 at 9.32.08 PM

I'm quite confused - how can it be blocked, yet getting delivered?!!

The <a ... href= ...> means that's where the banner links to if you click it, not where the image of the banner itself is being served from. Try right-clicking it and seeing if you have "Open image in new tab" or something like that. Or try the dev method again but you're looking for the source of the image.