Won't Block Ads

rufus · January 22, 2019, 3:25am

Please follow the below template, it will help us to help you!

Expected Behaviour:

block ads and have OpenVPN accessible from inside and outside of the network.

Actual Behaviour:

not blocking ads

Debug Token:

I tried to upload the token but got an error so I guess my UFW settings are not correct. I'll paste them below.

Setup: PiZeroW, Netgear Router, OpenVPN, Pi-Hole, UFW

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), allow (routed)
New profiles: skip

To Action From

1194/udp ALLOW IN Anywhere
22 ALLOW IN 10.8.0.0/24
53 ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
10.8.0.0/24 ALLOW IN Anywhere
80 ALLOW IN Anywhere
53 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)

53 ALLOW OUT Anywhere
80/tcp ALLOW OUT Anywhere
443/tcp ALLOW OUT Anywhere
10.8.0.0/24 ALLOW OUT Anywhere
192.168.1.6 1194/udp ALLOW OUT Anywhere
Anywhere ALLOW OUT Anywhere on tun0
443 ALLOW OUT Anywhere
53 (v6) ALLOW OUT Anywhere (v6)
80/tcp (v6) ALLOW OUT Anywhere (v6)
443/tcp (v6) ALLOW OUT Anywhere (v6)
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
443 (v6) ALLOW OUT Anywhere (v6)

jfb · January 22, 2019, 3:26am

I would start with disabling UFW and verify that your VPN setup works. Then work on the UFW settings.

rufus · January 22, 2019, 4:17pm

I did that before I posted here. UFW is set up properly to run the VPN. Everything is working but pi-hole won't filter ads

jfb · January 22, 2019, 4:44pm

Please try the following steps

sudo nano /etc/resolv.conf
edit 127.0.0.1 to 9.9.9.9 or your preferred third party DNS service
save
Run a debug log and upload it.

rufus · January 22, 2019, 10:01pm

it won't let me upload attachments
it says I am a new user

jfb · January 22, 2019, 10:22pm

You don't need to be a user. When you run the debug log, at the end it will ask if you want to upload the log (Y/N). Answer yes and it will upload to the file server and give you a token. Post that token. You will see something like this - your token will not be the same.

********************************************
********************************************
[✓] ** FINISHED DEBUGGING! **

    * The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
    * For more information, see: https://pi-hole.net/2016/11/07/crack-our-medical-tricorder-win-a-raspberry-pi-3/
    * If available, we'll use openssl to upload the log, otherwise it will fall back to netcat.

[?] Would you like to upload the log? [y/N] y
    * Using openssl for transmission.

***********************************
***********************************
[✓] Your debug token is: 72wugm0mlt
***********************************

rufus · January 22, 2019, 11:02pm

I can't upload I think due to my UFW but don't know what to open

Error:
There was an error uploading your debug log.

jfb · January 23, 2019, 1:23am

Post the debug log here and we'll grab it and make it private.

rufus · January 23, 2019, 1:32am

It won't let me upload it

rufus · January 23, 2019, 1:32am

It says I'm a new user

jfb · January 23, 2019, 1:52am

If you can't upload it, post it.

rufus · January 23, 2019, 4:11pm

Debug log was moved to private.

jfb · January 23, 2019, 6:36pm

There is only one problem showing in your debug log

[i] Default IPv4 gateway: 192.168.1.1

* Pinging 192.168.1.1…
[✗] Gateway did not respond. ([Why is a default gateway important for Pi-hole?](https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546))

But, further down the test for blocking both within the Pi (on the localhost and on the IP of the Pi) are working, as is the ability of the Pi-Hole to contact the Google DNS server.

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] [count731.51yes.com](http://count731.51yes.com) is 0.0.0.0 via localhost (127.0.0.1)
[✓] [count731.51yes.com](http://count731.51yes.com) is 0.0.0.0 via Pi-hole (192.168.1.6)
[✓] [doubleclick.com](http://doubleclick.com) is 216.58.217.110 via a remote, public DNS server (8.8.8.8)

What is the output of these commands from the Pi terminal:

echo ">stats" | nc localhost 4711

dig cnn.com

dig cnn.com @192.168.1.6

dig cnn.com @8.8.8.8

rufus · January 23, 2019, 7:01pm

Not sure what to to about the gateway but here are the restults

domains_being_blocked 112495
dns_queries_today 3492
ads_blocked_today 84
ads_percentage_today 2.405498
unique_domains 247
queries_forwarded 1019
queries_cached 2389
clients_ever_seen 5
unique_clients 4
dns_queries_all_types 3492
reply_NODATA 66
reply_NXDOMAIN 3
reply_CNAME 1176
reply_IP 2231
privacy_level 0
status enabled

dig cnn.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57709
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                22      IN      A       151.101.65.67
cnn.com.                22      IN      A       151.101.1.67
cnn.com.                22      IN      A       151.101.129.67
cnn.com.                22      IN      A       151.101.193.67

;; Query time: 51 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Wed Jan 23 14:00:22 EST 2019
;; MSG SIZE  rcvd: 100

dig cnn.com @192.168.1.6

; <<>> DiG 9.10.3-P4-Raspbian <<>> cnn.com @192.168.1.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46153
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                17      IN      A       151.101.1.67
cnn.com.                17      IN      A       151.101.65.67
cnn.com.                17      IN      A       151.101.129.67
cnn.com.                17      IN      A       151.101.193.67

;; Query time: 17 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Wed Jan 23 14:00:52 EST 2019
;; MSG SIZE  rcvd: 100

dig cnn.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Raspbian <<>> cnn.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47153
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                37      IN      A       151.101.65.67
cnn.com.                37      IN      A       151.101.1.67
cnn.com.                37      IN      A       151.101.193.67
cnn.com.                37      IN      A       151.101.129.67

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 23 14:01:06 EST 2019
;; MSG SIZE  rcvd: 100

jfb · January 23, 2019, 7:24pm

These results show that your Pi-Hole is/was working in the past 24 hours. The first output is a summary of the activity in the past 24 hours. We have only tested DNS lookups for a domain not likely to be on a block list. Let's run a few more checks.

From the Pi terminal, run these commands for a domain that is on the default block lists.

dig flurry.com

dig flurry.com @1.1.1.1

dig flurry.com @127.0.0.1

Then, from the client that is seeing ads, run (dig or nslookup, depending on your system)

dig pi.hole
or
nslookup pi.hole

dig flurry.com
or
nslookup flurry.com

rufus · January 23, 2019, 8:28pm

dig flurry.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> flurry.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55292
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flurry.com.                    IN      A

;; ANSWER SECTION:
flurry.com.             300     IN      A       212.82.100.153
flurry.com.             300     IN      A       98.136.103.26
flurry.com.             300     IN      A       74.6.136.153

;; Query time: 41 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Wed Jan 23 15:25:13 EST 2019
;; MSG SIZE  rcvd: 87

dig flurry.com @1.1.1.1

; <<>> DiG 9.10.3-P4-Raspbian <<>> flurry.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18346
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;flurry.com.                    IN      A

;; ANSWER SECTION:
flurry.com.             218     IN      A       74.6.136.153
flurry.com.             218     IN      A       98.136.103.26
flurry.com.             218     IN      A       212.82.100.153

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Jan 23 15:25:44 EST 2019
;; MSG SIZE  rcvd: 87

dig flurry.com @127.0.0.1

; <<>> DiG 9.10.3-P4-Raspbian <<>> flurry.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25268
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flurry.com.                    IN      A

;; ANSWER SECTION:
flurry.com.             2       IN      A       0.0.0.0

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 23 15:25:59 EST 2019
;; MSG SIZE  rcvd: 55

nslookup pi.hole

Server:  resolver1.opendns.com
Address:  208.67.222.222

*** resolver1.opendns.com can't find pi.hole: Non-existent domain

nslookup flurry.com

Server:  resolver1.opendns.com                                                                                          
Address:  208.67.222.222                                                                                                                                                                                                                        Non-authoritative answer:  
Name:    flurry.com                                                                                                     
Addresses:  
74.6.136.153                                                                                                          
98.136.103.26                                                                                                           
212.82.100.153

rufus · January 25, 2019, 5:58pm

do you have any thoughts?

jfb · January 25, 2019, 6:11pm

Apologies for the delay - I missed your reply. Here's what those digs and nslookups are telling us:

dig flurry.com should have returned 0.0.0.0, since this is a blocked domain.

dig flurry.com @1.1.1.1 returned the correct address, which is expected. This confirms that the Pi can get to the internet as well.

dig flurry.com @127.0.0.1 (the Pi loopback address) returned the correct result.

The two nslookup commands from your client both show that the clients are not using Pi-Hole for DNS, as the requests went to an OpenDNS resolver directly. This is a configuration problem in your client or router.

Please generate a new debug log, upload it when prompted, and post the token here.

rufus · January 25, 2019, 7:45pm

it still won't upload (see below)
What do I need to add/enable in my firewall so the pi would upload and generate a token?

[?] Would you like to upload the log? [y/N] y
* Using openssl for transmission.
[✗] There was an error uploading your debug log.

Please try again or contact the Pi-hole team for assistance.

jfb · January 25, 2019, 8:54pm

Temporarily edit the nameserver on your Pi:

sudo nano /etc/resolv.conf

edit nameserver 127.0.0.1 to nameserver 9.9.9.9 or your preferred third party DNS service

save and exit

Then try to upload the debug log