Geekzone: technology news, blogs, forums
timmmay
20574 posts
#3127643 14-Sep-2023 11:36

fe31nz:

So, in your FritzBox settings, I would recommend changing to "Do not assign unique local addresses"

@fe31nz this setting removed the fd / unique local link address from the Pi Hole, which meant the IPv6 DNS address I had configured was no longer valid. I've changed the setting back to "always assign ULA". Alternately I could use the 2406:: address - which would you suggest? The Pi Hole itself announces the 2406:: address using RDNSS so it should be safe enough to use.

Also, I created a new Linux box and checked the DNS servers assigned by DHCP, everything came through as expected. It's looking like Windows is the problem, rather than the Pi Hole or Router setup. I might still try moving back to router DHCP to see what happens.




timmmay
20574 posts
#3127787 14-Sep-2023 14:19

It looks like Windows actually has the IPv6 DNS servers, it's just not displaying them in ipconfig. I found a useful command here. Output below.

Next step - why are ads not being blocked properly on the work machine? nslookup from the work machine specifically to the Pi Hole server returns IPs that should be blocked, whereas from Linux / home PC it blocks them as it should.

From work PC

> nslookup tpc.googlesyndication.com 192.168.1.12

Addresses:  2404:6800:4006:811::2001
          142.251.221.65

From a brand new Ubuntu 23.04 Linux machine on my network

> nslookup tpc.googlesyndication.com 192.168.1.12

Name:   tpc.googlesyndication.com
Address: 0.0.0.0
Name:   tpc.googlesyndication.com
Address: ::

Showing Windows has the IPv6 DNS

> netsh int ipv6 show dnsservers

    DNS servers configured through DHCP:  fd00::xxxx:98c5
                                          2406:xxxx:2ee9
    Register with which suffix:           Primary only

> netsh int ipv6 show dnsservers

    DNS servers configured through DHCP:  192.168.1.12
    Register with which suffix:           Primary only


fe31nz
1228 posts
#3127972 14-Sep-2023 23:59

timmmay:

It looks like Windows actually has the IPv6 DNS servers, it's just not displaying them in ipconfig. I found a useful command here. Output below.

Next step - why are ads not being blocked properly on the work machine? nslookup from the work machine specifically to the Pi Hole server returns IPs that should be blocked, whereas from Linux / home PC it blocks them as it should.


That is definitely weird.  I am not familiar with the PiHole software, but unless you had specifically configured it to do something different for the work PC's IP address, I would expect it to give the same result for the same nslookup, regardless of the PC sending the query.  So I think you need to check the PiHole logs to make sure they show the query from the work PC - it looks rather like the work PC has been configured to divert DNS lookups to some work-defined DNS server, regardless of whether it is actually connected to the work network.  You may need to turn up the logging level to get the PiHole to show the queries.




timmmay
20574 posts
#3128004 15-Sep-2023 07:45

fe31nz:

That is definitely weird.  I am not familiar with the PiHole software, but unless you had specifically configured it to do something different for the work PC's IP address, I would expect it to give the same result for the same nslookup, regardless of the PC sending the query.  So I think you need to check the PiHole logs to make sure they show the query from the work PC - it looks rather like the work PC has been configured to divert DNS lookups to some work-defined DNS server, regardless of whether it is actually connected to the work network.  You may need to turn up the logging level to get the PiHole to show the queries.

Thanks @fe31nz. It's doing the weird local looking thing still, I can see it when nslookup is in debug mode. Trace below for amarktflow.com.

  • It first looks to local servers on the "home.arpa" domain, which appears in the pihole logs. amarktflow.com.home.arpa
  • Then it gets the actual domain IP instead of the blocked IP, which it says comes from pihole, but doesn't appear in the query log.
  • When I do a new query within debug "aoredi.com." (note the trailing full stop) it doesn't search for the home.arpa domain, but the query doesn't show in any pihole log.

I think I'll ask on the pihole forum.

> nslookup

> set debug

> amarktflow.com

Server:  pi.hole
Address:  192.168.1.12

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        amarktflow.com.home.arpa, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 7, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        amarktflow.com.home.arpa, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 8, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        amarktflow.com, type = A, class = IN
    ANSWERS:
    ->  amarktflow.com
        internet address = 104.17.236.50
        ttl = 300 (5 mins)
    ->  amarktflow.com
        internet address = 104.16.52.80
        ttl = 300 (5 mins)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 9, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        amarktflow.com, type = AAAA, class = IN
    ANSWERS:
    ->  amarktflow.com
        AAAA IPv6 address = 2606:4700::6810:3450
        ttl = 300 (5 mins)
    ->  amarktflow.com
        AAAA IPv6 address = 2606:4700::6811:ec32
        ttl = 300 (5 mins)

------------
Name:    amarktflow.com
Addresses:  2606:4700::6810:3450
          2606:4700::6811:ec32
          104.17.236.50
          104.16.52.80
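As an added example that is not part of the thread, the Python below reproduces the two behaviours visible in the trace above: the stub resolver tries amarktflow.com.home.arpa before the bare name (a trailing dot skips the search suffix), and an answer of 0.0.0.0 / :: identifies a Pi-hole sinkhole reply, while real records mean some other resolver answered. The DNS messages it builds are constructed test data, not captured traffic; the home.arpa suffix is taken from the trace.

```python
# Added example, not code from the thread: emulate the stub-resolver search list
# seen in the trace and classify answers. All DNS messages here are constructed.
import ipaddress
import struct

SINKHOLE = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}

def search_candidates(name, suffixes):
    """Names a stub resolver tries in order. A trailing dot marks the name as
    fully qualified, so no search suffix is appended (the trailing-dot test)."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return ["%s.%s" % (name, s) for s in suffixes] + [name]

def build_response(qname, rcode, addrs):
    """Encode a minimal DNS response; answer names use pointer 0xC00C to the question."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", 1, 0x8180 | rcode, 1, len(addrs), 0, 0) + labels + b"\x00\x01\x00\x01"
    for a in map(ipaddress.ip_address, addrs):
        rtype = 1 if a.version == 4 else 28  # A or AAAA, TTL 300 like the trace
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(a.packed)) + a.packed
    return msg

def skip_name(resp, off):
    """Advance past a wire-format name: label sequence or 2-byte compression pointer."""
    while resp[off] and not resp[off] & 0xC0:
        off += 1 + resp[off]
    return off + (2 if resp[off] & 0xC0 else 1)

def parse_answers(resp):
    """Return (rcode, [addresses]) from a DNS response; non-address RRs are skipped."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype in (1, 28):
            addrs.append(ipaddress.ip_address(resp[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(resp):
    """'blocked' means every address is a Pi-hole sinkhole; 'resolved' means real records."""
    rcode, addrs = parse_answers(resp)
    if rcode == 3:
        return "NXDOMAIN"
    return "blocked" if addrs and all(a in SINKHOLE for a in addrs) else "resolved"
```

Running `classify` over the answers for each name from `search_candidates("amarktflow.com", ("home.arpa",))` gives NXDOMAIN, NXDOMAIN, resolved, which is exactly the pattern in the trace and what a Pi-hole-blocked domain should never produce.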


fe31nz
1228 posts
#3128388 16-Sep-2023 01:59

timmmay:

Thanks @fe31nz. It's doing the weird local looking thing still, I can see it when nslookup is in debug mode. Trace below for amarktflow.com.

  • It first looks to local servers on the "home.arpa" domain, which appears in the pihole logs. amarktflow.com.home.arpa
  • Then it gets the actual domain IP instead of the blocked IP, which it says comes from pihole, but doesn't appear in the query log.
  • When I do a new query within debug "aoredi.com." (note the trailing full stop) it doesn't search for the home.arpa domain, but the query doesn't show in any pihole log.

I think I'll ask on the pihole forum.

That sounds like what I was expecting - the work PC has been configured somehow to divert all DNS traffic to the work specified DNS servers.  So the queries never go to the PiHole.  What I do not understand is how nslookup still says it is talking to the PiHole IP address.  I can think of ways of that happening, but it would take something like a NAT rule in the firewall that is preserving the PiHole address while redirecting the traffic, and that is overly complicated for what the company would be wanting its PCs to do.  If your router has the ability to capture traffic for Wireshark to analyse, that would be the way to find out for sure - capture all port 53 traffic to and from the work PC.  There should be none, as the traffic is supposed to go via the PiHole.  There are a number of routers that can do traffic capture, but it is often a hidden capability - FritzBoxes use a blind URL to hide it, for example.


timmmay
20574 posts
#3128413 16-Sep-2023 08:43

fe31nz:

That sounds like what I was expecting - the work PC has been configured somehow to divert all DNS traffic to the work specified DNS servers.  So the queries never go to the PiHole.  What I do not understand is how nslookup still says it is talking to the PiHole IP address.  I can think of ways of that happening, but it would take something like a NAT rule in the firewall that is preserving the PiHole address while redirecting the traffic, and that is overly complicated for what the company would be wanting its PCs to do.  If your router has the ability to capture traffic for Wireshark to analyse, that would be the way to find out for sure - capture all port 53 traffic to and from the work PC.  There should be none, as the traffic is supposed to go via the PiHole.  There are a number of routers that can do traffic capture, but it is often a hidden capability - FritzBoxes use a blind URL to hide it, for example.

Some of the DNS queries make it to Pi Hole, but not all of them. It's quite bizarre. I think I would have to get down to packet capture to work it out, but I'm not sure I care enough. I might have a go with the Fritzbox packet capture some time if I have time.

 

 


fe31nz
1228 posts
#3128730 16-Sep-2023 23:51

timmmay:

Some of the DNS queries make it to Pi Hole, but not all of them. It's quite bizarre. I think I would have to get down to packet capture to work it out, but I'm not sure I care enough. I might have a go with the Fritzbox packet capture some time if I have time.

That triggered the thought that it is probably using both the work provided DNS servers and the locally provided (DHCP?) PiHole DNS server.  So check your network settings to see if there are any static DNS server settings set up to point to the work DNS servers.

Tinkerisk
4224 posts
#3128734 17-Sep-2023 02:20

One single NAT rule intercepting all clients (except end-to-end VPN) and forcing port 53 DNS traffic to the DNS server's IP address would normally be sufficient.





- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


timmmay
20574 posts
#3128774 17-Sep-2023 13:41

fe31nz:

That triggered the thought that it is probably using both the work provided DNS servers and the locally provided (DHCP?) PiHole DNS server.  So check your network settings to see if there are any static DNS server settings set up to point to the work DNS servers.

The Network Settings in the control panel are all set to auto / dhcp, there are no other DNS servers specified. They should show in the "ipconfig /all" as well. My current guess is there's some corporate software running that's somehow intercepting some of the DNS requests, though why it's intercepting some but not all is a bit puzzling. I also can't find anything on the system that looks like it would intercept DNS.

I think I've spent enough time on the work PC problem. If it's not working on other computers maybe I'll look into it more. Thanks all for the help 🙂


nzkc
1571 posts
#3128791 17-Sep-2023 17:35

Does the work PC have a hosts file maybe?

Would have thought if it did it would just have their own services in there. Hosts file is used before DNS is, so worth checking it.


timmmay
20574 posts
#3128909 18-Sep-2023 09:55

nzkc:

Does the work PC have a hosts file maybe?

Would have thought if it did it would just have their own services in there. Hosts file is used before DNS is, so worth checking it.

The only thing in there were a few entries for docker, creating DNS aliases for this PC. So nothing relevant. Good idea though, worth checking.


Tinkerisk
4224 posts
#3147908 15-Oct-2023 23:21

So now I have extended the existing PADD (PiHole Ad Data Display - or something like that) with PiHole, PADD, unbound and gravity-sync, so that a ZeroTier (VPN) gateway for VLANs in the network and all mobile devices out of home(!) can play along. Tailscale (simpler) would also have been an option, but is not quite as flexible for more complex LANs and it can't be self-hosted (at a later stage).

Considering a Raspberry Pi 3B+, its CPU utilisation is 49% at 56.7 DegC and ~9W power consumption. However, the Pi is monitored by 2 slave x86 VMs, which then take over immediately in the event of its failure (DNS). I have added a sample pic from github to see what it looks like. My setup uses DNSSEC and IPv6 as well, but no DHCP.

You can now call it a little defensible digital self-defence machine if you like (my customers do). Just the size of an upright cigarette box, in a dedicated black plastic case with a 3.5" colour display right next to their Fritzboxes (most common ModemRouters in and from Germany). 😆

(No, I don't sell the things - I only charge the procurement costs at normal prices I paid. Everything else is included in the actual service.)







Tinkerisk
4224 posts
#3147918 16-Oct-2023 01:53

Goodie for tinkerers and admins (don't know for how long, but currently free).

Citation: *** USERS SAY IT'S BETTER THAN NETWORK ANALYZER, INET and FING *** 😉

Have a nice working day - here it's still Sunday. 😁






