

timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

#306990 11-Sep-2023 11:27

I've moved PiHole to a new server, and it doesn't seem to be working properly. I wonder if anyone can help work out why. The Pi Hole Dashboard is showing 1.6% of DNS queries blocked in the last hour since I restarted it, which is significantly lower than I would expect.

 

I can see that queries are going from my PC to the Pi Hole, as they're appearing in the Pi Hole query log. Pi Hole is also doing DHCP. I have only looked at one computer at the moment, I can look at my personal computer later. My phone uses a different online DNS provider.

 

I first noticed that I'm seeing big red advertisements on stuff.co.nz. I copied the image location which told me the ad is served from tpc.googlesyndication.com . When I use the pihole "search adlists" function of pihole I can see this domain is on one of the block lists I've configured.

 

Pihole output

 

Exact matches for tpc.googlesyndication.com found in:
 - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
 - https://v.firebog.net/hosts/AdguardDNS.txt

 

When I grab random domains from one of the blocklists and do an nslookup I can see the IPs for the domain are returned rather than blocked.

 

nslookup bidgear.com
Server:  pi.hole
Address:  192.168.1.x

Non-authoritative answer:
Name:    bidgear.com
Addresses:  2606:4700:20::681a:36b
          2606:4700:20::ac43:4a24
          2606:4700:20::681a:26b
          172.67.74.36
          104.26.2.107
          104.26.3.107

A blocked domain looks different in the query log

 

 

 

 

When the query is sent for bidgear.com pihole shows the query as "bidgear.com.lan". I believe this is because that's the domain the PiHole DHCP server assigns.

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : lan
   DHCP Server . . . . . . . . . . . : 192.168.1.x (correct pi hole address)
   DNS Servers . . . . . . . . . . . : 192.168.1.x (correct pi hole address)

The only thing I can see that looks odd is that the blocked domains don't have ".lan" appended to them. Any thoughts / suggestions? 


nzkc
1571 posts

Uber Geek


  #3125918 11-Sep-2023 12:10

Why does it show the domain as bidgear.com.lan?  The .lan part looks wrong to me.

 

Are you using the default block lists too?

 

Edit: Oh you listed a couple of the block lists - I missed that. I'm still curious about the .lan part. The other thing I am wondering is if all your DHCP clients have updated - perhaps they have not yet and that's the problem?




Ruphus
465 posts

Ultimate Geek


  #3125932 11-Sep-2023 12:56

I've not used PiHole for ages and use Adguard now but have you setup any DNS Rewrites in PiHole? (I'm sure if that's even a thing in PiHole)


timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3125987 11-Sep-2023 13:25

More research finds this answer, which suggests it's a "feature" of nslookup. Basically Windows looks for local servers with that domain as well as internet domains, so if you query bob.com it'll look for bob.com.lan then bob.com, both A and AAAA records, so four DNS queries. If you follow the guide in that answer you can turn on nslookup debug mode and see it happening.

 

PiHole DHCP is handing out "lan" as a domain name, and "ipconfig /all" shows "lan" as the "Connection-specific DNS Suffix". See the image below.

 

 

 

What's odd is PiHole is taking these queries nslookup sends for domains like bidgear.com.lan and returns the public IP for bidgear.com, rather than blocking them.

 

Another weird thing is when I'm using Chrome / Firefox I don't see any of the domains in the PiHole query log. I've disabled secure DNS in both Chrome and Firefox, and Firefox is explicitly set to use default DNS. The system is definitely pointing at the PiHole DNS.

 

Something weird is going on. I'll see what my home PC does in a few hours. Maybe it's something odd about the setup of the work PC I'm currently using.

 

 

 

 

 

 




timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3125988 11-Sep-2023 13:25

Ruphus:

 

I've not used PiHole for ages and use Adguard now but have you setup any DNS Rewrites in PiHole? (I'm sure if that's even a thing in PiHole)

 

 

I don't know what that means, so probably no.


  #3126017 11-Sep-2023 13:48

I certainly would not have ‘lan’ for the dns suffix, leave it blank. I suspect .lan is being appended by windows and is getting forwarded upstream.

This article https://www.ctrl.blog/entry/homenet-domain-name.html more or less aligns with my point of view on internal dns suffixes.

If you have ipv6 enabled, your device may be using the ipv6 dns servers from your isp.

On my pihole I use the following

https://docs.pi-hole.net/guides/dns/cloudflared/

Using NextDNS as the upstream dns over https resolver.


timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3126064 11-Sep-2023 14:14

That's interesting, thanks @fearandloathing. You can't remove the dns suffix in PiHole, so I've set it to "home.arpa". It'll take 4 hours to make it out to the various clients around the house when DHCP is renewed.

 

It could be that the browser is doing IPv6 queries. I've disabled DNS over https type options so it shouldn't be, but who knows what it's really doing.

 

My PC / router / ISP does have IPv6. I have a feeling my previous Pi Hole box returned IPv6 DNS servers. I have the 2degrees IPv6 DNS servers defined, and PiHole is returning AAAA records.

 

I'm not really bothered about DNS over https, or using CloudFlared for DNS, which I already have on my Pi4. If I find a good reason I might set it up.


timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3126069 11-Sep-2023 14:53

I found something else odd. When I ping a domain on the blocklist I haven't used before it works fine but doesn't show up in the pihole query log. When I then do an nslookup of the same domain then it appears in the Pihole query log.

 

 


 
 
 

  #3126073 11-Sep-2023 15:19

Does ipconfig /all show ipv6 dns servers?

timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3126074 11-Sep-2023 15:28

@fearandloathing No. I'll try this on my home PC in a little while as well.

 

 

 

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : home.arpa
   Description . . . . . . . . . . . : Realtek USB GbE Family Controller #2
   Physical Address. . . . . . . . . : 64-C9-01-CC-xx-xx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2406:(removed)(Preferred)
   IPv6 Address. . . . . . . . . . . : fd00::(removed)(Preferred)
   Temporary IPv6 Address. . . . . . : 2406:(removed)(Preferred)
   Temporary IPv6 Address. . . . . . : fd00::(removed)(Preferred)
   Link-local IPv6 Address . . . . . : fe80::(removed)(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, 11 September 2023 6:31:02 am
   Lease Expires . . . . . . . . . . : Monday, 11 September 2023 6:03:14 pm
   Default Gateway . . . . . . . . . : fe80::(removed)%23
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.xx
   DHCPv6 IAID . . . . . . . . . . . : 335020000
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-36-20-0B-64-C9-xx-xx-xx-xx
   DNS Servers . . . . . . . . . . . : 192.168.1.xx
   NetBIOS over Tcpip. . . . . . . . : Enabled


timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3126089 11-Sep-2023 16:06

Interesting... switching from my work PC to my home PC things work as expected.

 

  • My PC gets assigned IPv4 and IPv6 DNS servers, all point at the Pi Hole server (see nslookup below)
  • When I do an nslookup it appears in the PiHole logs without a suffix (see image below) and the reply is 0.0.0.0 as expected
  • Chrome / web browser queries appear in the PiHole logs. This might be because of IPv6 DNS. Interestingly I see A / AAAA / HTTPS record type queries in PiHole.

 

 

My interim conclusion is either a) my work computer is heavily managed (I do work for a large company) or b) I've mucked with something in the network settings on my work computer that's making it behave like this (probably more likely). Interested in thoughts, what settings might have caused the work computer to act like this.

 

 

 

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.arpa
   Description . . . . . . . . . . . : Realtek Gaming 2.5GbE Family Controller
   Physical Address. . . . . . . . . : 18-C0-4D-64-xx-xx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2406:(removed)(Preferred)
   (other IP6 addresses removed for brevity)
   IPv4 Address. . . . . . . . . . . : 192.168.1.x(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, 11 September 2023 3:47:57 pm
   Lease Expires . . . . . . . . . . : Monday, 11 September 2023 5:47:57 pm
   Default Gateway . . . . . . . . . : fe80::(removed)%5
                                       fe80::(removed)%5
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.12 (pi hole IP)
   DHCPv6 IAID . . . . . . . . . . . : 102280000
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-4F-CE-43-18-C0-xx-xx-xx-xx
   DNS Servers . . . . . . . . . . . : 192.168.1.12
                                       2406:(removed)
                                       fe80::(removed)
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

 

 

Nslookup

 

> nslookup ceromobi.club
Server:  pi.hole
Address:  192.168.1.12

Name:    ceromobi.club
Addresses:  ::
          0.0.0.0

 

 

 

Blocking of nslookup as expected

 


boland
545 posts

Ultimate Geek


  #3126091 11-Sep-2023 16:08

I've got two Pi Holes running in my home, one of them as DHCP server, never experienced what you're seeing

 

I have "home" as Pi-hole domain name, which I think was the default setting, and not causing any issues. It's also showing up as Connection-specific DNS Suffix. Based on my knowledge that's only used for local devices on your network. Maybe try renaming "lan" to something else like "home"?

 

Just tested with bidgear.com and I indeed see 4 DNS queries in Pi Hole, two including .home (which are green/not blocked) and two without, being blocked. And I see 0.0.0.0 in the nslookup terminal, so all fine. Do you also see two queries for bidgear.com (without .lan) being blocked / red?

 

One difference; I'm not using IPv6. 
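The pattern discussed in the posts above (suffixed lookups such as bidgear.com.lan passing through while the bare name is blocked) can be audited from the Pi-hole log. This is an added example, not code from any poster in this thread: the log lines are constructed in the dnsmasq style Pi-hole logs in, and the client address, upstream resolver, suffix and blocklist passed in are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the dnsmasq log style used by Pi-hole.
SAMPLE_LOG = """\
Sep 11 13:20:01 dnsmasq[812]: query[A] bidgear.com.lan from 192.168.1.50
Sep 11 13:20:01 dnsmasq[812]: forwarded bidgear.com.lan to 1.1.1.1
Sep 11 13:20:01 dnsmasq[812]: query[AAAA] bidgear.com.lan from 192.168.1.50
Sep 11 13:20:01 dnsmasq[812]: forwarded bidgear.com.lan to 1.1.1.1
Sep 11 13:20:02 dnsmasq[812]: query[A] bidgear.com from 192.168.1.50
Sep 11 13:20:02 dnsmasq[812]: gravity blocked bidgear.com is 0.0.0.0
Sep 11 13:20:02 dnsmasq[812]: query[AAAA] bidgear.com from 192.168.1.50
Sep 11 13:20:02 dnsmasq[812]: gravity blocked bidgear.com is ::
Sep 11 13:21:10 dnsmasq[812]: query[A] nas.lan from 192.168.1.51
Sep 11 13:21:30 dnsmasq[812]: query[A] ceromobi.club.lan from 192.168.1.50
Sep 11 13:21:30 dnsmasq[812]: forwarded ceromobi.club.lan to 1.1.1.1
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
EVENT_RE = re.compile(r"dnsmasq\[\d+\]: (forwarded|gravity blocked) (\S+) ")

def audit(log_text, blocklist, suffix):
    """Count, per (client, blocklisted domain), suffixed lookups that were
    forwarded upstream and bare lookups that were blocked."""
    dot_suffix = "." + suffix.strip(".").lower()
    last_client = {}  # forwarded/blocked lines carry no client, so remember it
    stats = defaultdict(lambda: {"suffixed_forwarded": 0, "bare_blocked": 0})
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            last_client[q.group(2).lower()] = q.group(3)
            continue
        e = EVENT_RE.search(line)
        if not e:
            continue
        action, name = e.group(1), e.group(2).lower()
        client = last_client.get(name, "unknown")
        if action == "forwarded" and name.endswith(dot_suffix):
            bare = name[: -len(dot_suffix)]
            if bare in blocklist:  # exact match on the un-suffixed name
                stats[(client, bare)]["suffixed_forwarded"] += 1
        elif action == "gravity blocked" and name in blocklist:
            stats[(client, name)]["bare_blocked"] += 1
    return dict(stats)

def never_blocked(stats):
    """Pairs where only the suffixed form was seen and nothing was blocked."""
    return sorted(k for k, v in stats.items()
                  if v["suffixed_forwarded"] and not v["bare_blocked"])
```

A pair with both counters non-zero matches the four-query pattern reported as working; a pair returned by `never_blocked` is a client whose lookups for that name reached the resolver only in suffixed form.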


  #3126143 11-Sep-2023 16:29

Disable IPv6 on your router, whilst there is likely better advice. Your devices are likely not using pihole exclusively for name resolution.

That is the issue and the fix I had recently when changing my router. I’ll look at revisiting that problem for myself some time in the future.

RunningMan
8953 posts

Uber Geek


  #3126144 11-Sep-2023 16:32

Not the work computer pushing everything down a VPN tunnel to work (including DNS) is it?


timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3126146 11-Sep-2023 16:47

boland:

 

I've got two Pi Holes running in my home, one of them as DHCP server, never experienced what you're seeing

 

I have "home" as Pi-hole domain name, which I think was the default setting, and not causing any issues. It's also showing up as Connection-specific DNS Suffix. Based on my knowledge that's only used for local devices on your network. Maybe try renaming "lan" to something else like "home"?

 

Just tested with bidgear.com and I indeed see 4 DNS queries in Pi Hole, two including .home (which are green/not blocked) and two without, being blocked. And I see 0.0.0.0 in the nslookup terminal, so all fine. Do you also see two queries for bidgear.com (without .lan) being blocked / red?

 

One difference; I'm not using IPv6. 

 

 

On my home computer everything is working as expected. Connection suffix has been set to "home.arpa" as suggested above, which is meant to be the new standard. 

 

When I run "nslookup bidgear.com" on my home computer I can see only two queries sent to pi hole, instead of the four that are sent from the work PC. It only queries A and AAAA for the actual domain, it doesn't query for the "home.arpa" suffix version. I did only just change the suffix to that so the work computer won't have that until the next DHCP renewal.

 

It'll be interesting to see what happens when I turn the work computer on.

 

 


timmmay

20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #3126148 11-Sep-2023 16:48

fearandloathing: Disable IPv6 on your router, whilst there is likely better advice. Your devices are likely not using pihole exclusively for name resolution.

That is the issue and the fix I had recently when changing my router. I’ll look at revisiting that problem for myself some time in the future.

 

I agree there's some other name resolution going on. I can't disable IPv6, one of my servers is IPv6 only, I can't ssh to it over IPv4. Plus I'd rather keep IPv6 working generally.

 

I'll probably work out the root cause of the problem at some point. When I do I'll make sure I post it. I appreciate your help :)

