DNS leaks getting past pihole?

I have a Pihole running on a raspberry pi and also have Unbound installed on the pihole.
I am seeing ad domains get through, even though they are in my block lists.
Wondering if my dns is somehow being bypassed/leaked?

When I run a dns leaktest, at dnsleaktest.com it says 1 server found which matches my ip address.
I think I have ipv6 disabled but not 100% sure.

Looking to make sure I have everything configured properly in OpenWRT before I ask for help from the pihole forums.

Thanks

If you had an IPv6 leak/working it would have shown up in the test.

:spiral_notepad:

I'm sure you are aware they had a major update 3 days ago, and patches every day since, so it may be having growing pains.

No, I wasn't aware of that. I guess I should lurk on the pihole forums a bit :grinning:
I should clarify that some sites are blocked but for some reason, some are not.
So it's not as if it's not working at all.

How would we know? You haven't shared the config files you have doubts about.

Unless your Pi host is also the firewall, it's not where the requests are leaking...

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

I did some more investigating and it seems like not all queries are going through the pihole.
For example, if I go to dailymail.co.uk to test the ad blocking, Brave Shields and uBlock Origin in Firefox say they blocked facebook.net, but when I query the pihole log, it does not show as being blocked or allowed.

Below is a copy of my config

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) N4100 CPU @ 1.10GHz",
	"model": "ZOTAC ZBOX-CI329NANO",
	"board_name": "zotac-zbox-ci329nano",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "x86/64",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network

# Loopback: the router's own 127.0.0.1; not reachable from LAN clients.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix; only matters if IPv6 is actually served on 'lan'.
config globals 'globals'
	option ula_prefix 'fd92:2edf:a32e::/48'

# LAN bridge with a single member port (eth0); no wireless config exists on this box.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# 'dns' on a static interface is the resolver the ROUTER itself uses
	# (netifd writes it to /tmp/resolv.conf.d/resolv.conf.auto, which dnsmasq
	# reads via 'resolvfile' in /etc/config/dhcp). It is NOT what DHCP
	# clients receive — that comes from dhcp_option 6 in /etc/config/dhcp.
	list dns '192.168.1.199'

# WAN via DHCP. There is no "option peerdns '0'" here, so the ISP's resolvers
# from the WAN lease are presumably also written to resolv.conf.auto next to
# the Pi-hole above (that is what LuCI shows as "WAN dns servers"); the
# router's own lookups may then go to either — confirm that is intended.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

# Router-side dnsmasq (DNS + DHCPv4). Clients are pointed at the Pi-hole via
# dhcp_option 6 below, so this instance mainly serves the router itself and
# anything that ignores DHCP; its upstreams come from 'resolvfile'.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# rebind_protection: drop upstream answers that resolve to private ranges
	# (DNS-rebinding defence); rebind_localhost additionally permits 127/8 answers.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Upstream resolver list maintained by netifd from the 'dns' entries and the
	# WAN lease in /etc/config/network (so it may contain both Pi-hole and ISP).
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# localservice: only answer DNS for directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	# DHCPv4 option 6 = DNS server list handed to IPv4 clients: the Pi-hole.
	list dhcp_option '6,192.168.1.199'
	# NOTE(review): DHCPv4 option 23 is "Default IP TTL", not a DNS server
	# (23 is the DNS list only in DHCPv6). An address does not fit a TTL
	# value, so this line is at best ignored; IPv6 DNS for clients belongs in
	# the odhcpd/RA settings instead.
	list dhcp_option '23,192.168.1.199'
	# No 'ra' / 'dhcpv6' options are set here, so odhcpd does not appear to be
	# serving IPv6 on lan (consistent with "IPv6 disabled") — confirm in LuCI.

# No DHCP server on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# maindhcp '0': dnsmasq stays the DHCPv4 server; odhcpd would only handle v6.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static lease for the Pi-hole host. The 'mac' line below is truncated/redacted
# in this paste (unclosed quote); as written UCI would not parse it.
config host
	option name 'RaspberryPi'
	list mac ' 
	option ip '192.168.1.199'
	option leasetime 'infinite'

root@OpenWrt:~# cat /etc/config/firewall

# Default-deny for input and forward; the zones below open what is needed.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: fully open towards the router and between LAN networks.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN zone: nothing unsolicited in; masq = source NAT for outbound traffic.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# --- Stock OpenWrt allow rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6) ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two IPsec rules forward ESP and IKE (udp/500) from ANY WAN source into
# the LAN zone. They are part of the stock ruleset, but with no IPsec host
# on the LAN they are not needed — consider removing them.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# DNS interception: every port-53 flow from the LAN (except from the Pi-hole
# itself, so its own upstream lookups are not looped back) is DNAT'ed to the
# Pi-hole. No 'proto' is given; fw4 presumably applies this to tcp+udp —
# confirm. Scope caveat: this catches plain DNS only. DNS-over-TLS (853) and
# DNS-over-HTTPS (443) are not rewritten, so a browser or OS with encrypted
# DNS enabled never reaches the Pi-hole — a likely reason some names never
# appear in its query log.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Pi'
	option src 'lan'
	option src_ip '!192.168.1.199'
	option src_dport '53'
	option dest_ip '192.168.1.199'
	option dest_port '53'

# Hairpin SNAT for the redirect above: client and Pi-hole share a subnet, so
# without masquerading the Pi's reply would go straight to the client and be
# dropped as unsolicited. Side effect: the Pi-hole sees the ROUTER as the
# source of every intercepted query, so such queries are logged under
# 192.168.1.1 rather than the real client — expect that in the Pi-hole log.
config nat
	option name 'Pi'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.199'
	option dest_port '53'
	option target 'MASQUERADE'

You do understand why if one ad-blocker (your browser) blocked an ad another (your pi-hole) would not see the request?

Wouldn't the Pi-hole block it before the browser?
Edit: Even if uBlock is turned off, facebook.net does not show up in the pihole logs

No, it is a request: the browser handles blocking it first.
I added a list for blocking facebook years ago and I'm sure you can too.

Anyway.
You are into Pi-hole territory and they would have better answers.

Are you sure the browser isn't bypassing your pi-hole ?

This is set wrongly: DHCPv4 option 23 is the default TTL. If you want a DHCPv6 DNS server, it is better to set it in the odhcpd options.


That's what's odd. As mentioned, some queries show up in the pihole log and some do not.
I could understand it if none of them did, or all of them did, but blocked items are being allowed for some reason: some things show up in the Pi-hole log as blocked or allowed, while others do not appear at all.

Thanks for any suggestions

Yeah, even though I have IPv6 disabled, I set that to force any IPv6 requests through the pihole, in case they were bypassing it somehow.
I'll remove it as it did not help the issue.

Thanks


As mentioned, I use Unbound for dns.
On the Overview page of LuCI, under Network → IPv4 upstream, it shows the router's WAN public IP, WAN gateway and WAN DNS servers.
The DNS servers shown are my ISP's DNS servers. Is that correct?

For the WAN, yes.

WAN <> clients.

Thought so but was wondering if that was how the pihole was being bypassed.
Thanks for educating me :grin: