Why do blacklisted domains show IPv4 as "Pi-holed" but not IPv6 in the query log?

This behavior can be fixed by setting

AAAA_QUERY_ANALYSIS=no

in /etc/pihole/pihole-FTL.conf (you need to create this file if it doesn't exist).

If you still see blacklisted IPv6 domains show as forwarded in your query log but don't have IPv6 enabled, you may see a false positive like the image below, where the IPv4 version of the domain is blocked, but not the IPv6 version.

root@pihole:~ $ cat /etc/pihole/gravity.list | grep edge.quantserve.com
192.168.1.126 edge.quantserve.com

If your Pi-hole does not have an IPv6 address assigned to it, Pi-hole doesn't know to use IPv6 blocking and it instead sends the DNS query to an upstream server. If the upstream server returns an AAAA record, but your client devices cannot communicate via IPv6, you will see this behavior.

Fixing these false-positives

If you don't want to set the FTL config file up, then you need to set up a Unique Local Address (ULA) for IPv6 on the network.

Hi,

this is exactly what I need for my Pi-hole, as I don't use ipv6 and so I need no ipv6 logs.
But after creating the file with content analyze_AAAA=no and several restarts, flushing logs etc. there is still no difference in the query output. Pi-hole is on 3.0.1 / 3.0.1a / 2.8!
Can you help?

btw. the topic is something reverse, the question is:
Why do blacklisted domains show IPv4 AND IPv6 as “Pi-holed” in the query log?
or
HOW do blacklisted domains show IPv4 as “Pi-holed” but not IPv6 in the query log?

Perhaps @DL6ER or @MrD might have some insights?

Did you put exactly this into the config file?

analyze_AAAA=no

Then run sudo service pihole-FTL restart. Then run cat /var/log/pihole-FTL.log and share the output securely.

EDIT: Sorry, there was a mixup with the documentation. The correct thing to put in the config is:

AAAA_QUERY_ANALYSIS=no

Hi,

yes, AAAA_QUERY_ANALYSIS=no is what works now - thanks a lot!

On this site, it's also documented wrong, maybe someone can fix it there too:
GitHub - pi-hole/FTL: The Pi-hole FTL engine

does this apply to FTL ver 3.0?
I did a fresh install and now I'm seeing ipv6 not pi-holed again

Yes, the setting should still work on 3.0

thanks. does a change to the /etc/pihole/pihole-FTL.conf file require any kind of restart?

spoke too soon. looks like it doesn't work with the new version.

Are you using AAAA_QUERY_ANALYSIS?

yes .. I have
AAAA_QUERY_ANALYSIS=no
in /etc/pihole/pihole-FTL.conf which I had to create.

What is the output of cat /var/log/pihole-FTL.log | pihole tricorder

pi@DNS1:~ $ cat /var/log/pihole-FTL.log | pihole tricorder
u6jmmk1jjq

Same issue here.

[2018-03-24 01:02:24.492] Notice: Found no readable FTL config file
[2018-03-24 01:02:24.492]         Using default settings
[2018-03-24 01:02:24.492] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2018-03-24 01:02:24.492]    SOCKET_LISTENING: only local
[2018-03-24 01:02:24.492]    QUERY_DISPLAY: Show queries
[2018-03-24 01:02:24.493]    AAAA_QUERY_ANALYSIS: Show AAAA queries

Run these commands and share the output:

sudo service pihole-FTL restart
ls -lh /var/log/pihole-FTL.log
cat /var/log/pihole-FTL.log | pihole tricorder

Run the same commands as above and share the output

pnn3qebq3z

it looks like the behavior has stopped. perhaps due to the FTL restart.
I had rebooted prior to running the command above.

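Added example, not part of the thread and not Pi-hole project code: a POSIX shell check for the three failure modes seen above (the mis-documented analyze_AAAA key, a config file FTL could not read, and a correct file that FTL has not re-read since its last start). The function names and result tokens are hypothetical; the paths and log strings are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example (not Pi-hole code). Paths and log strings are the ones quoted
# in the thread; function names and result tokens are hypothetical.

# Classify the config file: missing | unreadable | wrong-key | not-set | ok
conf_state() {
    conf=${1:-/etc/pihole/pihole-FTL.conf}
    [ -e "$conf" ] || { echo missing; return; }
    [ -r "$conf" ] || { echo unreadable; return; }
    if grep -q '^AAAA_QUERY_ANALYSIS=no[[:space:]]*$' "$conf"; then
        echo ok
    elif grep -q '^analyze_AAAA=' "$conf"; then
        echo wrong-key          # the mis-documented key name from the thread
    else
        echo not-set
    fi
}

# Inspect the most recent FTL startup recorded in the log:
# no-config | show-aaaa | other | unknown
log_state() {
    log=${1:-/var/log/pihole-FTL.log}
    [ -r "$log" ] || { echo unknown; return; }
    awk '
        /Found no readable FTL config file/ { noconf = 1 }
        /Starting config file parsing/ { last = (noconf ? "no-config" : "other"); noconf = 0 }
        /AAAA_QUERY_ANALYSIS: / {
            if (last != "no-config")
                last = (($0 ~ /Show AAAA queries/) ? "show-aaaa" : "other")
        }
        END { print (last == "" ? "unknown" : last) }
    ' "$log"
}

# Combine both views into one verdict.
diagnose() {
    c=$(conf_state "$1"); l=$(log_state "$2")
    case "$c:$l" in
        ok:no-config) echo ftl-could-not-read-conf ;;  # file exists, FTL did not read it
        ok:show-aaaa) echo restart-needed ;;           # sudo service pihole-FTL restart
        ok:other)     echo applied ;;                  # log no longer reports "Show AAAA queries"
        ok:unknown)   echo unverified ;;               # no usable log to confirm against
        *)            echo "conf-$c" ;;
    esac
}

diagnose "$@"   # usage: script [conf-path] [log-path]
```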