Why do blacklisted domains show IPv4 as "Pi-holed" but not IPv6 in the query log?


#1

This behavior can be fixed by setting

AAAA_QUERY_ANALYSIS=no

in /etc/pihole/pihole-FTL.conf (you need to create this file if it doesn’t exist).

If you still see blacklisted IPv6 domains show as forwarded in your query log but don’t have IPv6 enabled, you may see a false positive like the image below, where the IPv4 version of the domain is blocked, but not the IPv6 version.

root@pihole:~ $ cat /etc/pihole/gravity.list | grep edge.quantserve.com
192.168.1.126 edge.quantserve.com

If your Pi-hole does not have an IPv6 address assigned to it, Pi-hole doesn’t know to use IPv6 blocking and it instead sends the DNS query to an upstream server. If the upstream server returns an AAAA record, but your client devices cannot communicate via IPv6, you will see this behavior.

Fixing these false-positives

If you don’t want to set the FTL config file up the you need to set up a Unique Local Address (ULA) for IPv6 on the network.


IPv6 domains not blocked?
IPv6 is not blocked
After update ads not being blocked, passed on via ipv6 but ipv6 is not enabled
Cannot use Pi-hole as DNS server with IPv6 requests
What happens to Internet when Raspberry down
17k queries in 24h, 8k+ to the same domain
Few Questions about my new Pi-Hole installation
Running IPv4 but still getting some adds over IPv6
Ip6 showing in logs but it's turned off everythwhere
Not Blocking Amazon ad on Pages to Test Ad Blocking Performance
Not Blocking Amazon ad on Pages to Test Ad Blocking Performance
Youtube adverts and some others
IPv4 blocked, IPv6 Allowed - How do I fix?
Blacklisted Domain only blocked via IPv4
#2

Hi,

this is exactly what I need for my Pi-hole, as I don’t use ipv6 and so I need no ipv6 logs.
But after creating the file with content analyze_AAAA=no and several restarts, flushing logs etc. there is still no difference in the query output. Pi-hole is on 3.0.1 / 3.0.1a / 2.8!
Can you help?

btw. the topic is something reverse, the question is:
Why do blacklisted domains show IPv4 AND IPv6 as “Pi-holed” in the query log?
or
HOW do blacklisted domains show IPv4 as “Pi-holed” but not IPv6 in the query log?


#3

Perhaps @DL6ER or @MrD might have some insights?


After update ads not being blocked, passed on via ipv6 but ipv6 is not enabled
#4

Did you put exactly this into the config file?

analyze_AAAA=no

Then run sudo service pihole-FTL restart. Then run cat /var/log/pihole-FTL.log and share the output securely.

EDIT: Sorry, there was a mixup with the documentation. The correct thing to put in the config is:

AAAA_QUERY_ANALYSIS=no

#5

Hi,

yes, AAAA_QUERY_ANALYSIS=no is what works now - thanks a lot!

On this site , it’s also documented wrong, maybe someone can fix it there too:
https://github.com/pi-hole/FTL#ftls-config-file


#6

does this apply to FTL ver 3.0?
I did a fresh install and now I’m seeing ipv6 not pi-holed again


#7

Yes, the setting should still work on 3.0


#8

thanks. does a change to the /etc/pihole/pihole-FTL.conf file require any kind of restart?


#9

spoke too soon. looks like it doesn’t work with the new version.


#10

Are you using AAAA_QUERY_ANALYSIS?


#11

yes … I have
AAAA_QUERY_ANALYSIS=no
in in /etc/pihole/pihole-FTL.conf which I had to create.


#12

What is the output of cat /var/log/pihole-FTL.log | pihole tricorder


#13

pi@DNS1:~ $ cat /var/log/pihole-FTL.log | pihole tricorder
u6jmmk1jjq


#14

Same issue here.

[2018-03-24 01:02:24.492] Notice: Found no readable FTL config file
[2018-03-24 01:02:24.492]         Using default settings
[2018-03-24 01:02:24.492] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2018-03-24 01:02:24.492]    SOCKET_LISTENING: only local
[2018-03-24 01:02:24.492]    QUERY_DISPLAY: Show queries
[2018-03-24 01:02:24.493]    AAAA_QUERY_ANALYSIS: Show AAAA queries

#15

Run these commands and share the output:

sudo service pihole-FTL restart
ls -lh /var/log/pihole-FTL.log
cat /var/log/pihole-FTL.log | pihole tricorder

#16

Run the same commands as above and share the output


#17

pnn3qebq3z


#18

it looks like the behavior has stopped. perhaps due to the FTL restart.
I had rebooted prior to running the command above.