
Clients by MAC address don't follow the group assignment when query by IPv6 address #2390

Open
SuperdukeGates opened this issue Mar 25, 2025 · 5 comments

Comments

@SuperdukeGates

Versions

  • Pi-hole: v6.0.5
  • AdminLTE: n/a
  • Web: v6.0.2
  • FTL: v6.0.4

Platform

  • OS and version: Debian bullseye
  • Platform: Raspberry Pi

Expected behavior

Pihole should follow the policy of the assigned group.

Actual behavior / bug

Pihole seems to apply the Default group but not the assigned group.

Steps to reproduce

Steps to reproduce the behavior:

  1. Assume a client's MAC address is 60:12:34:56:78:9A and its IPv4 is 192.168.123.33, IPv6 fd12:a987:4321:5678:192:168:123:33.
  2. Assume the Pihole server has IPv4 192.168.123.1, IPv6 fd12:a987:4321:5678:192:168:123:1 and listens on them.
  3. At the Pihole web interface, click Groups and add a group called BLANK.
  4. Then go to Clients and add a client by the MAC address 60:12:34:56:78:9A and assign the group BLANK only.
  5. From the client, issue 'nslookup incoming.telemetry.mozilla.org 192.168.123.1'. There is no block. This is correct because of the group BLANK.
  6. From the client, issue 'nslookup incoming.telemetry.mozilla.org fd12:a987:4321:5678:192:168:123:1'. It's blocked (i.e. 0.0.0.0 and ::). This is incorrect and seems to be the Default's policy, not BLANK's.
@yubiuser yubiuser transferred this issue from pi-hole/pi-hole Mar 25, 2025
@DL6ER
Member

DL6ER commented Mar 27, 2025

Please enable query debugging using, e.g.

sudo pihole-FTL --config debug.queries true
sudo pihole-FTL --config debug.clients true

and try again. Then please share the log with us (/var/log/pihole/FTL.log).

I just did the same and confirmed I get an IP address for doubleclick.net both times, using once the IPv4 address and once the ULA of my Pi-hole. I then checked querying the Pi-hole from within itself (dig @127.0.0.1) and received 0.0.0.0.

@SuperdukeGates
Author

Okay. I ran sudo pihole-FTL --config debug.queries true and sudo pihole-FTL --config debug.clients true, then tried again.

I used nslookup doubleclick.net 192.168.123.1 and got the A and AAAA addresses for doubleclick.net.
I used nslookup doubleclick.net fd12:a987:4321:5678:192:168:123:1 and got A as 0.0.0.0 and AAAA as ::.

Here is the log:

2025-03-27 22:30:33.892 CST [31489/T29654] INFO: Reloading config due to pihole.toml change
2025-03-27 22:30:33.903 CST [31489/T29654] DEBUG_ANY: ************************
2025-03-27 22:30:33.903 CST [31489/T29654] DEBUG_ANY: *    DEBUG SETTINGS    *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * DATABASE:       NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * NETWORKING:     NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * LOCKS:          NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * QUERIES:        YES  *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * FLAGS:          NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * SHMEM:          NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * GC:             NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * ARP:            NO   *
2025-03-27 22:30:33.904 CST [31489/T29654] DEBUG_ANY: * REGEX:          NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * API:            NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * TLS:            NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * OVERTIME:       NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * STATUS:         NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * CAPS:           NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * DNSSEC:         NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * VECTORS:        NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * RESOLVER:       NO   *
2025-03-27 22:30:33.905 CST [31489/T29654] DEBUG_ANY: * EDNS0:          NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * CLIENTS:        YES  *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * ALIASCLIENTS:   NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * EVENTS:         NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * HELPER:         NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * CONFIG:         NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * INOTIFY:        NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * WEBSERVER:      NO   *
2025-03-27 22:30:33.906 CST [31489/T29654] DEBUG_ANY: * EXTRA:          NO   *
2025-03-27 22:30:33.907 CST [31489/T29654] DEBUG_ANY: * RESERVED:       NO   *
2025-03-27 22:30:33.907 CST [31489/T29654] DEBUG_ANY: * NTP:            NO   *
2025-03-27 22:30:33.907 CST [31489/T29654] DEBUG_ANY: * NETLINK:        NO   *
2025-03-27 22:30:33.907 CST [31489/T29654] DEBUG_ANY: ************************
2025-03-27 22:30:33.920 CST [31489/T29654] INFO: Wrote config file:
2025-03-27 22:30:33.920 CST [31489/T29654] INFO:  - 153 total entries
2025-03-27 22:30:33.921 CST [31489/T29654] INFO:  - 131 entries are default
2025-03-27 22:30:33.921 CST [31489/T29654] INFO:  - 22 entries are modified
2025-03-27 22:30:33.921 CST [31489/T29654] INFO:  - 0 entries are forced through environment
2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: **** new UDP IPv4 query[A] query "doubleclick.net" from eth0/192.168.123.33#34758 (ID 450, FTL 18082, src/dnsmasq/forward.c:1899)
2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: Set global cache status to 2
2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked
2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: **** got cache reply: doubleclick.net is 142.250.204.46 (ID 450, src/dnsmasq/rfc1035.c:2127)
2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: DNS cache: A/192.168.123.33/doubleclick.net -> CACHE, no expiry
2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: Set reply to IP (4) in src/dnsmasq_interface.c:2330
2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: FTL_CNAME called with: src = doubleclick.net, dst = doubleclick.net, id = 450
2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: Set global cache status to 3
2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked
2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: Query 450: CNAME doubleclick.net ---> doubleclick.net
2025-03-27 22:30:44.642 CST [31489M] DEBUG_QUERIES: **** new UDP IPv4 query[AAAA] query "doubleclick.net" from eth0/192.168.123.33#45512 (ID 451, FTL 18083, src/dnsmasq/forward.c:1899)
2025-03-27 22:30:44.642 CST [31489M] DEBUG_QUERIES: Set global cache status to 2
2025-03-27 22:30:44.642 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked
2025-03-27 22:30:44.642 CST [31489M] DEBUG_QUERIES: **** got cache reply: doubleclick.net is 2404:6800:4012:9::200e (ID 451, src/dnsmasq/rfc1035.c:2127)
2025-03-27 22:30:44.643 CST [31489M] DEBUG_QUERIES: DNS cache: AAAA/192.168.123.33/doubleclick.net -> CACHE, no expiry
2025-03-27 22:30:44.643 CST [31489M] DEBUG_QUERIES: Set reply to IP (4) in src/dnsmasq_interface.c:2330
2025-03-27 22:30:44.643 CST [31489M] DEBUG_QUERIES: FTL_CNAME called with: src = doubleclick.net, dst = doubleclick.net, id = 451
2025-03-27 22:30:44.643 CST [31489M] DEBUG_QUERIES: Set global cache status to 3
2025-03-27 22:30:44.643 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked
2025-03-27 22:30:44.643 CST [31489M] DEBUG_QUERIES: Query 451: CNAME doubleclick.net ---> doubleclick.net
2025-03-27 22:30:46.688 CST [31489M] DEBUG_QUERIES: **** new UDP IPv6 query[A] query "doubleclick.net" from eth0/fd12:a987:4321:5678:192:168:123:33#34442 (ID 452, FTL 18084, src/dnsmasq/forward.c:1899)
2025-03-27 22:30:46.688 CST [31489M] DEBUG_QUERIES: Set global cache status to 1
2025-03-27 22:30:46.688 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as gravity blocked
2025-03-27 22:30:46.688 CST [31489M] DEBUG_QUERIES: Preparing reply for "doubleclick.net"
2025-03-27 22:30:46.689 CST [31489M] DEBUG_QUERIES: Setting EDE: blocked (15) + "gravity"
2025-03-27 22:30:46.689 CST [31489M] DEBUG_QUERIES:   Adding RR: "doubleclick.net A 0.0.0.0"
2025-03-27 22:30:46.689 CST [31489M] DEBUG_QUERIES: **** got cache reply: doubleclick.net is 0.0.0.0 (ID 452, src/dnsmasq_interface.c:496)
2025-03-27 22:30:46.689 CST [31489M] DEBUG_QUERIES: Set reply to IP (4) in src/dnsmasq_interface.c:2330
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: **** new UDP IPv6 query[AAAA] query "doubleclick.net" from eth0/fd12:a987:4321:5678:192:168:123:33#48281 (ID 453, FTL 18085, src/dnsmasq/forward.c:1899)
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: Set global cache status to 1
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as gravity blocked
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: Preparing reply for "doubleclick.net"
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: Setting EDE: blocked (15) + "gravity"
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES:   Adding RR: "doubleclick.net AAAA ::"
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: **** got cache reply: doubleclick.net is :: (ID 453, src/dnsmasq_interface.c:531)
2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: Set reply to IP (4) in src/dnsmasq_interface.c:2330
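The FTL.log excerpt above shows the same domain resolved as "not to be blocked" for the client's IPv4 source address and "gravity blocked" for its IPv6 source address. The following is an added example (not Pi-hole or FTL code) that parses those DEBUG_QUERIES line shapes and flags exactly that situation: a domain that is allowed for one address of a device but blocked for another address of the same device. The address-to-MAC mapping is a constructed stand-in for Pi-hole's network table (in practice it would be read from pihole-FTL.db); the sample log lines are copied from the excerpt above.

```python
"""Flag per-device policy mismatches in Pi-hole FTL DEBUG_QUERIES output.

Added example for this issue thread; not Pi-hole/FTL code. The two line shapes
matched below ("**** new ... query[TYPE] query "domain" from iface/addr#port (ID n, ..."
and "domain is known as <verdict>") are taken from the FTL v6.0.4 log pasted above.
"""
import re
from collections import defaultdict

NEW_QUERY = re.compile(
    r'DEBUG_QUERIES: \*\*\*\* new (?P<proto>UDP|TCP) (?P<family>IPv4|IPv6) '
    r'query\[(?P<qtype>[A-Z]+)\] query "(?P<domain>[^"]+)" '
    r'from (?P<iface>[^/]+)/(?P<client>[^#]+)#\d+ \(ID (?P<qid>\d+),'
)
VERDICT = re.compile(r'DEBUG_QUERIES: (?P<domain>\S+) is known as (?P<verdict>.+?)\s*$')

# Constructed stand-in for the network table: both addresses belong to the
# device from the report (MAC and addresses as given in the issue text).
CLIENT_TO_MAC = {
    "192.168.123.33": "60:12:34:56:78:9A",
    "fd12:a987:4321:5678:192:168:123:33": "60:12:34:56:78:9A",
}

# Sample input: lines copied from the FTL.log excerpt in the thread.
SAMPLE_LOG = [
    '2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: **** new UDP IPv4 query[A] query "doubleclick.net" from eth0/192.168.123.33#34758 (ID 450, FTL 18082, src/dnsmasq/forward.c:1899)',
    '2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: Set global cache status to 2',
    '2025-03-27 22:30:44.640 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked',
    '2025-03-27 22:30:44.641 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked',
    '2025-03-27 22:30:44.642 CST [31489M] DEBUG_QUERIES: **** new UDP IPv4 query[AAAA] query "doubleclick.net" from eth0/192.168.123.33#45512 (ID 451, FTL 18083, src/dnsmasq/forward.c:1899)',
    '2025-03-27 22:30:44.642 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as not to be blocked',
    '2025-03-27 22:30:46.688 CST [31489M] DEBUG_QUERIES: **** new UDP IPv6 query[A] query "doubleclick.net" from eth0/fd12:a987:4321:5678:192:168:123:33#34442 (ID 452, FTL 18084, src/dnsmasq/forward.c:1899)',
    '2025-03-27 22:30:46.688 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as gravity blocked',
    '2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: **** new UDP IPv6 query[AAAA] query "doubleclick.net" from eth0/fd12:a987:4321:5678:192:168:123:33#48281 (ID 453, FTL 18085, src/dnsmasq/forward.c:1899)',
    '2025-03-27 22:30:46.692 CST [31489M] DEBUG_QUERIES: doubleclick.net is known as gravity blocked',
]


def is_blocked(verdict):
    """True for verdicts such as "gravity blocked"; False for "not to be blocked"."""
    return "blocked" in verdict and not verdict.startswith("not ")


def parse_ftl_log(lines):
    """Return one record per query: qid, family, qtype, client, domain, verdict.

    Verdict lines carry no query ID, so each is attributed to the most recently
    opened query (FTL writes these sequentially). Only the first verdict per
    query is kept; the repeat after the CNAME inspection is ignored.
    """
    records, current = [], None
    for line in lines:
        m = NEW_QUERY.search(line)
        if m:
            current = {"qid": int(m["qid"]), "family": m["family"], "qtype": m["qtype"],
                       "client": m["client"], "domain": m["domain"], "verdict": None}
            continue
        m = VERDICT.search(line)
        if m and current and current["verdict"] is None and m["domain"] == current["domain"]:
            current["verdict"] = m["verdict"]
            records.append(current)
    return records


def find_policy_mismatches(records, client_to_mac):
    """Group verdicts by (MAC, domain); report domains both allowed and blocked for one device."""
    by_key = defaultdict(lambda: {"allowed_from": set(), "blocked_from": set()})
    for r in records:
        mac = client_to_mac.get(r["client"])
        if mac is None:
            continue  # address unknown to the (constructed) network table
        side = "blocked_from" if is_blocked(r["verdict"]) else "allowed_from"
        by_key[(mac, r["domain"])][side].add(r["client"])
    mismatches = []
    for (mac, domain), sides in sorted(by_key.items()):
        if sides["allowed_from"] and sides["blocked_from"]:
            mismatches.append({"mac": mac, "domain": domain,
                               "allowed_from": sorted(sides["allowed_from"]),
                               "blocked_from": sorted(sides["blocked_from"])})
    return mismatches


if __name__ == "__main__":
    for mm in find_policy_mismatches(parse_ftl_log(SAMPLE_LOG), CLIENT_TO_MAC):
        print(f"{mm['mac']} {mm['domain']}: allowed from {mm['allowed_from']}, "
              f"blocked from {mm['blocked_from']}")
```

On a real system the same functions can be fed `/var/log/pihole/FTL.log` with `debug.queries` enabled, and a mapping built from the client list; any mismatch reported means the two addresses of one device were evaluated under different group policies, which is the symptom this issue describes.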

@yubiuser
Member

Please generate a debug log and post the token here.

@SuperdukeGates
Author

This problem seems to be intermittent. I can't reproduce this problem for now.

I'm trying to find out more precise reproduction steps and will post them here later.

@SuperdukeGates
Author

I followed the Readme.md to install a new pihole in a Linux Mint 21.1 virtual machine. This time the pihole runs in an x86_64 virtual machine.

I guess the problem seems to happen in the network table (I don't know the real term) expiration mechanism inside the pihole system (FTL?). I could not reproduce the problem until I changed the upstream DNS servers to my own (in-LAN) recursive DNS resolver (ISC BIND 9), which is able to reverse-resolve my LAN IPv4 addresses, and unchecked Never forward reverse lookups for private IP ranges. And yes, my original pihole also had this option unchecked.

I think the key point is not my own DNS server but forwarding reverse lookups for private IP ranges, and my DNS server can do this.

Besides, I tried to have my client get a new random MAC address and added a new Client with this MAC address in the BLANK group. Eventually, I could reproduce this problem.

But after I applied the same procedure to add another Client, i.e. by MAC address and with only the BLANK group, the problem was gone for the previously added Client. I have to renew my MAC address and repeat the procedure to reproduce this problem.

So the reproduction steps:

  1. Install pihole and configure it as described above. I'll also paste the pihole.toml at the bottom of this comment. (ipv4: 192.168.123.1, ipv6: fd12:a987:4321:5678:192:168:123:1)
  2. Make sure the client has a fresh MAC address.
  3. Add a Group called BLANK, for example.
  4. Add the client's MAC address to Clients with only BLANK as the group.
  5. Use the client to resolve a blocked domain name, nslookup doubleclick.net 192.168.123.1; this should resolve normally.
  6. Use the client to resolve a blocked domain name, nslookup doubleclick.net fd12:a987:4321:5678:192:168:123:1; this might be blocked. This is the problem we got.

The pihole.toml:

[dns]
  upstreams = [
    "192.168.123.201",
    "192.168.123.202"
  ] ### CHANGED, default = []
  CNAMEdeepInspect = true
  blockESNI = true
  EDNS0ECS = true
  ignoreLocalhost = false
  showDNSSEC = true
  analyzeOnlyAandAAAA = false
  piholePTR = "PI.HOLE"
  replyWhenBusy = "ALLOW"
  blockTTL = 2
  hosts = []
  domainNeeded = true ### CHANGED, default = false
  expandHosts = false
  domain = "lan"
  bogusPriv = false ### CHANGED, default = true
  dnssec = false
  interface = ""
  hostRecord = ""
  listeningMode = "LOCAL"
  queryLogging = true
  cnameRecords = []
  port = 53
  revServers = []
  [dns.cache]
    size = 10000
    optimizer = -1 ### CHANGED, default = 3600
    upstreamBlockedTTL = 86400
  [dns.blocking]
    active = true
    mode = "NULL"
    edns = "TEXT"
  [dns.specialDomains]
    mozillaCanary = true
    iCloudPrivateRelay = true
    [dns.reply.host]
      force4 = false
      IPv4 = ""
      force6 = false
      IPv6 = ""
    [dns.reply.blocking]
      force4 = false
      IPv4 = ""
      force6 = false
      IPv6 = ""
  [dns.rateLimit]
    count = 1000
    interval = 60
[dhcp]
  active = false
  start = ""
  end = ""
  router = ""
  netmask = ""
  leaseTime = ""
  ipv6 = false
  rapidCommit = false
  multiDNS = false
  logging = false
  ignoreUnknownClients = false
  hosts = []
  [ntp.ipv4]
    active = false ### CHANGED, default = true
    address = ""
  [ntp.ipv6]
    active = false ### CHANGED, default = true
    address = ""
  [ntp.sync]
    active = true
    server = "pool.ntp.org"
    interval = 3600
    count = 8
    [ntp.sync.rtc]
      set = false
      device = ""
      utc = true
[resolver]
  resolveIPv4 = true
  resolveIPv6 = false ### CHANGED, default = true
  networkNames = false ### CHANGED, default = true
  refreshNames = "IPV4_ONLY"
[database]
  DBimport = true
  maxDBdays = 91
  DBinterval = 60
  useWAL = true
  [database.network]
    parseARPcache = true
    expire = 91
[webserver]
  domain = "pi.hole"
  acl = ""
  port = "80o,443os,[::]:80o,[::]:443os"
  threads = 50
  headers = [
    "Content-Security-Policy: default-src 'self' 'unsafe-inline';",
    "X-Frame-Options: DENY",
    "X-XSS-Protection: 0",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: strict-origin-when-cross-origin"
  ]
  [webserver.session]
    timeout = 1800
    restore = true
  [webserver.tls]
    cert = "/etc/pihole/tls.pem"
  [webserver.paths]
    webroot = "/var/www/html"
    webhome = "/admin/"
  [webserver.interface]
    boxed = true
    theme = "default-auto"
  [webserver.api]
    max_sessions = 16
    prettyJSON = false
    pwhash = "$BALLOON-SHA256$v=1$s=1024,t=32$7bHhh+vCP0xWjPoYyFQTlQ==$A94lOtPN9+TtJ5bz3ntn8geHj6khAriCwTCaqcvCQx4=" ### CHANGED, default = ""
    totp_secret = ""
    app_pwhash = ""
    app_sudo = false
    cli_pw = true
    excludeClients = []
    excludeDomains = []
    maxHistory = 86400
    maxClients = 10
    client_history_global_max = true
    allow_destructive = true
    [webserver.api.temp]
      limit = 60.000000
      unit = "C"
[files]
  pid = "/run/pihole-FTL.pid"
  database = "/etc/pihole/pihole-FTL.db"
  gravity = "/etc/pihole/gravity.db"
  gravity_tmp = "/tmp"
  macvendor = "/etc/pihole/macvendor.db"
  setupVars = "/etc/pihole/setupVars.conf"
  pcap = ""
  [files.log]
    ftl = "/var/log/pihole/FTL.log"
    dnsmasq = "/var/log/pihole/pihole.log"
    webserver = "/var/log/pihole/webserver.log"
[misc]
  privacylevel = 0
  delay_startup = 0
  nice = -10
  addr2line = true
  etc_dnsmasq_d = false
  dnsmasq_lines = []
  extraLogging = false
  readOnly = false
  [misc.check]
    load = true
    shmem = 90
    disk = 90
[debug]
  database = false
  networking = false
  locks = false
  queries = false
  flags = false
  shmem = false
  gc = false
  arp = false
  regex = false
  api = false
  tls = false
  overtime = false
  status = false
  caps = false
  dnssec = false
  vectors = false
  resolver = false
  edns0 = false
  clients = false
  aliasclients = false
  events = false
  helper = false
  config = false
  inotify = false
  webserver = false
  extra = false
  reserved = false
  ntp = false
  netlink = false
  all = false

By the way, I didn't notice this problem until a user complained about it to me. His problem is that the mobile game ads get blocked, so he cannot earn bonus points. But the ads were not always blocked: sometimes fine, but sometimes blocked.
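Because the reporter describes the behaviour as intermittent, steps 5 and 6 above are worth repeating mechanically rather than by hand. The following is an added example (not Pi-hole code) that queries the Pi-hole over its IPv4 and IPv6 addresses from the thread, classifies each answer for the `mode = "NULL"` blocking mode shown in the pihole.toml (0.0.0.0 for A, :: for AAAA) and reports any round where the two transports disagree. It assumes `dig` is installed on the client; the number of rounds and the 3-second timeout are arbitrary choices of this example.

```python
"""Compare Pi-hole block decisions reached over IPv4 and over IPv6.

Added example for the reproduction steps in this thread; not Pi-hole code.
Assumes `dig` (bind-utils/dnsutils) is available. The server addresses and
test domain are the ones used in the thread; NULL blocking mode is assumed
(matches `mode = "NULL"` in the pasted pihole.toml).
"""
import subprocess

PIHOLE_V4 = "192.168.123.1"
PIHOLE_V6 = "fd12:a987:4321:5678:192:168:123:1"
NULL_ANSWERS = {"A": "0.0.0.0", "AAAA": "::"}   # Pi-hole NULL mode sentinels


def classify(qtype, answers):
    """Classify `dig +short` output lines as 'blocked', 'allowed' or 'empty'."""
    answers = [a.strip() for a in answers if a.strip()]
    if not answers:
        return "empty"      # SERVFAIL, timeout, NXDOMAIN: nothing to compare
    if all(a == NULL_ANSWERS[qtype] for a in answers):
        return "blocked"    # only the null sentinel came back
    return "allowed"


def dig_short(server, domain, qtype, timeout=3):
    """Run dig +short against one server address (IPv6 literal works without brackets)."""
    proc = subprocess.run(
        ["dig", "+short", f"+time={timeout}", "+tries=1", "@" + server, domain, qtype],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


def compare_transports(v4_answers, v6_answers, qtype):
    """Return (v4_verdict, v6_verdict, mismatch); empty answers never count as a mismatch."""
    v4 = classify(qtype, v4_answers)
    v6 = classify(qtype, v6_answers)
    return v4, v6, (v4 != v6 and "empty" not in (v4, v6))


def probe(domain, rounds=3):
    """Query both addresses `rounds` times for A and AAAA; returns per-query tuples."""
    results = []
    for _ in range(rounds):
        for qtype in ("A", "AAAA"):
            v4 = dig_short(PIHOLE_V4, domain, qtype)
            v6 = dig_short(PIHOLE_V6, domain, qtype)
            results.append((qtype,) + compare_transports(v4, v6, qtype))
    return results


if __name__ == "__main__":
    for qtype, v4, v6, mismatch in probe("doubleclick.net"):
        flag = "  <-- group policy differs between IPv4 and IPv6 client address" if mismatch else ""
        print(f"{qtype:<5} via {PIHOLE_V4}: {v4:<8} via {PIHOLE_V6}: {v6:<8}{flag}")
```

Run it from the client that was added by MAC address; a line flagged as a mismatch corresponds to the "resolved normally over IPv4, blocked over IPv6" outcome in step 6. Empty answers are deliberately not treated as a mismatch so that a transient timeout on one transport does not masquerade as the policy bug.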
