HTTP(S) connections (without DNS) to certain hosts are blocked (by ISP?)

[yuukiAme]

Creating a bug report/issue

• I have searched the existing open and closed issues

Required Information

• DietPi version | cat /boot/dietpi/.version

root@DietPi:~# cat /boot/dietpi/.version
cat /boot/dietpi/.version
G_DIETPI_VERSION_CORE=9
G_DIETPI_VERSION_SUB=3
G_DIETPI_VERSION_RC=0
G_GITBRANCH='master'
G_GITOWNER='MichaIng'

• Distro version | echo $G_DISTRO_NAME $G_RASPBIAN

root@DietPi:~# echo $G_DISTRO_NAME $G_RASPBIAN
bookworm 0

• Kernel version | uname -a

root@DietPi:~# uname -a
Linux DietPi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux

• SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)

root@DietPi:~# echo $G_HW_MODEL_NAME
RPi 4 Model B (aarch64)

• Power supply used | (EG: 5V 1A RAVpower)

Raspberry Pi Power supply 5V 3A

• SD card used | (EG: SanDisk ultra)

SanDisk Ultra 64G

Additional Information (if applicable)

• Software title

PiVPN

• Was the software title installed freshly or updated/migrated?

Freshly installed

• Can this issue be replicated on a fresh installation of DietPi?

Not sure.

• Bug report ID | echo $G_HW_UUID

root@DietPi:~# echo $G_HW_UUID
c16aa61b-b23a-4d7c-adcd-91591412a10b

Steps to reproduce

1. install Dietpi image on RPi

2. apt update && apt upgrade -y

3. dietpi-launcher

4. install Pi-hole, Unbound, activate DoT with the conf from Dietpi Docs

5. install pivpn, wireguard, setup DNS support with Pi-Hole ,add user, scan QR code

6. add conf file to a device (e.g: an Android phone) to connect to pivpn OUTSIDE of the network

7. check for the websites that is KNOWN to be blocked like 18+ sites, see if it returns query on unbound, load the content on the browser within my Local Network, meaning the DoT is working because my DNS query is encrypted and returned to Unbound with no issue.

8. Turn on Wireguard VPN on the device in Step 6

9. check if the known blocked website works and contents are loaded in the browser.

Expected behaviour

It should load all the contents of the website in the browser.

Actual behaviour

The browser will not load any content and return an error like "Unable to connect". Like an unencrypt query was rejected by the ISP DNS.

Extra details

I can use Pi-Hole with Unbound (activated DoT (DNS over TLS)). I can browse normally to any websites I want other than the block list inside Pi-Hole.
My country required ISP to blocks certain websites from their own DNS. So ISP will allow your network to query the website, but it will reject the content of the website.

Help me to troubleshoot if PiVPN is leaking the query because when I access my network over PiVPN, it behaves exactly like when I access the blocked websites WITHOUT Pi-Hole and Unbound DoT which mean my query to unencrypted and intercept by my ISP.

My question is:

How do I check/troubleshoot PiVPN whether it is encrypting my query to Pi-Hole and Unbound on port 5335 or leaving the query unencrypted like port 53?

[Joulinar]

We should clarify a few basic things at the beginning.

When using a VPN such as Wireguard (PiVPN is only an interface on the server for managing clients), all traffic between the VPN client and VPN server is always encrypted. It doesn't matter what it is. Therefore, all requests, including DNS, between your mobile phone and your server are encrypted.

Communication between PiHole and Unbound is always unencrypted. However, this does not matter, as this only takes place on the server.

DNS requests between Unbound and the upstream DoT server, on the other hand, are encrypted again via TLS protocol.

Normally there should be no difference for DNS requests between a mobile phone via VPN or a client in the local network, as all requests first go to the PiHole and then to Unbound.

The chain actually looks like this: Client > (VPN) > PiHole > Unbound > Upstream DNS (via DoT)

Translated with DeepL.com (free version)

[yuukiAme]

We should clarify a few basic things at the beginning.

When using a VPN such as Wireguard (PiVPN is only an interface on the server for managing clients), all traffic between the VPN client and VPN server is always encrypted. It doesn't matter what it is. Therefore, all requests, including DNS, between your mobile phone and your server are encrypted.

Communication between PiHole and Unbound is always unencrypted. However, this does not matter, as this only takes place on the server.

DNS requests between Unbound and the upstream DoT server, on the other hand, are encrypted again via TLS protocol.

Normally there should be no difference for DNS requests between a mobile phone via VPN or a client in the local network, as all requests first go to the PiHole and then to Unbound.

The chain actually looks like this: Client > (VPN) > PiHole > Unbound > Upstream DNS (via DoT)

Translated with DeepL.com (free version)

I understand all that. Thanks for the clarification. So my current VPN traffic should be encrypted. Only the traffics from Pi-hole and Unbound is unencrypted.

Then what exactly can I do to test and find out why my query fails to certain websites in my VPN? Yet my traffic in local network works as intended.

[Joulinar]

Check whether all traffic from the VPN client to the VPN server goes through the tunnel or whether only a split tunnel is active. AllowedIPs = 0.0.0.0/0 should be set in the Wireguard client configuration.

[MichaIng]

WireGuard (clients) have a setting DNS to enforce a different DNS server to query, which makes sense since a local one might not be reachable when traffic is forced through the tunnel. If your PiVPN is running on the same server which hosts Pi-hole, use the WireGuard-internal VPN server IP with this setting.

Note that this is only a client-side setting, same as whether all traffic is forced through the VPN, requests to the server-side LAN or the server itself only. So it is all about how the clients are configured.

Ah, and don't forget to allow "All origins" in Pi-hole for DNS queries. By default it allows queries only from the LAN/main interface of the server, hence blocks queries form any VPN interface.

EDIT: Use AllowedIPs = 0.0.0.0/0, ::/0 at best (if you really want all traffic to be passed through the VPN) to assure IPv6 is as well forced through the tunnel. Else, if IPv6 is enabled on the client, all traffic to IPv6-enabled hosts would bypass the VPN.

[yuukiAme]

Check whether all traffic from the VPN client to the VPN server goes through the tunnel or whether only a split tunnel is active. AllowedIPs = 0.0.0.0/0 should be set in the Wireguard client configuration.

From my Wireguard client conf

[Interface]
PrivateKey = iCHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHcHE=
Address = 10.9.82.2/24
DNS = 10.9.82.1

[Peer]
PublicKey = FkPLcT0Nyt3JJJJJJJJJ+TMJAPwxEaxYOrcNTs=
PresharedKey = P292QilxCCCCCCCCCCCCCCCCCru4pkHzzPqCpK4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example.domain.com:51820

Ignore the PrivateKey , PublicKey, and PresharedKey, I changed to hide the actual value. So I definitely have AllowedIPs = 0.0.0.0/0, ::/0

[yuukiAme]

WireGuard (clients) have a setting DNS to enforce a different DNS server to query, which makes sense since a local one might not be reachable when traffic is forced through the tunnel. If your PiVPN is running on the same server which hosts Pi-hole, use the WireGuard-internal VPN server IP with this setting.

Note that this is only a client-side setting, same as whether all traffic is forced through the VPN, requests to the server-side LAN or the server itself only. So it is all about how the clients are configured.

Ah, and don't forget to allow "All origins" in Pi-hole for DNS queries. By default it allows queries only from the LAN/main interface of the server, hence blocks queries form any VPN interface.

EDIT: Use AllowedIPs = 0.0.0.0/0, ::/0 at best (if you really want all traffic to be passed through the VPN) to assure IPv6 is as well forced through the tunnel. Else, if IPv6 is enabled on the client, all traffic to IPv6-enabled hosts would bypass the VPN.

It's a full tunnel, which allows access to everything within the network. I can use http://pi.hole/admin, even SSH into any VM or server I have in my local network, e.g. Nginx Proxy and Portainer, etc...

I checked the public IP address and it's the same as the one from the Local Network, not the coffee shop public IP address or LTE Public IP.
I also checked the dnsleaktest and they all reported that it is using Cloudflare DNS which is my upstream DNS inside of Unbound.

[MichaIng]

I also checked the dnsleaktest and they all reported that it is using Cloudflare DNS which is my upstream DNS inside of Unbound.

Hmm, then I do not understand what the issue is, when clients do in fact use that Pi-hole instance as DNS server through the VPN. If those are Linux/UNIX clients, can you check /etc/resolv.conf, whether 10.9.82.1 is really the only namesever entry?

[yuukiAme]

can you check /etc/resolv.conf

root@DietPi:~# cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.0.0.1

[MichaIng]

I mean on the client(s).

[yuukiAme]

I mean on the client(s).

RIP. it's an iPhone.
I also have an Android phone with Termux installed. Give me a few minutes to setup another pivpn client on that Android device.

[yuukiAme]

The Termux doesn't work with cat /etc/resolv.conf. Nevermind.

Any other methods?

[Joulinar]

From your mobile phone, you should see the DNS queries inside the PiHole log. Do you? Even for the website in question. If this is the case, DNS resolution is working fine.

[MichaIng]

Yes, especially check whether you see a query log entry for those cases, where a website is blocked, while you expect it to be accessible thanks to the VPN DNS.

Ah, and also check whether the related browser has DoH enabled, which would bypass the system DNS and VPN.

[yuukiAme]

From your mobile phone, you should see the DNS queries inside the PiHole log. Do you? Even for the website in question. If this is the case, DNS resolution is working fine.

@Joulinar Yes, I can access Pi-hole over the VPN, use the http://pi.hole/admin/, and log in the admin panel, see the query log with my client name called wireguard.pivpn. DNS resolution is definitely working. I even check with SSH into the pi (over VPN), use dig to check Unbound issues. I even checked the Pi-hole > Tools > Search Adlists, to make sure none of my blocklists blocked the exact domain I want to test.

@MichaIng For sure, the DoH, I always check that one off within the browser, on Android 13 and later, inside its Settings, it has Private DNS. I made sure to turn that off first, not even Automatic.

[Joulinar]

Question was if you see inside PiHole log the DNS request for the website not working. If this is the case, DNS resolution is not your problem.

[yuukiAme]

Question was if you see inside PiHole log the DNS request for the website not working. If this is the case, DNS resolution is not your problem.

@Joulinar
I used another Android device named ai, connected over VPN and test out an 18+ site

Pi-hole logged the query

Screenshot on my Tablet device named ai- ai.pivpn

On my PC, with pornhub.com cache, no VPN

[Joulinar]

yes DNS resolution is working, so it's something else. Like the browser escaping the VPN tunnel

[yuukiAme]

Like the browser escaping the VPN tunnel

And exactly like how my browser behaves when my query was unencrypted (without Unbound DoT) using 1.1.1.1 at port 53 so my ISP DNS rejects the query. So that's why I'm stuck here. Wondering if PiVPN is "leaking" the query. But I know it shouldn't be.

[Joulinar]

It's not a DNS issue as you see the query inside PiHole. As well it is forward to Unbound according your PiHole screen shot. It's not the DNS query escaping but somehow the browser not using to VPN to access the website.

[yuukiAme]

I thought it was a fluke with Firefox. So I installed Vivaldi Browser for Android. I went into Vivaldi Settings > Privacy and security > and disabled use secure DNS : Off

I deliberately clicked on a Vivaldi bookmark added that I know for sure is in the blocklist. It blocked it successfully. But I tried with pornhub.com and the content is never delivered like Firefox.

I think you're right, @Joulinar .

the browser not using to VPN to access the website.

The browser is clearly using the Pi-hole DNS inside the VPN, but the domains blocked by my country is not working inside it.

[MichaIng]

Can you check whether the IP address pornhub.com is resolved to, is the same when accessing from your PC (within your LAN) and when accessing from the VPN client? If both get the same IP address, and all traffic of the client is passed through the VPN, I have no idea how the client could behave any differently. The browser should not be able to bypass the VPN, at least not when using accessing public/routable IP address. Other than DNS, network traffic/routes are enforced at system level.

And you are sure that Unbound is configured to use DoT? Compare with our docs: https://dietpi.com/docs/software/dns_servers/#__tabbed_2_5

Btw, on your PC pornhub.com works since you use DoH there?

[yuukiAme]

Can you check whether the IP address pornhub.com is resolved to, is the same when accessing from your PC (within your LAN) and when accessing from the VPN client?

on PC - LAN
Result: Working as intended

on Tablet (Android) - VPN
Result : Blocked

It's using the same IP address. The Cache is from the first query from PC.

And you are sure that Unbound is configured to use DoT? Compare with our docs: https://dietpi.com/docs/software/dns_servers/#__tabbed_2_5

Yes. I was troubleshooting another problem with domain end in .site with NLnetLabs/Unbound yesterday on Github. Issue here

Btw, on your PC pornhub.com works since you use DoH there?

Yup. It works. Same with other 18+ sites and news sites that my countries blocked.

[MichaIng]

Interesting, the LAN client seems to send a DoH query to Pi-hole, which is forwarded to Unbound, if I understand the "HTTPS" query type correctly?

However, so the A type query is answered as intended, works for the LAN client, is cached as intended, and hence answered from cache to the VPN client, but does not work there.

Confusing, indeed. The Android tablet is currently also located in your LAN, just using the VPN (unnecessarily, for testing), right? So that really only enabling the VPN makes the difference?

[yuukiAme]

Interesting, the LAN client seems to send a DoH query to Pi-hole, which is forwarded to Unbound, if I understand the "HTTPS" query type correctly?

I don't have DoH enabled for this network at all. Only Pi-Hole with Unbound DoT. I understand the difference between them. Like how Adguard-DNS / Adguard Home using DNS-over-HTTPS with their SSL cert and privatekey in Encryption Settings.

The Android tablet is currently also located in your LAN, just using the VPN (unnecessarily, for testing), right? So that really only enabling the VPN makes the difference?

I have 3 different ways of connecting to the internet.

1. Network number 1 have Pi-Hole with Unbound DoT and PiVPN
2. Network number 2 for my family uses, have no DNS server, or anything. Just ISP modem/router combo. So ISP can see my unencrypted query easily and reject it.
3. 4G/LTE from my phones.

So I use the Tablet connected to Network number 2 and turn on Wireguard app to connect to PiVPN and it connected to Network number 1 and I open pornhub.com in my Firefox browser and it's blocked.

I tried the exact same thing with 4G/LTE network as above. Same result.

Which led me to the Title of the issue "Leak DNS query over VPN connection". I know it isn't true.
That's why I'm asking for help to find faults in my understanding with PiVPN and disprove the title.

EDIT: changed # to number because Github pinged other issue numbers.

[MichaIng]

PiVPN means a (regular) WireGuard server in your case. Might be important when you check for answers elsewhere. PiVPN is only the installer, and the CLI to create client configs, otherwise it has no effect on the VPN.

With AllowedIPs = 0.0.0.0/0, ::/0, leaking the DNS query or anything else should not be possible. This creates a route which forces every routable request through the VPN. Only requests to local/LAN range IP addresses can then bypass the VPN. A killswitch can be used to prevent that as well. So I think, whatever happens, it happens at the VPN server/LAN side. We see the DNS query at Pi-hole, so that does not seem to be the issue. Probably traffic from the pornhub.com IP is blocked, not the DNS query, but that should apply for any other request from LAN the same way.

Maybe best to use tcpdump at the server, so see which requests are coming and going from the VPN client. Also, when you temporarily switch to using Pi-hole as DNS resolver for the VPN/Pi-hole server itself (/etc/resolv.conf), does accessing pornhub.com via curl work?

[yuukiAme]

when you temporarily switch to using Pi-hole as DNS resolver for the VPN/Pi-hole server itself (/etc/resolv.conf), does accessing pornhub.com via curl work?

output

root@DietPi:~# nslookup pornhub.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   pornhub.com
Address: 66.254.114.41

follow up output with curl

root@DietPi:~# curl pornhub.com
<!DOCTYPE html>
<html>
<header><title>404 Page</title></header>
<body>
<font size="6"><b>We're sorry but the page you're looking for could not be found!!!!!</b></font>
</body>
</html>

which is expected because of the transparent DNS query.

I will do the tcpdump later because this will take a while to check.

[yuukiAme]

Wait.
Should I change the Static DNS in Dietpi-config from Cloudflare DNS to to Pi-Hole with unbound DoT itselfinstead?

[Joulinar]

usually, DNS setting in DietPi itself has no relation to PiHole. And best practice is not to change to a local DNS server like PiHole or AGH.

[yuukiAme]

Background: I brought my Macbook Air to the coffee shop. It took a while to setup the Wireguard because of the newer Wireguard cannot be installed from App Store. I had to deal with brew, Wireguard-tools and, wireguard-go

Macbook output /etc/resolv.conf

mac@192 ~ % cat /etc/resolv.conf 
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 10.9.82.1

Macbook output on curl pornhub.com

mac@192 ~ % curl pornhub.com
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>

Macbook requests after using curl pornhub.com being caputure with tcpdump on the Server (Pi-hole)

REMOVED

EDIT: I will remove the tcpdump.txt in a few hours. Because it contains a lot of public IP address that could reveal my location.

[MichaIng]

Hmm, so pornhub is not accessible on the Mac? Was it every accessible there? So instead of comparing VPN with no VPN, we should probably compare Mac and PC, as the PC is the only device where pornhub was ever accessible?

[yuukiAme]

so pornhub is not accessible on the Mac?

True. But if I use Proton VPN, it will work.

Was it every accessible there?

Not sure what this comment means.

we should probably compare Mac and PC, as the PC is the only device where pornhub was ever accessible?

I can confirm that my Xiaomi (Android) and Samsung Tablet (Android) did open www.pornhub.com in Firefox browser on BOTH LAN and VPN connection. Work just like my PC (Windows).

Ignore this.

Test: Devices on Pi-Hole network with Unbound, 3 websites being tested - pornhub, steam, xhamster

Device	Status
O11(Windows)	Pornhub✔Steam✔Xhamster✔
iPhone 10(iOS)	Pornhub❌Steam✔Xhamster✔
iPhone 14(iOS)	Pornhub❌Steam✔Xhamster✔
Xiaomi(Android)	Pornhub✔Steam✔Xhamster✔
Samsung(Android)	Pornhub❌Steam✔Xhamster✔
Macbook(MacOS)	Pornhub❌Steam✔Xhamster✔

Note: Earlier today, Xiaomi could not open www.pornhub.com. But it opens Steam just fine because I use the Steam app on Android.
OMG. I hate these tests. Why is it full of variety? It's so fickle. So much inconsistent.

I only have a laptop that is a Mac and it uses similar commands to Linux and I can move it around to different locations so that's why I chose it to test out VPN vs no VPN.

[MichaIng]

True. But if I use Proton VPN, it will work.

Makes sense, as your ISP then does not see any traffic from your home to pornhub (IP).

Not sure what this comment means.

I mean whether pornhub was ever accessible on the Mac (when not using ProtonVPN or any other public provider).

I only have a laptop that is a Mac and it uses similar commands to Linux and I can move it around to different locations so that's why I chose it to test out VPN vs no VPN.

Good, so we know the (home) VPN is not the reason for the issue, but it also does not prevent it. And encrypted DNS does not resolve it either, since it is the HTTP(S) connection itself which fails. And for now, based on earlier curl and openssl output, pornhub themselves get and answer the request, but the TLS handshake it is somehow not successful.

EDIT: Okay, some more devices are affected, interesting that one Android works, the other one not. Also the DietPi server is affected, getting a 404 response with curl, instead of a redirect. However, so we need to find out what the difference between requests from those devices is.

Can you run the traceroute on Windows like this:

tracert www.pornhub.com

And on the Mac and/or DietPi like this:

apt install mtr
mtr www.pornhub.com

and paste the results? I want to see whether the routes differ at any point. You can mask IPs/hostnames from your LAN, of course.

mtr instead of traceroute on Linux, since in my case the latter has issues finding the route to pornhub, while mtr and tracert (on Windows) succeed, and curl delivers the fill pornhub HTML document successfully.

[yuukiAme]

I mean whether pornhub was ever accessible on the Mac (when not using ProtonVPN or any other public provider).

Never. I hardly ever use this laptop. It's an older Macbook. It has like 4 GB of RAM and Intel duo cores. Super slow. So I never used it to access pornhub.com before yesterday.

traceroute on Windows

C:\Users\PC>tracert www.pornhub.com

Tracing route to pornhub.com [66.254.114.41]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  tplinkwifi.net [192.168.16.1]
  2    21 ms    19 ms    19 ms  O11 [2x.xx.xxx.xxx]
  3     2 ms     1 ms     1 ms  10.255.39.245
  4    21 ms    21 ms    21 ms  O11 [2x.xx.xxx.xxx]
  5    20 ms    24 ms    22 ms  O11 [2x.xx.xxx.xxx]
  6    21 ms    20 ms    20 ms  O11 [2x.xx.xxx.xxx]
  7    46 ms    44 ms    44 ms  O11 [2x.xx.xxx.xxx]
  8    40 ms    40 ms    75 ms  125.xxx.xxx.xxx.isp.domain.com  [125.xxx.xxx.xxx]
  9    39 ms    39 ms    39 ms  213.248.97.50
 10     *        *        *     Request timed out.
 11    40 ms    40 ms    40 ms  62.115.137.243
 12    76 ms    76 ms    76 ms  hnk-b4-link.ip.twelve99.net [62.115.112.223]
 13   245 ms   245 ms   245 ms  tky-b3-link.ip.twelve99.net [62.115.134.187]
 14   242 ms   240 ms   241 ms  lax-b23-link.ip.twelve99.net [62.115.137.108]
 15   241 ms   240 ms   240 ms  lax-b22-link.ip.twelve99.net [62.115.143.39]
 16   245 ms   245 ms   245 ms  haproxy-ic-328269.ip.twelve99-cust.net [213.248.75.179]
 17   230 ms   230 ms   229 ms  cust-reflected-svc11502.ip.reflected.net [64.210.157.119]
 18   245 ms   245 ms   244 ms  reflectededge.reflected.net [66.254.114.41]

Trace complete.

mtr www.pornhub.com

Wow. that's a cool application/software. I like it a lot. Thanks for introducing me to mtr.

output

DietPi (192.168.16.2) -> www.pornhub.com (66.254.114.41)                                       2024-05-08T02:38:53+0700
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                               Packets               Pings
 Host                                                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.16.1                                                              0.0%     5    0.4   0.6   0.4   0.6   0.1
 2. localhost                                                                 0.0%     5    2.0   1.8   1.4   2.0   0.2
 3. 10.255.39.245                                                             0.0%     5    1.7   1.9   1.6   2.6   0.4
 4. localhost                                                                20.0%     5   20.1  21.5  20.1  24.6   2.1
 5. localhost                                                                 0.0%     5   22.0  24.1  20.7  27.5   3.0
 6. localhost                                                                 0.0%     4   20.3  20.5  20.3  20.9   0.3
 7. localhost                                                                 0.0%     4   44.4  44.8  44.4  45.0   0.3
 8. 125.xxx.xxx.xxx.isp.domain.com                                           0.0%     4   40.1  47.8  40.1  70.0  14.8
 9. (waiting for reply)
10. (waiting for reply)
11. 62.115.137.243                                                            0.0%     4   40.3  40.3  40.0  40.5   0.2
12. hnk-b4-link.ip.twelve99.net                                               0.0%     4   76.6  76.9  76.5  77.2   0.4
13. tky-b3-link.ip.twelve99.net                                               0.0%     4  245.7 245.7 245.6 245.8   0.1
14. lax-b23-link.ip.twelve99.net                                              0.0%     4  241.1 241.1 241.0 241.2   0.1
15. lax-b22-link.ip.twelve99.net                                              0.0%     4  245.6 245.4 245.2 245.6   0.2
16. haproxy-ic-328269.ip.twelve99-cust.net                                    0.0%     4  245.8 245.7 245.4 246.1   0.3
17. cust-reflected-svc11502.ip.reflected.net                                  0.0%     4  229.9 232.6 229.8 240.3   5.2
18. reflectededge.reflected.net

They both seem to work.
Note: When I ran mtr on dietpi, the 125.xxx.xxx.xxx.isp.domain.com entry has a high rate of Loss - hovering around 75%-80%. No clue what that means.

Another test mtr on DietPi if I leave it on longer than 30 seconds

                                                 My traceroute  [v0.95]
DietPi (192.168.16.2) -> www.pornhub.com (66.254.114.41)                                       2024-05-08T03:08:42+0700
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                               Packets               Pings
 Host                                                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.16.1                                                              0.0%    27    0.5   0.6   0.4   4.5   0.8
 2. localhost                                                                 0.0%    27    2.3   3.8   1.4  47.8   8.8
 3. 10.255.39.245                                                             0.0%    27    2.0   1.8   1.5   2.4   0.2
 4. localhost                                                                 0.0%    27   21.4  20.9  19.8  21.9   0.6
 5. localhost                                                                 0.0%    27   19.9  22.8  19.5  25.8   2.1
 6. localhost                                                                 0.0%    27   20.6  20.6  20.2  21.6   0.3
 7. localhost                                                                 0.0%    27   44.6  45.0  44.1  46.3   0.7
 8. 125.xxx.xxx.xxx.isp.domain.com                                             0.0%    26   40.2  40.1  39.7  40.9   0.3
 9. 213.248.97.50                                                            84.0%    26   39.5  39.5  39.4  39.7   0.1
10. sng-b7-link.ip.twelve99.net                                              96.0%    26   40.4  40.4  40.4  40.4   0.0
11. 62.115.137.243                                                            0.0%    26   40.4  40.4  39.8  42.9   0.6
12. hnk-b4-link.ip.twelve99.net                                               0.0%    26   76.5  77.3  76.2  81.4   1.5
13. tky-b3-link.ip.twelve99.net                                               0.0%    26  241.6 241.5 241.2 242.0   0.2
14. lax-b23-link.ip.twelve99.net                                              0.0%    26  241.0 241.1 240.6 243.5   0.7
15. lax-b22-link.ip.twelve99.net                                              0.0%    26  241.5 241.1 240.7 241.5   0.2
16. haproxy-ic-328269.ip.twelve99-cust.net                                    0.0%    26  240.9 247.2 240.9 255.9   3.8
17. cust-reflected-svc11502.ip.reflected.net                                  0.0%    26  227.8 227.7 225.1 258.2   6.4
18. reflectededge.reflected.net                                               0.0%    26  241.2 244.7 240.9 245.3   1.1

[yuukiAme]

After brew install mtr and dealing with mtr command not found - I had to create ~/.zshrc to deal with it. I'm good

output for Macbook - without VPN on Pi-Hole network

mac.192 (192.168.16.32) -> www.pornhub.com (66.254.114.41)       2024-05-08T02:50:42
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                      Packets               Pings
 Host                                               Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. tplinkwifi.net                                   0.0%    16    2.2   1.6   1.2   2.3   0.3
 2. localhost                                        0.0%    16    3.2  13.9   2.5  62.3  16.9
 3. 10.255.39.245                                    0.0%    16    3.3   3.2   2.6   4.9   0.5
 4. localhost                                        0.0%    16   21.7  22.4  21.3  23.6   0.7
 5. localhost                                        0.0%    15   28.3  26.1  22.3  28.6   1.9
 6. localhost                                        0.0%    15   21.8  21.8  21.3  23.1   0.5
 7. localhost                                        0.0%    15   47.0  47.1  45.8  52.3   1.6
 8. 125.xxx.xxx.xxx.isp.domain.com                  0.0%    15   45.6  46.6  45.1  56.4   2.7
 9. 213.248.97.50                                   57.1%    15   44.9  45.1  44.9  45.2   0.1
10. (waiting for reply)
11. 62.115.137.243                                   0.0%    15   45.2  42.0  41.0  45.3   1.4
12. hnk-b4-link.ip.twelve99.net                      0.0%    15   77.5  78.5  77.4  84.4   1.8
13. tky-b3-link.ip.twelve99.net                      6.7%    15  246.4 243.5 242.4 247.4   1.7
14. lax-b23-link.ip.twelve99.net                     6.7%    15  246.2 246.4 245.9 247.2   0.4
15. lax-b22-link.ip.twelve99.net                     0.0%    15  242.9 242.2 241.5 243.0   0.4
16. haproxy-ic-328269.ip.twelve99-cust.net           0.0%    15  247.7 250.3 246.1 276.6   8.0
17. cust-reflected-svc11502.ip.reflected.net         0.0%    15  226.3 228.3 226.3 234.9   3.1
18. reflectededge.reflected.net                      0.0%    15  246.0 243.0 241.8 246.3   1.6

output for Macbook - with VPN on Pi-Hole network

mac.192 (10.9.82.3) -> www.pornhub.com (66.254.114.41)              2024-05-08T02:51:57
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                         Packets               Pings
 Host                                                  Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. pi.hole                                             0.0%    12    2.0   2.5   2.0   3.2   0.4
 2. tplinkwifi.net                                      0.0%    12    3.1   2.7   2.3   3.5   0.3
 3. localhost                                           0.0%    12    3.8   5.5   3.6  15.7   3.4
 4. 10.255.39.245                                       0.0%    12    4.2   4.2   3.7   4.9   0.4
 5. localhost                                           0.0%    12   24.3  23.6  22.1  24.6   0.7
 6. localhost                                           0.0%    12   29.1  27.0  22.7  29.9   1.9
 7. localhost                                           0.0%    12   23.1  23.0  22.4  23.7   0.4
 8. localhost                                           0.0%    11   46.8  47.5  46.1  48.9   0.9
 9. 125.xxx.xxx.xxx.isp.domain.com                     0.0%    11   42.2  42.9  41.7  43.9   0.7
10. 213.248.97.50                                      90.0%    11   46.0  46.0  46.0  46.0   0.0
11. (waiting for reply)
12. 62.115.137.243                                      0.0%    11   49.8  47.8  46.6  52.1   1.7
13. hnk-b4-link.ip.twelve99.net                         0.0%    11   78.7  80.6  78.5  90.7   3.8
14. tky-b3-link.ip.twelve99.net                         0.0%    11  257.1 249.0 247.6 257.1   2.7
15. lax-b23-link.ip.twelve99.net                        0.0%    11  245.6 243.6 242.9 245.6   0.7
16. lax-b22-link.ip.twelve99.net                        0.0%    11  243.1 243.4 242.9 243.9   0.3
17. haproxy-ic-328269.ip.twelve99-cust.net              0.0%    11  281.5 251.3 247.6 281.5  10.1
18. cust-reflected-svc11502.ip.reflected.net            0.0%    11  228.8 228.1 227.2 229.4   0.6
19. reflectededge.reflected.net                         0.0%    11  247.3 247.2 247.0 247.7   0.2

[yuukiAme]

Extra tests from Macbook

Test 3: mtr number 3 on network number 2 (not Pi-hole) no VPN - default DNS

192.168.1.106 (127.0.0.1) -> www.pornhub.com (127.0.0.1)                          2024-05-08T03:00:37
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                  Packets               Pings
 Host                                                           Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. localhost                                                    0.0%    15    0.3   0.2   0.1   0.5   0.1

Test 4: mtr number 4 network number 2 with vpn no dns entry in conf file

192.168.1.106 (127.0.0.1) -> www.pornhub.com (127.0.0.1)                            2024-05-08T03:01:31
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                    Packets               Pings
 Host                                                             Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. localhost                                                      0.0%    11    0.1   0.1   0.1   0.2   0.0

Test 5 : mtr number 5 network number 2 with vpn with dns entry 10.9.82.1

mac.local (10.9.82.3) -> www.pornhub.com (66.254.114.41)               2024-05-08T03:02:46
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                    Packets               Pings
 Host                                                             Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. pi.hole                                                        0.0%    11    3.4   3.8   3.4   4.7   0.5
 2. tplinkwifi.net                                                 0.0%    11    4.2   4.2   3.5   5.1   0.4
 3. localhost                                                      0.0%    11    4.8  12.2   4.4  42.8  11.6
 4. 10.255.39.245                                                  0.0%    11    5.3   5.5   5.0   7.2   0.6
 5. localhost                                                      0.0%    11   24.0  24.6  23.6  25.9   0.9
 6. localhost                                                      0.0%    11   26.6  27.6  23.5  32.3   2.6
 7. localhost                                                      0.0%    11   23.9  24.2  23.5  26.0   0.7
 8. localhost                                                      0.0%    10   44.6  44.9  44.0  45.7   0.5
 9. 125.xxx.xxx.xxx.isp.domain.com                                 0.0%    10   49.4  51.0  47.6  71.9   7.4
10. 213.248.97.50                                                 88.9%    10   42.9  42.9  42.9  42.9   0.0
11. (waiting for reply)
12. 62.115.137.243                                                 0.0%    10   44.8  45.5  43.6  49.4   2.3
13. hnk-b4-link.ip.twelve99.net                                    0.0%    10   82.2  81.0  80.0  85.0   1.5
14. tky-b3-link.ip.twelve99.net                                    0.0%    10  249.0 249.2 248.5 250.0   0.5
15. lax-b23-link.ip.twelve99.net                                   0.0%    10  248.7 248.7 248.5 249.2   0.2
16. lax-b22-link.ip.twelve99.net                                   0.0%    10  248.8 249.0 248.4 250.2   0.5
17. haproxy-ic-328269.ip.twelve99-cust.net                         0.0%    10  244.5 244.9 244.3 246.0   0.5
18. cust-reflected-svc11502.ip.reflected.net                       0.0%    10  229.5 234.4 228.8 262.5  10.7
19. reflectededge.reflected.net                                    0.0%    10  248.0 248.3 247.9 249.1   0.4

[MichaIng]

Ah sorry, right, on Mac of course the apt install was nonsense. However, not bad to have the result from the DietPi/Linux system as well.

Yeah, mtr seems to be better than the classic traceroute, not only as it continues to monitor all nodes to get averages, but also since at least in this particular case, from the systems I can test this, traceroute was simply not able to find the route to pornhub.

ISP DNS blocks *.pornhub.com, hence all ends at localhost, makes sense. With any other DNS, the VPN adds the VPN/Pi-hole server as first hop, otherwise has no effect. And also the routes on all devices without VPN are identical. So that is not the difference. Probably it is not even the ISP which blocks this in a way, but the TLS libraries used on those systems somehow have an issue in your particular case. But I am pretty much out of ideas how to further debug.

Just one last test, on the DietPi system, which seem to have been affected as well. Can you test again with curl as well as wget? Both use different TLS libraries. If not the case, use Pi-hole for DNS resolving, as we know it is otherwise blocked by ISP DNS:

cp -a /etc/resolv.conf{,.bak}
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
curl -L https://www.pornhub.com
wget -O- https://www.pornhub.com
mv /etc/resolv.conf{.bak,}

In case of success, both return the full HTML document, which is huge, so do not wonder, and no need to paste that 😄. If it ends with </html>, it was a success, that is all we need to know.

Not sure whether someone on our forum has further ideas how to debug, or in general how requests can be (made) fail in such a way. Otherwise, probably people on some StackExchange site, like https://superuser.com/, have an idea. In case, it makes sense to leave the (home) VPN out of the game. It was a reasonable idea to test whether it helps, but we showed that it is irrelevant in regards of the issue. But that using an encrypted public DNS (like DoH in browser) is required in any case, as the ISP DNS blocks it, is of course important, and that using a public VPN provider fixes the issue on the affected systems, is relevant as well. So it is somehow these particular systems or clients sending the HTTP(S) request through this particular ISP route, having issues, while other systems/clients, sending the same request through the same route, succeed.
EDIT: Ah, you said the Mac fails as well when trying from the coffee shop internet access, right? So the same clients are affected as well when sending from other access points in the same region (?).

An interesting case, so in case you're doing to further debug, I am interested about the outcome. You can ping me on superuser as well (same username).

[yuukiAme]

Just one last test, on the DietPi system, which seem to have been affected as well. Can you test again with curl as well as wget? Both use different TLS libraries. If not the case, use Pi-hole for DNS resolving, as we know it is otherwise blocked by ISP DNS:

cp -a /etc/resolv.conf{,.bak}
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
curl -L https://www.pornhub.com
wget -O- https://www.pornhub.com
mv /etc/resolv.conf{.bak,}

Output on DietPi

root@DietPi:~# cp -a /etc/resolv.conf{,.bak}
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
curl -L https://www.pornhub.com
wget -O- https://www.pornhub.com
mv /etc/resolv.conf{.bak,}
curl: (35) Recv failure: Connection reset by peer
--2024-05-08 04:13:11--  https://www.pornhub.com/
Resolving www.pornhub.com (www.pornhub.com)... 66.254.114.41
Connecting to www.pornhub.com (www.pornhub.com)|66.254.114.41|:443... connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.

With a blinking cursor. Should I Ctrl+C to cancel the operation?

What now? I certainly could make a superuser account and ask a question there. I don't think anyone else other than you, @MichaIng is willing to debug/troubleshooting this far into an issue.

Thank you so much for your help.

[yuukiAme]

Ah, you said the Mac fails as well when trying from the coffee shop internet access, right? So the same clients are affected as well when sending from other access points in the same region (?).

Yup. Mac fails at the Coffee Shop too. Another problem you happened to remind me is my country has 3 major ISP so their DNS and DNS Filter implementation are all different. That could be why my results are varies.

What a pain. All I want is to self-host and be in control of my data yet. To have privacy. Apparently it's too much to ask in my country. Super lame.

[MichaIng]

Okay, so OpenSSL and GnuTLS both run into the same issue. So the TLS library is unrelated as well. EDIT: Fits to the 404/408 response you got with curl pornhub.com, where no TLS was involved yet, but a redirect expected.

What now? I certainly could make a superuser account and ask a question there. I don't think anyone else other than you, @MichaIng is willing to debug/troubleshooting this far into an issue.

There is no guarantee, of course, and on StackExchange sites it is a bit RNG and timing, whether someone with interest and knowledge sees the question or not while it is new/highlighted. But there are certainly people around willing to help/answer questions, with much more knowledge/experience than me. So it is worth an attempt, if you do not mind the time to create an account, read a bit into how to ask a question properly and sort/sum up the relevant results we found.

What a pain. All I want is to self-host and be in control of my data yet. To have privacy. Apparently it's too much to ask in my country. Super lame.

Well, DNS and probably packet filtering by ISP is not directly related to whether you can self-host things or not? You can self-host a VPN and a DNS for DoT or DoH perfectly fine. So you can bypass DNS filtering that way, or use DoH with a public provider instead. Just sadly it does not help with the HTTPS request issue, whatever is causing this.

However, yeah, any kind of Internet filtering can be nasty. I was in China for a week, and it was interesting how many websites were blocked, not only raw.githubusercontent.com, while github.com works well (same in India, as far as I read, weird somehow), but also all Google services, including Gmail, Cloudflare, and even DuckDuckGo (my default search machine), for whatever reason. Microsoft services and Bing however do work. One can bypass the issue with a VPN, which is not strictly forbidden, especially for western visitors who often simply require it (our DietPi mails go through Gmail, currently). But even then, for some reasons, some websites are suspiciously slow, nearly unusable (when using DoH to bypass DNS block), while others work perfectly fine. Whether intended or not, at least I had the impression that it was intended, and your issue reminded me about this.

[yuukiAme]

@MichaIng I’m reading up on StackExchanger Superuser rules and tags.

Which tags do you think this issue belongs to? Because I know their mods will remove issues or could straight up ban me if I tried to resubmit and commit a “spam” offense against their site.

[yuukiAme]

@MichaIng

Superuser question posted

They closed it really quick with off-topic. The 2nd comment gave me some thoughts.
Is Cloudflare respecting my country content filtering as well? How do I switch all my query to Quad9 to test DNS-over-HTTPS properly?

[Joulinar]

How do I switch all my query to Quad9 to test DNS-over-HTTPS

I guess you would need to use cloudflared instead of Unbound. https://docs.pi-hole.net/guides/dns/cloudflared/

[yuukiAme]

@Joulinar
Thanks. That was my thoughts after that answer. Been researching through our DietPi old issues. Someone mentioned in 2018, Cloudflared was being shaddy with their CDN and bad for privacy. I'm not sure if their opinion changed since 2018.
I'm also looking into DNScrypt-proxy and ODOH.

[Joulinar]

Cloudflared can be used with Quad9 as well. It's just an application that can be used with various upstream DNS provider.

[yuukiAme]

Yes. I understood that. The pi-hole Docs did mentioned the https upstream that is using Cloudflare DNS. Of course I could change it over to Quad9. I'm just making sure I'm learning all of the other options as well.

[yuukiAme]

Update: It seems that after I switched everything to Quad9, from the DietPi-Config, to the Cloudflared, set up with Quad9 DoH as upstream DNS, Wireguard app into my PiVPN, www.pornhub.com still doesn't work over the VPN.
So I installed Intra on my Android Tablet, selected Quad9 as the DNS over HTTPS server , erased the history and cache on my browser. I can access www.pornhub.com now.

Now I'm not sure what to think now. The issue can be closed I guess.

[MichaIng]

They are wrong: Cloudflare does not respect country filtering, at least not in your case. We do already know that clients get the correct IP from Cloudflare, and the connection is blocked on HTTP(S) connection level to/from the true host instead.

Not sure whether it is really OOT at superuser, but I wouldn't know a better StackExchange site in this case. I left a comment to ask about this, and add the relevant info, let's see ...

[MichaIng]

https://meta.superuser.com/questions/15219/where-to-ask-questions-about-non-dns-based-country-based-website-http-blocking

[yuukiAme]

@MichaIng @Joulinar

Good news.

I went nuts after drinking too many cups of coffee. So I did a factory reset on an Android device (Xiaomi) to reduce all variables.
So the phone is fresh. Only using network number 2 so no Pi-hole and Cloudflared. Only Default DNS from ISP.

I installed 1.1.1.1 app from Google Play Store. Install VPN profile, uses the Google Chrome that came with phone. To switch to DNS-over-HTTPS. Checked with 1.1.1.1/help to confirm that it is using cloudflare DoH.
I tested the five websites mentioned in the Superuser question.

They all work now. No delays. Instant content delivery.

I formed a hypothesis it could the Adguard.apk and maybe its the adguardca.crt.
I uses Adguard app on all my devices. Except for my PC because everything works on it, I have uBlock Origin on Firefox to deal with ads and Pi-Hole to block the domains completely.

Background:
The AdGuard app requires the user to install a CA certificate provided by AdGuard to enhanced the ad blocks and DNS filters. Otherwise, Firefox browser will throw HSTS / SSL errors.
It required the same on MacOS with a custom user cert added in the Keychain.
I think I found the problem.

To test out the hypothesis, I removed the CA cert from my Samsung tablet and uninstalled the Adguard.apk. Reboot the device. Install 1.1.1.1 app, install VPN profile. This device nows can open the 5 websites above as well.

Big progress.

Now that solves half the issue. Because MacOS and iPhone are still failing to open www.pornhub.com and sometimes with medium.com even without Adguard and its VPN profile. No clue why. It's not iCloud+ private relay.

Either Pornhub SSL/TLS certificate has a problem verify its identity with Adguard CA cert. Not too sure on the traffic and route from the ISP side.

Do you have any methods to debug related to SSL/TLS cert instead?
Should I ask the expert over in the Unbound issues for help? He was pretty good at looking at my unbound journalctl log.

I can finally close this issue. Looks like I will have to remove all Adguard app and its CA from the trusted CA.

EDIT: I forgot. I need to test this over VPN as well. Before closing this issue.

[MichaIng]

Okay that is a very good explanation: Note that HTTPS filtering/inspection means that AdGuard decrypts, filters and in case blocks all traffic/packets between you and the website you want to access. This includes porn, online banking (aside of some hardcoded exceptions), etc. So I am quite sure that this AdGuard HTTPS filter/firewall rates some pornhub content as malicious, block it, hence replaces it with these weird 404/408 HTML documents I was wondering about. The only thing I am wondering about, is why the DietPi system was affected by this as well.

The way this is implemented, basically compromises HTTPS at its core. It is like a MITM, which HTTPS normally prevents against, but in this case you are explicitly asked to trust the AdGuard certificate which re-encrypts traffic. I mean, AdGuard software is (mostly or completely?) open source, and we have no reason to mistrust them (now). But IMO the principle to break the essential security of HTTPS in the name of security is just wrong. And I am not alone with this opinion.

We are using Cloudflare as proxy/CDN/cache/DDoS protection for HTTP(S) traffic to our website, which basically does the same. However, it does so transparently, i.e. resolving dietpi.com gives you IP addresses from the known Cloudflare Edge servers, the related TLS certificate is controlled by use, can be enabled/disabled/revoked, it adds request and response headers to tell clients what they are connecting to etc. And most importantly, DietPi is not a sensitive/privacy concerning topic, and everything you can do on our website is/will be public anyway. Bug report and survey uploads, done via SFTP, bypass Cloudflare, btw. But I would be at least concerned about an app/actor which decrypts/reads really all traffic to any website/web service 😉.

[yuukiAme]

This includes porn, online banking (aside of some hardcoded exceptions), etc. So I am quite sure that this AdGuard HTTPS filter/firewall rates some pornhub content as malicious, block it, hence replaces it with these weird 404/408 HTML documents I was wondering about.

This might explain it. If this is true, when I reinstall Adguard.apk, install the adguard-ca.crt, I turn off the dns filtering and firewall, it should allow my devices to start opening the HTTPS to the 5 websites I mentioned above and content delivery should work as intended.

But the weird part in this is why bbc.com and medium.com fails as well. Their websites shouldn't be on their DNS filtering, right? I only my ISP DNS is interested in blocking those traffic.

The way this is implemented, basically compromises HTTPS at its core. It is like a MITM, which HTTPS normally prevents against, but in this case you are explicitly asked to trust the AdGuard certificate which re-encrypts traffic. I mean, AdGuard software is (mostly or completely?) open source, and we have no reason to mistrust them (now). But IMO the principle to break the essential security of HTTPS in the name of security is just wrong. And I am not alone with this opinion.

I will email their support and create a ticket asking for clarification on their ca crt and dns filtering. Decrypting my HTTPS traffic on their end and see my query is obvious concerning. But I understand why it had to be done. How else Adguard suppose to know if that specific traffic needed to block and not delivery to client device.

But I would be at least concerned about an app/actor which decrypts/reads really all traffic to any website/web service 😉.

Viewing the traffic is just one problem. If they are storing customer traffic and still linking it to me, and my government happens to required them by law to hand it over is another problem.

I've looking for ways to encrypt traffic between client (PC) to DNS resolver (Pi-hole or Adguard Home). The internet pointed me to dnscrypt.info and there are so many implentation between the client implementation vs server implementation that I don't know which one to uses. Any suggestions?

[MichaIng]

No need to ask AdGuard about that: It is intended behaviour, to block ads and/or block traffic to malicious sites. But yes, you are right, bbc.com and medium.com should of course not be blocked, at best, in case, only ads embedded in these websites. And the DietPi system should not have been affected. So probably the AdGuard HTTPS filtering was only one part of the issue.

Filtering will be done locally on an automated level, hence your traffic is, of course, not sent to AdGuard servers where they could read it. Though, not impossible that bits of information are sent to be checked by a cloud block list or heuristic. At least in general this is how some anti virus software do/did it. Though for ads filtering such is surely overkill an not done.

So for me, the problem is not concerns or mistrust against AdGuard now, but the method of decrypting HTTPS traffic, and that way breaking end-to-end encryption as well as authentication (installing a generally trusted cert for a website that is not coming from this website), in general. Actors who are trustable now can change, be hacked, or whatever, so having such method installed and generally accepted as "security enhancement" IMO bears a general risk for the future. There may be edge cases, but not as by default enabled feature for common end user software, IMO.

I've looking for ways to encrypt traffic between client (PC) to DNS resolver (Pi-hole or Adguard Home).

Downstream DoH or DoT with AdGuard Home and/or WireGuard/VPN with Pi-hole/AGH as you were already doing.

[yuukiAme]

I have since reinstall Adguard.apk from their Adguard website. Installed their CA.crt again to my Xiaomi.

I did a bit more research. In Adguard app Settings > Filtering > Network > HTTPS Filtering > HTTPS-Filtered websites > turn OFF Filter websites with EV certificates.

This is the real reason why 3 out of the 5 websites mentioned above broke. Not sure why DietPi itself broke either. I guess I can close this issue now.

Thank you for your time and knowledge @MichaIng and @Joulinar . This has been a very productive week and a ton of learning experience for me.