Alternate subnet names not resolving

Expected Behaviour:

I run dual PiHoles on Raspis. They are both in the same VLAN (1) at 192.168.1.0/24. DHCP is provided by an Edgerouter running DNSMasq, and the PiHoles have a conditional forwarder set to deliver to the Edgerouter's interface. This works perfectly, as all of my VLAN 1 DNSMasq names are resolved properly by the PiHoles via the CF setting. The PiHole dashboard shows the names as desired. I also have an IoT VLAN (666) at 172.26.214.32/27. This VLAN offers out the PiHole IPs for DNS just like VLAN 1 does. But I want the VLAN 666 hosts to show the name from the Edgerouter as well. This does not work; instead it just shows the client's VLAN 666 IP.

Actual Behaviour:

Name resolution DOES work for all hosts; however, in the PiHole dashboard the VLAN 666 hosts do not resolve to the name. They only show the client's IP, but I want the names to resolve. I suspect the issue stems from only having one CF entry, and I have added a custom file to try adding the additional subnet, but that caused the stats to go berserk with rapidly increasing hits from that VLAN. Is there a documented setup for PiHole displaying names from multiple alternate subnets?

Regarding the stats going crazy, the specific info I added into 99-pihole-addn-vlans.conf are:

    server=/214.26.172.in-addr.arpa/172.26.214.33

Where the subnet is a /27 and the gateway is .33. I've read here about how to define VLSM for reverse DNS (DNSMasq uses the same notation as NT DNS), and PiHole seems to silently ignore the commands:

    server=/2-27.214.26.172.in-addr.arpa/172.26.214.33

The GW IP stats are showing in arpa format and climbing fast. This is 5 minutes of the settings being in place, but hey! Names are resolving, at the poor Pi's CPU expense:

All hosts share the same domain (sdyoung.com) across both VLANs. The DHCP option assigns it in both scopes, too.

My ghetto topo:

              internet
                 |
                 |
vlan1------edgerouter------vlan666
  |                           |
pihole1                    iotDevices
pihole2
other hosts

Debug Token:

[Replace this text with the debug token provided from running pihole -d (or running the debug script through the web interface)]

Who's the authoritative DNS server for vLAN 666?

How many devices do you have on 666? The easiest solution might be to create Local DNS Records for each device.

If the edgerouter is the DHCP server for all the vLANs then it's going to know the names. Since the debug token was left off (accidentally or on purpose) we'd have to ask a ton of questions to get the same information provided by the token.

Does 172.26.214.33 know how to answer dig queries for PTR records? Or does 172.26.214.33 point back at Pi-hole for DNS?

The router runs dnsmasq for hosts it leases, but pihole is the first query point. I assumed pihole decided to conditionally forward it to the router if the domain was matched.

Here's the dig output:

pi@pihole-1:~ $ dig +answer -x smart-things-hub-v2.sdyoung.com

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> +answer -x smart-things-hub-v2.sdyoung.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6722
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.sdyoung.smart-things-hub-v2.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
in-addr.arpa.           2951    IN      SOA     b.in-addr-servers.arpa. nstld.iana.org. 2020072067 1800 900 604800 3600

;; Query time: 52 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Wed Jul 29 14:29:30 MST 2020
;; MSG SIZE  rcvd: 141

about 18ish

token = https://tricorder.pi-hole.net/wsr7m8gfg2

That is a dig using 192.168.1.6. What is the IP address of the DNS server that knows how to answer PTR queries for vLAN 666? Is that the DNS server on the edgerouter?

You have:

    REV_SERVER=true
    REV_SERVER_DOMAIN=sdyoung.com
    REV_SERVER_TARGET=192.168.1.251
    REV_SERVER_CIDR=192.168.1.0/24

So any PTRs for 192.168.1.0/24 will go to 192.168.1.251. If you want vLAN 666 to be populated with names then you need to know who will answer those queries. Is it 192.168.1.251? Does dig -x 172.26.214.10 @192.168.1.251 work? Or does the Edgerouter have a different DNS server for vLAN 666? Is the Edgerouter set up to isolate the vLANs so that it will only answer 192 on 192 and not 172 on 192?

Yeah I eff'd up. Here's what you wanted. It appears from the pihole, using your dig syntax it can reverse lookup at either 172.26.214.33 OR 192.168.1.251.

pi@pihole-1:~ $ dig -x 172.26.214.42 @192.168.1.251

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> -x 172.26.214.42 @192.168.1.251
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49262
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;42.214.26.172.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
42.214.26.172.in-addr.arpa. 150 IN      PTR     smart-things-hub-v2.sdyoung.com.

;; Query time: 1 msec
;; SERVER: 192.168.1.251#53(192.168.1.251)
;; WHEN: Wed Jul 29 14:41:23 MST 2020
;; MSG SIZE  rcvd: 100

pi@pihole-1:~ $ dig -x 172.26.214.42 @172.26.214.33

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> -x 172.26.214.42 @172.26.214.33
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54322
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;42.214.26.172.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
42.214.26.172.in-addr.arpa. 150 IN      PTR     smart-things-hub-v2.sdyoung.com.

;; Query time: 1 msec
;; SERVER: 172.26.214.33#53(172.26.214.33)
;; WHEN: Wed Jul 29 14:41:31 MST 2020
;; MSG SIZE  rcvd: 100


Okay, solution should be simple. 172.26.214.33/27 targets to 192.168.1.251.

Or in pihole-FTL parlance:

/etc/dnsmasq.d/03-vlan666.conf

    rev-server=172.26.214.33/27,192.168.1.251

OK, just before you sent that I edited the line to steer the VLAN 666 subnet to the router's interface in VLAN 1, and I found the insane PTR queries ceased. So it seems this format:

    server=/2-27.214.26.172.in-addr.arpa/192.168.1.251

may solve it too, though it hadn't occurred to me to try swapping the IPs in this way.

I have a few other VLANs to work out too, so I will try your suggested rev-server method on those.

thanks for the awesome support!


I've been informed that my rev-server line will fail. dnsmasq will only allow natural masks, so /24 is the smallest you can use.

OK. I found that even though I entered the subnet ID and mask bits to trim the hosts to only the VLAN, it still seems to be resolving the other VLANs adjacent to 172.26.214.32/27 in the /24 space. In my case that's still acceptable, though for some it may be problematic.

thanks again.
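Added example, my own Python and not code from Pi-hole, dnsmasq or anyone in this thread. It covers two points raised above: the REV_SERVER settings being translated into a "PTRs for this range go to that server" rule, and the last reply's observation that a forwarder for the /27 still resolves the neighbouring VLANs in the same /24. It builds the PTR query name that `dig -x` sends, works out which in-addr.arpa zone names cover a subnet exactly, and applies dnsmasq's longest-suffix rule for `server=/zone/target` entries. That is enough to show why the `2-27.214.26.172.in-addr.arpa` label is never matched by any real PTR query, why a plain `214.26.172.in-addr.arpa` entry also forwards the rest of the /24, and what an exact cover of the /27 looks like (32 host-level `server=` lines). The CIDRs and the 192.168.1.251 target are the ones from the thread; 172.26.214.200 is a constructed address in a neighbouring VLAN.

```python
"""Reverse-zone helper for dnsmasq/Pi-hole conditional forwarding.

Added example; not Pi-hole or dnsmasq code. dnsmasq answers a query by
finding the longest ``server=/zone/target`` entry whose zone is a suffix of
the query name, so everything below hinges on two things: the PTR name that
``dig -x`` builds, and the in-addr.arpa zone names that cover a subnet.
"""
import ipaddress
from typing import List, Optional


def ptr_name(ip: str) -> str:
    """The query name ``dig -x <ip>`` sends, e.g. 42.214.26.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def arpa_zones(cidr: str) -> List[str]:
    """in-addr.arpa zones that cover ``cidr`` exactly and nothing more.

    Reverse-zone boundaries fall on octets, so the prefix length is rounded
    UP to the next multiple of 8 and the network split into blocks of that
    size: a /24 is one zone, a /22 is four, and a /27 needs 32 host zones.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    aligned = -(-net.prefixlen // 8) * 8   # 27 -> 32, 24 -> 24, 22 -> 24
    keep = aligned // 8                    # leading octets fixed by the zone
    if keep == 0:
        return ["in-addr.arpa"]
    zones = []
    for block in net.subnets(new_prefix=aligned):
        octets = str(block.network_address).split(".")[:keep]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def server_lines(cidr: str, target: str) -> List[str]:
    """dnsmasq ``server=`` lines that forward PTR queries for ``cidr`` to ``target``."""
    return [f"server=/{zone}/{target}" for zone in arpa_zones(cidr)]


def matching_zone(query_name: str, zones: List[str]) -> Optional[str]:
    """Zone dnsmasq would pick for ``query_name``: the longest label suffix.

    A zone matches only when the query name equals it or ends with "." + zone,
    so a zone label that never appears in a real PTR name matches nothing.
    """
    q = query_name.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if (q == z or q.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


if __name__ == "__main__":
    # Values from the thread: REV_SERVER_CIDR/REV_SERVER_TARGET for VLAN 1,
    # the VLAN 666 /27, and the constructed neighbour 172.26.214.200.
    print("VLAN 1 rule:", server_lines("192.168.1.0/24", "192.168.1.251"))
    print("PTR name for the hub:", ptr_name("172.26.214.42"))

    rfc2317_style = ["2-27.214.26.172.in-addr.arpa"]
    whole_24 = ["214.26.172.in-addr.arpa"]
    exact_27 = arpa_zones("172.26.214.33/27")

    for ip in ("172.26.214.42", "172.26.214.200"):
        q = ptr_name(ip)
        print(ip, "| 2-27 label:", matching_zone(q, rfc2317_style),
              "| whole /24:", matching_zone(q, whole_24),
              "| exact /27:", matching_zone(q, exact_27))
    print(f"exact /27 cover needs {len(exact_27)} server= lines, first:",
          server_lines("172.26.214.33/27", "192.168.1.251")[0])
```

The exact-cover output is the one to weigh before using it: 32 `server=` lines do keep the neighbouring VLANs out of the forwarder, but at the cost of a line per host, whereas the single /24 entry used in the thread is short and forwards the adjacent ranges too.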
