Cannot resolve name server after moving to another network

dig ns1.pi-hole.net @8.8.8.8

?

What is the output of the following from the Pi terminal:

dig ns1.pi-hole.net


lol :smiley:
It's called tandem troubleshooting :wink:

pi@raspberrypi:~ $ dig ns1.pi-hole.net @8.8.8.8

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached

pi@raspberrypi:~ $ dig ns1.pi-hole.net

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net
;; global options: +cmd
;; connection timed out; no servers could be reached

You have a connectivity problem on your network if you can't reach any name servers.

The first dig should completely bypass any internal DNS servers and go directly to the Google DNS server.

Do you have any firewalls or re-directs for DNS traffic on port 53?

traceroute -n 8.8.8.8

?

Check your router for below:

Might have to configure the new IP to be allowed by rebind protection (if you have any).

nothing that I know of actually :confused:

pi@raspberrypi:~ $ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.8.1  2.660 ms  2.081 ms  3.881 ms
 2  192.168.0.1  5.688 ms  5.001 ms  4.838 ms
 3  83.169.183.45  42.528 ms  38.996 ms  39.743 ms
 4  88.134.234.201  37.617 ms 88.134.234.203  37.627 ms 88.134.234.201  36.280 ms
 5  145.254.3.66  36.886 ms  35.724 ms 145.254.3.92  34.518 ms
 6  145.254.2.217  34.671 ms  37.276 ms  36.336 ms
 7  145.254.2.217  37.299 ms  34.224 ms 145.254.2.215  31.946 ms
 8  72.14.194.138  31.468 ms  43.416 ms  37.840 ms
 9  * * *
10  8.8.8.8  35.802 ms  39.741 ms  38.148 ms

Check rebind protection or similar on the router!

Check local firewall:

pi@ph5:~ $ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

pi@raspberrypi:~ $ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Try flushing all those rules for diagnosing.
Might want to do this on console as you might get kicked from ssh.

And check below again:

dig ns1.pi-hole.net @8.8.8.8

To restore the Netfilter (iptables) rules, just reboot.

pi@raspberrypi:~ $ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

pi@raspberrypi:~ $ dig ns1.pi-hole.net @8.8.8.8

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached

But I still can't understand how Pi-hole still works.

ICMP seems to get through to 8.8.8.8 (from traceroute output).
But DNS doesn't (from dig).
You haven't answered yet if you have checked for rebind protection or similar on the router?
I'm outta ideas.

EDIT: maybe one idea:

dig ns1.pi-hole.net @1.1.1.1

?

ok, I had this option On, and when I switched it off.. it just worked
I'm using GL.iNet GL-AR750S-Ext (Slate) router


pi@raspberrypi:~ $ dig ns1.pi-hole.net @8.8.8.8

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49435
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.pi-hole.net.		IN	A

;; ANSWER SECTION:
ns1.pi-hole.net.	2966	IN	A	185.136.96.96

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 19 16:57:28 CEST 2020
;; MSG SIZE  rcvd: 60


Post the make and model of the router for others to find?
And mark your last reply as the solution, pls?

Sure, but how could this be related? Even if it still sends the DNS 192.168.8.105 hard-coded to itself, it should work... right?!

For the Pi-hole host, 8.8.8.8 and 8.8.4.4 are hard-coded for DNS:

and the rebind attack is still on

Thank you @deHakkelaar and @jfb for your time and troubleshooting :bowing_man:
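
The comparison made in the thread above (ICMP reaches 8.8.8.8 while dig times out), as an added shell example that is not part of the original posts: it classifies dig output and checks UDP and TCP port 53 separately per resolver. The function names and verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: localise a "ping works, DNS times out" problem per resolver.

# classify_dig: read dig output on stdin, print a one-word result.
classify_dig() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*) echo timeout ;;
        *"status: NOERROR"*)  echo answer ;;
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: REFUSED"*)  echo refused ;;
        *"status: SERVFAIL"*) echo servfail ;;
        *) echo unknown ;;
    esac
}

# diagnose ICMP UDP53 TCP53: combine the three observations into a verdict.
# Verdict labels are hypothetical names chosen for this example.
diagnose() {
    if [ "$2" = answer ]; then echo dns-ok                 # plain UDP DNS works
    elif [ "$1" = ok ] && [ "$3" = answer ]; then echo udp53-filtered
    elif [ "$1" = ok ]; then echo port53-filtered          # host reachable, DNS is not
    else echo no-route                                     # nothing gets through
    fi
}

# probe SERVER [NAME]: live check, needs ping and dig on the Pi-hole host.
probe() {
    server=$1 name=${2:-ns1.pi-hole.net}
    if ping -c 1 -W 2 "$server" >/dev/null 2>&1; then icmp=ok; else icmp=fail; fi
    udp=$(dig +time=2 +tries=1 "$name" "@$server" 2>&1 | classify_dig)
    tcp=$(dig +tcp +time=2 +tries=1 "$name" "@$server" 2>&1 | classify_dig)
    echo "$server icmp=$icmp udp53=$udp tcp53=$tcp verdict=$(diagnose "$icmp" "$udp" "$tcp")"
}

# Sample copied from the failing dig run in the thread (used when run without "live").
SAMPLE=';; global options: +cmd
;; connection timed out; no servers could be reached'
if [ "${1:-}" = live ]; then
    for s in 8.8.8.8 1.1.1.1; do probe "$s"; done
else
    echo "sample: $(printf '%s\n' "$SAMPLE" | classify_dig) -> $(diagnose ok timeout timeout)"
fi
```

A `port53-filtered` verdict for every upstream resolver, with an empty local iptables ruleset, points at a device on the path (here the router) handling port 53 traffic differently from other traffic.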
