dig ns1.pi-hole.net @8.8.8.8
?
dig ns1.pi-hole.net @8.8.8.8
?
What is the output of the following from the Pi terminal:
dig ns1.pi-hole.net
lol
It's called tandem troubleshooting
pi@raspberrypi:~ $ dig ns1.pi-hole.net @8.8.8.8
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
pi@raspberrypi:~ $ dig ns1.pi-hole.net
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net
;; global options: +cmd
;; connection timed out; no servers could be reached
You have a connectivity problem on your network if you can't reach any name servers.
The first dig should completely bypass any internal DNS servers and go directly to the Google DNS server.
Do you have any firewalls or re-directs for DNS traffic on port 53?
traceroute -n 8.8.8.8
?
Check your router for below:
Might have to configure the new IP to be allowed by rebind protection (if you have any).
nothing that I know of actually
pi@raspberrypi:~ $ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.8.1 2.660 ms 2.081 ms 3.881 ms
2 192.168.0.1 5.688 ms 5.001 ms 4.838 ms
3 83.169.183.45 42.528 ms 38.996 ms 39.743 ms
4 88.134.234.201 37.617 ms 88.134.234.203 37.627 ms 88.134.234.201 36.280 ms
5 145.254.3.66 36.886 ms 35.724 ms 145.254.3.92 34.518 ms
6 145.254.2.217 34.671 ms 37.276 ms 36.336 ms
7 145.254.2.217 37.299 ms 34.224 ms 145.254.2.215 31.946 ms
8 72.14.194.138 31.468 ms 43.416 ms 37.840 ms
9 * * *
10 8.8.8.8 35.802 ms 39.741 ms 38.148 ms
Check rebind protection or similar on the router!
Check local firewall:
pi@ph5:~ $ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
pi@raspberrypi:~ $ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Try flushing all those rules for diagnosing.
Might want to do this on console as you might get kicked from ssh.
And check below again:
dig ns1.pi-hole.net @8.8.8.8
To restore the Netfilter (iptables) rules, just reboot.
pi@raspberrypi:~ $ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
pi@raspberrypi:~ $ dig ns1.pi-hole.net @8.8.8.8
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
ICMP seems to get through to 8.8.8.8 (from traceroute output).
But DNS doesn't (from dig).
You haven't answered yet if you have checked for rebind protection or similar on the router?
I'm outta ideas.
EDIT: maybe one idea:
dig ns1.pi-hole.net @1.1.1.1
?
OK, I had this option on, and when I switched it off... it just worked
I'm using GL.iNet GL-AR750S-Ext (Slate) router
pi@raspberrypi:~ $ dig ns1.pi-hole.net @8.8.8.8
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> ns1.pi-hole.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49435
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.pi-hole.net. IN A
;; ANSWER SECTION:
ns1.pi-hole.net. 2966 IN A 185.136.96.96
;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 19 16:57:28 CEST 2020
;; MSG SIZE rcvd: 60
Post the make and model of the router for others to find?
And mark your last reply as the solution, pls?
Sure, but how could this be related? Even if it still sends the DNS 192.168.8.105 hard coded to itself, it should work... right?!
For the Pi-hole host, 8.8.8.8 and 8.8.4.4 are hard coded for DNS:
and the rebind attack is still on