Can't get Pi-hole working, dns won't resolve

Been trying to get Pi-hole working for a few days now, followed all the steps several times and still nothing. My devices will read that they have the right DNS address and will load pages, but Pi-hole doesn't filter. Go to the settings page and there are tons of cached DNS insertions but 0 evictions. Perhaps there is some coding I have to do to the router to make it the only DNS? If I do an nslookup on a device I'll get:

Server:  raspberrypi
Address:  192.168.1.84

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to raspberrypi timed-out

Router is Asus RT-AC87R

Any help appreciated.

Expected Behaviour:

DNS filter working
- Raspbian Buster
- Raspberry Pi 4

Actual Behaviour:

DNS filter not working

Debug Token:

yc38k6zfj8

EDIT: I didn't notice the duplicate post:


You might have several issues.

  1. The "timed out" messages when doing nslookup;
  2. Asus DHCP not playing nice with Pi-hole.

For the timeouts, if you have a firewall running on Pi-hole, make sure to allow port 53 TCP & UDP:

iptables -nL

https://docs.pi-hole.net/main/prerequesites/#ports

About Asus and DHCP:

From same thread:

And maybe the devs/mods can see something in your debug log that's wrong?

Yeah, I ended up installing Merlin last night and disabled router IP advertising, but it still wasn't working. So I tried getting Pi-hole to act as the DHCP server, but I can't seem to find the command structure needed for Raspbian to get iptables to change the port settings... didn't even realize Raspbian had iptables lol

iptables isn't Raspbian specific.
Packet filtering, NAT etc. are compiled into most kernels already as "Netfilter".
iptables is just a tool to interact with it:

pi@ph5:~ $ man iptables
[..]
DESCRIPTION
       Iptables and ip6tables are used to set up,  maintain,  and  in‐
       spect  the  tables  of IPv4 and IPv6 packet filter rules in the
       Linux kernel.  Several different tables may be  defined.   Each
       table contains a number of built-in chains and may also contain
       user-defined chains.

       Each chain is a list of rules which can match a set of packets.
       Each  rule  specifies  what  to  do with a packet that matches.
       This is called a `target', which may be a jump  to  a  user-de‐
       fined chain in the same table.

FYI, below are the default permissive rules:

pi@ph5:~ $ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That matches my output. I'm just unable to find the proper command line syntax to use iptables on Raspbian. I'm pretty sure I need to open port 67 to enable the DHCP server, but the commands I'm using don't seem to be working.

https://docs.pi-hole.net/main/prerequesites/#ports

iptables -I INPUT 1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables v1.8.2 (nf_tables): unknown option "--dport" 
Try 'iptables -h' or 'iptables --help' for more information

I initially set up my Pi to connect to my router over Wi-Fi and I was having trouble getting my devices to start using the Pi-hole. For me the solution was to update the interface listening behavior within the Pi-hole settings to "Listen on all interfaces"; by default it was configured to "Listen only on interface eth0".

Hope that helps.

If your iptables output matches mine, you won't need to alter iptables because your rules already allow all.

Below is a good tool to test DNS from a client before you make alterations to your router settings.
You can also run this one on Pi-hole itself to test:

nslookup pi.hole 192.168.1.84

First check if the pihole-FTL daemon is actually listening on DNS port 53 UDP/TCP (and the other ports used by Pi-hole) with the command below:

sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:547 \|:471[1-8] '

If that checks out OK, check the interface/IP configured for Pi-hole:

grep 'PIHOLE_INTERFACE\|IPV[4,6]_ADDRESS\|DNSMASQ_LISTENING' /etc/pihole/setupVars.conf

See if it matches with the actual interface that holds the 192.168.1.84 IP:

ip -4 -br a

If that checks out OK, it might be that your router is doing a thing called "DNS rebind protection":

EDIT: I forgot to mention, but sometimes AV software can mangle DNS lookups:
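The nslookup check above, as an added example that is not from the thread: a small Python probe that sends the same pi.hole A query to the Pi-hole over UDP and then TCP port 53 with nslookup's 2-second timeout, so a firewall dropping one protocol (a timeout) is told apart from nothing listening on 53 (a refusal). 192.168.1.84 and pi.hole are the values from this thread; everything else is constructed for the example.

```python
import secrets, socket, struct

def build_query(name, qid):
    """RFC 1035 A query for `name`: header (RD=1, one question) + QNAME + QTYPE/QCLASS."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(data, pos):  # advance past a name: 2-byte pointer or labels to the 0 byte
    if data[pos] & 0xC0 == 0xC0:
        return pos + 2
    while data[pos] != 0:
        pos += data[pos] + 1
    return pos + 1

def parse_answer(data, expected_qid):
    """Return (rcode, [IPv4 answers]) from a response to build_query()."""
    qid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if qid != expected_qid:                   # reject stray or spoofed replies
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qdcount):                  # skip the echoed question
        pos = _skip_name(data, pos) + 4       # + QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def probe(server, name="pi.hole", proto="udp", timeout=2.0):
    """One query to port 53 over UDP or TCP: 'timeout', 'refused' or (rcode, ips)."""
    query = build_query(name, qid := secrets.randbits(16))  # fresh random transaction id
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:                                 # TCP DNS is 2-byte length prefixed
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                data = s.recv(struct.unpack("!H", s.recv(2))[0])  # assumes one read
        return parse_answer(data, qid)
    except socket.timeout:
        return "timeout"                      # dropped: firewall, like the nslookup above
    except ConnectionRefusedError:
        return "refused"                      # host reached, but nothing listens on 53
```

Run `probe("192.168.1.84", proto="udp")` and `probe("192.168.1.84", proto="tcp")` from a client; a working Pi-hole returns `(0, ['192.168.1.84'])` for both, while "timeout" on one protocol points at the firewall rules discussed above.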
