Can't get pihole to work on br0 interface

That would depend on your needs, e.g. whether you'd want NATing for some reasons.
(Also, libvirt's default virtual network will create iptables rules automatically to "allow traffic to/from guests attached to the virbr0 device in the INPUT, FORWARD, OUTPUT and POSTROUTING chains")

That's why I wrote 'you may need' instead of 'you have to'

No routing involved with bridging on the privileged domain.
The interfaces dont have an IP to route anyway (except for the bridge interface).

Bucking_Horn: Right now none of the VMs are spun up until I can resolve this issue, so I don't think iptables, or NATing are causing any issues as of yet. The brctl show command only lists the interfaces I have in /etc/network/interfaces as libvrt hasn't started any of the virtual interfaces yet. The set up is just eth0 on a bridge virbr0. Virbr0 isn't virtual, maybe that was a bad choice in naming.

I'll check systemctl status pihole-FTW when I get to the box again upon a fresh reboot when I know pihole hasn't started. Are the other mechanisms for trying to figure out why pihole doesn't start on boot so I'm ready when I get on the box again?

sudo systemctl status --full --no-pager pihole-FTL

And check ports used by Pi-hole if conflicting with other daemons:

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471[1-8] '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      30074/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      30074/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      602/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      30074/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      30074/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      602/lighttpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           30074/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           30074/pihole-FTL
udp6       0      0 :::53                   :::*                                30074/pihole-FTL

Okay, so with the changes to the network/interfaces file, and reconfiguring pihole on virbr0, here are the outputs:

sudo netstat -nltup | grep 'Proto\|:53 \| :67 \|:80 \|:471[1-8]'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      1267/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1901/nginx -g daemo
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1267/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      1267/pihole-FTL
tcp6       0      0 ::1:53                  :::*                    LISTEN      1267/pihole-FTL
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1267/pihole-FTL
udp6       0      0 ::1:53                  :::*                                1267/pihole-FTL

user@server:~$ pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

So it should be running on 192.168.0.201 (as per the static IP). I have my router using 192.168.0.201 as the DNS it hands out to clients. This is the output from a Windows machine on the network:

C:\Users\user>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.201

DNS request timed out.
    timeout was 2 seconds.

I've kind of been down this road before, and had more luck with configuring pihole in eth0 instead of virbr0. But since I'm here asking for help, is there anywhere else I can look for clues as to what's going on?

(Also I discovered that I don't have dnsmasq installed. When I try installing it, I get the following error: dnsmasq: failed to create listening socket for 127.0.0.1: Address already in use, not sure if that helps at all)

You dont need dnsmasq anymore as its embedded into the pihole-FTL binary already.
Make sure its removed or disabled:

sudo systemctl disable dnsmasq

sudo systemctl stop dnsmasq

sudo systemctl restart pihole-FTL

Can you SSH into the IP from remote PC now ?
Whats output for below ones ?

sudo brctl show

ip l

ip a

ip r

If you compare my netstat with yours, you can see pihole-FTL is not listening to IPv4 ports 53 TCP or UDP for DNS.
Most of the times this is caused by rogue config file(s).
What config files do you have ?

sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort

Below how mine looks like:

pi@noads:~ $ sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.dpkg-old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:dhcp-ignore-names=tag:wpad-ignore
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:wpad-ignore,wpad
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=149.112.112.10
/etc/dnsmasq.d/01-pihole.conf:server=9.9.9.10

Before I post the outputs of the other commands, I believe you might be on to something in that there might be a rogue configuration in the dnsmasq configuration files.

user@server:~$ sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort
/etc/dnsmasq.conf.dpkg-old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:interface=virbr0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=8.8.4.4
/etc/dnsmasq.d/01-pihole.conf:server=8.8.8.8
/etc/dnsmasq.d-available/libvirt-bin:bind-interfaces
/etc/dnsmasq.d/libvirt-bin:bind-interfaces
/etc/dnsmasq.d/network-manager:bind-interfaces

Anything look funky? I don't know enough about these configs, but I don't see any bind-interface configurations in your output.

Also, I apt-get remove dnsmaq --purge ed the dnsmasq utility, and yes I'm able to ssh into my box.

Get ride of above two files and move them to your home folder for backup:

sudo mv /etc/dnsmasq.d/libvirt-bin ~

sudo mv /etc/dnsmasq.d/network-manager ~

Restart to apply:

sudo service pihole-FTL restart

And check netstat again if listening now:

sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471[1-8]'

Is network-manager active ?

sudo service network-manager status

Thats another network manager that can mangle your IP setup!

EDIT:typo

It works!

For now I just commented out the bind-interfaces directives, and it works. As a bonus, I spun up the VMs, and it looks like they're doing fine as well. I wonder why libvirt added those directives? It looks like it works fine without them. Maybe I added them long ago and forgot?

Would you mind explaining in simple terms what the bind-interfaces directive does and why it broke pihole's DNS capabilities?

Also,

user@server~$ sudo netstat -nltup | grep 'Proto\|:53 \| :67 \|:80 \|:471[1-8]'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2099/nginx -g daemo
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1193/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      1193/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1193/dnsmasq
udp6       0      0 :::53                   :::*                                1193/dnsmasq

Lastly I thought network-manager is the utility that reads and applies your /etc/network/interfaces settings. Does pihole handle this natively as well?

user@server:~$ sudo service network-manager status
● NetworkManager.service - Network Manager
   Loaded: loaded (/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-12-12 23:59:44 PST; 9min ago
     Docs: man:NetworkManager(8)
 Main PID: 1068 (NetworkManager)
    Tasks: 3
   Memory: 8.4M
      CPU: 158ms
   CGroup: /system.slice/NetworkManager.service
           └─1068 /usr/sbin/NetworkManager --no-daemon

On the Windows machine on the network:

C:\Users\user>nslookup google.com
Server:  server
Address:  192.168.0.201

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4007:803::200e
          216.58.217.206

Shame you uninstalled dnsmasq again as the man pages can be useful:

pi@noads:~ $ man dnsmasq
[..]
       -z, --bind-interfaces
              On  systems  which  support it, dnsmasq binds the wildcard
              address, even when it is listening  on  only  some  inter‐
              faces.  It  then discards requests that it shouldn't reply
              to. This has the advantage of working even when interfaces
              come and go and change address. This option forces dnsmasq
              to really bind only the interfaces  it  is  listening  on.
              About  the  only  time when this is useful is when running
              another nameserver (or another instance of dnsmasq) on the
              same  machine.  Setting  this option also enables multiple
              instances of dnsmasq which provide DHCP service to run  in
              the same machine.

Its most of the times used to assure the daemon is only listening on one or more specific IP's.
Right now, your setup is listening on all IP's 0.0.0.0.

Is that a current netstat output ?
dnsmasq shouldn't be active like explained before.

I believe ifupdown does that:

pi@noads:~ $ apt policy ifupdown
ifupdown:
  Installed: 0.8.19
[..]

pi@noads:~ $ apt show ifupdown
[..]
Description: high level tools to configure network interfaces
 This package provides the tools ifup and ifdown which may be used to
 configure (or, respectively, deconfigure) network interfaces based on
 interface definitions in the file /etc/network/interfaces.

Uhg, you're right. I was so excited about DNS working, I didn't thoroughly look at the output of netstat. I must have uninstalled dnsmasq, and either stupidly reinstalled it, or does pihole install it during a reconfiguration when running pihole -r?

Here's the update output with dnsmasq actually removed:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1913/nginx -g daemo
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1634/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      1634/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      1634/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      1634/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1634/pihole-FTL
udp6       0      0 :::53                   :::*                                1634/pihole-FTL

And the config files:

/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:interface=virbr0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=8.8.4.4
/etc/dnsmasq.d/01-pihole.conf:server=8.8.8.8

However, after uninstalling dnsmasq, and even though pihole is running,

● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; bad; vendor preset: enabled)
   Active: active (exited) since Fri 2019-12-13 00:30:18 PST; 5min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 900 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0

Dec 13 00:29:56 server systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 13 00:29:58 server pihole-FTL[900]: Not running
Dec 13 00:30:17 server su[1268]: Successful su for pihole by root
Dec 13 00:30:17 server su[1268]: + ??? root:pihole
Dec 13 00:30:17 server su[1268]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 13 00:30:18 server pihole-FTL[900]: FTL started!
Dec 13 00:30:18 server systemd[1]: Started LSB: pihole-FTL daemon.

The Windows machine reports:

C:\Users\user>nslookup google.com
Server:  UnKnown
Address:  192.168.0.201

*** UnKnown can't find google.com: Query refused

I was so close

No.
In the past, Pi-hole depended on the dnsmasq binary.
Now its embedded in the pihole-FTL binary so dont need it anymore.

And if you query for a domain that Pi-hole knows about and wont need to be forwarded to upstream configured Google DNS 8.8.8.8/8.8.4.4 ?

nslookup pi.hole

EDIT: I forgot, you can live tail the logs at same time:

pihole -t

EDIT2: and to make thngs easier, you can also use below to query (without the win PC depending on DHCP DNS):

nslookup pi.hole 192.168.0.201

Actually I executed a pihole -r and reconfigured pihole after removing the dnsmasq utility, set it back on virbr0, rebooted and it, again works. Perhaps I could have gotten away with a pihole restartdns. In anycase, it works for real this time:

tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      1257/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1914/nginx -g daemo
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1257/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      1257/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      1257/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1257/pihole-FTL
udp6       0      0 :::53                   :::*                                1257/pihole-FTL

C:\Users\user>nslookup google.com
Server:  server
Address:  192.168.0.201

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4007:803::200e
          172.217.14.78

Final pihole -d output.

https://tricorder.pi-hole.net/h47ff6wstv

Looks good to me. Does everything look correct? FWIW, again the VMs are working fine, I don't see any issues.

Looks good.
Could check that last one on the Windows client:

nslookup pi.hole

Or see if a blocked domain gets redirected to 0.0.0.0:

nslookup doubleclick.com

And check stats:

nc localhost 4711 <<< $'>stats'

C:\Users\user>nslookup pi.hole
Server:  server
Address:  192.168.0.201

Name:    pi.hole
Addresses:  2606:6000:cd41:5d00:d63d:7eff:fe9e:9de2
          192.168.0.201

C:\Users\user>nslookup doubleclick.com
Server:  server
Address:  192.168.0.201

Name:    doubleclick.com
Addresses:  ::
          0.0.0.0

user@server:~$ nc localhost 4711 <<< $'>stats'
domains_being_blocked 113706
dns_queries_today 30310
ads_blocked_today 1099
ads_percentage_today 3.625866
unique_domains 770
queries_forwarded 6227
queries_cached 10816
clients_ever_seen 12
unique_clients 11
dns_queries_all_types 30310
reply_NODATA 133
reply_NXDOMAIN 92
reply_CNAME 49
reply_IP 225
privacy_level 0
status enabled
---EOM---

It might be that network-manager aquired IPv6 2606:6000:cd41:5d00:d63d:7eff:fe9e:9de2 for the bridge interface:

ip a

I would make sure network-manager isn't involved anymore:

sudo systemctl disable network-manager

sudo reboot

And check again:

ip a

host pi.hole localhost

● NetworkManager.service - Network Manager
   Loaded: loaded (/lib/systemd/system/NetworkManager.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:NetworkManager(8)

Dec 13 01:12:38 server systemd[1]: Network Manager is not active.

ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UP group default qlen 1000
    link/ether d4:3d:7e:9e:9d:e2 brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d4:3d:7e:9e:9d:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.201/24 brd 192.168.0.255 scope global virbr0
       valid_lft forever preferred_lft forever
    inet6 2606:6000:cd41:5d00:dce4:8334:67c8:ca4/64 scope global temporary dynamic
       valid_lft 604649sec preferred_lft 85649sec
    inet6 2606:6000:cd41:5d00:d63d:7eff:fe9e:9de2/64 scope global mngtmpaddr dynamic
       valid_lft 604797sec preferred_lft 604797sec
    inet6 fe80::d63d:7eff:fe9e:9de2/64 scope link
       valid_lft forever preferred_lft forever

host pi.hole localhost:

Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

pi.hole has address 192.168.0.201
pi.hole has IPv6 address 2606:6000:cd41:5d00:d63d:7eff:fe9e:9de2

I'm not sure what this means. What is it supposed to be?

host is another lookup tool same as nslookup.
Am wondering where those IPv6 addresses are coming from.
Am not that proficient with IPv6.
And got to leave now so maybe at later time look into it or someone else can enlighten ?

I'm not that proficient at IPv6 either.

Thank you for your help, the support has been well above-and-beyond. As far as I can tell, things are working. I'll look into this further when I get a chance, but this has been a huge roadblock for me in configuring the rest of my network. I donated what I could, although the support has been worth much more than that.

If others stumble upon this thread, there has been a lot of back-and-forth in regards to configuration, but I think the main offender for DNS not working was rogue dnsmasq configurations.

Thank you again.

Keep an eye on this, as libvirt could re-enable these configuration options on consecutive runs.

With regards to your IPv6 address:

NetworkManager would not touch any interfaces declared in /etc/network/interfaces by default, and you've disabled/uninstalled it anyhow.

# dns=dnsmasq

So that means IPv6 auto configuration has taken over, which means your system works as expected (if not quite as intended by you )

Auto configuration is a core feature of IPv6, so not at all a bad thing (though it is bound to create some head-aches with regards to enforcing Pi-hole as DNS, but that's an entirely different topic).

If you do not need IPv6, you could also disable IPv6 altogether in your router (if your router allows this), sparing you many of the afore-mentioned head-aches.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

net.ipv6.conf.eth0.disable_ipv6 = 1