Clients not using pihole dns by default

My clients are not using the pihole DNS resolver by default. I have set my LAN DNS server in my router to my pihole LAN IP address 192.168.1.7. I can load the pihole admin panel just fine both through the local IP and through my reverse proxy. pihole is running in a docker container behind an nginx reverse proxy on pihole.mydomain.com.

This behavior seems to be occurring across all of my systems. I've tested in Ubuntu, MacOS, and Windows 10 and the behavior is the same. If I query DNS for pi.hole, the tool (dig, nslookup, whatever) uses my router 192.168.1.1 instead of the pihole resolver running on 192.168.1.7. The only DNS I have configured in the router LAN settings is 192.168.1.7. IP address 192.168.1.7 is the primary on all systems. 192.168.1.1 is configured as the secondary because that's what my router advertises. Nothing ever seems to use the primary.

But if I specify the DNS resolver to be 192.168.1.7, everything works fine. It is just never used by default.

I have included the example from my Ubuntu machine below.

Why might this be happening?

Expected Behaviour:

dig pi.hole resolves 192.168.1.7

Actual Behaviour:

Here's how to read this. I am:

  • Running this on the Ubuntu machine
  • pihole is running locally in a docker container
  • I am showing /etc/resolv.conf with the settings obtained from my router
  • First, dig pi.hole using the default resolver. The router 192.168.1.1 DNS is used and pi.hole resolves incorrectly.
  • Second, dig pi.hole forcing the resolver to use pihole on 127.0.0.1. pi.hole resolves correctly.

➜  docker git:(pihole) cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 196.168.1.7
nameserver 192.168.1.1

➜  docker git:(pihole) dig pi.hole

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> pi.hole
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31550
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pi.hole.			IN	A

;; AUTHORITY SECTION:
.			86243	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2020031900 1800 900 604800 86400

;; Query time: 13 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Mar 19 21:30:36 PDT 2020
;; MSG SIZE  rcvd: 111

➜  docker git:(pihole) dig @127.0.0.1 pi.hole

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 pi.hole
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63458
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pi.hole.			IN	A

;; ANSWER SECTION:
pi.hole.		2	IN	A	192.168.1.7

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 19 21:30:44 PDT 2020
;; MSG SIZE  rcvd: 52

Debug Token:

https://tricorder.pi-hole.net/r7i5rl4ib6

Welcome to the Pi-hole community, ysammy. 🙂

Your debug log shows DNS requests being received and filtered, if only very few, and by very few clients.

If your devices are using 192.168.1.1 for DNS, the most likely cause would be your router still distributing it alongside Pi-hole.

There are some routers that are known to do this - you wouldn't run an ASUS RT-AC68 e.g.?

Yes, I do have an ASUS RT-AC68. And yes, I am seeing successful requests in the query log. Everything just seems to be preferring the secondary DNS server. I understand that having two DNS servers configured might let some queries past pihole, but I'm surprised that all of them are bypassing pihole in this case.

I'll add that the same behavior occurs if I resolve something like a-ads.com. If I let the tools choose a resolver, it will resolve. If I force it to use my pihole resolver, it will successfully blackhole.

Your observations confirm this device as misbehaving, then.

There are absolutely no guarantees on how a specific device will handle multiple DNS servers. Preference is completely at the device's discretion.

Seeing any of the DNS servers used in any proportion is perfectly legal.

The only safe way to enforce usage of Pi-hole is to have it as your network's solitary DNS server.

That leaves you with the following options to employ Pi-hole in your network:
a) file a complaint with ASUS and hope they will fix their firmware at some time
b) try configuring your router to use Pi-hole as its upstream DNS server (but lose the ability to monitor DNS traffic for specific clients in Pi-hole)
c) manually configure each device in your network to use Pi-hole (depends on device support)
d) try an alternative firmware (e.g. Asuswrt-Merlin)
e) get another router

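One way to verify on a client what this thread diagnoses, as an added example that is not from the thread or the Pi-hole project: a POSIX shell check that lists any resolver in resolv.conf other than Pi-hole and reads dig output for which server actually answered. The Pi-hole address 192.168.1.7 is taken from the thread; the resolv.conf and dig samples are constructed to match the situation described.

```shell
# Added example (not from the thread): check whether a client is really
# pinned to Pi-hole. Both inputs are constructed here so it runs offline.

PIHOLE_IP="192.168.1.7"   # assumed Pi-hole address, as in the thread

# Constructed resolv.conf: the router still advertises itself as secondary.
SAMPLE_RESOLV='# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 192.168.1.7
nameserver 192.168.1.1'

# Constructed dig excerpt: the router answered, so pi.hole came back NXDOMAIN.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31550
;; SERVER: 192.168.1.1#53(192.168.1.1)'

# Print every nameserver in a resolv.conf text that is not the Pi-hole.
# Exits 0 only when Pi-hole is the sole resolver handed to the client.
stray_nameservers() {
  printf '%s\n' "$1" | awk -v ph="$PIHOLE_IP" \
    '$1 == "nameserver" && $2 != ph { print $2; n++ } END { exit (n > 0) }'
}

# The IP that actually answered, taken from dig's ";; SERVER:" line.
answering_server() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# The rcode (NOERROR, NXDOMAIN, ...) from dig's header line.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Verdict as a bitmask: bit 1 = a non-Pi-hole resolver is advertised,
# bit 2 = the query was answered by something other than Pi-hole.
check_enforcement() {
  rc=0
  if ! strays=$(stray_nameservers "$1"); then
    echo "router advertises non-Pi-hole resolver(s): $strays"
    rc=$((rc | 1))
  fi
  srv=$(answering_server "$2")
  if [ "$srv" != "$PIHOLE_IP" ]; then
    echo "query answered by $srv (status $(dig_status "$2")), not Pi-hole"
    rc=$((rc | 2))
  fi
  return $rc
}

# Run against the constructed samples; exit code 3 means both problems seen.
check_enforcement "$SAMPLE_RESOLV" "$SAMPLE_DIG" || echo "exit code $?"
```

On a real client, call `check_enforcement "$(cat /etc/resolv.conf)" "$(dig pi.hole)"` instead of the samples. On hosts where systemd-resolved leaves only the 127.0.0.53 stub in resolv.conf, the advertised servers have to be read from `resolvectl status` instead.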
