Custom upstream = lost internet connection

Expected Behaviour:

Loading pages as usual.

Actual Behaviour:

Cannot load any page.

More details:

Whenever I set a custom DNS upstream address, I cannot load any page. It happens with stubby, unbound or a custom DNS like NextDNS. The query log is filled fine, even the NextDNS log is filled, but the browser won't load anything and I lose my internet connection. Pi-hole and the internet work fine with one of the default upstreams, like Quad9 or Google.

I'm able to set DoH with NextDNS directly in the MikroTik router and it works fine, but then Pi-hole is not in the middle. I would like to have client->router->pi-hole->stubby with NextDNS or unbound->internet.

I suspect the firewall in the router or disabled IPv6, but I cannot verify.

Debug Token:

Debug log (sorry, I cannot upload a debug token when I cannot connect to the internet):
https://pastebin.com/raw/smjSTN2J

If you can't verify it, I certainly can't either. :wink:

Your debug log shows you were using unbound as upstream at the time of its creation.

Start verifying whether unbound is operational by using the tests from our unbound guide.

tobias@rpi3B:~ $ dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26949
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.           IN      A

;; Query time: 3499 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE  rcvd: 48

tobias@rpi3B:~ $ dig dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56748
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works.                  IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE  rcvd: 41

The first command looks OK (SERVFAIL); the second, however, shows a failure (it should be NOERROR). What could be wrong? Something about DNSSEC?

EDIT: I previously added these rules to the firewall in MikroTik:

/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

...to force all DNS to go through Pi-hole. However, when I disable those rules, I get this from the unbound tests:

; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

I'm confused.

That would suggest that your firewall would be involved.

I'm not familiar with your MikroTik's firewall, so I am unsure whether your router firewall rules are suitable to match your intentions. Specifically, I'd somehow have expected to see a destination IP address (Pi-hole host), and also an exemption for traffic originating from Pi-hole's host's IP itself.

You should also consider consulting your firewall's documentation and support channels.

No one is answering my question on the MikroTik forum, so I have another idea.

Is it possible to route DNS requests from Pi-hole back to the router and then to the internet?

Instead of this: client - router - pihole - custom upstream (unbound) - internet
I would like to have this: client - router - pihole - router - DoH - internet (DoH is supported and works fine on RouterOS)

Yes.

Please, can you be more specific? I'm not sure what I need to look for. Is it possible to set it in Pi-hole or do I need some settings for firewall rules? Thanks.
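An added example, not from this thread and not from MikroTik's or Pi-hole's own documentation, of the two things the helper says are missing from the posted NAT rules (an explicit destination and an exemption for the Pi-hole host), followed by the one router-side setting the later "client - router - Pi-hole - router - DoH" idea depends on. The addresses are assumptions: 192.168.88.0/24 for the LAN, 192.168.88.1 for the router and 192.168.88.2 for the Pi-hole host, and the interface list named LAN is the one RouterOS's default configuration creates; substitute your own. The point being fixed: `action=redirect` rewrites the destination of every forwarded packet with dst-port 53 to the router's own address, and that includes the queries unbound on the Pi-hole host sends to root and authoritative servers on port 53, so unbound never talks to the server it thinks it is talking to and a validating resolver cannot build a chain of trust from those answers, which fits the SERVFAIL on both test names. The timeout seen with the rules disabled is not explained by NAT at all and points at a filter rule instead; `/ip firewall filter print` lists those.

```routeros
# Added example (not from the thread). Assumed addresses: LAN 192.168.88.0/24,
# router 192.168.88.1, Pi-hole host 192.168.88.2, interface list "LAN" (default config).

# --- As posted: every forwarded packet to dst-port 53 goes to the router itself,
# --- including the recursive queries unbound on 192.168.88.2 sends to the internet.
# /ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
# /ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

# --- Rewritten: explicit destination (Pi-hole), the Pi-hole host is exempt so that
# --- unbound's own port-53 traffic leaves the LAN untouched, and queries already
# --- addressed to Pi-hole are left alone instead of being rewritten to themselves.
/ip firewall nat
add chain=dstnat in-interface-list=LAN src-address=!192.168.88.2 dst-address=!192.168.88.2 \
    protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.2 to-ports=53 \
    comment="Force LAN DNS through Pi-hole (UDP)"
add chain=dstnat in-interface-list=LAN src-address=!192.168.88.2 dst-address=!192.168.88.2 \
    protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.88.2 to-ports=53 \
    comment="Force LAN DNS through Pi-hole (TCP)"

# Hairpin for the rewritten flows only: a redirected client and Pi-hole sit on the same
# subnet, so without this Pi-hole answers the client directly from 192.168.88.2 and the
# client discards a reply from an address it never asked. Masquerading only connections
# that were dst-nat'ed keeps the real client IP in Pi-hole's log for everything else.
add chain=srcnat connection-nat-state=dstnat dst-address=192.168.88.2 \
    protocol=udp dst-port=53 action=masquerade comment="Hairpin for redirected DNS (UDP)"
add chain=srcnat connection-nat-state=dstnat dst-address=192.168.88.2 \
    protocol=tcp dst-port=53 action=masquerade comment="Hairpin for redirected DNS (TCP)"

# Verify which rule is matching: the packet/byte counters show whether the Pi-hole
# host's outbound port-53 traffic is still being caught after the change.
/ip firewall nat print stats

# For the alternative path "client -> router -> Pi-hole -> router -> DoH": the router's
# own resolver must accept queries from the LAN, and Pi-hole's custom upstream is then
# the router's LAN address (192.168.88.1). The src-address exemption above is still
# needed so that Pi-hole's query to 192.168.88.1:53 is not rewritten on its way there.
/ip dns set allow-remote-requests=yes
```

After applying the rewritten rules, re-run the two `dig ... @127.0.0.1 -p 5335` checks from the unbound guide on the Pi-hole host: `fail01.dnssec.works` should still return SERVFAIL and `dnssec.works` should now return NOERROR. If `dnssec.works` times out instead, the NAT rules are no longer the cause and the filter rules are the next thing to inspect.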
