Dashboard says it's working but it's not blocking any ads

SETUP
2 deco mesh routers

PROBLEM


At first I can't connect to the internet at all. I saw another topic's solution to update the pihole, so I did. Now I can connect to the internet, but I notice some sites will load indefinitely. The ads are also still present despite the dashboard saying otherwise. I gave the Raspberry Pi a static IP address and set my router's DNS to match the Raspberry Pi's IP address.

DEBUG TOKEN
https://tricorder.pi-hole.net/f54w8oihza

What DNS servers do you have configured on the clients? Do you have just the single Pi-hole DNS address or have you added additional DNS server IP addresses?

The DHCP server looks good, it's sending 192.168.68.114 as the sole DNS server.

I recall some users finding that Deco Mesh adds in its own DNS setup, there may be more information if you search for Deco here in the forum or on the web.

Pi-hole looks functional from the log output.

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] www.pies-do-oddania.dnsrobotuptime.ru is 0.0.0.0 via localhost (127.0.0.1)
[✓] www.pies-do-oddania.dnsrobotuptime.ru is 0.0.0.0 via Pi-hole (192.168.68.114)
[✓] doubleclick.com is 172.217.194.100 via a remote, public DNS server (8.8.8.8)

They only have one Pi-hole DNS address

I don't think the problem only lies on the deco. I tried to manually set DNS on my phone to connect to the pihole. The internet ran fine but ads are still popping up. When I connect my mac to the pihole, I can't even reach the internet with error code: DNS_PROBE_FINISHED_BAD_CONFIG. Both only have one Pi-hole DNS address. (I didn't set up the secondary DNS)

Here's the newly generated debug token https://tricorder.pi-hole.net/okc231w5jj

I appreciate your help. I'm really new to the networking stuffs.

How did you verify this on a respective device?

On MacOS, you may want to run

scutil --dns | grep nameserver

On Windows, you should look for the DNS server section in the output of

ipconfig /all

yepp only one

and can't connect to internet

From your MacBook, what's the output of:

nslookup pi.hole
nslookup flurry.com 192.168.68.114
nslookup flurry.com 80.241.218.68


The results for the first two commands are OK:
Pi-hole is used for DNS, it's providing its own local name, and it's also blocking flurry.com.

Let's see if your Pi-hole can provide resolution for public names as well:

nslookup google.com

The third command, however, indicates that something (presumably your router) would redirect DNS requests to public DNS servers: The public server at 80.241.218.68 would block flurry.com as well, yet you received a set of IP addresses as answer.

I suppose this is what makes me unable to connect to the internet?

Interesting. How do I disable this redirection? (I used Deco M4 as stated before). I can tell you that in the WAN settings, that "Obtain DNS Automatically" is on. Is this related?

What upstream DNS servers are configured for Pi-hole if you run below on the Mac?

nslookup -class=chaos -type=txt servers.bind

Do those upstream DNS server(s) resolve properly if you do below on the Mac client and on Pi-hole:

nslookup google.com <UPSTREAM_DNS_SERVER_IP>

I'm using cloudflare 1.1.1.1 and 1.0.0.1

Yes.
While it demonstrates that your client has used Pi-hole at 192.168.68.114 for that DNS request (so accessing local DNS servers is not redirected by your router), it should have returned a bunch of IPs instead of SERVFAIL.

Please run an nslookup for google.com from your Pi-hole RPi and share the output.

Also, both your debug logs indicate you are using DNSSEC.
DNSSEC requires correct timing information, so that could also cause failures if it would be off by more than a margin.

Verify your date and timezone are current on your RPi.

And another thing from your debug logs seems odd:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 300 bytes from wlan0:192.168.68.1
     Offered IP address: 192.168.68.114
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.68.1
      router: 192.168.68.1
      dns-server: 192.168.100.1
      dns-server: 192.168.68.1
      --- end of options ---

Your second log indicates your router is now distributing its own IP alongside Pi-hole's, allowing clients to bypass Pi-hole.
That wasn't the case in your first log.

Did you change something on your router in the meantime?

As this is specific for the device, I cannot know that.
You'd have to consult your router's documentation sources to find out.

Your router (currently) doesn't seem to interfere with local DNS traffic, but I guess diversion of public DNS may also interfere with DNSSEC, as Pi-hole wouldn't receive DNS replies from the configured DNS servers it expects to talk to.

You could try to verify that assumption by disabling DNSSEC and see if it works then.


It's showing the correct date and time

Well, yes. I decided to set my devices' DNS manually instead of setting it on the router to minimize the potential error points. Currently it is set to dynamic IP with "Obtain DNS Automatically" on (previously I set the DNS on the router by turning off "Obtain DNS Automatically" and setting it to the pihole IP).

HEY IT WORKS! kinda...? I can certainly connect to the internet now but I do still get some ads (not as many as before). I checked at https://adblock-tester.com/ and it only got 58/100. I'm also still getting ads on my android apps (same frequency as before). Is this normal?

Please don't do that, or if you have to do that, communicate that back to us. Intermittent configuration changes make it all the harder to help you analysing your issue.

That's good. :wink:

If you want to keep DNSSEC, you may want to try using your router as Pi-hole's only upstream DNS server. This should mitigate your router's redirection of public DNS requests (by avoiding them altogether).
Be careful to not configure your router to use Pi-hole as an upstream, as that would close a DNS loop.

Sorry my bad.

Thank you tho for all the help! Wouldn't figure out this myself otherwise. One last question:

Does this mean I can't use pihole on the router scale? (to change all device DNS on network at once)

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
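
The three checks walked through in this thread, gathered into one script as an added example that is not part of any post: classify an nslookup answer, flag a filtering resolver that unexpectedly resolves a blocked name, and list DHCP-offered DNS servers that bypass Pi-hole. The function names and the 203.0.113.10 answer are assumptions made for illustration; the other addresses are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example; sample nslookup outputs are constructed, the DHCP offer
# lines are the dns-server options quoted in the thread.
# Classify nslookup output read from stdin:
#   blocked  - answer is 0.0.0.0 or :: (Pi-hole's reply for a blocked name)
#   servfail - resolver gave up (here it went away once DNSSEC was disabled)
#   resolved - at least one real address came back
classify_nslookup() {
  awk '
    /SERVFAIL/ { servfail = 1 }
    /^Name:/   { in_answer = 1 }   # skip the Server/Address header lines
    in_answer && /^Address(es)?:/ {
      if ($2 == "0.0.0.0" || $2 == "::") blocked = 1; else real = 1
    }
    END {
      if (servfail)     print "servfail"
      else if (real)    print "resolved"
      else if (blocked) print "blocked"
      else              print "unknown"
    }'
}

# Print each DNS server in a DHCP offer that is not the Pi-hole.
stray_dns_servers() {   # $1 = Pi-hole IP, offer text on stdin
  awk -v pihole="$1" '$1 == "dns-server:" && $2 != pihole { print $2 }'
}

# A filtering public resolver should block the test name; a "resolved"
# answer means something on the path replied in its place.
redirect_suspected() {  # $1 = classification of that resolver's answer
  [ "$1" = "resolved" ]
}
VIA_PIHOLE='Server:  192.168.68.114
Address: 192.168.68.114#53

Name:    flurry.com
Address: 0.0.0.0'
VIA_FILTERING='Server:  80.241.218.68
Address: 80.241.218.68#53

Non-authoritative answer:
Name:    flurry.com
Address: 203.0.113.10'
VIA_DNSSEC="** server can't find google.com: SERVFAIL"
OFFER='      dns-server: 192.168.100.1
      dns-server: 192.168.68.1'
printf '%s\n' "$VIA_PIHOLE" | classify_nslookup
printf '%s\n' "$OFFER" | stray_dns_servers 192.168.68.114
```

On a live client, pipe the real command into the function instead of a sample, for example `nslookup flurry.com 192.168.68.114 | classify_nslookup`.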