DNS client showing up as router - sometimes

Hi,

The issue I am having is basically identical to this one...

I have run my Pi-Hole for about 3 months now. I have my router set up to direct all DNS queries to Pi-Hole which is running a root DNS server. I am running DHCP from the Pi-Hole and I have the DHCP on the router switched off. Up to a few days ago, it has all worked fine.

What I am now seeing is that (say) I open a web page on my laptop, I can see some of the associated DNS queries as originating from my laptop (which is fine) and some of the queries originating from the router. I have tried this with several clients (two laptops and two iPhones), and I have rebooted the Pi-Hole and the router in case something was mysteriously broken. I have re-checked the router configuration and it is still saying that DNS is being served by the Pi-Hole.

What prompted me to spot this is that my wife started complaining that she couldn't access most of the web sites she wanted. And when I checked the Pi-Hole logs, I could only see a tiny sub-set of the DNS requests that I would expect to see. I tried monitoring it in real time while I experimented with my laptop connected and sure enough, the logs were not showing any requests (though strangely, my laptop seemed to have no issues connecting to various websites - maybe it was caching?).

Reboots of the Pi-Hole and/or router seemed to fix the issue for a short while (minutes) but then one or other of the above problems start to happen again.

The only clue I have is that this problem seemed to start a couple of days ago which coincides with me updating the block lists on the Pi-Hole. I'm a bit slack with keeping it updated so this was the first time I had updated in a month or two.

All connections are via WiFi. I don't suppose it matters but in the interests of completeness, it's a Linksys router (yes, I know! But up to now it's mostly behaved).

It's all rather strange and I'm not sure I'm expecting an answer but if anyone has any clues, I would love to hear.

regards

R.

Again, in the interests of completeness...

Debug Token:

https://tricorder.pi-hole.net/KL0J6iWd/

I suspect that some client(s) are still using the router for DNS.

 -----tail of pihole.log------
   Mar  7 13:28:27 dnsmasq[727]: query[A] lan.UK-Seamap.local from 192.168.1.1
   Mar  7 13:28:27 dnsmasq[727]: cached lan.UK-Seamap.local is NXDOMAIN
   Mar  7 13:28:27 dnsmasq[727]: query[AAAA] lan.UK-Seamap.local from 192.168.1.1
   Mar  7 13:28:27 dnsmasq[727]: cached lan.UK-Seamap.local is NXDOMAIN

Please elaborate.

From the client in question, what are the outputs of the following commands:

nslookup pi.hole

If a Windows machine, from the Windows command prompt:

ipconfig /all

The extract of the log you posted are requests from a Windows laptop I was using earlier. You are correct in that 192.168.1.1 is the router IP. I can check the laptop tomorrow to see what its DNS is set to.

Re "I have my router set up to direct all DNS queries to Pi-Hole"

  • The router is a Linksys one and makes regular DNS lookups to "phone home". I block all these lookups with Pi-Hole. This is how the problem became apparent - because any DNS lookups from the router are blocked. But if it was working correctly, that would be ok because all the clients should be talking directly to the DNS on the Pi-Hole

I don't have nslookup or ipconfig, but dig on the laptop I'm using tells me I am using the Pi-Hole - I would paste the text but cut & paste isn't working for me between xterm and this web browser

However, at the moment, the Pi-Hole logs are showing that this laptop is behaving and all requests are coming direct from it and not from the router.

My iPhone on the other hand is a different issue. If I leave the phone DNS setting at "automatic", it lists the Pi-Hole as the only DNS available but DNS requests from the phone still look like they are coming from the router (according to the logs). However, if I set the iPhone DNS to "manual" (with the exact same DNS details), the logs show that DNS requests are coming direct from the phone. But I cannot understand why this would be. The only DHCP on the network is the Pi-Hole which (obviously) publishes the DNS address of the Pi-Hole. DHCP on the router is switched off. So why would the phone think that the DNS server is the router?

But why would this (Linux) laptop I'm using pick up the correct DNS (i.e. the Pi-Hole) but my phone picks up the router as DNS? It's the same DHCP for them both (and yes, I have restarted everything several times)

The thing is, this has worked fine for months. It's only just started playing up and other than the block list update I did a couple of days ago, nothing has changed.

---edit---

I subsequently noticed that after a delay, the phone (when in "automatic" DNS setting) listed an IPv6 DNS address. I have no idea what this is referring to - there should be no IPv6 traffic on the network, but I went back to the (Linksys) router and I found that under Connectivity -> Internet Settings -> IPv6 there is an option called "IPv6 - Automatic". This was enabled. So I disabled it and now the phone no longer has an IPv6 DNS address and requests from it (even in "automatic" DNS setting) are going straight to the Pi-Hole. Which is correct! I know that the ISP didn't support IPv6 so I'm wondering if they have just enabled it and that's caused the router to pick up the address and pass it on to clients? I need to check with the ISP. I am starting to think this could be the cause of my woes - now that I have disabled the IPv6, I'll see what happens over the next day or so

Your debug log shows that your Pi-hole host OS is aware of an IPv6 nameserver address:

*** [ DIAGNOSING ]: contents of /etc

-rw-r--r-- 1 root root 103 Mar  7 12:39 /etc/resolv.conf
   nameserver 192.168.1.250
   nameserver 2a<redacted>d3

Likely that address belongs to your router (Belkin?), indicating that it's advertising its own IPv6 address as DNS server, allowing your clients to by-pass Pi-hole via that IPv6.

In your case, your router seems to also be configured to use Pi-hole as its upstream, so any DNS requests your clients have sent to your router's IPv6 will then be forwarded to Pi-hole by your router.

While this still catches and filters client requests that originally by-passed Pi-hole via your router, it won't allow you to attribute those DNS requests to individual clients anymore, unless your router would support injecting EDNS(0) ECS information in the DNS requests that it forwards to Pi-hole.

You'd have to find a way to configure your router to stop advertising its own IPv6 as DNS server, or to advertise your Pi-hole host machine's IPv6.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.
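Added example (not part of the original thread or of Pi-hole's own tooling): a small Python check for the symptom diagnosed above, counting `query[...]` lines in pihole.log per source address to see how much traffic is attributed to the router, and listing resolv.conf nameservers other than the expected one. The sample data is constructed apart from the four log lines quoted earlier; `2001:db8::1` is a documentation-prefix placeholder for the redacted address, and treating 192.168.1.250 as the Pi-hole is an assumption.

```python
import re
from collections import Counter

# Matches dnsmasq query lines in the format shown in the pihole.log tail above.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[[^\]]+\] \S+ from (?P<client>\S+)")

def queries_per_client(log_lines):
    """Count query[...] lines per source address; replies and cache hits are skipped."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts

def forwarder_share(counts, forwarder_ip):
    """Fraction of all queries whose source is the forwarding router."""
    total = sum(counts.values())
    return counts.get(forwarder_ip, 0) / total if total else 0.0

def unexpected_nameservers(resolv_conf_text, expected):
    """Return nameserver entries in resolv.conf text that are not in `expected`."""
    found = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected:
            found.append(parts[1])
    return found

# First four lines are from the thread; the last two are constructed.
SAMPLE_LOG = """\
Mar  7 13:28:27 dnsmasq[727]: query[A] lan.UK-Seamap.local from 192.168.1.1
Mar  7 13:28:27 dnsmasq[727]: cached lan.UK-Seamap.local is NXDOMAIN
Mar  7 13:28:27 dnsmasq[727]: query[AAAA] lan.UK-Seamap.local from 192.168.1.1
Mar  7 13:28:27 dnsmasq[727]: cached lan.UK-Seamap.local is NXDOMAIN
Mar  7 13:28:31 dnsmasq[727]: query[A] example.com from 192.168.1.1
Mar  7 13:28:40 dnsmasq[727]: query[A] example.org from 192.168.1.23
""".splitlines()

# Constructed resolv.conf; the IPv6 entry stands in for the redacted address.
SAMPLE_RESOLV = "nameserver 192.168.1.250\nnameserver 2001:db8::1\n"

if __name__ == "__main__":
    counts = queries_per_client(SAMPLE_LOG)
    print(dict(counts))
    print(f"router share: {forwarder_share(counts, '192.168.1.1'):.0%}")
    print("unexpected:", unexpected_nameservers(SAMPLE_RESOLV, {"192.168.1.250"}))
```

A router share well above its own "phone home" traffic suggests clients are resolving through the router rather than talking to Pi-hole directly.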

I think your analysis is spot on. I have no idea why the router (yes - Belkin/Linksys) is suddenly advertising IPv6 addresses - as far as I recall it has never done it before. My best guess is that something has changed at the ISP and that has woken up some sleeping feature in the router (the IPv6 setting I mentioned previously has always been set - it just hasn’t done anything up to now)

Anyway, in case I have no more to report, thank you very much for your help. I’ll see how it goes but I think the culprit has been identified - even if it doesn’t really make sense