DNS isn't resolving requests


#1

Expected Behaviour:

Pi Hole should resolve Domains

Actual Behaviour:

Pi Hole doesn’t resolve domains. Perhaps something is blocking Pi-hole's DNS requests to the external DNS, like Google.

dig pi-hole output:

# dig pi-hole.net

; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62332
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            288     IN      A       206.189.252.21

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 10 09:54:28 UTC 2019
;; MSG SIZE  rcvd: 56

I’m using NATing for my network:

#!/bin/bash

# The variables below are used by the rules but were not part of the posted
# snippet; the values here are placeholders and must be adapted to the network.
WAN_IF=eth0            # placeholder: interface facing the internet
LAN_NET=10.0.0.0/24    # placeholder: internal network
LAN_IP=10.0.0          # placeholder: first three octets of the LAN
PING_ALLOW=ACCEPT      # target for incoming echo-request (ACCEPT or REJECT)
SSH_PORT=22            # placeholder
SSH_BAN_TIME=60        # placeholder: ban window in seconds
SSH_MAX_TRIES=4        # placeholder: new connections allowed per window
DIFFERENT_PORT=8080    # placeholder: external port forwarded to the Pi-hole web UI

# Flush existing rules. The nat table must be flushed as well, otherwise the
# DNAT/MASQUERADE rules below are appended again on every run of the script.
iptables -F
iptables -t nat -F


# Anything from the internet should have a public IP
iptables -A FORWARD -i $WAN_IF -s 192.168.0.0/16 -j REJECT
iptables -A FORWARD -i $WAN_IF -s 172.16.0.0/12  -j REJECT
iptables -A FORWARD -i $WAN_IF -s 10.0.0.0/8     -j REJECT
iptables -A INPUT   -i $WAN_IF -s 192.168.0.0/16 -j REJECT
iptables -A INPUT   -i $WAN_IF -s 172.16.0.0/12  -j REJECT
iptables -A INPUT   -i $WAN_IF -s 10.0.0.0/8     -j REJECT


# Block NetBIOS (Stupid Windows... don't tell anyone that you're there!)
iptables -A FORWARD -p tcp --sport 137:139 -o $WAN_IF -j REJECT
iptables -A FORWARD -p udp --sport 137:139 -o $WAN_IF -j REJECT
iptables -A OUTPUT  -p tcp --sport 137:139 -o $WAN_IF -j REJECT
iptables -A OUTPUT  -p udp --sport 137:139 -o $WAN_IF -j REJECT

# Accept packets belonging to already established connections on every port
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming pings
iptables -A INPUT -p icmp --icmp-type echo-request -j $PING_ALLOW


#### SPECIFIC ####
# Enable SSH and protect by x-tries.
# The REJECT rule has to come before the ACCEPT rule: if new connections are
# accepted first, the hit-count check is never evaluated and the ban never fires.
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds $SSH_BAN_TIME --hitcount $SSH_MAX_TRIES --rttl --name SSH --rsource -j REJECT
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT


#### PORT OPENING ON HOST MACHINE
#iptables -A INPUT -j ACCEPT -p tcp --dport 80
#iptables -A INPUT -j ACCEPT -p tcp --dport 443


#### PORT FORWARDING ####
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE

# Port Forwarding
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 53 -j DNAT --to $LAN_IP.10:53    # CT110 - PiHole    PiHole DNS
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 53 -j DNAT --to $LAN_IP.10:53    # CT110 - PiHole    PiHole DNS

iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $DIFFERENT_PORT -j DNAT --to $LAN_IP.10:80


Debug Token:

pt62pjhba8


#2

Everything looks good on the debug log:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] 4e34b4865905c4.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] 4e34b4865905c4.com is 0.0.0.0 via Pi-hole (10.0.0.10)
[✓] doubleclick.com is 216.58.205.238 via a remote, public DNS server (8.8.8.8)

The information you provided looks fine as well, the dig to the local resolver returned the proper address for pi-hole.net. What are you seeing that leads you to conclude that DNS is not working?


#3

Oh, I missed that information.
Every client that uses the Pi-hole as DNS can’t resolve domain names. It doesn’t matter if they are outside (world) or inside the network (10.0.0.0/24); they report that there’s “no internet connection”.
Maybe it’s not a resolution problem in the Pi-hole itself. Maybe the DNS queries get lost somewhere (iptables). But I cannot see any mistake and I have no idea how to find the error in my configuration.


#4

The Pi-hole is working correctly. From that snippet of the debug log we can know the following:

A random domain from your list of domains to be blocked is returning 0.0.0.0 when queried with localhost as the resolver:

dig 4e34b4865905c4.com @127.0.0.1

That domain also returns 0.0.0.0 when queried with the Pi-hole IP address as the resolver.

dig 4e34b4865905c4.com @10.0.0.10

And finally a known domain is returning an external IP address when queried at Google’s DNS server.

dig doubleclick.com @8.8.8.8

Those were all successful and returned the expected IP addresses, so the Pi-hole is functioning and is able to query itself internally and Google externally.

If you are running an open resolver and are allowing the world to use your Pi-hole, that is unsupported and unadvised and we will not be able to assist you with issues related to the firewall allowing that process to happen.
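The open-resolver situation described in this reply comes from the DNAT rules in the first post that forward port 53 from the WAN interface to the Pi-hole. The following script is an added example, not part of this thread or of Pi-hole: it scans `iptables-save`-style output for PREROUTING rules that expose port 53 on the WAN interface and prints the matching `iptables -t nat -D` commands that would remove them. The embedded rule set is constructed (WAN interface assumed to be `eth0`, Pi-hole assumed at `10.0.0.10`); pass real `iptables-save` output as the second argument to check a live host.

```shell
#!/bin/sh
# Constructed sample in the shape of `iptables-save` output, modelled on the
# thread's script. Assumptions: WAN_IF=eth0, Pi-hole at 10.0.0.10.
RULES_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.10:53
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.10:53
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Print every nat PREROUTING DNAT rule that accepts port 53 arriving on the
# given WAN interface, i.e. the rules that turn the LAN resolver into an open one.
# $1 = WAN interface name, $2 = rules text (defaults to the constructed sample).
find_open_resolver_rules() {
    wan_if="$1"
    rules="${2:-$RULES_SAMPLE}"
    printf '%s\n' "$rules" \
        | grep -E -- "^-A PREROUTING .*-i $wan_if .*--dport 53 .*-j DNAT"
}

# Exit status 0 when port 53 is exposed on the WAN interface, 1 otherwise,
# so the check can be wired into a cron job or a monitoring script.
dns_is_exposed() {
    n=$(find_open_resolver_rules "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Turn each offending rule into the iptables command that deletes it; the
# Pi-hole only needs to be reachable from the LAN, not from the internet.
removal_commands() {
    find_open_resolver_rules "$1" "$2" | sed 's/^-A /iptables -t nat -D /'
}

if dns_is_exposed eth0; then
    echo "port 53 is forwarded from the WAN interface; remove with:"
    removal_commands eth0
fi
```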