DNS isn't resolving requests


Expected Behaviour:

Pi Hole should resolve Domains

Actual Behaviour:

Pi Hole doesn’t resolve domains. Perhabs, something is blocking piholes DNS requests to the extern DNS like Google

dig pi-hole output:

# dig pi-hole.net

; <<>> DiG 9.10.3-P4-Debian <<>> pi-hole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62332
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;pi-hole.net.                   IN      A

pi-hole.net.            288     IN      A

;; Query time: 12 msec
;; WHEN: Thu Jan 10 09:54:28 UTC 2019
;; MSG SIZE  rcvd: 56

I’m using NATing for my network:


# Flush existing rules
iptables -F

# Anything from the internet should have an public IP
iptables -A FORWARD	-i $WAN_IF -s 	-j REJECT
iptables -A FORWARD	-i $WAN_IF -s		-j REJECT
iptables -A FORWARD	-i $WAN_IF -s 		-j REJECT
iptables -A INPUT 	-i $WAN_IF -s 	-j REJECT
iptables -A INPUT 	-i $WAN_IF -s		-j REJECT
iptables -A INPUT 	-i $WAN_IF -s 		-j REJECT

# Block NetBIOS (Stupid Windows... don't tell anyone that you're there!)
iptables -A FORWARD -p tcp --sport 137:139 -o $WAN_IF -j REJECT
iptables -A FORWARD -p udp --sport 137:139 -o $WAN_IF -j REJECT
iptables -A OUTPUT 	-p tcp --sport 137:139 -o $WAN_IF -j REJECT
iptables -A OUTPUT 	-p udp --sport 137:139 -o $WAN_IF -j REJECT

# Already existing connections would be accepted on every port
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Einkommende Pings erlauben
iptables -A INPUT -p icmp --icmp-type echo-request -j $PING_ALLOW

#### SPECIFIC ####
# Enable SSH and protect by x-tries
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
iptables -A INPUT -m recent --update --seconds $SSH_BAN_TIME --hitcount $SSH_MAX_TRIES --rttl --name SSH --rsource -j REJECT

#iptables -A INPUT -j ACCEPT -p tcp --dport 80
#iptables -A INPUT -j ACCEPT -p tcp --dport 443

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE

# Port Forwarding
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 53		-j DNAT --to $LAN_IP.10:53		# CT110 - PiHole	PiHole DNS
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 53		-j DNAT --to $LAN_IP.10:53		# CT110 - PiHole	PiHole DNS

iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $DIFFERENT_PORT	-j DNAT --to $LAN_IP.10:80


Debug Token:



Everything looks good on the debug log:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] 4e34b4865905c4.com is via localhost (
[✓] 4e34b4865905c4.com is via Pi-hole (
[✓] doubleclick.com is via a remote, public DNS server (

The information you provided looks fine as well, the dig to the local resolver returned the proper address for pi-hole.net. What are you seeing that leads you to conclude that DNS is not working?


Oh, I missed that information.
Every client which use the pi hole as DNS can’t resolve the domainnames. It doesn’t matter if they are outside (world) or inside the network (, so they are telling that there’s “no internet connection”.
Maybe it’s not a resolution problem by pi hole itself. Maybe the DNS enquiry get lost somewhere (iptables). But I can not see any mistake and I have no idea how to find the error in my configuration.


The Pi-hole is working correctly. From that snippet of the debug log we can know the following:

A random domain from your list of domains to be blocked is returning when queried with localhost as the resolver:

dig 4e34b4865905c4.com @

That domain also returns when queried with the Pi-hole IP address as the resolver.

dig 4e34b4865905c4.com @

And finally a known domain is returning an external IP address when queried at Google’s DNS server.

dig doubleclick.com @

Those all were successful and returned expected IP addresses so the Pi-hole is functioning and is able to query itself internally and Google externally.

If you are running an open resolver and are allowing the world to use your Pi-hole, that is unsupported and unadvised and we will not be able to assist you with issues related to the firewall allowing that process to happen.

closed #5

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.