DNS leak test providing unexpected results (OpenDNS)

Expected Behaviour:

Various DNS leak test sites show something other than OpenDNS for DNS resolver.

Actual Behaviour:

Regardless of which upstream DNS resolver I select, the results always come back the same from various DNS leak tests. All OpenDNS servers. I've tried Cloudflare, Quad9, Google. I've flushed DNS on the pihole, the actual pi, my router, the laptop, and the browser, was hoping that was the issue. I do see some entries in pihole -d referencing OpenDNS server IPs (208.67.222.222 / 220.220), but I'm not sure why those are showing up there. Am I missing a config somewhere? All devices on my LAN are set to use the pihole and nothing else for DNS. Pi is set to use itself for DNS and nothing else.

Debug Token:

[https://tricorder.pi-hole.net/ei03e49t8i]

What is the output of the following from the Pi terminal?

tail -n25 /var/log/pihole.log

Here ya go-

pi@raspberrypi:~ $ tail -n25 /var/log/pihole.log
Jul  1 22:01:20 dnsmasq[9841]: forwarded aeon.co to 149.112.112.112
Jul  1 22:01:20 dnsmasq[9841]: reply www.lrb.co.uk is <CNAME>
Jul  1 22:01:20 dnsmasq[9841]: reply prod.lrb.co.uk is <CNAME>
Jul  1 22:01:20 dnsmasq[9841]: reply platformsh.map.fastly.net is 151.101.66.133
Jul  1 22:01:20 dnsmasq[9841]: reply platformsh.map.fastly.net is 151.101.130.133
Jul  1 22:01:20 dnsmasq[9841]: reply platformsh.map.fastly.net is 151.101.194.133
Jul  1 22:01:20 dnsmasq[9841]: reply platformsh.map.fastly.net is 151.101.2.133
Jul  1 22:01:20 dnsmasq[9841]: reply aeon.co is 52.41.147.98
Jul  1 22:01:20 dnsmasq[9841]: reply aeon.co is 54.191.49.242
Jul  1 22:01:20 dnsmasq[9841]: reply aeon.co is 54.213.48.157
Jul  1 22:01:20 dnsmasq[9841]: query[A] platformsh.map.fastly.net from 192.168.1.233
Jul  1 22:01:20 dnsmasq[9841]: cached platformsh.map.fastly.net is 151.101.2.133
Jul  1 22:01:20 dnsmasq[9841]: cached platformsh.map.fastly.net is 151.101.194.133
Jul  1 22:01:20 dnsmasq[9841]: cached platformsh.map.fastly.net is 151.101.130.133
Jul  1 22:01:20 dnsmasq[9841]: cached platformsh.map.fastly.net is 151.101.66.133
Jul  1 22:01:20 dnsmasq[9841]: query[A] aeon.co from 192.168.1.233
Jul  1 22:01:20 dnsmasq[9841]: cached aeon.co is 54.213.48.157
Jul  1 22:01:20 dnsmasq[9841]: cached aeon.co is 54.191.49.242
Jul  1 22:01:20 dnsmasq[9841]: cached aeon.co is 52.41.147.98
Jul  1 22:01:20 dnsmasq[9841]: query[AAAA] platformsh.map.fastly.net from 192.168.1.233
Jul  1 22:01:20 dnsmasq[9841]: forwarded platformsh.map.fastly.net to  149.112.112.112
Jul  1 22:01:20 dnsmasq[9841]: query[AAAA] aeon.co from 192.168.1.233
Jul  1 22:01:20 dnsmasq[9841]: forwarded aeon.co to 149.112.112.112
Jul  1 22:01:20 dnsmasq[9841]: reply platformsh.map.fastly.net is NODATA-IPv6
Jul  1 22:01:20 dnsmasq[9841]: reply aeon.co is NODATA-IPv6

Results from a DNS Leak test site ran from 192.168.1.233

146.112.137.64 r1.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.65 r2.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.66 r3.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.67 r4.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.68 r5.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.69 r6.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.70 r7.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.71 r8.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.72 r9.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.73 r10.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States

DNS leak test results when ran from pi (192.168.1.100)

pi@raspberrypi:~ $ ./dnsleaktest.sh
Your IP: mycomcastIP [United States of America AS7922 COMCAST-7922]

You use 7 DNS servers:
146.112.137.64 [United States of America AS36692 OpenDNS]
146.112.137.66 [United States of America AS36692 OpenDNS]
146.112.137.67 [United States of America AS36692 OpenDNS]
146.112.137.68 [United States of America AS36692 OpenDNS]
146.112.137.71 [United States of America AS36692 OpenDNS]
146.112.137.72 [United States of America AS36692 OpenDNS]
146.112.137.73 [United States of America AS36692 OpenDNS]

Conclusion:
DNS may be leaking.

That's strange....pihole log shows requests being forwarded to the Quad9 DNS servers, but DNS leak test from the pi or from a laptop show OpenDNS. Weird.

DNS leak test is intended to show if your DNS service is outside your VPN service. I would believe the Pi-hole logs.

That makes sense, however even if I go to https://welcome.opendns.com/, that page also reports that I am using OpenDNS. Shouldn't that say I'm not? That's not a leak test site, that's legitimately to test if you're using OpenDNS servers.

Even their test phishing site works, which is specific to them I believe - http://www.internetbadguys.com/ . If I wasn't using them I'd expect that page to not be blocked.

If Pi-hole is not using OpenDNS, are there other avenues to OpenDNS on your network? Second DNS defined somewhere, extra software, etc?

Not that I know of. The pi running pihole definitely doesn't have anything running on it that would force traffic to OpenDNS, yet a DNS test directly from the pi (using itself for DNS) also shows the OpenDNS servers.

No matter what upstream resolver I set in pihole, every single DNS test comes back with the OpenDNS servers. It's funky.

Maybe just wipe it all away and reinstall....?

The problem is likely not in the Pi-hole. Check the router and clients.

Checked the router, ran a nslookup straight from an SSH session into the router. Only name server it has on record is the pi (192.168.1.100). Resolv.conf on the router and the pi only contain one entry - 192.168.1.100.

Ran the same DNS checks and welcome.opendns.com checks on 3 other LAN devices, all set to only have the pihole as their DNS server, all results the same. DNS checks show OpenDNS IPs, the OpenDNS test site says on all of them that I'm using OpenDNS, and the OpenDNS test block page is blocked on all of them saying it was blocked by OpenDNS.

I guess I could stop pointing to the pihole for DNS, point to my router, and set the router to use Quad9 for its DNS. I'll check that now.

Expected behavior if I do that would be that OpenDNS no longer appears in any DNS checks. If that is the behavior I see....wouldn't that indicate it's something going on with the pihole? That's the only other device serving any sort of DNS function.

Alrighty, took the pihole out of the equation. Set my PC to point to my router for DNS, set the router to point to Cloudflare for DNS. Results of the DNS test are below -

IP Hostname ISP Country
108.162.236.22 None Cloudflare Atlanta, United States

Set the laptop back to using pihole for DNS, router is still set to point to Cloudflare for DNS. DNS test results below, and once again the OpenDNS test site says I'm using them.

I mean at this point I don't know what else it would be except the pihole. I've confirmed I can access other DNS providers and get different results from the DNS test if I don't point to the pihole, but as soon as I switch back to the pihole everything shows up as OpenDNS again.

IP Hostname ISP Country
146.112.137.64 r1.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.65 r2.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.66 r3.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.67 r4.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.68 r5.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.69 r6.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.70 r7.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.71 r8.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.72 r9.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States
146.112.137.73 r10.compute.atl1.edc.strln.net. Cisco OpenDNS, LLC Atlanta, United States

I wonder what would happen if I just straight up blocked all traffic to OpenDNS at the router. In theory everything should be fine if the pihole isn't actually using OpenDNS. It's late, I'll pick this back up tomorrow morning with that as my first test. Really curious to see what happens, I really have no idea what to expect. Pihole logs seem to indicate DNS is going to someplace other than OpenDNS, but everything else seems to indicate OpenDNS is being used. I'll try the blocking test first thing in the AM and report back with an update.

Tail the Pi-hole logs and grep for forwarded to see where queries are being forwarded in real time. Run whatever tests you have been running and see if Pi-hole is actually forwarding the queries or if you have other configuration issues.

I'm not sure what that script is running or doing but it's not giving me accurate results.

dschaper@nanopi-r2s:~$ tail -f /var/log/pihole.log | grep forwarded
Jul  2 04:43:32 dnsmasq[3491]: forwarded 1.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:32 dnsmasq[3491]: forwarded 1.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 1.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 1.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 2.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 2.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 2.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 2.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 3.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 3.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 3.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 3.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 4.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 4.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 4.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 4.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 5.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 5.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:34 dnsmasq[3491]: forwarded 5.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:34 dnsmasq[3491]: forwarded 5.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:34 dnsmasq[3491]: forwarded 6.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:34 dnsmasq[3491]: forwarded 6.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:34 dnsmasq[3491]: forwarded 6.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:34 dnsmasq[3491]: forwarded 6.9044863.bash.ws.lan to 192.168.88.1
dschaper@nanopi-r2s:~$ bash dnsleaktest.sh
Your IP:
<redact>

You use 3 DNS servers:
66.185.114.242 [United States of America AS42 WOODYNET-1]
66.185.114.243 [United States of America AS42 WOODYNET-1]
66.185.114.244 [United States of America AS42 WOODYNET-1]

Conclusion:
DNS may be leaking.

You have conditional forwarding enabled, it's possible that the test script is sending .home queries that are going to your conditional server (the router?) and that is forwarding those queries out to its upstream. The router should see that local domain and not forward it out but it may just throw everything out.

Disable Conditional Forwarding and test some more, see if there's a difference.

Edit: That script uploads your private information to a remote server, just so you know.
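The "tail the log and grep for forwarded" advice above, and the conditional-forwarding hypothesis (local-suffix names escaping to the router), can be turned into a small check. This is an added example, not code from the thread or from the Pi-hole project; the log lines it reads are constructed, modelled on the ones posted above, and the allowed-upstream list and the ".lan" suffix are assumptions you would replace with your own settings.

```shell
#!/bin/sh
# Added example: summarise dnsmasq/Pi-hole "forwarded" lines and flag
#   1. forwards to an upstream that is not in the configured resolver list, and
#   2. local-suffix names (e.g. ".lan") being forwarded anywhere, which is the
#      path by which a conditional-forwarding target could leak queries.
# Constructed sample log (not a real capture); field layout follows pihole.log:
#   Mon  d HH:MM:SS dnsmasq[pid]: forwarded NAME to UPSTREAM
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jul  2 04:43:32 dnsmasq[3491]: query[A] 1.9044863.bash.ws from 192.168.88.10
Jul  2 04:43:32 dnsmasq[3491]: forwarded 1.9044863.bash.ws to 149.112.112.11
Jul  2 04:43:33 dnsmasq[3491]: forwarded 1.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:33 dnsmasq[3491]: forwarded 2.9044863.bash.ws to 9.9.9.9
Jul  2 04:43:33 dnsmasq[3491]: forwarded 2.9044863.bash.ws.lan to 192.168.88.1
Jul  2 04:43:34 dnsmasq[3491]: reply 2.9044863.bash.ws is 203.0.113.5
Jul  2 04:43:35 dnsmasq[3491]: forwarded example.org to 208.67.222.222
EOF

# Forwards per upstream, most frequent first, printed as "count upstream".
forward_counts() {
    grep ' forwarded ' "$1" | awk '{print $NF}' | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Upstreams that received forwards but are not in the allowed list
# ($1: space-separated resolvers configured in Pi-hole, $2: log file).
unexpected_upstreams() {
    grep ' forwarded ' "$2" | awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !($NF in seen) { print $NF }' | sort -u
}

# Forwarded names ending in a local suffix ($1), printed as "name upstream".
# With conditional forwarding these go to the router; they should never leave
# the LAN, so anything listed here deserves a look at the router's behaviour.
local_suffix_forwards() {
    grep ' forwarded ' "$2" | awk -v s="$1" '
        substr($(NF-2), length($(NF-2)) - length(s) + 1) == s { print $(NF-2), $NF }'
}

forward_counts "$SAMPLE_LOG"
unexpected_upstreams "149.112.112.11 9.9.9.9" "$SAMPLE_LOG"
local_suffix_forwards ".lan" "$SAMPLE_LOG"
```

Against a live box, point the functions at /var/log/pihole.log and put your real Quad9/Cloudflare addresses in the allowed list; any upstream reported by unexpected_upstreams is a forward Pi-hole itself made, so an empty result there plus leak-test results naming some other resolver points the search away from Pi-hole.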

Hi @DanSchaper, thanks for the input on this - it's got me stumped.

Implemented the change you suggested, disabled conditional forwarding to my router. Since that dnsleak.sh script seems to give unreliable results, I'll remove it from my troubleshooting steps.

Here's where I'm at now-

  • All LAN clients are pointing to pihole for DNS - 192.168.1.100
  • Pihole is pointing to Quad9 for upstream DNS resolvers.
  • resolv.conf config on pi only has one entry, itself - 192.168.1.100
  • Router is also pointing to Quad9 for DNS, although this shouldn't matter as in theory no DNS requests are going to it, all are going to the pihole.
  • I've blocked any TCP / UDP traffic to the OpenDNS anycast IPs - 208.67.222.222 and 208.67.220.220

I created a free OpenDNS account to show basic stats on DNS requests received from my network. It shows about 4000 requests from just this morning, so somehow my DNS is definitely going to OpenDNS. The request count dropped down to 0 after I implemented the block on my router.

Since implementing the blocking rule, I get a DNS resolution failure for any lookups initiated from either the pi or various devices on my LAN. As the pihole is set to use Quad9 for upstream DNS, it shouldn't matter that I'm blocking traffic to OpenDNS, unless it was actually forwarding traffic to OpenDNS somehow.

Here are the pi-hole logs from just now grepped for "forwarded". All the logs indicate that the pihole is forwarding to Quad9, but something must be hijacking that somewhere and instead sending to OpenDNS, or else my DNS would be working right? Any ideas on places I could look in the pi config where it may be somehow forcing DNS to OpenDNS IPs?

pihole logs
Jul 2 08:42:50 dnsmasq[16724]: forwarded encryption.a7.ciscospark.com to 9.9.9.9
Jul 2 08:42:50 dnsmasq[16724]: query[A] api.accounts.firefox.com from 192.168.1.233
Jul 2 08:42:50 dnsmasq[16724]: forwarded api.accounts.firefox.com to 149.112.112.112
Jul 2 08:42:50 dnsmasq[16724]: forwarded api.accounts.firefox.com to 9.9.9.9
Jul 2 08:42:50 dnsmasq[16724]: query[A] profile.accounts.firefox.com from 192.168.1.233
Jul 2 08:42:50 dnsmasq[16724]: forwarded profile.accounts.firefox.com to 149.112.112.112
Jul 2 08:42:50 dnsmasq[16724]: forwarded profile.accounts.firefox.com to 9.9.9.9
Jul 2 08:42:51 dnsmasq[16724]: query[A] clients4.google.com from 192.168.1.243
Jul 2 08:42:51 dnsmasq[16724]: forwarded clients4.google.com to 149.112.112.112
Jul 2 08:42:51 dnsmasq[16724]: forwarded clients4.google.com to 9.9.9.9

Some additional info - ran nslookup from my router CLI, below are the results. So it doesn't appear that the router is somehow redirecting traffic to OpenDNS, it sends all DNS to Quad9.

jruddy@RT-AC68U-B760:/tmp/home/root# nslookup google.com
Server: 9.9.9.9
Address 1: 9.9.9.9 dns9.quad9.net

Name: google.com
Address 1: 2607:f8b0:4002:807::200e atl14s77-in-x0e.1e100.net
Address 2: 108.177.122.102
Address 3: 108.177.122.139
Address 4: 108.177.122.100
Address 5: 108.177.122.101
Address 6: 108.177.122.113
Address 7: 108.177.122.138

But wait! It gets weirder. Much weirder. Now I'm really lost. I ran a tcpdump for port 53 and exported it into wireshark as a pcap. Not sure I can attach it, but I see all the DNS requests from inside my network going to the pi (192.168.1.100), and then the pi forwarding them on to Quad9 servers. I don't see a single DNS request go to the OpenDNS IPs from either the hosts on my network or from the pihole. All requests from the hosts go to the pihole, all forwards from the pihole go to the Quad9 IP addresses.

While running the dump I went to the OpenDNS verification site (welcome.opendns.com) and the test block page (internetbadguys.com), both confirmed I was using OpenDNS. Which makes absolutely no sense. Now I'm really stumped. Almost seems like OpenDNS is responding incorrectly? It says I'm using them, but just looking at the raw tcpdump I don't see any traffic going to them at all. Unless Quad9 is forwarding on over to OpenDNS....? That wouldn't make any sense.

Could someone else using Quad9 for upstream resolvers try going to the two OpenDNS test sites I listed above? Let me know what page you see?

I don't think Quad9 offers an account you can create to check DNS stats from your network, but I'm pretty sure Cloudflare does. I'll try switching over to them as the upstream for the pihole, run all the same tests / pcaps, and then check the Cloudflare account stats page. I should - in theory - see DNS requests going to Cloudflare from my IP address.

One other check I'll run is taking the pihole out of the picture again, pointing DNS to my router, and pointing my router to Quad9 / Cloudflare. If I see the same results from the OpenDNS test sites - confirming I'm using them - then I guess this is just some sort of weird issue on the OpenDNS side. I'll post an update once I get a chance to try out those steps.