DNS not resolving, static IP, DHCP disabled, nslookup works

#1

Expected Behaviour:

Web sites should resolve and IPs should ping.

Actual Behaviour:

Destination Host Unreachable

Debug Token:

No token since no DNS, debug logs uploaded here.

This is a Raspberry Pi 2 B connected by Ethernet to an Arris DG3450A provided by RCN, Firewall Protection set to Low, DHCP is off, as I don’t see a way in the Arris to disable DHCP, only to specify an IP range for DHCP requests and no mention of rebind protection. Things I’ve tried, with a H/T to this thread:

  1. In /etc/hosts I put

    127.0.0.1 localhost
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    127.0.1.1 raspberrypi
    10.141.165.247 raspberrypio
    10.141.165.1 arrisatom.cable.rcn.com arrisatom

  2. nslookups resolve:

    nslookup pi-hole.net 10.141.165.247
    Server: 10.141.165.247
    Address: 10.141.165.247#53
    Non-authoritative answer:
    Name: pi-hole.net
    Address: 206.189.252.21

    pi@raspberrypi:~ $ nslookup flurry.com 10.141.165.247
    Server: 10.141.165.247
    Address: 10.141.165.247#53
    Name: flurry.com
    Address: 0.0.0.0

  3. pings fail:

    pi@raspberrypi:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

  4. dig resolves:

    dig pi-hole.net

    ; <<>> DiG 9.10.3-P4-Raspbian <<>> pi-hole.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6860
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pi-hole.net. IN A
    ;; ANSWER SECTION:
    pi-hole.net. 300 IN A 206.189.252.21
    ;; Query time: 18 msec
    ;; SERVER: 10.141.165.1#53(10.141.165.1)
    ;; WHEN: Fri Feb 22 03:44:47 GMT 2019
    ;; MSG SIZE rcvd: 56

    dig flurry.com

    ; <<>> DiG 9.10.3-P4-Raspbian <<>> flurry.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53230
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;flurry.com. IN A
    ;; ANSWER SECTION:
    flurry.com. 300 IN A 212.82.100.153
    flurry.com. 300 IN A 74.6.136.153
    flurry.com. 300 IN A 98.136.103.26
    ;; Query time: 19 msec
    ;; SERVER: 10.141.165.1#53(10.141.165.1)
    ;; WHEN: Fri Feb 22 03:45:46 GMT 2019
    ;; MSG SIZE rcvd: 87

    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 10.141.165.1#53 for domain 165.141.10.in-addr.arpa
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 10.141.165.1#53 for domain arrisatom.cable.rcn.com
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 10.141.165.1#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 1.0.0.1#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 1.1.1.1#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 4.2.2.2#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 4.2.2.1#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 208.67.220.220#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 208.67.222.222#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 8.8.4.4#53
    Feb 22 03:57:46 dnsmasq[5151]: using nameserver 8.8.8.8#53
    Feb 22 03:57:46 dnsmasq[5151]: read /etc/hosts - 7 addresses
    Feb 22 03:57:46 dnsmasq[5151]: read /etc/pihole/local.list - 2 addresses
    Feb 22 03:57:46 dnsmasq[5151]: read /etc/pihole/black.list - 0 addresses
    Feb 22 03:57:48 dnsmasq[5151]: read /etc/pihole/gravity.list - 112838 addresses
    Feb 22 03:58:00 dnsmasq[5151]: query[PTR] 220.220.67.208.in-addr.arpa from 127.0.0.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 10.141.165.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 1.0.0.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 1.1.1.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 4.2.2.2
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 4.2.2.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 208.67.220.220
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 208.67.222.222
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 8.8.4.4
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 220.220.67.208.in-addr.arpa to 8.8.8.8
    Feb 22 03:58:00 dnsmasq[5151]: reply 208.67.220.220 is resolver2.opendns.com
    Feb 22 03:58:00 dnsmasq[5151]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 1.0.0.1.in-addr.arpa to 10.141.165.1
    Feb 22 03:58:00 dnsmasq[5151]: reply 1.0.0.1 is one.one.one.one
    Feb 22 03:58:00 dnsmasq[5151]: query[PTR] 2.2.2.4.in-addr.arpa from 127.0.0.1
    Feb 22 03:58:00 dnsmasq[5151]: forwarded 2.2.2.4.in-addr.arpa to 10.141.165.1
    Feb 22 03:58:00 dnsmasq[5151]: reply 4.2.2.2 is b.resolvers.Level3.net
    Feb 22 04:00:00 dnsmasq[5151]: query[PTR] 220.220.67.208.in-addr.arpa from 127.0.0.1
    Feb 22 04:00:00 dnsmasq[5151]: cached 208.67.220.220 is resolver2.opendns.com
    Feb 22 04:00:00 dnsmasq[5151]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
    Feb 22 04:00:00 dnsmasq[5151]: cached 1.0.0.1 is one.one.one.one
    Feb 22 04:00:00 dnsmasq[5151]: query[PTR] 2.2.2.4.in-addr.arpa from 127.0.0.1
    Feb 22 04:00:00 dnsmasq[5151]: cached 4.2.2.2 is b.resolvers.Level3.net

syslog:
Feb 22 04:09:48 raspberrypi dhcpcd[463]: eth0: no IPv6 Routers available
Feb 22 04:10:01 raspberrypi CRON[5404]: (root) CMD ( PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Feb 22 04:10:55 raspberrypi systemd[1]: Started Session c7 of user pi.
Feb 22 04:11:25 raspberrypi dhcpcd[463]: eth0: carrier lost
Feb 22 04:11:25 raspberrypi kernel: [ 6547.486972] smsc95xx 1-1.1:1.0 eth0: link down
Feb 22 04:11:25 raspberrypi dhcpcd[463]: eth0: deleting address fe80::d52c:44e7:d90d:da4
Feb 22 04:11:25 raspberrypi dhcpcd[463]: eth0: deleting default route via 10.141.255.254
Feb 22 04:11:26 raspberrypi avahi-daemon[2590]: Withdrawing address record for fe80::d52c:44e7:d90d:da4 on eth0.
Feb 22 04:11:26 raspberrypi dhcpcd[463]: eth0: deleting route to 10.141.0.0/16
Feb 22 04:11:26 raspberrypi avahi-daemon[2590]: Leaving mDNS multicast group on interface eth0.IPv6 with address fe80::d52c:44e7:d90d:da4.
Feb 22 04:11:26 raspberrypi avahi-daemon[2590]: Interface eth0.IPv6 no longer relevant for mDNS.
Feb 22 04:11:26 raspberrypi avahi-daemon[2590]: Withdrawing address record for 10.141.165.247 on eth0.
Feb 22 04:11:26 raspberrypi avahi-daemon[2590]: Leaving mDNS multicast group on interface eth0.IPv4 with address 10.141.165.247.
Feb 22 04:11:26 raspberrypi avahi-daemon[2590]: Interface eth0.IPv4 no longer relevant for mDNS.
Feb 22 04:11:31 raspberrypi kernel: [ 6553.478728] smsc95xx 1-1.1:1.0 eth0: link up, 100Mbps, full-duplex, lpa 0xCDE1
Feb 22 04:11:31 raspberrypi dhcpcd[463]: eth0: carrier acquired
Feb 22 04:11:31 raspberrypi dhcpcd[463]: eth0: IAID eb:33:d3:d3
Feb 22 04:11:31 raspberrypi dhcpcd[463]: eth0: adding address fe80::d52c:44e7:d90d:da4
Feb 22 04:11:31 raspberrypi dhcpcd[463]: eth0: probing address 10.141.165.247/16
Feb 22 04:11:32 raspberrypi dhcpcd[463]: eth0: soliciting an IPv6 router
Feb 22 04:11:33 raspberrypi avahi-daemon[2590]: Joining mDNS multicast group on interface eth0.IPv6 with address fe80::d52c:44e7:d90d:da4.
Feb 22 04:11:33 raspberrypi avahi-daemon[2590]: New relevant interface eth0.IPv6 for mDNS.
Feb 22 04:11:33 raspberrypi avahi-daemon[2590]: Registering new address record for fe80::d52c:44e7:d90d:da4 on eth0.*.
Feb 22 04:11:36 raspberrypi dhcpcd[463]: eth0: using static address 10.141.165.247/16
Feb 22 04:11:36 raspberrypi avahi-daemon[2590]: Joining mDNS multicast group on interface eth0.IPv4 with address 10.141.165.247.
Feb 22 04:11:36 raspberrypi dhcpcd[463]: eth0: adding route to 10.141.0.0/16
Feb 22 04:11:36 raspberrypi avahi-daemon[2590]: New relevant interface eth0.IPv4 for mDNS.
Feb 22 04:11:36 raspberrypi dhcpcd[463]: eth0: adding default route via 10.141.255.254
Feb 22 04:11:36 raspberrypi avahi-daemon[2590]: Registering new address record for 10.141.165.247 on eth0.IPv4.
Feb 22 04:11:45 raspberrypi dhcpcd[463]: eth0: no IPv6 Routers available
Feb 22 04:17:01 raspberrypi CRON[5516]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 22 04:20:01 raspberrypi CRON[5530]: (root) CMD ( PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Feb 22 04:26:17 raspberrypi systemd-timesyncd[241]: Timed out waiting for reply from 108.61.56.35:123 (0.debian.pool.ntp.org).
Feb 22 04:26:28 raspberrypi systemd-timesyncd[241]: Timed out waiting for reply from 107.155.79.108:123 (0.debian.pool.ntp.org).
Feb 22 04:26:38 raspberrypi systemd-timesyncd[241]: Timed out waiting for reply from 184.105.182.15:123 (0.debian.pool.ntp.org).
Feb 22 04:26:48 raspberrypi systemd-timesyncd[241]: Timed out waiting for reply from 208.75.88.4:123 (0.debian.pool.ntp.org).

0 Likes

#2

Your debug log shows that the Pi cannot connect to the internet through the router:

 [i] Default IPv4 gateway: 10.141.255.254
    *Pinging 10.141.255.254...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)

and cannot connect to Google DNS via the router:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] ad.doubleclick.net.73498.9620.302br.net is 0.0.0.0 via localhost (127.0.0.1)
[✓] ad.doubleclick.net.73498.9620.302br.net is 0.0.0.0 via Pi-hole (10.141.165.247)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)

In the previous 24 hours, there have been 3 clients connected and quite a bit of DNS activity:

[2019-02-22 02:47:48.242 1587] Imported 39726 queries from the long-term database
[2019-02-22 02:47:48.244 1587]  -> Total DNS queries: 39726
[2019-02-22 02:47:48.244 1587]  -> Cached DNS queries: 106
[2019-02-22 02:47:48.245 1587]  -> Forwarded DNS queries: 33794
[2019-02-22 02:47:48.245 1587]  -> Exactly blocked DNS queries: 45
[2019-02-22 02:47:48.245 1587]  -> Unknown DNS queries: 5781
[2019-02-22 02:47:48.245 1587]  -> Unique domains: 301
[2019-02-22 02:47:48.245 1587]  -> Unique clients: 3
[2019-02-22 02:47:48.245 1587]  -> Known forward destinations: 4

This indicates a connection problem between the router and the Pi.

0 Likes

#3

Yes, how do I resolve the connection problem? Other devices, e.g., the Mac I’m typing this on, work just fine.

0 Likes

#4

Find out the IPs that the Pi has assigned with this command: ip a

Check that the IP subnet of /16 on the Pi matches the subnet of the rest of your network.

From the Pi terminal, see if you can ping the router or external domain (i.e. google.com).

0 Likes

#5

ip a: 10.141.165.247/16

ping 10.141.165.1 (which is the Arris cable modem)
PING 10.141.165.1 (10.141.165.1) 56(84) bytes of data.
64 bytes from 10.141.165.1: icmp_seq=1 ttl=64 time=3.80 ms

ping google.com
PING google.com (172.217.11.14) 56(84) bytes of data.
From raspberrypi (10.141.165.247) icmp_seq=1 Destination Host Unreachable

0 Likes

#6

I found my issue. I originally configured this at my university and the gateway was quite different when DHCP picked it up. So I matched the address space at home and forgot to check the GW, which I wasn’t aware was being used in /etc/dhcpd.conf even though I had switched to static IP.
route -ne
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.141.255.254 0.0.0.0 UG 0 0 0 eth0
10.141.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

My home GW was set to 10.141.255.1 :exploding_head:

So I tested blocking aol.com and it works!

However, I’ve blacklisted 8.8.8.8 and 8.8.4.4, to get around the issue of Chromecast’s hard coding those IPs as the default DNS.

ping aol.com
PING aol.com (0.0.0.0): 56 data bytes
ping: sendto: No route to host

:+1:

PING 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=123 time=17.811 ms

:-1:

So I believe I have to create a static route and have 8.8.8.8 forward to the gateway IP, which in my case is 10.141.165.1

So I ran:
sudo ip route add 8.8.8.8 via 10.141.165.1
sudo ip route add 8.8.4.4 via 10.141.165.1

And this:
ip route list
default via 10.141.165.1 dev eth0 src 10.141.165.247 metric 202
8.8.4.4 via 10.141.165.1 dev eth0
8.8.8.8 via 10.141.165.1 dev eth0

Alas:
ip route list
default via 10.141.165.1 dev eth0 src 10.141.165.247 metric 202
8.8.4.4 via 10.141.165.1 dev eth0
8.8.8.8 via 10.141.165.1 dev eth0

What’s off in my syntax?

0 Likes
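
The stale-gateway failure found in post #6, worked through as an added example (not code from the thread): a longest-prefix lookup over the posted `route -ne` table shows why the router at 10.141.165.1 answered pings while every external address failed, and the same lookup on a LAN client shows where its packets to 8.8.8.8 go. `CLIENT_ROUTES` is a constructed table for a typical DHCP client, and the function names are illustrative.

```python
import ipaddress

# Routing table as posted in #6 (`route -ne` on the Pi, stale gateway).
PI_ROUTES = """\
0.0.0.0 10.141.255.254 0.0.0.0 UG 0 0 0 eth0
10.141.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
"""

# Constructed table for an ordinary LAN client such as the Chromecast:
# the router is its default gateway (assumption, not from the thread).
CLIENT_ROUTES = """\
0.0.0.0 10.141.165.1 0.0.0.0 UG 0 0 0 wlan0
10.141.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
"""

def parse_routes(text):
    """Turn `route -ne` body lines into (network, gateway-or-None) pairs."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, flags = line.split()[:4]
        net = ipaddress.ip_network(f"{dest}/{mask}")
        # Only routes flagged G go through a gateway; the rest are on-link.
        routes.append((net, ipaddress.ip_address(gw) if "G" in flags else None))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the address the host must ARP for to reach dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None  # no route at all
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return str(gw if gw is not None else dst)

if __name__ == "__main__":
    pi, client = parse_routes(PI_ROUTES), parse_routes(CLIENT_ROUTES)
    # On-link /16 route wins: the router is reached directly, so ping works.
    print("pi -> 10.141.165.1 via", next_hop(pi, "10.141.165.1"))
    # Only the default route matches: the Pi ARPs for a gateway that is not
    # there and reports "Destination Host Unreachable" from its own address.
    print("pi -> 8.8.8.8 via", next_hop(pi, "8.8.8.8"))
    # The client hands 8.8.8.8 to the router; routes on the Pi never apply.
    print("client -> 8.8.8.8 via", next_hop(client, "8.8.8.8"))
```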

#7

This is not an effective strategy. You are blacklisting these domains in Pi-Hole, but if the Chromecast is hard coded to use Google DNS, the DNS from that device goes directly to Google and completely bypasses your Pi-Hole.

Adding static routes in the Pi is equally ineffective, as the Chromecast traffic won’t ever go to the Pi-Hole. Typically DNS redirection is done at the router level. The strategy is to block all outgoing DNS from devices other than the Pi-Hole, and redirect those requests to the Pi-Hole. Only the Pi-Hole can make DNS requests to the WAN.

0 Likes
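
The policy described in post #7, as an added check that is not from the thread: it audits the NAT rules of a router for a DNS redirect that exempts the Pi-hole and sends every other client's port 53 traffic to it. The Linux-based router, its `br0` LAN interface and the sample rules are assumptions constructed for illustration.

```python
import shlex

PIHOLE = "10.141.165.247"  # Pi-hole address used in the thread

# Constructed `iptables -t nat -S` output from a hypothetical Linux router
# whose LAN bridge is br0 (an assumption; the Arris exposes no such access).
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING ! -s 10.141.165.247/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.141.165.247:53
-A PREROUTING ! -s 10.141.165.247/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.141.165.247:53
-A POSTROUTING -d 10.141.165.247/32 -o br0 -p udp -m udp --dport 53 -j MASQUERADE
"""

def parse(line):
    """Map one -A rule to {option: value}; a negated option is keyed '!-s' etc."""
    rule, key, negate = {}, None, False
    for tok in shlex.split(line):
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            key = ("!" if negate else "") + tok
            rule[key], negate = "", False
        elif key:
            rule[key] = tok
    return rule

def host(value):
    """Strip a /32 mask or :port suffix so addresses compare directly."""
    return value.split("/")[0].split(":")[0]

def audit(rules_text, pihole=PIHOLE):
    """Return findings against 'only the Pi-hole may send DNS to the WAN'."""
    rules = [parse(l) for l in rules_text.splitlines() if l.startswith("-A ")]
    dns = [r for r in rules if r.get("--dport") == "53"]
    findings = []
    for proto in ("udp", "tcp"):
        mine = [r for r in dns if r.get("-p") == proto]
        redirected = any(r["-A"] == "PREROUTING" and r.get("-j") == "DNAT"
                         and host(r.get("--to-destination", "")) == pihole
                         and host(r.get("!-s", "")) == pihole for r in mine)
        # Clients share the Pi-hole's subnet, so replies must return via the router.
        hairpin = any(r["-A"] == "POSTROUTING" and host(r.get("-d", "")) == pihole
                      and r.get("-j") in ("MASQUERADE", "SNAT") for r in mine)
        if not redirected:
            findings.append(f"{proto}/53: client queries are not redirected to {pihole}")
        elif not hairpin:
            findings.append(f"{proto}/53: redirect has no source NAT, clients will drop the replies")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)) or "policy satisfied")
```

On the sample rules the audit reports the missing source NAT for TCP. With source NAT in place, the Pi-hole query log shows the router's address as the client for every redirected query.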

#8

Well the Arris cable modem does not have any access to route commands nor iptables. I did successfully point DNS from the Arris to pi-hole. However no luck on getting a static route there nor iptables, to work:

sudo iptables -L -n -t nat 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       udp  --  8.8.4.4              0.0.0.0/0            udp dpt:53 to:10.141.165.1
DNAT       udp  --  8.8.8.8              0.0.0.0/0            udp dpt:53 to:10.141.165.1
DNAT       udp  --  0.0.0.0/0            8.8.8.8              udp dpt:53 to:10.141.165.1
DNAT       udp  --  0.0.0.0/0            8.8.4.4              udp dpt:53 to:10.141.165.1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

And:
route -ne

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.141.165.1    0.0.0.0         UG        0 0          0 eth0
8.8.4.4         10.141.165.1    255.255.255.255 UGH       0 0          0 eth0
8.8.8.8         10.141.165.1    255.255.255.255 UGH       0 0          0 eth0
10.141.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0

I did get this tip to work, i.e., to block connectivitycheck.gstatic.com.

0 Likes

closed #9

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

0 Likes