DNS request timed out

I am trying to run a recursive DNS server via Pi-Hole on a Raspberry Pi 4B.

The server itself seems to be running fine, as I am able to access the server's admin page. I have ensured the only upstream DNS is 127.0.0.1#5335, so everything appears to be properly configured in that regard. I am also able to ping the server from my desktop.

However, it does not seem to be actually resolving DNS requests. When trying to set the server as my DNS on my desktop it fails to resolve and seemingly defaults back to the DNS provided by my ISP.

I tried using nslookup example.com 192.168.0.26 (my Pi-hole's IP) to manually force it to use Pi-hole, and it did recognize the server as pi.hole, but the DNS requests ultimately always time out.

nslookup works for any other DNS server I tried, like Cloudflare or Google.

Interestingly enough, I can still see these requests (among some others, likely from when I tried setting Pi-hole as my actual DNS) coming through from my desktop's IP on the Query Log for Pi-hole.

My router is set to use DNS servers provided by my ISP, and I am unable to change them. However, if I manually change my DNS to any major DNS provider (say 1.1.1.1 or 8.8.8.8) through my desktop's network settings, it appears to actually use that DNS and override what my ISP provides. In other words, I can get other DNS providers to work but not Pi-hole.

Debug Token:

https://tricorder.pi-hole.net/oKErA9qb/

This may be a Debian 11 issue:

  1. Edit file /etc/resolvconf.conf and comment out the last line which should then read:

#unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  2. Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  3. Restart unbound:

sudo service unbound restart

This appears to have fixed the issue with it timing out, thanks! And I do get seemingly proper query logs on my server's admin page when browsing the internet.

However, it doesn't appear that Pi-hole is actually blocking any ads. I've tried disabling IPv6, changing DNS settings in my browser, and even uninstalled unbound and tried cloudflared for DoH in hopes it'd be a workaround.

It also doesn't appear to yield proper results in DNS leak test sites. It defaults back to the DNS server my ISP provides, or if I set an alternative (like 8.8.8.8) it'll go to that. The results with tests have been a bit finicky, since messing around with toggling IPv6 or DoH on my desktop changes whether my ISP's servers or public servers show up, even if my specified DNS servers are left the same in my network settings.

My guess is that this is some kind of restriction put in place by my ISP, but again, it is quite strange how, at least based on results I've gotten from DNS leak testing sites, with certain settings I can in fact override my ISP's servers and only get query resolves from public DNS servers I specify (such as Cloudflare or Google).

Your router's DHCP server is not handing out Pi-hole as DNS server, but rather Spectrum's public DNS resolvers:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 548 bytes from wlan0:192.168.0.1
     Offered IP address: 192.168.0.26
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.0.1
      dns-server: 71.10.216.1
      dns-server: 71.10.216.2
      --- end of options ---

Pi-hole has to be the sole DNS server in your network.
Currently, none of your client devices would use Pi-hole, unless a device has been manually configured to do so.

From a client that you'd expect to use Pi-hole for DNS, what's the output of:

nslookup pi.hole
nslookup flurry.com
nslookup flurry.com 192.168.0.26

Hello. It turns out I in fact was able to change the DNS settings on my router (after figuring out how to get around an apparent router firmware bug that initially prevented it) and get them set to the following:
image

As a side note, I have changed my Pi-hole's IP to 192.168.0.21. I have also disabled IPv6 on both my client and my Pi, and at the moment I am not using cloudflared or unbound. I'm simply trying to get Pi-hole to work.

All of those nslookup results you requested (which I sent from my desktop client) resolve with pi.hole, as shown below:

image

However, I am still getting ads.

My Pi-hole shows queries on the admin page, so I know it's at least receiving them.

I created another debug log and checked the portion you were referencing above, and it shows my Pi's DNS now (along with Google, as expected), and zero DNS servers of my ISP. I'm not really sure what the issue is. Here's the token:

https://tricorder.pi-hole.net/tzNhWdez/

I would also like to add that DNS leak test sites were still showing my ISP for a few results UNTIL I manually went into my network configuration and set it to match the DNS servers I had set on my router, like so:

That seemed to do the trick, however.. the test results show Google and not Cloudflare (which is what I have set as my upstream provider for my Pi), so it's as though the Pi-hole server is still failing to resolve and falling back on Google as shown:

Your router is using Google DNS server.

You added Google's DNS servers as your secondary and tertiary DNS servers.

Your router will use ALL DNS servers at the same time. It will bypass pi-hole, even if pi-hole is online.

All of those nslookups look fine - they show that your Pi-hole is accessible from your client via its IP, that indeed Pi-hole has been used, at least for those requests, and that Pi-hole is blocking as expected.

But rdwebdesign is right:
Your router is still distributing public DNS servers (besides Pi-hole):

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 548 bytes from wlan0:192.168.0.1
     Offered IP address: 192.168.0.21
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.0.1
      dns-server: 192.168.0.21
      dns-server: 8.8.8.8
      dns-server: 8.8.4.4
      --- end of options ---

As mentioned before:

Any alternate DNS server, and clients will choose to bypass Pi-hole via those alternates (i.e. 8.8.8.8 and 8.8.4.4 in your case) at their own discretion.
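The two debug excerpts above both come down to the same check: does the DHCPOFFER list anything other than Pi-hole as dns-server? Below is an added sh/awk audit (not Pi-hole's own code, and not posted by anyone in this thread) that reads the "Discovering active DHCP servers" section of a pihole -d debug log from stdin and flags every dns-server option that is not the Pi-hole address. The Pi-hole address is passed as an argument; the sample input is constructed from the offer quoted above.

```shell
#!/bin/sh
# Added example: audit DHCP offers for DNS servers that would let clients bypass Pi-hole.
# Input: the "Discovering active DHCP servers" section of `pihole -d` output on stdin.
# Usage: pihole -d 2>/dev/null | audit_dhcp_dns 192.168.0.21   (or feed a saved log)

# Prints one line per dns-server option and returns:
#   0 = only the Pi-hole address is offered
#   1 = at least one other resolver is offered (clients may bypass Pi-hole)
#   2 = no dns-server option was seen in any offer
audit_dhcp_dns() {
  pihole_ip="$1"
  awk -v pihole="$pihole_ip" '
    # Remember which DHCP server the current offer came from (last field of the line)
    /Received .* from / { src = $NF }
    /dns-server:/ {
      seen++
      if ($2 == pihole) print "ok      " $2 " (offered by " src ")"
      else { bad++; print "BYPASS  " $2 " (offered by " src ")" }
    }
    END {
      if (seen == 0) { print "no dns-server options found"; exit 2 }
      if (bad > 0) exit 1
      exit 0
    }'
}

# Constructed sample, copied from the DHCPOFFER quoted in this thread
SAMPLE_OFFER='*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers

   * Received 548 bytes from wlan0:192.168.0.1
     Offered IP address: 192.168.0.21
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.0.1
      dns-server: 192.168.0.21
      dns-server: 8.8.8.8
      dns-server: 8.8.4.4
      --- end of options ---'

if printf '%s\n' "$SAMPLE_OFFER" | audit_dhcp_dns 192.168.0.21; then
  echo "clean: clients are only offered Pi-hole"
else
  echo "not clean: some offered resolver is not Pi-hole, or no offer was seen"
fi
```

Run against the sample, the two Google entries are reported as BYPASS and the function returns 1; a router that hands out only 192.168.0.21 returns 0. The same check applies after moving DHCP to Pi-hole: if the router's DHCP is really off, only one offer (from the Pi-hole) should appear in the section.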

Hey, sorry for the late reply.

I did set Pi-hole as the sole DNS server in my network via my router configuration, and it still failed to work.

I have a router/modem combo and I believe my ISP is forcing certain requests through their servers. I am looking into getting a better setup, as what I have now is outdated on top of having buggy firmware. Thank you for all the help, it will make my next set up easy!

Your router screenshot above looks like you could delete the secondary and tertiary servers from your settings and just have the Pi-hole as the primary. Are you able to do that, or does leaving them blank cause them to become auto-populated with Google or Spectrum's servers again? Is that what you mean when you say your ISP forces requests through their servers?

If so, what happens if you put the Pi-hole's IP in there for all three addresses? If it accepts that as valid settings then it might work around the problem and fix things for you.

Alternatively, even if you can't change the router's DNS easily, are you able to turn off the router's DHCP server?

If so, you could try using your Pi-hole for DHCP instead. You would turn off the router's DHCP and turn on the Pi-hole's DHCP in Settings > DHCP. Put in the same ranges as the ones your router was using, and put in your router's own IP address for the Router address.

Then ensure your devices are using DHCP and disconnect and reconnect to the network. Instead of the router answering them and giving them the enforced DNS, now your Pi-hole will answer them instead and ensure they're all using Pi-hole for their DNS.

The router will still be sitting there with its enforced DNS but now it's lonely with nothing using it.

It does not allow me to leave any servers blank. In order to change them without getting an error I actually had to do something strange where I changed the third one first, then the first, then the second. I looked into it and apparently it's an actual firmware bug with my router that makes setting DNS servers very finicky.

I was able to put Pi-hole's IP for all 3 and did try that earlier, unfortunately it didn't work. I was still getting DNS leaks that showed my ISP's servers.

I turned off my router's DHCP server and used Pi-hole instead but that didn't work either. Really tricky to narrow down what the issue is. I suspect it may be related to IPv6 queries. When I turn off IPv6 on my desktop (the client from which I test everything) I can get it so DNS leak test sites don't show my ISP's servers anymore, making it appear it's working. Yet Pi-hole still doesn't work. I wish I were more knowledgeable on all this as it seems the issue is very elusive.

When you run a local recursive resolver, your home IP is shown as the DNS server. Some sites report that as the ISP DNS server.

The primary issue here is that your router was/is acting as the DHCP server and giving out multiple addresses as DNS servers. You either have to make it give out just your Pi-hole IP or stop using it for DHCP.

Try that hack of using the Pi-hole IP for all three servers once again (it may have worked after all, see below) or try turning off the router's DHCP entirely and using Pi-hole for DHCP as per the earlier reply. Once that's done make sure your devices are using DHCP and reconnect them to your network so that they get the correct Pi-hole address.

DNS Leak Test is useful but needs careful interpretation of the results. An Extended test asks your browser to resolve 6 unique and random subdomains of dnsleaktest.com, 6 times over. If you were just sending those to Google's 8.8.8.8 you will still end up with multiple Google IP addresses resolving these queries because of how Google's 8.8.8.8 handles requests. DNS Leak Test will show a big table of servers in the results. The point is that you will see them labelled as Google, which matches your use of just Google for the test.

If you are using Unbound on your network, and if you have fixed the primary issue at the start, then from DNS Leak Test's perspective all it can see is your public IP, and it will dutifully report that as the address of the resolver and show your ISP's name, since they own your public address. I would not expect to see your ISP's actual DNS servers. I would expect to see the results be 1 server found for each of the 6 tries, and your public IP as the only entry in the table.

You can try this and watch the results in real time to see what's happening in Pi-hole.

Open a terminal on your Pi-hole and enter:

sudo tail -n0 -f /var/log/pihole/pihole.log | grep -E "forwarded.*test\.dnsleaktest\.com"

Go to DNS Leak Test. Make a note of your public IP which is shown to you before the tests.

Start an Extended test. You should see these appear in your Pi-hole terminal and you should see that they are all being forwarded to 127.0.0.1#5335 to be resolved.

At the end of the test DNS Leak Test should be showing you just your own IP as the DNS server. If so then everything is working. If you see more IPs then your router is still interfering in some way and the primary problem is not fixed. In that case it would be useful to make a note of the companies and IPs shown, e.g. Google, your ISP, so you can track down where they are getting involved.
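Watching the tail output by eye works for a handful of probes, but it is easy to miss one line going elsewhere. The sh/awk function below is an added example (not Pi-hole's own code, and not posted in this thread) that reads pihole.log lines from stdin, counts where each dnsleaktest.com probe was forwarded, and returns non-zero if any probe went to an upstream other than the one you expect (127.0.0.1#5335 for unbound). The log lines in the sample are constructed in dnsmasq's format; one of them deliberately goes to 8.8.8.8 to show a leak being caught.

```shell
#!/bin/sh
# Added example: summarise where Pi-hole forwarded the dnsleaktest.com probes.
# Input: pihole.log lines on stdin, e.g.
#   tail -n0 -f /var/log/pihole/pihole.log | audit_forwards 127.0.0.1#5335
# during an Extended test (Ctrl-C ends the tail), or a saved copy of the log.

# Prints a count per upstream and returns:
#   0 = every probe went to the expected upstream
#   1 = at least one probe was forwarded elsewhere (something else resolves for you)
#   2 = no dnsleaktest probes were seen at all
audit_forwards() {
  expected="$1"
  awk -v want="$expected" '
    # dnsmasq logs "forwarded <name> to <upstream>"; the upstream is the last field
    $0 ~ /forwarded .*test\.dnsleaktest\.com to / {
      upstream = $NF
      count[upstream]++
      total++
    }
    END {
      if (total == 0) { print "no dnsleaktest probes forwarded"; exit 2 }
      bad = 0
      for (u in count) {
        if (u == want) flag = "ok    "; else { flag = "LEAK  "; bad += count[u] }
        printf "%s %4d forwarded to %s\n", flag, count[u], u
      }
      printf "%d of %d probes went to %s\n", total - bad, total, want
      if (bad > 0) exit 1
      exit 0
    }'
}

# Constructed sample log lines (dnsmasq format as written to pihole.log)
SAMPLE_LOG='Mar  4 10:11:12 dnsmasq[514]: query[A] 1a2b3c.test.dnsleaktest.com from 192.168.0.50
Mar  4 10:11:12 dnsmasq[514]: forwarded 1a2b3c.test.dnsleaktest.com to 127.0.0.1#5335
Mar  4 10:11:12 dnsmasq[514]: forwarded 4d5e6f.test.dnsleaktest.com to 127.0.0.1#5335
Mar  4 10:11:13 dnsmasq[514]: forwarded 7a8b9c.test.dnsleaktest.com to 8.8.8.8
Mar  4 10:11:13 dnsmasq[514]: reply 1a2b3c.test.dnsleaktest.com is 203.0.113.7'

if printf '%s\n' "$SAMPLE_LOG" | audit_forwards '127.0.0.1#5335'; then
  echo "all probes resolved through the expected upstream"
else
  echo "some probe was forwarded elsewhere, or none were seen"
fi
```

Note that this only sees queries that reached Pi-hole. A probe that never shows up here at all, while DNS Leak Test still lists a resolver, means the client sent it somewhere else entirely (a second DHCP-advertised server, an IPv6 resolver from the router, or a browser's own DoH), which is the bypass case the earlier replies describe.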

Thanks for the reply. I have been changing my approach in trying to resolve this so some of what you're seeing in above posts doesn't reflect what I'm actually doing at the moment.

I'll clarify my exact setup (and issues).

I have set all 3 DNS servers on my Router to that of my Pi-hole (the IP is now 192.168.0.23).

I have disabled DHCP on my router and enabled it on Pi-hole (using the same IP range).

For now I have just set Cloudflare as my upstream DNS. Note that I HAVE to enable IPv6 for this or my ISP's DNS servers will show on dnsleaktest.com.

When I use dnsleaktest.com and use the command you posted above, I get this for example:

The IP it's forwarding to is the IPv6 of Cloudflare (my upstream DNS for now), so it's an expected result, although it seems it is exclusively resolving IPv6, not IPv4.

My ISP's DNS servers do not show up at all, suggesting it's working correctly. In fact no DNS leak sites show my ISP with my current setup, giving the illusion there is no issue.

Sadly it still doesn't work for blocking ads, but I've potentially narrowed down the issue.

I have manually set my IPv4/IPv6 DNS in my Pi-hole under /etc/dhcpcd.conf to the following settings:

interface wlan0
        static ip_address=192.168.0.23/24
        static routers=192.168.0.1
        static domain_name_servers=192.168.0.23 2600:6c52:7d7f:7672:4ffe:11d1:72e9:980b

If I go to /etc/resolv.conf in my Pi-hole I see this:
image

The first 2 nameservers are exactly what I'd expect and are correct, they are the IPv4/IPv6 of my Pi-hole respectively.

However, the last 2 boxed in red are automatically added, and are in fact DNS servers of my ISP. I've been trying to stop them from being automatically added, but to no avail. Not entirely sure what the proper steps are.

I'd advise against setting static IPv6 addresses manually, unless you know what you are dealing with, or you may mess up your routing, and end up with an invalid or even false IPv6 address.

It is your router that absolutely MUST be configured to advertise and offer Pi-hole's IPv6 DNS server address, or not to advertise any IPv6 DNS server at all.
EDIT: As an ultimate measure, you could consider disabling IPv6 support on your router altogether, provided you do not depend on IPv6.

A router that cannot be configured either way will likely advertise its own IPv6 address as DNS server, or those assigned by an ISP (as in your case), allowing clients to completely bypass Pi-hole via IPv6 at their own discretion.

Adding Pi-hole's IPv6 support into that mix would have no effect on your router. It would just lower the probability of IPv6 clients using your router instead of Pi-hole's IPv6 address.

Your answer explains exactly what I suspected, and I will keep that in mind regarding setting a static IPv6. At this point I've just been trying to see what configurations create what results.

Unfortunately my router does not allow me to configure it to advertise Pi-Hole's IPv6 DNS, and so it is simply providing ones assigned by my ISP.

I was hoping there was some way to override this on my Pi-hole. I was looking into disabling SLAAC but had no luck. Unfortunately the issues I've run into exceed most of my knowledge, so I feel I'll wind up causing more problems than solutions.
