DNS Resolution works on all devices except a MacBook

I've searched for answers and looked through the FAQ. I have pi-hole set up as a docker container on an RPi3. Every device on my LAN (phones, smart speakers, etc.) seems to work fine, except my macbook cannot resolve anything.

On the macbook, I tried setting the network connection to use the DNS server that the router's DHCP tells it, and I also tried setting the network connection to use the pi-hole DNS server directly. Neither works. I did the necessary sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder as well.

One peculiar thing I noticed is that, at least on the macbook, the router is returning itself as the DNS server, though I think this is a separate problem since the name lookup failures still occur when I set the DNS server manually on the macbook to the RPi's address.

The RPi is 192.168.0.10 and the router is 192.168.0.1.

Expected Behaviour:

DNS lookups occur on all devices on the LAN.

Actual Behaviour:

DNS lookups succeed on all devices except a macbook. nslookup on the macbook works and shows the right DNS server, but ping does not resolve IPs, nor do browsers.

$ ping www.reddit.com
ping: cannot resolve www.reddit.com: Unknown host
$ nslookup -q=AAAA www.reddit.com
Server:         192.168.0.10
Address:        192.168.0.10#53

Non-authoritative answer:
www.reddit.com  canonical name = reddit.map.fastly.net.

Authoritative answers can be found from:
fastly.net
        origin = ns1.fastly.net
        mail addr = hostmaster.fastly.com
        serial = 2017052201
        refresh = 3600
        retry = 600
        expire = 604800
        minimum = 30

Debug Token:

https://tricorder.pi-hole.net/JR0NFTdK/

Docker Compose

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # DNS Ports
      - "53:53/tcp"
      - "53:53/udp"
      # Default HTTP Port
      - "8080:80/tcp"
      # Default HTTPs Port. FTL will generate a self-signed certificate
      - "8443:443/tcp"
    environment:
      TZ: 'America/Los_Angeles'
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      FTLCONF_webserver_api_password: 'password'
      FTLCONF_dns_listeningMode: 'all'
    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - './etc-pihole:/etc/pihole'
    cap_add:
      - SYS_NICE
    restart: unless-stopped

Router Setup

This means Pi-hole is working as expected and the macbook is using Pi-hole as DNS server.

Can you try to disable Local Network in Privacy & security settings on your Mac?

I'm not a macOS user, but I remember other issues where users had to turn off this option for each browser.

Thanks for your reply. If I'm understanding you right, there's no way to disable "Local Network" in "Privacy and Security" - it's a group rather than an individual setting. What that setting does is allow individual apps to access other addresses on the LAN. For instance, if I disable it for Firefox, I wouldn't be able to access the pi-hole UI at 192.68.0.10:8080. There's no setting for ping/terminal exes.

This means Pi-hole is working as expected and the macbook is using Pi-hole as DNS server.

My understanding is that nslookup makes a direct socket connection to the DNS server, but everything else, like ping, uses the DNS API/cache.

That got me looking at the DNS logs though. On the macbook while manually configured to the pihole DNS, I see these errors when I try $ ping www.reddit.com

default	16:39:40.192209-0700	mDNSResponder	[C125802.1 Hostname#ac544bd7:443 failed proxy (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] event: proxy:children_failed @0.015s
error	16:39:40.193094-0700	mDNSResponder	[Q40659] Querier session event -- type: terminated, error: -6753/0xFFFFE59F kConnectionErr
default	16:39:40.193181-0700	mDNSResponder	[C125802 Hostname#ac544bd7:443 tcp, url hash: a4c6fed5, fast-open, definite, attribution: developer] cancelled
default	16:39:40.199990-0700	networkserviceproxy	Received error (-65554) from mDNSResponder (com.apple.mDNSResponder) for SingleHop agent on interface en0

So it looks like maybe the DNS service on macOS is throwing an error after querying pihole.
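The split described in this reply (nslookup talks to the server directly, while ping and browsers go through the OS resolver) can be checked with a small script. The following Python is an added example, not code from the thread or from the Pi-hole project: it sends a raw UDP A query to the Pi-hole address and compares the result with what socket.getaddrinfo returns via the system resolver path. The server 192.168.0.10, the name www.reddit.com and the CNAME target reddit.map.fastly.net come from the thread; the embedded response bytes are constructed for offline checking, and 198.51.100.7 in them is a documentation-range placeholder, not the real record.

```python
import random
import socket
import struct
import sys


def encode_name(name):
    """Encode a hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a single-question, recursion-desired DNS query; qtype 1 = A."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Return (rcode, [(owner, rtype, value), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            value = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype == 5:  # CNAME; target may use compression
            value, _ = read_name(data, offset)
        else:
            value = data[offset:offset + rdlen].hex()
        answers.append((owner, rtype, value))
        offset += rdlen
    return flags & 0x0F, answers


def direct_query(server, name, timeout=2.0):
    """Ask the server directly over UDP/53, as nslookup does, bypassing the OS resolver."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def system_resolve(name):
    """Resolve through the OS resolver path (what ping and browsers use); None on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return None


def classify(direct_ok, system_ok):
    """Name where the failure lies given the outcomes of the two probes."""
    if direct_ok and system_ok:
        return "ok"
    if direct_ok:
        return "resolver-path"  # server answers, OS path does not: the symptom in this thread
    if system_ok:
        return "server"  # OS path answers by some other route, the server itself does not
    return "both"


def constructed_response():
    """Hand-built reply to an A query for www.reddit.com, for offline checks only.
    The CNAME target matches the thread; 198.51.100.7 is a placeholder address."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.reddit.com") + struct.pack(">HH", 1, 1)
    cname = b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 300, 23) + encode_name("reddit.map.fastly.net")
    a_rec = b"\xc0\x2c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7])
    return header + question + cname + a_rec


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "www.reddit.com"
    server = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.10"  # Pi-hole address from the thread
    try:
        rcode, answers = direct_query(server, name)
        direct_ok = rcode == 0 and any(rtype == 1 for _, rtype, _ in answers)
    except (OSError, ValueError) as exc:
        rcode, answers, direct_ok = None, [], False
        print(f"direct query to {server} failed: {exc}")
    system = system_resolve(name)
    print("direct :", rcode, answers)
    print("system :", system)
    print("verdict:", classify(direct_ok, system is not None))
```

Run it as python3 dns_split_check.py www.reddit.com 192.168.0.10 on the affected machine; a "resolver-path" verdict means Pi-hole answered the raw query but the OS resolver did not, which points at something between the application and the configured server (the local resolver daemon, a relay or encrypted-DNS profile) rather than at Pi-hole itself.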

I think I figured it out. I kept seeing references to Apple Private Relay in the DNS logs on the macbook. I think it acts like dnsmasq. I turned it off and now pihole DNS lookups work on the macbook!

