DNS stops resolving very quickly after enabling pi-hole

The issue I am facing:

I have set up pi-hole on a raspberry pi 4 model b. No issues with installation. It has the local IP address 192.168.1.15. I have updated the router to ensure that the pi will always get this IP address. I then update the settings in router to use that IP address as the DNS address. Symptoms I get are as follows:

  1. Pi-Hole will work immediately, but for a very short period of time (maybe 1-2 minutes at best).
  2. Pi-Hole will then stop resolving DNS, and all of my devices on network will stop working as they can't resolve addresses.
  3. Pi-Hole will sometimes show an error that the Maximum number of concurrent dns queries has been reached. Other times it won't show any errors.

I have no way of resolving this without removing the pi-hole IP address from router's DNS settings.

Note 1: for upstream DNS I use a smart DNS provider, but I have tested with Google's and it's the same behaviour regardless.
Note 2: I set up Pi-Hole in an AWS free-tier instance before I got my hands on a pi, and it has worked with no issues. The configuration/setup/options I can see look to be identical between the version running in AWS and the version running on the Pi (apart from the IP address, obviously), but one works perfectly and the other doesn't.

Details about my system:

I have a raspberry pi 4, model b - runs Raspberry Pi OS. Simple install, followed all of the default settings.
I have the pi set up to connect using wifi for now (will move to ethernet once it's fully set up - the router is awkward to get to, so it's easier to use wifi while setting up).
I am with Vodafone Ireland, using a Gigabox router. I have previously had smart DNS (and prior to that Google's DNS or 1.1.1.1) on that router with no issues.

What I have changed since installing Pi-hole:

Nothing, this issue appeared immediately after enabling pi-hole by updating the DNS settings on router.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Hey,
If I have the pi-hole IP set up in DNS, then I can't upload the debug log (Error message: curl: (6) Could not resolve host: tricorder.pi-hole.net). I can't manually upload it either.

If I set the IP address to be something other than pi-hole then it will upload fine, but is that correct then (as pi-hole is not being used then)?

I have a copy of the debug log from when pi-hole was set in DNS stored locally, what's best next step?

Do this.

Done: https://tricorder.pi-hole.net/yWbwYBOo/

(thanks in advance)

The only problem I see in your debug log that could be related to this problem is:

   Aug 29 14:32:46 dnsmasq[716]: query[PTR] 109.117.78.109.in-addr.arpa from 127.0.0.1
   Aug 29 14:32:46 dnsmasq[716]: config error is REFUSED (EDE: network error)
   Aug 29 14:32:46 dnsmasq[716]: query[PTR] 109.117.78.109.in-addr.arpa from 127.0.0.1
   Aug 29 14:32:46 dnsmasq[716]: config error is REFUSED (EDE: network error)

There are no related diagnostic messages.

There is a possibility that the Pi is losing WiFi connection to your network.

I do note that your DHCP server is not passing out the IP of Pi-hole for DNS:

     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
         lease-time: 86400 ( 1d )
      netmask: 255.255.255.0
         router: 192.168.1.1
      dns-server: 192.168.1.1
      dns-server: 5<redacted>4
      hostname: "VFIEVOX3.Router"
      renewal-time: 43200 ( 12h )
      rebinding-time: 75600 ( 21h )
      --- end of options ---
    
   DHCP packets received on interface wlan0: 1
   DHCP packets received on interface eth0: 0
   DHCP packets received on interface lo: 0

Pi-hole is at this IP: wlan0 (192.168.1.15)

Hey,

I re-installed PiHole and moved the pi to connect via ethernet. Same behaviour. Debug log is: https://tricorder.pi-hole.net/FQfWp85t/

The error log showed a load of these messages:

   2022-09-04 20:36:28  DNSMASQ_WARN  Warning in dnsmasq core: Maximum number of concurrent DNS queries reached (max: 150)

Appreciate any pointers

Run from your Pi-hole machine, what's the output of the following commands:

curl ifconfig.me; echo
echo ">stats >quit" | nc localhost 4711
echo ">top-clients >quit" | nc localhost 4711

Hey, the 3 outputs are as follows:
paul@raspberrypi:~ $ curl ifconfig.me; echo

5<redacted>4

paul@raspberrypi:~ $ echo ">stats >quit" | nc localhost 4711

domains_being_blocked 137497
dns_queries_today 9602
ads_blocked_today 90
ads_percentage_today 0.937305
unique_domains 364
queries_forwarded 6424
queries_cached 106
clients_ever_seen 12
unique_clients 12
dns_queries_all_types 9602
reply_UNKNOWN 6690
reply_NODATA 66
reply_NXDOMAIN 64
reply_CNAME 154
reply_IP 126
reply_DOMAIN 26
reply_RRNAME 4
reply_SERVFAIL 0
reply_REFUSED 2472
reply_NOTIMP 0
reply_OTHER 0
reply_DNSSEC 0
reply_NONE 0
reply_BLOB 0
dns_queries_all_replies 9602
privacy_level 0
status enabled

paul@raspberrypi:~ $ echo ">top-clients >quit" | nc localhost 4711

0 4936 5<redacted>4
1 2589 192.168.1.2 LGwebOSTV.station
2 925 109.78.8.9
3 351 192.168.1.11
4 268 192.168.1.5
5 241 192.168.1.8 amazon-a58cbe7fc.station
6 118 192.168.1.7 Pixel-6.station
7 107 127.0.0.1 localhost
8 64 192.168.1.3 XBOX.station
9 1 192.168.1.19 pi.hole

Thanks.

Your Pi-hole is open to public DNS requests via your public IP.
(I have redacted that from your above output.)

You are running an open resolver, which poses a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

Your observation of Pi-hole being unresponsive as well as the REFUSED error codes may be attributable to some misuse already happening (edit: at least one client 109.78.8.9 is not from your internal network, accounting for the second highest number of DNS requests).

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.
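As an added example (not from this thread or the Pi-hole project), a small Python parser that automates the check the reply above does by eye: it reads the two FTL telnet outputs posted earlier, flags clients that fall outside RFC 1918 / loopback / link-local ranges, and computes the share of REFUSED replies. The sample data is constructed; the public addresses are documentation placeholders, not the poster's IP.

```python
import ipaddress

# Constructed sample of `echo ">top-clients >quit" | nc localhost 4711` output,
# modelled on the thread; 203.0.113.4 and 198.51.100.9 are placeholder public IPs.
SAMPLE_TOP_CLIENTS = """\
0 4936 203.0.113.4
1 2589 192.168.1.2 LGwebOSTV.station
2 925 198.51.100.9
3 351 192.168.1.11
7 107 127.0.0.1 localhost
9 1 192.168.1.19 pi.hole
"""

# Constructed excerpt of `echo ">stats >quit" | nc localhost 4711` output.
SAMPLE_STATS = """\
dns_queries_today 9602
reply_REFUSED 2472
dns_queries_all_replies 9602
status enabled
"""

# Address ranges a home Pi-hole should legitimately see clients from.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

def parse_top_clients(text):
    """Parse FTL top-clients lines of the form '<rank> <count> <ip> [hostname]'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append((int(parts[1]), parts[2], parts[3] if len(parts) > 3 else ""))
    return rows

def is_local(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETS)

def non_local_clients(text):
    """Return (ip, query_count) for clients outside LOCAL_NETS, busiest first."""
    hits = [(ip, n) for n, ip, _ in parse_top_clients(text) if not is_local(ip)]
    return sorted(hits, key=lambda t: -t[1])

def refused_ratio(stats_text):
    """Fraction of replies that were REFUSED, from the '>stats' output."""
    kv = dict(line.split() for line in stats_text.splitlines() if len(line.split()) == 2)
    return int(kv["reply_REFUSED"]) / int(kv["dns_queries_all_replies"])
```

Any non-empty result from `non_local_clients` means queries are arriving from the Internet side, which is the open-resolver condition described in the reply.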

I have changed the setting in DNS to Allow only local requests
Allows only queries from devices that are at most one hop away (local devices)

I enabled pihole DNS in my router and got this in error logs immediately:

   2022-09-07 14:02:30  DNSMASQ_WARN  Warning in dnsmasq core: ignoring query from non-local network 51.37.21.117 (logged only once)

That IP address is my IP address, so I don't know how to get around this.

Could you post screenshots for all DNS related settings in your router and post make/model pls?
You can paste screenshots here directly.
Most likely you have DNS settings for both LAN and WAN/Internet.
Recommended is below:

https://docs.pi-hole.net/main/post-install/

I have a Vodafone gigabox router. DNS settings are as follows (192.168.1.19 is the IP for my raspberry pi)

If those are the only DNS settings in the router, they appear to be for the WAN side.
Which explains why your router WAN IP (your public Internet IP) appears in the Pi-hole logs.
Plus it explains the warning you received.
What is preferred and described in the docs is to have the DHCP service for your LAN (currently active on your router) to advertise the Pi-hole IP to its clients for DNS resolution.
Advantages are:
one less hop in the DNS path;
you see real stats from your clients on the webGUI instead of only your router;
and particular Pi-hole features become available like for example defining client groups.

Check if you can disable the DHCP service on the router?
As a replacement, you can let Pi-hole take over the DHCP service part for your network:

Best when switching is to enable the DHCP service on Pi-hole first before disabling the one on the router!
This because some routers drop the LAN connection temporarily causing your clients to try and renew their DHCP lease while the DHCP service might not be up and running yet.

Have you made sure that your Pi-hole instance is not an open resolver?
You can check by running below one on the Pi to figure out your public IP:

curl ifconfig.me; echo

And enter the public IP below to check:

https://www.openresolver.com/

Finally got this work. The exact steps I took were as follows:

  1. On my pihole, enable DHCP. Leave DHCP enabled on router.
  2. On my router, edit DHCP settings to only offer 1 IP address (192.168.1.2).
  3. On my router, edit DNS settings and disable DNS.
  4. On my pihole, ensure that DNS is set up correctly.
  5. Restart router and restart pihole.

I don't know why I had to follow these specific steps, but anything else I tried would fail. I can now confirm that I have pihole up and running and (because I am using smart DNS) I can 100% confirm that the DNS settings from the pihole are being respected on my devices.

Thanks to all who helped on this trek!

You are still running an open resolver, i.e. your Pi-hole is open to misuse:

To stop that, close port 53 on your router immediately (and maybe port 80 as well).

Oh that was the AWS version I had initially set up, it was open (in error). I have terminated it now, so all good.
