[fixed] Pi-Hole newbie with DNS issues

Hello Pi-Hole community users,

I've just got my Raspberry Pi 4 (B, 2GB) for a few hours, its primary purpose is Pi-Hole (for now). The installation went fine so far, but the Pi's ad-blocking doesn't seem to fully work, "Tail pihole.log" doesn't output much when using the router's IP as client DNS server. The admin panel can't be accessed via http://pi-hole/admin, only using the Pi's IPv4 as DNS server on my clients. My dashboard reports many activities, so basically it should work …

I prefer to keep the router's IP (Asus RT-AC68U) DNS (192.168.1.1) set as the DNS server on my clients, if possible. Checking previous posts addressing this issue, it's not clear to me what I should do on my end. It's a DNS issue, and according to the Asus control panel (LAN DHCP Server and IPv6 settings pages), the Pi is correctly set as the DNS server.

A few errors in the debug report "*** [ DIAGNOSING ]: Networking" point to what's wrong, but I can't figure out how to fix these. I've tried to follow the URLs given, to no avail.

Thank you for helping me :slight_smile:

Expected Behaviour:

Block ads and accessing the admin panel via http://pi-hole/admin

Actual Behaviour:

I can only access the Pi-Hole admin panel via local IP http://192.168.1.57/admin/index.php at this stage. Ads only get blocked when client DNS server is set to the Pi's IP address.

Debug Token:

https://tricorder.pi-hole.net/8acd0y00e4

@C64 Welcome to the Pi-hole Community!
Pi-hole works best if it is configured as your ONLY DNS setting in your router, and in turn, all of your network clients are DHCP clients. That is, each client would only "see" the Pi-hole as their primary DNS server. Is this not how you currently set up your Pi-hole?

1 Like

@Tesserax Thank you for participating and for your warm welcome :slightly_smiling_face: !
The router's own address is 192.168.1.1, the Pi has 192.168.1.57. The router is serving addresses via DHCP, where the Pi's address is static.

The router's DNS server address is set to xx.57, this should account for the router directing all DNS calls to the Pi. The clients on my network all have 192.168.1.1 as their DNS server address, so they take it from the router as per DHCP defaults.

Alas, that circumvents blocking ads and connecting to the Pi-Hole admin panel via host name, for reasons still beyond me … :thinking:

What you describe here doesn't match your screenshots:

They show you've set your router's upstream IPv6-DNS to Pi-hole's IPv6 address (if only a link-local fe80: - first screenshot), and that you have configured your router's DHCP to hand out Pi-hole's IPv4 address (192.168.1.57) as local DNS server (second screenshot).

Yet you claim your clients still show your router (192.168.1.1) as DNS-Server.

This could be the case if

  1. your router includes itself as local DNS via DHCP, no matter what.
    (There are ASUS router models known here on this forum that exhibit this behaviour)
  2. your router does not force renewal of its DHCP leases upon configuration change, and thus the new settings will be known by your clients only after their current lease expires
    (Default lease duration varies by router make and model, common values range anywhere from one to ten days.)

Depending on your clients, they might connect by IPv4, contact your router, which forwards requests to its upstream IPv4 DNS (no screenshot for this, so assuming: goes to ISP default DNS).

Thank you @Bucking_Horn, I'm trying my best to get to grips with the functions and terminology :woozy_face:

This has now been disabled altogether. I'm not sure at all if and what this page is for (apart from being IPv6 related).

That is correct. Isn't this the way it should be? If not, what am I mistaking here?

The clients don't report any change of the DNS address, when I renew their DHCP lease manually.
Looking at the LAN-DHCP Server page, I see no other option than to enter the Pi-IP under DNS and WINS Server Setting > DNS Server … do you?

Failing the above (as it does), would it help to let the Pi serve IPs via DHCP, disabling the router's DHCP? If not, which options remain?

My /etc/dhcpcd.conf is set to

interface eth0
static ip_address=192.168.1.57/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

and /etc/pihole/setupVars.conf is set to

PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.1.57/24

As I said: The above doesn't match with your earlier statements, i.e.

and

Given your current question, I am at a loss as to which configuration you are intending to run :thinking:

May I suggest you make yourself familiar with the required network terminology, make your mind up about your config, and come back here once you've got that sorted and require additional guidance?

Reading one of my posts (click here, blues are links) in another (otherwise unrelated) topic might be helpful, as I consider it to be general enough to be relevant for you :wink:
(Concentrate on reading the arrowed bullet points in that post and try to ignore the rest)

1 Like

Please forgive my ignorance :pleading_face: @Bucking_Horn.

As far as I understand it, by default, local clients apply whatever is the default local DNS address broadcasted by the router's DHCP server. Unless local clients were configured to use a specific DNS address. Right/wrong? :thinking:

My local DHCP server at home is the Asus router, to which the Raspi running Pi-Hole is connected via eth0.

My current theory is:
The IP address of Pi-Hole should be set as DNS server address, which the DHCP server of the router broadcasts to all clients of my local network. According to this, all local client DNS calls run through Pi-Hole. Right/wrong? :thinking:


This screenshot shows where, according to my understanding, the Pi-Hole address should be entered.

Question:
Is it possible to configure the router DHCP server, so it is broadcasting the Pi-Hole IP address as the local DNS server address? Is this the ideal configuration?

Almost right - my overly pedantic additions and removals to your remarks as follows :wink:

As of your last screenshot, it looks as if your DHCP settings on your router are set up to distribute Pi-hole as DNS server. This would also be the preferred way, as this will allow you to view individual clients in Pi-hole's Query Log (which would not have been possible when keeping your router as DNS and forwarding requests upstream to Pi-hole).

My previous remark on possible impact of lease duration still applies.
You can force a lease renewal by dis- and reconnecting to the network, which in turn can be forced by switching a device on and off, if no other method is known.

That would depend on your needs, I am afraid.

What I can say is that it is a solid configuration to start with :wink:

1 Like

Gradually getting there, thanks @Bucking_Horn!

Positive.

I have a feeling that this is true to my situation. Craps. What should I do now?
Looking at the DNS options on my iPhone (automatic DNS configuration), I see both the router and Pi-Hole show up as DNS servers.

This is exactly what I want it to turn out. But how? :thinking:

First, let's verify whether that is true.

Assuming that you run a Windows machine in your network, open a command prompt on that machine and execute the following statements:
a. Renew the lease, in order to request the new DHCP configuration, just to be sure

ipconfig /renew

b. take a look at your DNS servers

ipconfig /all

Don't post the full answer, we are just interested in the DNS servers now.

1 Like

Asus routers are known to push their own IP for DNS via DHCP:

If you want to be sure, install nmap on Pi-hole:

sudo apt install nmap

And post results for below one (might want to redact some):

sudo nmap -sU -p67 --script dhcp-discover 192.168.1.1

1 Like

There's a majority of OS X machines here, so after renewing the lease the output of

is (adapted to ipconfig getpacket en1 for OS X)

ipconfig getpacket en1
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 0x9fa5e9cc
secs = 1
ciaddr = 0.0.0.0
yiaddr = 192.168.1.206
siaddr = 192.168.1.1
giaddr = 0.0.0.0
chaddr = 10:40:f3:ed:e1:10
sname =
file =
options:
Options count is 13
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 192.168.1.1
lease_time (uint32): 0x15180
renewal_t1_time_value (uint32): 0xa8c0
rebinding_t2_time_value (uint32): 0x12750
subnet_mask (ip): 255.255.255.0
broadcast_address (ip): 192.168.1.255
proxy_auto_discovery_url (string):

nb_over_tcpip_name_server (ip_mult): {192.168.1.1}
domain_name (string): horst
domain_name_server (ip_mult): {192.168.1.57, 192.168.1.1}
router (ip_mult): {192.168.1.1}
end (none):

Hi @deHakkelaar, thanks for chiming in! This is the result:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-05 21:33 GMT
Nmap scan report for 192.168.1.1
Host is up (0.00030s latency).

PORT STATE SERVICE
67/udp open dhcps
| dhcp-discover:
| DHCP Message Type: DHCPACK
| Server Identifier: 192.168.1.1
| Subnet Mask: 255.255.255.0
| Broadcast Address: 192.168.1.255
| WPAD:
|
| NetBIOS Name Server: 192.168.1.1
| Domain Name: horst
| Domain Name Server: 192.168.1.57, 192.168.1.1
|_ Router: 192.168.1.1
MAC Address: 54:A0:50:D8:23:E8 (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds

Bugger - seems your router is distributing itself. :frowning_face:

In that case, you have two options:

  1. disable DHCP on your router and enable DHCP on Pi-hole
    (This will keep individual clients identifiable in Pi-hole's Query Log)
  2. remove Pi-hole from DHCP and set it as your router's upstream DNS, usually via its Internet / WAN settings
    (This will make all DNS requests in Pi-hole's Query Log appear to originate from your router. It doesn't affect Pi-hole's blocking in any way, but some features of Pi-hole's upcoming 5.0 release requiring client id probably won't apply)

You could also try to install a new firmware on your router, as @deHakkelaar suggests, but note that you would have to acquire support for doing so in the respective forums (Merlin, openWRT, DDWRT, pfSense, etc.).

1 Like
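The check made by eye on the two DHCP replies above, as an added example that is not part of the thread: a POSIX shell filter that reads `nmap --script dhcp-discover` or `ipconfig getpacket` output and lists any DNS server advertised besides Pi-hole. The function names are hypothetical; the first sample is taken from the nmap output posted above, the second is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag DHCP replies that advertise a
# DNS server besides the filtering resolver, so clients cannot bypass it.

# dns_servers: DHCP reply text on stdin -> one advertised DNS server per line.
# Handles both formats posted in the thread:
#   nmap:  "|   Domain Name Server: 192.168.1.57, 192.168.1.1"
#   macOS: "domain_name_server (ip_mult): {192.168.1.57, 192.168.1.1}"
dns_servers() {
    grep -iE 'Domain Name Server:|domain_name_server' |
        sed -e 's/^.*: *//' | tr -d '{} ' | tr ',' '\n' |
        grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# unexpected_dns EXPECTED: prints every advertised server other than EXPECTED.
# Status: 0 only EXPECTED advertised, 1 extra servers, 2 no DNS option,
#         3 EXPECTED itself is not advertised.
unexpected_dns() {
    expected=$1
    servers=$(dns_servers) || return 2
    printf '%s\n' "$servers" | grep -qxF "$expected" || return 3
    extra=$(printf '%s\n' "$servers" | grep -vxF "$expected" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Sample 1: lines taken from the nmap dhcp-discover output in the thread.
sample_router_reply() {
    cat <<'EOF'
| dhcp-discover:
|   Server Identifier: 192.168.1.1
|   NetBIOS Name Server: 192.168.1.1
|   Domain Name: horst
|   Domain Name Server: 192.168.1.57, 192.168.1.1
|_  Router: 192.168.1.1
EOF
}

# Sample 2 (constructed): reply once Pi-hole at 192.168.1.200 serves DHCP.
sample_pihole_reply() {
    printf '|   Domain Name Server: 192.168.1.200\n'
}

if extra=$(sample_router_reply | unexpected_dns 192.168.1.57); then
    echo "router reply: only Pi-hole advertised"
else
    echo "router reply: clients may also use $extra"
fi
```

On a live network, pipe the real command output into `unexpected_dns` with the Pi-hole address as its argument; a non-zero status means some clients can resolve names without passing through Pi-hole.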

Another option is to flash another custom firmware onto the Asus router but is not without risks!

https://www.asuswrt-merlin.net/

@deHakkelaar
Been considering this in the past, thank you, but I don't feel inclined to do it just now. It looks like I should do it, one of these days! I fondly remember DD-WRT being a major upgrade for my trusty old Linksys WRT54G.

@Bucking_Horn
Switching DHCP over to Pi-Hole seems to have resolved the initial problem, blocking works. The only caveat is when running pihole -d, Networking reports errors:

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
192.168.1.200/24 does not match the IP found in /etc/pihole/setupVars.conf (Use IPv6 ULA addresses for Pi-hole)

[✓] IPv6 address(es) bound to the eth0 interface:
fe80::9edd:b635:2879:d87e does not match the IP found in /etc/pihole/setupVars.conf (Use IPv6 ULA addresses for Pi-hole)

^ Please note that you may have more than one IP address listed.
As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.

The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.

[i] Default IPv4 gateway: 192.168.1.1
192.168.1.1

I'm worried about the error messages showing up. Any pointers on how to fix it?
Still no access to the admin panel via http://pi-hole/admin … no deal breaker, but maybe related to other settings still not being ideal.
192.168.1.1 = Asus router, static IP, DHCP turned off
192.168.1.200 = Pi-Hole, DHCP ranges from 192.168.1.201 to .251
https://tricorder.pi-hole.net/7tchhcen2p

As you've changed IP from 192.168.1.57 into 192.168.1.200, you'll need to tell Pi-hole of these changes by running below one and select reconfigure:

pihole -r

Don't worry about the IPv6 warning.

And on the client (Linux, Windows or MacOS), use the nslookup tool in a command prompt to diagnose DNS resolution, e.g.:

nslookup pi.hole

nslookup pi.hole 192.168.1.200

2 Likes

Maybe more of a cosmetic issue, since you installed Pi-hole under a different IP (.57), and Pi-hole still remembers that in setupVars.conf.

Likely same as above, with a caveat:
fe80: prefixes a link-local IPv6 address.

While valid, it is non-routable, i.e. visible only to network clients on the same network segment. If you run a network with several routers / L3 switches / access points and/or several subnets, your Pi-hole may not be accessible by all of them.

You may want to change this to a ULA address (from range fd00::/8) by configuring your router's DHCPv6 settings accordingly.
EDIT: Actually, I wonder if this would still be necessary if you run Pi-hole as DHCP, but I am unaware of an option to configure a ULA via Pi-hole's UI - calling in @jfb, @deHakkelaar already reads and will comment if he knows)

Alternatively, do not enable IPv6 support in Pi-hole's DHCP and get rid of the IPV6_ADDRESS entry in setupVars.conf. Note that this might encourage some IPv6 capable devices to look for an IPv6 DNS server elsewhere, and some of them might succeed, thus bypassing Pi-hole. But then again, they might just as well do that if IPv6 is enabled. Happens more often than I'd wish for - darn! IPv6 auto configuration :wink:

This could be an issue, but I wouldn't expect Pi-hole to be blocking ads if that would fully affect your device.

To try and rectify all of the above, (optionally:) configure a ULA address range and check your Pi-hole's ULA address, then ssh into your Pi-hole machine and run

pihole -r

and choose reconfigure.

EDIT: Afterwards, use @deHakkelaar's above nslookups in order to verify your new setup :wink:

2 Likes

I reckon it depends what DHCP range of IPs has been set, ipv4 or ipv6, and if below is activated:

image

EDIT: just realized, ipv6 doesn't work same as with ipv4 range with auto discovery and all :wink:

1 Like

Thanks @deHakkelaar and @Bucking_Horn, I really appreciate your help!

Done. Now I can access http://pi-hole/admin correctly! pihole -d now shows:

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
192.168.1.200/24 matches the IP found in /etc/pihole/setupVars.conf

[✓] IPv6 address(es) bound to the eth0 interface:
fe80::9edd:b635:2879:d87e does not match the IP found in /etc/pihole/setupVars.conf (Use IPv6 ULA addresses for Pi-hole)

^ Please note that you may have more than one IP address listed.
As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.

The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.

[i] Default IPv4 gateway: 192.168.1.1
192.168.1.1

https://tricorder.pi-hole.net/suup8gp280

nslookup pi.hole
Server: 192.168.1.200
Address: 192.168.1.200#53
Name: pi.hole
Address: 192.168.1.200

nslookup pi.hole 192.168.1.200
Server: 192.168.1.200
Address: 192.168.1.200#53
Name: pi.hole
Address: 192.168.1.200

Enabling IPv6 support (SLAAC + RA) didn't change the Network debug output tho … should this be active?
(see https://tricorder.pi-hole.net/ke06y31kjx for that)

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
192.168.1.200/24 matches the IP found in /etc/pihole/setupVars.conf

[✓] IPv6 address(es) bound to the eth0 interface:
fe80::9edd:b635:2879:d87e does not match the IP found in /etc/pihole/setupVars.conf (Use IPv6 ULA addresses for Pi-hole)

^ Please note that you may have more than one IP address listed.
As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.

The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.

[i] Default IPv4 gateway: 192.168.1.1
192.168.1.1

Strangely enough, I can ping 192.168.1.1 from either the Pi and a local client.

2 Likes