Forcing all Android queries through Pi-hole

Expected Behaviour:

All DNS requests are sent through Pi-hole from an Android (v 10) device (Galaxy S9) when only WiFi is enabled on the device.

Actual Behaviour:

The only DNS request (Log 0) to show in pi-hole.log for the device is shown below. Another device on the network (Win10 PC) seems to be interacting well with Pi-hole, i.e. blacklist items are blocked and DNS requests show consistently in the pi-hole.log.

Debug Token:

https://tricorder.pi-hole.net/e3b897yddl

Log 0: from unlocking the device

Sep 16 20:44:33 dnsmasq[11090]: query[A] www.google.com from 192.168.0.11
Sep 16 20:44:33 dnsmasq[11090]: forwarded www.google.com to 8.8.4.4
Sep 16 20:44:33 dnsmasq[11090]: forwarded www.google.com to 8.8.8.8
Sep 16 20:44:33 dnsmasq[11090]: reply www.google.com is 172.217.8.164

I started with troubleshooting IPv6 traffic by checking both boxes in Pi-hole Web > Settings > DNS > IPv6 (Google DNS). This changed Log 0 into Log 1.

Log 1: unlocking the device with IPv6 Google DNS servers enabled

Sep 16 20:46:56 dnsmasq[11389]: query[A] www.google.com from 192.168.0.11
Sep 16 20:46:56 dnsmasq[11389]: forwarded www.google.com to 2001:4860:4860::8844
Sep 16 20:46:56 dnsmasq[11389]: forwarded www.google.com to 2001:4860:4860::8888
Sep 16 20:46:56 dnsmasq[11389]: forwarded www.google.com to 8.8.4.4
Sep 16 20:46:56 dnsmasq[11389]: forwarded www.google.com to 8.8.8.8
Sep 16 20:46:56 dnsmasq[11389]: reply www.google.com is 172.217.4.228

No DNS requests showed up past Log 1 from the device. Repeated unlocks show the cache serving the response. The change has since been reverted since it was a default setting.

Port forwarding on my modem+router (Netgear C3000) was added. External and internal ports were set to 53, the external IP was that of the device, the internal was the Pi's static IP. This caused internet failure on the device, so I will probably not try that again until I know more about what I'm doing. This modem+router does not support firewall scripts.

Using the Pi-hole's DHCP server instead of the router's yielded no change.

Is there something I can do through the Pi-hole web API to force all DNS queries from the device through Pi-hole? If not, where would you suggest I look for device-level settings?

Pi-hole is neither a proxy nor a firewall. You'd have to do this at the router-level. However, only powerful routers (or ones with custom powerful firmware) can offer protocol/port/device selective filters. You'd want rerouting of all port 53 traffic to your Pi-hole except for the Pi-hole itself.

Look for DNS-over-HTTPS (DoH) settings. Your Android phone may look up google.com and use their server for future DNS lookups.

Using Pi-hole DHCP was the only way I could ensure all my devices used Pi-hole, including all my Android devices.

Did you disable your router from assigning DHCP, then force your Android device to get a new lease from Pi-hole DHCP?

Got it now. Yes, the Pi-hole's DHCP was able to catch requests while the router's is off.

I imagine I had not cleared the cache properly when I tried before, but this time I decided to restart everything (Pi, router, and device) at the same time. It's working now.

Thank you both, @truCido and @Coro, for your comments.


This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
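
A way to check from pi-hole.log which devices are actually resolving through Pi-hole, matching the symptom in this thread where the phone sent one query and then went quiet. This is an added example, not part of the original posts; the expected-client list, the `min_queries` threshold and every sample line after the first three (which come from Log 0) are constructed assumptions.

```python
import re
from collections import defaultdict

# First three lines are Log 0 from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Sep 16 20:44:33 dnsmasq[11090]: query[A] www.google.com from 192.168.0.11
Sep 16 20:44:33 dnsmasq[11090]: forwarded www.google.com to 8.8.4.4
Sep 16 20:44:33 dnsmasq[11090]: forwarded www.google.com to 8.8.8.8
Sep 16 20:45:02 dnsmasq[11090]: query[A] example.com from 192.168.0.20
Sep 16 20:45:02 dnsmasq[11090]: cached example.com is 192.0.2.10
Sep 16 20:45:10 dnsmasq[11090]: query[AAAA] example.org from 192.168.0.20
Sep 16 20:45:11 dnsmasq[11090]: query[A] example.net from 192.168.0.20
Sep 16 20:45:12 dnsmasq[11090]: query[A] example.com from 192.168.0.20
"""

# Only "query[...]" lines name the client; forwarded/reply/cached lines do not.
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$"
)

def per_client(log_text):
    """Return {client_ip: {"queries", "domains", "last_seen"}} from dnsmasq log text."""
    stats = defaultdict(lambda: {"queries": 0, "domains": set(), "last_seen": None})
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        ts, _qtype, domain, client = m.groups()
        entry = stats[client]
        entry["queries"] += 1
        entry["domains"].add(domain)
        entry["last_seen"] = ts
    return dict(stats)

def quiet_clients(log_text, expected, min_queries=3):
    """Expected devices seen fewer than min_queries times: likely using another resolver."""
    stats = per_client(log_text)
    return sorted(ip for ip in expected
                  if stats.get(ip, {"queries": 0})["queries"] < min_queries)

if __name__ == "__main__":
    # Hypothetical inventory: the phone, a PC, and a device that never appears.
    lan = ["192.168.0.11", "192.168.0.20", "192.168.0.30"]
    for ip, s in sorted(per_client(SAMPLE_LOG).items()):
        print(ip, s["queries"], "queries, last seen", s["last_seen"])
    print("quiet:", quiet_clients(SAMPLE_LOG, lan))
```

Run it against the real log by passing the contents of pi-hole.log instead of `SAMPLE_LOG`; a device that is active on the network but listed as quiet is getting its DNS server from somewhere other than Pi-hole.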