FTL not reachable on LAN but working via WireGuard. Responds to ping on port 53 from LAN. Web Admin reachable

Hello,

My setup suddenly stopped working, but only on my LAN. It still works when I ssh into the server or use Wireguard.
I have tried everything I could think of, but I'm now at my wits' end.

Any help or suggestion would be greatly appreciated.

Expected Behaviour:

  • Setting the Raspberry IP in the DNS setting for my OS should be using PiHole

Actual Behaviour:

  • no response from the device
% nslookup google.fr
;; connection timed out; no servers could be reached
  • When using PiVPN to connect via Wireguard it is working as intended
 % nslookup google.fr
Server:		10.6.0.1
Address:	10.6.0.1#53

Non-authoritative answer:
Name:	google.fr
Address: 142.250.185.99

  • I have not changed anything on my network for it to stop working (but have unattended upgrades enabled)

  • I can ping the device from my LAN

 % ping seedbox.local  
PING seedbox.local (192.168.1.28): 56 data bytes
64 bytes from 192.168.1.28: icmp_seq=0 ttl=64 time=4.418 ms
64 bytes from 192.168.1.28: icmp_seq=1 ttl=64 time=6.272 ms
64 bytes from 192.168.1.28: icmp_seq=2 ttl=64 time=5.406 ms
64 bytes from 192.168.1.28: icmp_seq=3 ttl=64 time=16.846 ms
64 bytes from 192.168.1.28: icmp_seq=4 ttl=64 time=59.495 ms
64 bytes from 192.168.1.28: icmp_seq=5 ttl=64 time=101.961 ms
^C
--- seedbox.local ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.418/32.400/101.961/36.536 ms

  • netcat gives me an answer on port 53 from my LAN
% nc -vz 192.168.1.28 53
Connection to 192.168.1.28 port 53 [tcp/domain] succeeded!

  • Firewall seems to be letting traffic through on port 53
pi@seedbox:~ $ sudo lsof -i:53
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FT 11251 pihole    4u  IPv4  96374      0t0  UDP *:domain 
pihole-FT 11251 pihole    5u  IPv4  96375      0t0  TCP *:domain (LISTEN)
pihole-FT 11251 pihole    6u  IPv6  96376      0t0  UDP *:domain 
pihole-FT 11251 pihole    7u  IPv6  96377      0t0  TCP *:domain (LISTEN)

  • nslookup from the device is working as intended
pi@seedbox:~ $ nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	google.com
Address: 142.250.186.46
Name:	google.com
Address: 2a00:1450:4001:827::200e
  • Web interface is reachable (when bypassing the PiHole DNS)

  • All my clients are iOS or MacOS (tested on both)

Debug Token:

(https://tricorder.pi-hole.net/sO9HgqC7/)

Update after seeing a similar thread:

my pihole IP is 192.168.1.28

pi@seedbox:~ $ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.28/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever

But even from the host, it can't use 192.168.1.28 as a resolver
127.0.0.1 works though

pi@seedbox:~ $ nslookup flurry.com 9.9.9.9
Server:		9.9.9.9
Address:	9.9.9.9#53

Non-authoritative answer:
Name:	flurry.com
Address: 74.6.136.150
Name:	flurry.com
Address: 98.136.103.23
Name:	flurry.com
Address: 212.82.100.150

pi@seedbox:~ $ nslookup flurry.com 192.168.1.28
;; connection timed out; no servers could be reached

pi@seedbox:~ $ nslookup flurry.com 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	flurry.com
Address: 0.0.0.0
Name:	flurry.com
Address: ::

Your debug log shows a custom configuration for your wireguard interface wg0:

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 52 Apr 17  2020 /etc/dnsmasq.d/02-pivpn.conf
   addn-hosts=/etc/pivpn/hosts.wireguard
   interface=wg0

That would conflict with Pi-hole's local Interface Setting, forcing it to listen on wg0 only.

Remove that last interface=wg0 interface line from your configuration, then restart Pi-hole, e.g. by running pihole restartdns.

If your Wireguard clients can't resolve via Pi-hole, switch Pi-hole's Interface settings to Permit all origins.

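A check that surfaces the kind of stray directive diagnosed above, as an added example that is not part of the original thread or of Pi-hole's own tooling. The function names and the temporary sample directory are assumptions made for illustration; the directives searched for are standard dnsmasq options.

```shell
#!/bin/sh
# Added example (not from the thread): audit dnsmasq snippets for directives
# that restrict which interfaces or addresses the resolver answers on.

# Print "file:line:directive" for each active interface=, except-interface=,
# listen-address=, bind-interfaces or bind-dynamic line under DIR.
find_listen_directives() {
    dir=${1:-/etc/dnsmasq.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim whitespace
            /^#/ { next }                                    # skip comments
            /^(interface|except-interface|listen-address)=/ ||
            /^(bind-interfaces|bind-dynamic)$/ {
                printf "%s:%d:%s\n", file, NR, $0
            }' "$f"
    done
}

# Print the unique interface names pinned by interface= lines under DIR.
pinned_interfaces() {
    find_listen_directives "$1" |
        sed -n 's/^.*:[0-9][0-9]*:interface=\(.*\)$/\1/p' | sort -u
}

# Build a constructed sample directory (hypothetical helper for the demo).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    # Same two lines as the 02-pivpn.conf quoted from the debug log.
    printf 'addn-hosts=/etc/pivpn/hosts.wireguard\ninterface=wg0\n' \
        > "$d/02-pivpn.conf"
    # Constructed snippet: a commented-out directive and an unrelated option.
    printf '# interface=eth0\ncache-size=10000\n' > "$d/99-constructed.conf"
    echo "$d"
}

# Demo on the constructed sample; on a real host pass /etc/dnsmasq.d instead.
sample=$(make_sample_dir)
find_listen_directives "$sample"
echo "pinned interfaces: $(pinned_interfaces "$sample")"
rm -rf "$sample"
```

Any file reported here other than the one managed by Pi-hole itself is a candidate for the conflict described in the reply above.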

Hello,

Thank you so much for taking the time to look into my issue.
Changing this setting appears to have solved the issue. Thank you so much !

What really rattles me is that this setting has not been changed since (at least) April 2020 (date of the config file) and was working fine.

Do you happen to know if there has been an update that would have changed this behavior ? I don't think dnsmasq has been updated in a while on my machine (2.80-1+rpt1+deb10u1)

I'm trying to figure out what would have triggered this.

Thank you so much again for solving my issue
