Have to "pihole restartdns" after reboot

Rico_Lino · February 26, 2020, 3:20pm

Problem with Beta 5.0:
I installed Pi-hole, upgraded to 5.0 beta.
Afterwards I got unbound to work for being my own resolver.
And then I installed wireguard for VPN (for using DNS on my mobile phone).

If I now reboot my pi I have to manually do a "pihole restartdns" before DNS queries will be answered.

Debug Token:
[✓] Your debug token is: https://tricorder.pi-hole.net/3bj5093o58

DanSchaper · February 26, 2020, 5:16pm

Which interface should Pi-hole be listening on, and is Listen all interfaces selected?

Rico_Lino · February 26, 2020, 6:01pm

"Listen on all Interfaces" (Option 1) is selected an it has to listen to eth0 and wg0.

DanSchaper · February 26, 2020, 6:28pm

Did you follow a guide for adding the Wireguard VPN that we could look at?

Rico_Lino · February 26, 2020, 9:37pm

Info: I am using a fresh DietPi installation

Basically this is the guide I used:

#Installation

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install raspberrypi-kernel-headers
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
sudo apt-get install dirmngr
wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc | sudo apt-key add -

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
sudo apt-get update
sudo apt-get install wireguard 

sudo apt-get install iptables
sudo reboot

#Enable ipv4 forwarding then reboot to make changes active

sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sudo reboot

#see if it is working (should be "1"):
sysctl net.ipv4.ip_forward


#generate keys
[...]

#configure wg0 interface
sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 192.168.177.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = [...]

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#p1
PublicKey = [...]
AllowedIPs = 192.168.177.2/32

[Peer]
#p2
PublicKey = [...]
AllowedIPs = 192.168.177.3/32

#--- PEER-config ---#

[Interface]
Address = 192.168.177.2/32
PrivateKey = [...]
DNS = 192.168.177.1

[Peer]
PublicKey = [...]
Endpoint = [...]:51820
AllowedIPs = 172.167.177.1/32, 192.168.178.0/24
PersistentKeepalive = 25


#start Wireguard
sudo wg-quick up wg0

#check Wireguard
sudo wg

#set autostart
sudo systemctl enable wg-quick@wg0

DanSchaper · February 26, 2020, 10:16pm

Rico_Lino:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Those rules change the routing of packets and probably cause issues. But that's beyond what we can provide guidance or assistance with.

Rico_Lino · February 27, 2020, 1:47pm

I commented these 3 lines out and tested it again.
It is still not working as expected.
I think that the DNS server is starting before the wg0 interface is correctly up and there is some hassle then.
Can I somehow delay the start of the DNS server for like 20 seconds?

DanSchaper · February 27, 2020, 4:28pm

Not that I know of.

mibere · February 27, 2020, 4:50pm

Maybe a configuration (sequence, dependency) in the Daemon file?

In the file /lib/systemd/system/unbound.service I have

[Unit]
Description=Unbound DNS resolver
After=network.target redis-server.service
Before=nss-lookup.target
Wants=nss-lookup.target

DanSchaper · February 27, 2020, 6:50pm

Something that just came to mind.

Can you remove (temporarily) the line except-interface=nonexisting from /etc/dnsmasq.d/01-pihole.conf and reboot to see if that improves anything?

Rico_Lino · February 27, 2020, 7:32pm

There is no line like this.

root@fr0sh-pi:~# grep interface /etc/dnsmasq.d/01-pihole.conf
root@fr0sh-pi:~#

DanSchaper · February 27, 2020, 7:32pm

Can you cat /etc/dnsmasq.d/01-pihole.conf?

Rico_Lino · February 27, 2020, 7:34pm

root@fr0sh-pi:~# cat /etc/dnsmasq.d/01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.# Please see LICENSE file for your rights under this license.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
###############################################################################

addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async






server=127.0.0.1#5353
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

local-service
server=/fritz.box/192.168.178.1
server=/178.168.192.in-addr.arpa/192.168.178.1
server=/use-application-dns.net/
root@fr0sh-pi:~#

DanSchaper · February 27, 2020, 7:34pm

Ah, looks like that's been updated to use:

local-service

Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface , --except-interface , --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks.

DanSchaper · February 27, 2020, 7:36pm

So if the interface is not online when FTL starts, then it does not know that it's a valid subnet to answer questions for.

Rico_Lino · February 27, 2020, 7:39pm

This would be eth0 in my case.
(I did not check VPN after a reboot yet...)

So is there a way to start FTL a bit "slower"?

DanSchaper · February 27, 2020, 7:42pm

See my previous answer to the question.

scottydaman · February 27, 2020, 7:57pm

You can probably do something like wait for the interface to come up properly, but I just have the following in /etc/rc.local on my pi zero which takes a bit longer for its usb network to initialize.

sleep 15
pihole restartdns

Rico_Lino · February 27, 2020, 8:53pm

rc.local is deprecated on DietPi.
So i placed a script "wait.sh" in "/var/lib/dietpi/postboot.d/" and made it +x.

#!/bin/bash
sleep 10
pihole restartdns

After testing two times it seems to be working fine.

Thanks a lot!

DL6ER · February 29, 2020, 9:46am

You can open a feature request for this and we can add a setting for it. This is really an easy task and the code can be implemented and tested within minutes.