Have to "pihole restartdns" after reboot

Problem with Beta 5.0:
I installed Pi-hole, upgraded to 5.0 beta.
Afterwards I got unbound to work for being my own resolver.
And then I installed wireguard for VPN (for using DNS on my mobile phone).

If I now reboot my pi I have to manually do a "pihole restartdns" before DNS queries will be answered.

Debug Token:
[✓] Your debug token is: https://tricorder.pi-hole.net/3bj5093o58

Which interface should Pi-hole be listening on, and is Listen all interfaces selected?

"Listen on all Interfaces" (Option 1) is selected and it has to listen on eth0 and wg0.

Did you follow a guide for adding the Wireguard VPN that we could look at?

Info: I am using a fresh DietPi installation

Basically this is the guide I used:

#Installation

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install raspberrypi-kernel-headers
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
sudo apt-get install dirmngr
wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc | sudo apt-key add -

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
sudo apt-get update
sudo apt-get install wireguard 

sudo apt-get install iptables
sudo reboot

#Enable ipv4 forwarding then reboot to make changes active

sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sudo reboot

#see if it is working (should be "1"):
sysctl net.ipv4.ip_forward


#generate keys
[...]

#configure wg0 interface
sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 192.168.177.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = [...]

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#p1
PublicKey = [...]
AllowedIPs = 192.168.177.2/32

[Peer]
#p2
PublicKey = [...]
AllowedIPs = 192.168.177.3/32

#--- PEER-config ---#

[Interface]
Address = 192.168.177.2/32
PrivateKey = [...]
DNS = 192.168.177.1

[Peer]
PublicKey = [...]
Endpoint = [...]:51820
AllowedIPs = 172.167.177.1/32, 192.168.178.0/24
PersistentKeepalive = 25


#start Wireguard
sudo wg-quick up wg0

#check Wireguard
sudo wg

#set autostart
sudo systemctl enable wg-quick@wg0

Those rules change the routing of packets and probably cause issues. But that's beyond what we can provide guidance or assistance with.

I commented these 3 lines out and tested it again.
It is still not working as expected.
I think that the DNS server is starting before the wg0 interface is correctly up and there is some hassle then.
Can I somehow delay the start of the DNS server for like 20 seconds?

Not that I know of.

Maybe a configuration (sequence, dependency) in the Daemon file?

In the file /lib/systemd/system/unbound.service I have

[Unit]
Description=Unbound DNS resolver
After=network.target redis-server.service
Before=nss-lookup.target
Wants=nss-lookup.target

Something that just came to mind.

Can you remove (temporarily) the line except-interface=nonexisting from /etc/dnsmasq.d/01-pihole.conf and reboot to see if that improves anything?

There is no line like this. :frowning:

root@fr0sh-pi:~# grep interface /etc/dnsmasq.d/01-pihole.conf
root@fr0sh-pi:~#

Can you cat /etc/dnsmasq.d/01-pihole.conf?

root@fr0sh-pi:~# cat /etc/dnsmasq.d/01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
###############################################################################

addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async






server=127.0.0.1#5353
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

local-service
server=/fritz.box/192.168.178.1
server=/178.168.192.in-addr.arpa/192.168.178.1
server=/use-application-dns.net/
root@fr0sh-pi:~#

Ah, looks like that's been updated to use:

local-service

Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface , --except-interface , --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks.

So if the interface is not online when FTL starts, then it does not know that it's a valid subnet to answer questions for.


This would be eth0 in my case.
(I did not check VPN after a reboot yet...)

So is there a way to start FTL a bit "slower"?

See my previous answer to the question.

You can probably do something like wait for the interface to come up properly, but I just have the following in /etc/rc.local on my pi zero which takes a bit longer for its usb network to initialize.

sleep 15
pihole restartdns


rc.local is deprecated on DietPi.
So I placed a script "wait.sh" in "/var/lib/dietpi/postboot.d/" and made it +x.

#!/bin/bash
sleep 10
pihole restartdns

After testing two times it seems to be working fine.

Thanks a lot!

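A variant of the postboot script above that polls for the wg0 interface to actually receive an IPv4 address (with a cap) instead of sleeping a fixed number of seconds, then restarts pihole-FTL. This is an added example, not code from the thread or from the Pi-hole or DietPi projects. It assumes the interface name wg0, iproute2's `ip` command and the `pihole` CLI on PATH; the log tag `wait-wg-dns`, the 60-second cap and the function names are my own choices. On a machine without the `pihole` command the script only defines its functions and does nothing.

```bash
#!/bin/bash
# Added example: wait for wg0 to get an address before "pihole restartdns",
# so FTL re-reads its interfaces once the VPN subnet exists (local-service
# only answers subnets that had an interface when FTL started).
# Assumed: interface wg0, iproute2 `ip`, `pihole` on PATH (not from the thread).

IFACE="${IFACE:-wg0}"      # interface to wait for
TIMEOUT="${TIMEOUT:-60}"   # seconds to wait before restarting anyway
LOGTAG="wait-wg-dns"       # hypothetical syslog tag

# Print the first IPv4 address (CIDR) found in `ip -4 -o addr show` output.
# Returns 1 and prints nothing when the output carries no "inet" entry.
first_inet4() {
    local addr
    addr=$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") { print $(i + 1); exit } }')
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Poll the interface once per second until it has an IPv4 address.
# Returns 0 when the address appeared, 1 when the timeout expired.
wait_for_iface() {
    local iface=$1 timeout=$2 waited=0 out
    while [ "$waited" -lt "$timeout" ]; do
        out=$(ip -4 -o addr show dev "$iface" 2>/dev/null)
        if first_inet4 "$out" >/dev/null; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

main() {
    if wait_for_iface "$IFACE" "$TIMEOUT"; then
        logger -t "$LOGTAG" "$IFACE is up, restarting pihole-FTL"
    else
        # Still restart so the LAN side keeps working if the VPN never comes up.
        logger -t "$LOGTAG" "$IFACE not up after ${TIMEOUT}s, restarting pihole-FTL anyway"
    fi
    pihole restartdns
}

# Only act where Pi-hole is installed; elsewhere the functions are just defined.
if command -v pihole >/dev/null 2>&1; then
    main
fi
```

Drop it in /var/lib/dietpi/postboot.d/ (or rc.local on systems that still use it) and make it executable, as with the original wait.sh. The poll loop normally finishes within a second or two of wg-quick bringing wg0 up, so the boot is not held for a fixed 10 or 15 seconds, and the cap keeps LAN DNS recovering even if the VPN unit fails.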

You can open a feature request for this and we can add a setting for it. This is really an easy task and the code can be implemented and tested within minutes.