Help with conditional forwarding setup - v5.1

Hi all,

I am trying to get conditional forwarding set up to show devices on my local network (Ubuntu install - Ubuntu 20.04.1 LTS).

My current network setup is:

Sky Hub acting as modem with static IP of 10.0.0.1 -> Netgear RAX200 with static IP of 10.0.1.1 (DHCP range 10.0.1.2-10.0.1.254)

I have tried the setup as below but sites load incredibly slowly, if at all. No local device names show in the query log in pihole; it stays as 10.0.1.1.

Local Network: 10.0.1.1/24
IP address of DHCP server: 10.0.1.1
Local domain name: (blank, as my router does not allow me to specify one)

Any help would be much appreciated!

JD

What DNS server is 10.0.1.1 using? Does a dig using 10.0.1.1 for a local host name show the right response? Does a dig -x for a host IP address return the right response?

Hi Dan,

Thank you for the quick response, the Netgear router is set to use 10.0.1.22 as the DNS server (pihole static IP running on the Ubuntu VM).

dig 10.0.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> 10.0.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63705
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;10.0.1.1. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072701 1800 900 604800 86400

;; Query time: 47 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jul 27 18:09:22 UTC 2020
;; MSG SIZE rcvd: 112

dig -x 10.0.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> -x 10.0.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46679
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.1.0.10.in-addr.arpa. IN PTR

;; Query time: 23 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jul 27 18:14:41 UTC 2020
;; MSG SIZE rcvd: 50

I hope that helps!

This sounds like a DNS loop.

So you have configured your Netgear router to use Pihole (10.0.1.22) as upstream DNS server. What is the upstream DNS server configured in Pihole?

Please post the output of these commands from one of your clients.

dig pi.hole
dig google.com
dig pi.hole @10.0.1.22

Yes, the Netgear router is set to use Pihole as the upstream DNS server and Pihole is using Cloudflare as IPv4 and IPv6 upstream DNS servers.

; <<>> DiG 9.16.1-Ubuntu <<>> pi.hole
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3949
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi.hole. IN A

;; AUTHORITY SECTION:
. 85042 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072800 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 28 09:32:17 UTC 2020
;; MSG SIZE rcvd: 111

; <<>> DiG 9.16.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52723
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 121 IN A 216.58.204.238

;; Query time: 39 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 28 09:34:47 UTC 2020
;; MSG SIZE rcvd: 65

; <<>> DiG 9.16.1-Ubuntu <<>> pi.hole @ 10.0.1.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pi.hole. IN A

;; ANSWER SECTION:
pi.hole. 2 IN A 10.0.1.22

;; Query time: 0 msec
;; SERVER: 10.0.1.22#53(10.0.1.22)
;; WHEN: Tue Jul 28 09:35:15 UTC 2020
;; MSG SIZE rcvd: 52

Did you run these commands from a client? Or from the device hosting pihole?

The client is using cloudflare as upstream DNS server, not your router or pihole directly.

I ran the commands through PuTTY on my desktop PC. Pihole is running on an Ubuntu VM on a FreeNAS server on my network.

What OS is your desktop PC? Windows? Please run from Windows cmd:

nslookup pi.hole

Desktop OS is Windows 10

C:\WINDOWS\system32>nslookup pi.hole
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 2002:a00:2:0:2a80:88ff:fe37:d317

DNS request timed out.
timeout was 2 seconds.
Name: pi.hole
Addresses: fdc7:d96c:62bf:1:2a0:98ff:fe49:34a0
10.0.1.22

Seems like you have connectivity issues (on IPv4?) and the answer came from an IPv6 server.

Please run

nslookup google.com

And generate a debug token on the pihole device with pihole -d or via the web interface Tools/Generate Debug Token.

Thanks for the help!

I have run the nslookup and here is the debug:

https://tricorder.pi-hole.net/cnoc44y1co

C:\WINDOWS\system32>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 2002:a00:2:0:2a80:88ff:fe37:d317

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

Thanks. If time permits, a moderator will have a look in the debug token to look for the root of the errors.

Your client sends DNS requests to a DNS server with the address shown above. This server seems to be unable to resolve google.com due to a request timeout (connectivity issue).

Let's see what your Windows is using as DNS servers:

netsh interface ip show dnsservers

And we still don't know whether your Netgear router (at 10.0.1.1), which you intend to use in Conditional Forwarding, is capable of doing so (that's what Dan suggested to find out). The dig commands are exemplary for the type of queries that your router will receive by enabling CF.

dig @10.0.1.1 <local-hostname> 
dig @10.0.1.1 -x <local-host-ip> 

Replace <local-hostname> with a local hostname you expect to be resolved, and replace <local-host-ip> with that device's IP.
Use name and IP of a known device other than Pi-hole for this test.

So netsh interface is below:

C:\WINDOWS\system32>netsh interface ip show dnsservers

Configuration for interface "Ethernet"
DNS servers configured through DHCP: 10.0.1.1
Register with which suffix: Primary only

Configuration for interface "WiFi"
DNS servers configured through DHCP: None
Register with which suffix: Primary only

Configuration for interface "Local Area Connection* 10"
DNS servers configured through DHCP: None
Register with which suffix: Primary only

Configuration for interface "Local Area Connection* 11"
DNS servers configured through DHCP: None
Register with which suffix: Primary only

Configuration for interface "Bluetooth Network Connection"
DNS servers configured through DHCP: None
Register with which suffix: Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
Statically Configured DNS Servers: None
Register with which suffix: Primary only

I have also tried the dig command for my iPhone on my local network (I hope this is what you were expecting below).

ragetti@ubuntu-vm:~$ dig @ 10.0.1.1 Woodrow

; <<>> DiG 9.16.1-Ubuntu <<>> @ 10.0.1.1 Woodrow
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36334
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;Woodrow. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072800 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Tue Jul 28 14:50:45 UTC 2020
;; MSG SIZE rcvd: 111

ragetti@ubuntu-vm:~$ dig @ 10.0.1.1 10.0.1.30

; <<>> DiG 9.16.1-Ubuntu <<>> @ 10.0.1.1 10.0.1.30
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6818
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.0.1.30. IN A

;; ANSWER SECTION:
10.0.1.30. 0 IN A 10.0.1.30

;; Query time: 3 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Tue Jul 28 14:51:01 UTC 2020
;; MSG SIZE rcvd: 54

Please use the commands exactly as I've posted them.

Depending on your browser and availability of javascript, you may use the copy button appearing in a post as a hover in the top right corner of a command field.

It should be @10.0.1.1 - no space between @ and IP for both commands; and the second, reverse lookup for the IP address is missing the -x parameter.
The netsh command shows your Windows PC to use your router's IPv4 as DNS server. Is that what you intend it to use?

Let's also check for IPv6 DNS on your Windows:

netsh interface ipv6 show dnsservers

My Netgear router is set to use 10.0.1.22 as its primary DNS server, so I was under the impression that, without having to manually set all devices on my network to point to the pihole IP address, the router would do that for me? Is this not the case?

C:\WINDOWS\system32>netsh interface ipv6 show dnsservers

Configuration for interface "Ethernet"
DNS servers configured through DHCP: 2002:a00:2:0:2a80:88ff:fe37:d317
2002:a00:2:0:2a80:88ff:fe37:d317
Register with which suffix: Primary only

Configuration for interface "WiFi"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

Configuration for interface "Local Area Connection* 10"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

Configuration for interface "Local Area Connection* 11"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

Configuration for interface "Bluetooth Network Connection"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
Statically Configured DNS Servers: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

My apologies, I did forget the -x parameter so I will re-post new outputs below.

When copying the commands yesterday, I did copy exactly as you posted without the space; however, I am unable to use @ when posting in here as a new member, as I receive a message saying new users are not allowed to mention other users, so I have had to amend the copied output to include a space, otherwise I was unable to post a reply.

ragetti@ubuntu-vm:~$ dig @ 10.0.1.1 Woodrow

; <<>> DiG 9.16.1-Ubuntu <<>> @ 10.0.1.1 Woodrow
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43209
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;Woodrow. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072900 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Wed Jul 29 09:57:11 UTC 2020
;; MSG SIZE rcvd: 111

ragetti@ubuntu-vm:~$ dig @ 10.0.1.1 -x 10.0.1.30

; <<>> DiG 9.16.1-Ubuntu <<>> @ 10.0.1.1 -x 10.0.1.30
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52715
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;30.1.0.10.in-addr.arpa. IN PTR

;; Query time: 0 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Wed Jul 29 09:58:52 UTC 2020
;; MSG SIZE rcvd: 40

You've configured your router to use Pi-hole as its upstream DNS server then, and that IPv6 address returned by `netsh` belongs to your Netgear as well.

That is a valid and working configuration:
Your clients will continue to send DNS queries to your router, and your router will then forward them to your Pi-hole.
Hence, Pi-hole will see all DNS requests as originating from your router. In such a setup, you won't be able to associate DNS queries to individual clients in Pi-hole's Query Log, and you cannot apply any client-based filtering rules.

It would be preferable to have your router distribute Pi-hole as local DNS server via DHCP. That way, your clients would send DNS queries directly to Pi-hole.
However, not all routers support this.
If that's the case for you as well, you could just live with your current upstream DNS configuration, or you could try to disable your router's DHCP server and turn on Pi-hole's instead.

Posting @ should be possible as long as you use the editor's </> Preformatted text menu option to format your text, instead of the comment/quote you seem to be using. :wink:

The results of your dig commands show that your Netgear doesn't know any hostnames for your devices, and it also refuses to resolve reverse IP lookups.

What's worse, since your Netgear is using Pi-hole as upstream DNS, it would seem that your router (in lieu of a hostname) forwards the query to Pi-hole, which in turn triggers Conditional Forwarding to hand the query to your router, creating a DNS loop.
That's why you see timeouts.

As a first measure, disable Conditional Forwarding. In your current configuration with all queries being sent by your router, it won't add any real benefit anyway.

It's still odd that your Netgear doesn't seem to know hostnames for your devices (though there are routers that just ignore hostnames as provided by clients during DHCP lease negotiation for IPv4).

Try to verify whether that is indeed the case, or if another DHCP server is interfering somehow (you mentioned a Sky Hub on your network).

Depending on your findings, you should consider using Pi-hole as DHCP server instead.


Hi, thanks for the help!

I have turned off the DHCP on the SKY router - I am just using that as a Modem as the configuration and WiFi capabilities on that particular router are not great.

The Netgear router shows Hostnames within the Routers config pages when viewing attached devices; it just appears to not forward this onto the Pi-hole.

I have found out, after taking a look into the IPv6 settings on the Netgear router, that it is set to use passthrough settings onto the Sky router for DNS servers. I have manually changed that to act as IPv6 DHCP, with the pihole IPv6 address acting as the primary DNS server, but I receive the following message after copying the IPv6 address across from the pihole settings page:

The Primary DNS Server is not valid; it has to be a global unicast address.

The netgear router then automatically fills the field to the following: FDC7:D96C:62BF:0001:02A0:98FF:FE49:34A0

Could this be the reason why it is causing the loop?

Thanks again for your help and advice.

JD

The DNS loop as previously observed was caused by your router using Pi-hole as its upstream DNS server and enabling Conditional Forwarding in Pi-hole at the same time.
Changing either of those two conditions will avoid the DNS loop.

In your situation as described initially, there is no need to enable Conditional Forwarding at all. Therefore, I recommended disabling CF as a first measure.

You can now either
a) disable CF
b) sort your network issues and have your router distribute Pi-hole solely as local DNS via DHCP. Re-enabling CF on Pi-hole is only an option if your router provides correct DNS answers for local names.
c) disable your router's DHCP server, enable it on Pi-hole (no need for CF then, unless a third DHCP server would be active)

When it comes to specific config options for your devices, my advice necessarily has to be somewhat generic only. You may improve chances for a more knowledgeable answer by also consulting your routers' manuals and support resources.
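As an added illustration (constructed for this thread, not Pi-hole code or anything posted above), the toy model below traces a query through the resolver chain described in the loop explanation and in options a) to c): clients ask the router, the router forwards to Pi-hole, and Pi-hole's Conditional Forwarding hands local names and 10.0.1.0/24 reverse lookups back to the router. The host name, IPs and the rule for what counts as "local" are assumptions taken from the thread's own outputs.

```python
# Toy model of the forwarding chain from this thread; constructed example, not Pi-hole code.
ROUTER, PIHOLE, CLOUDFLARE = "router(10.0.1.1)", "pihole(10.0.1.22)", "cloudflare(1.1.1.1)"
LOCAL_REVERSE = "1.0.10.in-addr.arpa."  # reverse zone of 10.0.1.0/24 (assumption: CF subnet)

def is_local(qname: str) -> bool:
    """What Conditional Forwarding sends to the router: bare hostnames and 10.0.1.x PTRs."""
    return "." not in qname.rstrip(".") or qname.endswith(LOCAL_REVERSE)

def build(cf_enabled: bool, router_knows_hosts: bool, clients_use_pihole: bool):
    """Return (first server a client asks, table of server behaviours)."""
    hosts = {"woodrow.": "10.0.1.30"} if router_knows_hosts else {}  # constructed lease
    def router(q):
        if q.lower() in hosts:
            return ("answer", hosts[q.lower()])
        return ("forward", PIHOLE)          # router's upstream is Pi-hole, as in the thread
    def pihole(q):
        if cf_enabled and is_local(q):
            return ("forward", ROUTER)      # Conditional Forwarding target
        return ("forward", CLOUDFLARE)      # regular upstream
    def cloudflare(q):
        # Public resolvers do not know private names; the thread shows NXDOMAIN for pi.hole.
        return ("answer", "NXDOMAIN" if is_local(q) else "216.58.204.238")
    first = PIHOLE if clients_use_pihole else ROUTER
    return first, {ROUTER: router, PIHOLE: pihole, CLOUDFLARE: cloudflare}

def resolve(first, servers, qname, max_hops=8):
    """Follow forwards until an answer; report LOOP if a server is visited twice."""
    path, cur = [], first
    while cur not in path and len(path) < max_hops:
        path.append(cur)
        kind, detail = servers[cur](qname)
        if kind == "answer":
            return detail, path
        cur = detail
    return "LOOP", path + [cur]

if __name__ == "__main__":
    # Thread's configuration: router -> Pi-hole upstream, CF on, router has no names.
    print(resolve(*build(True, False, False), "Woodrow."))   # loop, hence the timeouts
    # Option a): CF disabled; the query leaves the LAN and gets NXDOMAIN instead of hanging.
    print(resolve(*build(False, False, False), "Woodrow."))
    # Option b): clients use Pi-hole directly and the router really answers local names.
    print(resolve(*build(True, True, True), "Woodrow."))
```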