Help with setup for RT-AX88U Pro ASUS router? ERR_NAME_NOT_RESOLVED error in client browser

Last night I replaced my TP-Link Archer C7 with an ASUS RT-AX88U Pro and I'm not sure how to set up the new router to properly direct DHCP clients to my pi-hole for DNS requests.

When I set the DNS server in WAN or LAN the pi-hole receives DNS requests but my browser (Google Chrome) returns an ERR_NAME_NOT_RESOLVED error.

When the IP address of the pi-hole is set in WAN settings the Query Log states that requests are originating from my router's IP address.

When the IP address of the pi-hole is set in LAN settings the Query Log states the IP address of the actual client requesting the DNS lookup.

In both cases the client browser receives an ERR_NAME_NOT_RESOLVED error.

I have read through multiple threads and documentation pages about ASUS routers and the suggested setups do not work for me:
  • [Wireless Router] How to configure router to use Pi-Hole? | Official Support | ASUS Global suggests placing the pi-hole into the WAN DNS settings only.
  • ASUS router - Pi-hole documentation notes that ASUS documentation states that the pi-hole should be in the WAN DNS settings for newer firmware versions, but that the pi-hole team suggests that the pi-hole IP be placed in the LAN settings instead.
  • Configuring DNS Server - LAN or WAN Settings on ASUS Router? suggests that when using the ASUS router as the DHCP server for the network the pi-hole IP address should be entered in the LAN DNS field. It also notes that ASUS routers include the router's IP address as a LAN DNS address i.e. "LAN DNS requests could potentially bypass the Pi-Hole by going directly to the ASUS router instead of the pi-Hole". Many threads mention that Asuswrt-Merlin offers an enable/disable setting to disable this behavior.

That particular DNS advertisement setting is now available on official ASUS router firmware (at least as of 3.0.0.6.102_33308-gfb75e0b_344-g69f33). In all testing I performed above I disabled this setting so that the pi-hole is the only DNS server being advertised to DHCP clients.

What am I doing wrong? What is the correct setup to get this working? Again, DNS being resolved by the pi-hole is working when the pi-hole IP address is set as the DNS server in either LAN or WAN, but those DNS resolution requests never make it back to the client's browser resulting in an ERR_NAME_NOT_RESOLVED error.

EDIT: Perhaps it's worth noting that with my previous router (the TP-Link Archer C7) it was enough to set the pi-hole IP as the DNS server in the DHCP settings and continue to use the router as the DHCP server. I'm not sure why the same kind of setup is not working with the ASUS router.

Run from a client in your network (and not the Pi-hole machine), what is the result of:

nslookup pi.hole
nslookup flurry.com <your.pi.hole.ip>

Substitute <your.pi.hole.ip> with your Pi-hole machine's IP address.

With pi-hole configured as LAN DNS Server 1:

PS C:\> nslookup pi.hole
Server:  pi.hole
Address:  192.168.50.110

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    pi.hole
Addresses:  fe80::17ef:526d:e4c4:a775
          192.168.50.110

PS C:\> nslookup flurry.com 192.168.50.110
Server:  pi.hole
Address:  192.168.50.110

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    flurry.com
Addresses:  ::
          0.0.0.0

PS C:\> nslookup google.com 192.168.50.110
Server:  pi.hole
Address:  192.168.50.110

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to pi.hole timed-out

With pi-hole configured as WAN DNS Server 1:

PS C:\> nslookup pi.hole
Server:  RT-AX88U_Pro-3080.rt-ax88u
Address:  192.168.50.1

Name:    pi.hole
Addresses:  fe80::17ef:526d:e4c4:a775
          192.168.50.110

PS C:\> nslookup flurry.com 192.168.50.110
Server:  pi.hole
Address:  192.168.50.110

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    flurry.com
Addresses:  ::
          0.0.0.0

PS C:\> nslookup google.com 192.168.50.110
Server:  pi.hole
Address:  192.168.50.110

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to pi.hole timed-out

The query log for the Flurry DNS request is a bit odd (my router is configured with a LAN Domain Name of rt-ax88u):


nslookup can be expected to append the local search domain to its requests, so those queries are normal. But the N/A replies for the FQDNs are not - they indicate that Pi-hole has never received an answer for those.

At least, your LAN DNS Server 1 output demonstrates that your router's DHCP server is correctly handing out Pi-hole's IP address as DNS server.
The results also tell us that Pi-hole's local replies work after some attempts (including blocks), but public resolution (or google.com) is not working.
Combined with the N/A replies from your screenshot, this may suggest that your router discards Pi-hole's DNS requests, or that your chosen upstreams were inaccessible at the time.

In addition, the timeouts may also suggest that something is interfering with DNS, probably with the DNS replies of the machine that ran the nslookups only.

You wouldn't run some antivirus software like AVAST or AVG on that machine?
Do you get the same results when running those nslookups from another machine?

The only antivirus/antimalware software running on the client is Windows Defender and Windows Firewall. The client is Windows 10.

I get the same result running commands using a different client (macOS 14.2.1 with nslookup 9.10.6):

  • nslookup pi.hole correctly returns the IP of the LAN server that is running pi-hole (192.168.50.110)
  • nslookup flurry.com 192.168.50.110 returns 0.0.0.0
  • nslookup google.com 192.168.50.110 times out

Run from your Pi-hole host machine this time, what's the output of:

nslookup google.com
nslookup google.com 1.1.1.1
nslookup google.com 192.168.50.1

The last command assumes that your router lives at 192.168.50.1 - please adjust as required.

pi-hole host machine is running nslookup 9.18.18-0ubuntu0.22.04.1-Ubuntu on Ubuntu 22.04.3 LTS. The router lives at 192.168.50.1.

With pi-hole configured as LAN DNS Server 1:

$ nslookup google.com
;; communications error to 208.67.222.222#53: timed out
;; communications error to 208.67.222.222#53: timed out
;; communications error to 208.67.222.222#53: timed out
;; communications error to 208.67.220.220#53: timed out
;; no servers could be reached

$ nslookup google.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

$ nslookup google.com 192.168.50.1
Server: 192.168.50.1
Address: 192.168.50.1#53

Non-authoritative answer:
Name: google.com
Address: 142.250.113.100
Name: google.com
Address: 142.250.113.101
Name: google.com
Address: 142.250.113.113
Name: google.com
Address: 142.250.113.138
Name: google.com
Address: 142.250.113.102
Name: google.com
Address: 142.250.113.139
Name: google.com
Address: 2607:f8b0:4023:1000::71
Name: google.com
Address: 2607:f8b0:4023:1000::66
Name: google.com
Address: 2607:f8b0:4023:1000::64
Name: google.com
Address: 2607:f8b0:4023:1000::65

With pi-hole configured as WAN DNS Server 1:

$ nslookup google.com
;; communications error to 208.67.222.222#53: timed out
;; communications error to 208.67.222.222#53: timed out
;; communications error to 208.67.222.222#53: timed out
;; communications error to 208.67.220.220#53: timed out
;; no servers could be reached

$ nslookup google.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached

$ nslookup google.com 192.168.50.1
;; communications error to 192.168.50.1#53: timed out
;; communications error to 192.168.50.1#53: timed out
;; communications error to 192.168.50.1#53: timed out
;; no servers could be reached

Your nslookups demonstrate that DNS requests do not receive an answer, even when the OS of the machine running your Pi-hole is sending them to a public DNS server.
This suggests that your router is silently dropping those DNS requests.

Unless you can figure out why your router is doing so and how to stop it, it would seem that model won't cooperate with Pi-hole.

You could try to disable the router's DHCP server and enable Pi-hole's.
Be sure to manually configure a static IP on your Pi-hole machine before doing so, and to dis- and reconnect clients once it's enabled, so DHCP clients will pick up the new DHCP server.

But before you try that:

With LAN DNS Server 1, your router answers DNS requests for public domains.

You could try whether using your Pi-hole as LAN DNS Server 1 and configuring your Pi-hole to use your router as its only upstream would mitigate your issue.

I believe I was able to trace this to my Ubuntu server (which runs pi-hole) configuring a default ip route with gateway of 192.168.0.1 despite the gateway existing at 192.168.50.1.

I was forwarding some ports of other services that run on the host and discovered that outside traffic could not reach the machine and testing connections against those ports using other LAN clients was also failing. This led me to discover the default ip route with the incorrect gateway.

I think? this explains why the host could not reach out to DNS servers unless querying the router directly. Not entirely sure. I'm definitely not a networking guru.

I changed my router to 192.168.0.1 and configured its DHCP to hand out addresses in the 192.168.0.x range. This seems to have resolved my main issue. I configured the pi-hole in the LAN DNS Server 1 field and DNS requests from internal clients are querying the pi-hole.

One thing I'm still not entirely sure about is whether I should configure my router to use my pi-hole for WAN DNS instead of or in addition to the LAN DNS. From the pi-hole host DNS requests are still being handled by the router and not being directed back to the pi-hole:

$ nslookup flurry.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   flurry.com
Address: 54.161.105.65
Name:   flurry.com
Address: 13.49.212.207
Name:   flurry.com
Address: 13.50.184.192
Name:   flurry.com
Address: 13.251.69.97
Name:   flurry.com
Address: 18.136.37.69
Name:   flurry.com
Address: 34.213.101.254
Name:   flurry.com
Address: 34.225.127.72
Name:   flurry.com
Address: 44.228.206.170

$ nslookup flurry.com 192.168.0.1
Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
Name:   flurry.com
Address: 13.251.69.97
Name:   flurry.com
Address: 34.213.101.254
Name:   flurry.com
Address: 13.50.184.192
Name:   flurry.com
Address: 18.136.37.69
Name:   flurry.com
Address: 44.228.206.170
Name:   flurry.com
Address: 13.49.212.207
Name:   flurry.com
Address: 54.161.105.65
Name:   flurry.com
Address: 34.225.127.72

$ nslookup flurry.com localhost
Server:         localhost
Address:        ::1#53

Name:   flurry.com
Address: 0.0.0.0
Name:   flurry.com
Address: ::

Compare to the Windows client getting directed to the pi-hole via the router:

PS C:\> nslookup flurry.com
Server:  pi.hole
Address:  192.168.0.110

Name:    flurry.com
Addresses:  ::
          0.0.0.0

In general, if your router distributes Pi-hole as local DNS server, setting Pi-hole as your router's upstream would not be required.

Your Pi-hole host is using OpenDNS, a public DNS resolver at 208.67.222.222.

It's actually not a bad idea to have your Pi-hole host using a public DNS server, as that would allow you to still run updates and Pi-hole's scripts on that machine even if Pi-hole would be inoperational.

It looks like the WAN setting on the RT-AX88U Pro simply affects what server the RT-AX88U uses for its own DNS requests. It doesn't seem to affect LAN devices, they still go through the Pi-hole. Setting the WAN DNS to the Pi-hole host IP tells the router to reach out to the Pi-hole for lookups. Pi-hole then uses its own configuration for resolving that request (in my case 1.1.1.1).

It looks like the Pi-hole host itself still uses OpenDNS when the router is handing out the Pi-hole as the local DNS server:

$ cat /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.0.110
search rt-ax88u

All in all none of this thread's problems were directly caused by the router or the Pi-hole software. It was all because of some nuanced network interface configuration on the Pi-hole host itself. I'm still not entirely certain why I was ending up with a routing table that directed traffic to a gateway that didn't exist, but that's off-topic for this forum.

After resolving the problem by changing subnets to match the default route I think setting the Pi-hole as the LAN DNS server in the router settings is all that is needed. Unsurprisingly the Pi-hole documentation was right all along.

Thanks for all your help and insights @Bucking_Horn.
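
The root cause reported in this thread (a default route via 192.168.0.1 on a host addressed in 192.168.50.x) can be checked mechanically. The following is an added example, not part of the original thread: it parses the output of `ip -o -4 addr show` and `ip -4 route show` and flags any default gateway that lies outside the subnets configured on its interface. The interface name `enp3s0` and all sample outputs are constructed for illustration.

```python
import ipaddress

# Constructed samples: "before" mirrors the mismatch described in the thread,
# "after" mirrors the renumbered network. enp3s0 is a hypothetical interface.
BEFORE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: enp3s0    inet 192.168.50.110/24 brd 192.168.50.255 scope global enp3s0
"""
BEFORE_ROUTE = """\
default via 192.168.0.1 dev enp3s0 proto static
192.168.50.0/24 dev enp3s0 proto kernel scope link src 192.168.50.110
"""
AFTER_ADDR = "2: enp3s0    inet 192.168.0.110/24 brd 192.168.0.255 scope global enp3s0\n"
AFTER_ROUTE = "default via 192.168.0.1 dev enp3s0 proto dhcp\n"


def parse_addrs(text):
    """Map interface name -> list of IPv4Interface from `ip -o -4 addr show`."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        if "inet" in fields:
            cidr = fields[fields.index("inet") + 1]
            addrs.setdefault(fields[1], []).append(ipaddress.ip_interface(cidr))
    return addrs


def parse_default_routes(text):
    """Return (gateway, device) for every `default via <gw> dev <if>` line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["default", "via"] and "dev" in fields:
            gateway = ipaddress.ip_address(fields[2])
            routes.append((gateway, fields[fields.index("dev") + 1]))
    return routes


def check_gateways(addr_text, route_text):
    """List (device, gateway, local_subnets) for gateways that are not on-link."""
    addrs = parse_addrs(addr_text)
    findings = []
    for gateway, dev in parse_default_routes(route_text):
        subnets = [iface.network for iface in addrs.get(dev, [])]
        if not any(gateway in net for net in subnets):
            findings.append((dev, str(gateway), [str(n) for n in subnets]))
    return findings


if __name__ == "__main__":
    print("before:", check_gateways(BEFORE_ADDR, BEFORE_ROUTE))
    print("after: ", check_gateways(AFTER_ADDR, AFTER_ROUTE))
```

To check a live host, pass the real output of the two `ip` commands to `check_gateways` in place of the samples; an empty list means every default gateway is reachable on its interface's subnet.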
