Hmmm... Can't reach this page

Expected Behaviour:

Clients able to access websites.

Edgerouter 4, EdgeSwitch 8, Raspberry Pi 3B
Raspberry Pi OS (64bit)

Actual Behaviour:

Clients not able to resolve addresses with Pi-hole DNS address
Pi-hole diagnosis (2)
Clients get "Hmmm... Can't reach this page"
Switching DHCP server DNS to 1.1.1.1 works fine
Cannot access diagnosis file on Pi-hole. Access denied.

Debug Token:

https://tricorder.pi-hole.net/ClgHrt6K/

The domain that was tested in the debug came back from Cloudflare with SERVFAIL. It may be that your system clock is wrong, since their server uses DNSSEC which requires an accurate clock.

You can also try enabling the Pi-hole option Settings > DNS > Use DNSSEC. This makes Pi-hole show the DNSSEC responses in more detail in the Query Log. If you try using Pi-hole again and it doesn't work, check the Query Log and see if you are seeing a lot of entries marked as BOGUS.

Try running the command below in a terminal on your Pi. Is it showing the correct date, time and timezone or is it wrong? Is NTP active?

timedatectl
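The clock dependency described in the reply above, as an added example that is not part of this thread or of Pi-hole's own code: a validating resolver accepts an RRSIG only when its own clock falls inside the signature's Inception/Expiration window, and both fields are 32-bit timestamps compared with serial number arithmetic. The RRSIG timestamps and clock values below are constructed for illustration.

```python
"""Added example: why a wrong system clock turns DNSSEC answers BOGUS.

A validating resolver (Cloudflare here, or Pi-hole itself with "Use DNSSEC")
accepts an RRSIG only if its own clock lies inside the signature's validity
window: Inception <= now <= Expiration (RFC 4035 section 5.3.1). Both fields
are 32-bit seconds-since-1970 values compared with serial number arithmetic
(RFC 4034 section 3.1.5, RFC 1982), so the comparison must tolerate wrap-around.
The RRSIG timestamps below are constructed for illustration.
"""
from datetime import datetime, timezone

TWO32 = 1 << 32
HALF = 1 << 31


def serial_le(a: int, b: int) -> bool:
    """True if a <= b in RFC 1982 serial arithmetic on 32-bit values."""
    diff = (b - a) % TWO32
    return diff < HALF


def parse_sigtime(presentation: str) -> int:
    """RRSIG time in presentation form YYYYMMDDHHmmSS (UTC) -> 32-bit seconds."""
    dt = datetime.strptime(presentation, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % TWO32


def rrsig_window(inception: int, expiration: int, now: int) -> str:
    """Validator verdict for the time checks only; the signature itself is not verified here."""
    if not serial_le(inception, now):
        # Clock behind the signer, e.g. a Raspberry Pi (no RTC) that never synced NTP.
        return "not-yet-valid"
    if not serial_le(now, expiration):
        # Clock ahead of the signer.
        return "expired"
    return "ok"


def check_presentation(inception: str, expiration: str, now: str) -> str:
    """Convenience wrapper taking all three times in presentation form."""
    return rrsig_window(parse_sigtime(inception), parse_sigtime(expiration), parse_sigtime(now))


if __name__ == "__main__":
    # Constructed three-week window around the date of this thread.
    inc, exp = "20240120000000", "20240210000000"
    for clock in ("20240125204146", "20230125204146", "20250101000000"):
        print(clock, check_presentation(inc, exp, clock))
```

On a live system, compare the time `timedatectl` reports (and whether "System clock synchronized" is yes) with the inception/expiration printed by `dig +dnssec` for the failing name; a clock outside that window is enough on its own for a validator to return SERVFAIL or, in Pi-hole's Query Log, BOGUS.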

Date, time, zone are correct. NTP active
Use DNSSEC now enabled

Pi-hole diagnosis (1) now

Getting (example): "www.amazon.com's server IP address could not be found." on clients when set to Pi-hole DNS.

snip from query log:
2024-01-25 20:41:46 AAAA app.sbz.workers.dev pi.hole OK (cache)
INSECURE IP (0.1ms) Blacklist
2024-01-25 20:41:46 AAAA app.sbz.workers.dev pi.hole OK (cache)
INSECURE IP (0.1ms) Blacklist
2024-01-25 20:41:46 DNSKEY dev pi.hole OK (answered by one.one.one.one#53)
SECURE DNSSEC (12.9ms)
2024-01-25 20:41:46 DS workers.dev pi.hole OK (answered by one.one.one.one#53) NODATA (41.6ms)

updated diagnosis
https://tricorder.pi-hole.net/lrRuLWcm/

Thanks for checking the time settings. You can disable the DNSSEC setting if you prefer now, since the clock has been ruled out. Or leave it enabled if you like the extra info provided (it does increase log sizes a bit but won't be a problem).

Are the clients on the same subnet as the Pi-hole? Pi-hole is on 192.168.3.4/24 and the Pi-hole diags section (Tools > Pi-hole diagnosis) has a message saying it ignored a query from 192.168.200.100 which is a different subnet. Is that the client that wasn't able to resolve the Amazon address? The default setting is to process same subnet only (Settings > DNS > Allow only local requests).

What do you get when running the commands below in a terminal on the Pi-hole itself?

nslookup flurry.com 127.0.0.1
nslookup flurry.com 192.168.3.4
nslookup flurry.com 1.1.1.1
nslookup -class=chaos -type=txt version.bind 192.168.3.4
nslookup -class=chaos -type=txt version.bind 198.41.0.4

Might there be any settings in the EdgeRouter which are blocking DNS between clients and the Pi-hole?
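The same-subnet rule the reply above points at, as an added example that is not part of this thread or of Pi-hole's own code: "Allow only local requests" is dnsmasq's local-service behaviour (answer only clients whose source address is in a subnet the server has an interface on), while "Permit all origins" answers everyone. The addresses are the ones from this thread; the interface list is constructed rather than read from the host.

```python
"""Added example: which clients a Pi-hole answers under each listening mode.

"Allow only local requests" (the default) follows dnsmasq's local-service rule:
answer only clients whose source address falls inside a subnet the server has
an interface on. "Permit all origins" answers every client. Queries refused
under the local rule are dropped and appear as "ignored" in
Tools > Pi-hole diagnosis, which is what this thread observed.
"""
import ipaddress

# Constructed: the Pi-hole host's interface addresses (LAN address from the
# thread, plus loopback so queries to 127.0.0.1 on the Pi itself still work).
PIHOLE_INTERFACES = ("192.168.3.4/24", "127.0.0.1/8")


def local_networks(interfaces=PIHOLE_INTERFACES):
    """Subnets the server is directly attached to (host bits are masked off)."""
    return [ipaddress.ip_interface(i).network for i in interfaces]


def would_answer(client_ip: str, mode: str, interfaces=PIHOLE_INTERFACES) -> bool:
    """mode: 'LOCAL' = Allow only local requests, 'ALL' = Permit all origins."""
    client = ipaddress.ip_address(client_ip)
    if mode == "ALL":
        return True
    if mode == "LOCAL":
        return any(client in net for net in local_networks(interfaces))
    raise ValueError(f"unknown listening mode {mode!r}")


def explain(client_ip: str, mode: str) -> str:
    """Human-readable verdict, mirroring the diagnosis message seen in the thread."""
    if would_answer(client_ip, mode):
        return f"{client_ip}: answered"
    return f"{client_ip}: ignored (query from a subnet the Pi-hole is not attached to)"


if __name__ == "__main__":
    for mode in ("LOCAL", "ALL"):
        print(mode)
        for client in ("192.168.3.50", "192.168.200.100", "127.0.0.1"):
            print("  " + explain(client, mode))
```

The thing to check before switching to "Permit all origins" on a multi-subnet LAN is that port 53 on the Pi-hole is only reachable from your own networks: the router's WAN firewall, not Pi-hole, is what then stops it becoming an open resolver. Note also why the `nslookup ... 127.0.0.1` test on the Pi succeeds even while routed clients are ignored: loopback is a local subnet.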

The Interface setting was the culprit. I switched that to "Permit all origins" and got the expected behavior from other local subnets.

I had upgraded Pi-hole and at the same time moved those clients to different subnets on my LAN; I didn't recognize that was going to be an issue.

Thanks for your assistance!!!
