How to determine if pihole is communicating with the upstream dns server (Google 8.8.8.8 and 8.8.4.4)?

Expected Behaviour:

When I perform a dig command on a domain name that is not cached, I expected to see communication between my pihole and upstream dns server in Wireshark, which is currently set to Google - 8.8.8.8 and 8.8.4.4

pihole

raspberry pi

Actual Behaviour:

When I perform a dig command on a domain name that is not cached, I’m not seeing, via Wireshark, the communication between my pihole and upstream dns server of Google - 8.8.8.8 and 8.8.4.4. The only communication I'm seeing is between my client and pihole.

Debug Token:

My assumption is that I should be able to capture the request from pihole to Google and the response from Google to pihole if the domain I’m looking up is not already cached.

How to determine if pihole is communicating with the upstream dns server

Just go to the Query Log page on the web interface and look for the query.

If you execute dig google.com and Pi-hole is the DNS server, the query will show up on the Query Log table.
Click on the table row to show the details:

In my example, the upstream server is unbound at 192.168.0.194. In your case, you will see 8.8.8.8.

I executed dig yahoo.com and I did see a query in the log where it did forward to 8.8.4.4#53.

Is there any reason why I’m not able to capture that forwarded communication in Wireshark? Is there a way to capture network / vlan traffic instead of local interface network traffic? Also, if I install unbound locally on my raspberry pi and then change the upstream DNS to 127.0.0.1#5335, I should then see the traffic being forwarded to 127.0.0.1#5335 instead of 8.8.4.4, correct?

What machine are you running Wireshark on?

On the same machine I performed the dig command on, which is a Mac Book.

Then you can only see the packets on the Mac Book.

Pi-hole is on a different machine. You won't be able to see the traffic between Pi-hole and the upstream servers.

You can view it in real time on the system you are running Pi-hole on.

sudo tcpdump -i eth0 port 53
(replace eth0 with the device you want to monitor, or even replace with any to capture all networks)

You can alternatively capture it to a file for analysis within wireshark.

eg
sudo tcpdump -i eth0 port 53 -w dns_traffic.pcap
(replace eth0 again).

Once you stop the collection (use control-c), you can then send the dns_traffic.pcap file to your mac and view the contents in wireshark.

(You may need to install tcpdump:
sudo apt install tcpdump )
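The tcpdump capture above shows every DNS packet on the interface, so the forwarded query to 8.8.8.8 or 8.8.4.4 is mixed in with the client-to-Pi-hole traffic. The script below is an added example (not from the original thread or the Pi-hole project) that reads the text output of `sudo tcpdump -i eth0 -nn -l port 53` and reports, per upstream server, how many queries Pi-hole forwarded, how many were answered, and which names never got a reply. It assumes the Pi-hole is at 192.168.0.10 and the client at 192.168.0.20; the embedded sample lines and the 203.0.113.x answers are constructed for the demonstration. Python is used because it ships with Raspberry Pi OS.

```python
#!/usr/bin/env python3
"""Summarise Pi-hole -> upstream forwarding from `tcpdump -nn port 53` text output.

Usage on the Pi-hole host (assumed addresses):
    sudo tcpdump -i eth0 -nn -l port 53 | python3 dns_forwarding.py 192.168.0.10
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `tcpdump -nn port 53` output. 192.168.0.10 is the assumed
# Pi-hole, 192.168.0.20 the Mac running dig. The last query to 8.8.8.8 has no reply.
SAMPLE_TCPDUMP = """\
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:01:02.100000 IP 192.168.0.20.52001 > 192.168.0.10.53: 4711+ A? yahoo.com. (27)
10:01:02.101000 IP 192.168.0.10.41234 > 8.8.4.4.53: 9001+ A? yahoo.com. (27)
10:01:02.120000 IP 8.8.4.4.53 > 192.168.0.10.41234: 9001 2/0/0 A 203.0.113.5, A 203.0.113.6 (59)
10:01:02.121000 IP 192.168.0.10.53 > 192.168.0.20.52001: 4711 2/0/0 A 203.0.113.5, A 203.0.113.6 (59)
10:01:05.000000 IP 192.168.0.20.52002 > 192.168.0.10.53: 4712+ A? pi.hole. (25)
10:01:05.001000 IP 192.168.0.10.53 > 192.168.0.20.52002: 4712 1/0/0 A 192.168.0.10 (41)
10:01:09.000000 IP 192.168.0.20.52003 > 192.168.0.10.53: 4713+ A? example.org. (29)
10:01:09.001000 IP 192.168.0.10.41235 > 8.8.8.8.53: 9002+ A? example.org. (29)
"""

# One IPv4 line of tcpdump's default DNS summary: timestamp, src.port > dst.port,
# transaction id, optional flag characters (+ RD, * AA, % CD, | TC, - no RA, $ DO),
# then the query or answer text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)[+*$%|-]* (?P<rest>.*)$"
)
# Query text looks like "A? yahoo.com. (27)"; answers start with a section count.
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")


def summarize_upstream(tcpdump_text, pihole_ip):
    """Return {upstream_ip: {"forwarded": n, "answered": n, "unanswered": [names]}}.

    A forwarded query is a packet from pihole_ip to port 53 of another host; its
    reply is matched on (upstream, Pi-hole source port, transaction id).
    """
    pending = {}  # (upstream, pihole_port, txid) -> queried name
    stats = defaultdict(lambda: {"forwarded": 0, "answered": 0, "unanswered": []})
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, IPv6, or anything else tcpdump prints
        f = m.groupdict()
        if f["src"] == pihole_ip and f["dport"] == "53" and f["dst"] != pihole_ip:
            q = QUERY_RE.match(f["rest"])
            if q is None:
                continue
            upstream = f["dst"]
            stats[upstream]["forwarded"] += 1
            pending[(upstream, f["sport"], f["id"])] = q.group("name")
        elif f["dst"] == pihole_ip and f["sport"] == "53" and f["src"] != pihole_ip:
            key = (f["src"], f["dport"], f["id"])
            if key in pending:  # reply to a query we saw leave the Pi-hole
                del pending[key]
                stats[f["src"]]["answered"] += 1
    for (upstream, _port, _txid), name in pending.items():
        stats[upstream]["unanswered"].append(name)
    return dict(stats)


def format_report(stats):
    """Render the summary as one line per upstream server."""
    lines = []
    for upstream, s in sorted(stats.items()):
        line = f"{upstream}: forwarded={s['forwarded']} answered={s['answered']}"
        if s["unanswered"]:
            line += " unanswered=" + ",".join(s["unanswered"])
        lines.append(line)
    return "\n".join(lines) if lines else "no queries forwarded to an upstream server"


if __name__ == "__main__":
    pihole = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    print(format_report(summarize_upstream(text, pihole)))
```

Run without piped input it reports on the constructed sample, showing one answered query to 8.8.4.4 and one unanswered query to 8.8.8.8; the query for pi.hole is answered locally and never appears as forwarded. If the upstream is later changed to a local unbound at 127.0.0.1#5335 as asked about above, the forwarded traffic would leave on the loopback interface on port 5335, so the capture would need `-i lo port 5335` and the script would need the port checks adjusted accordingly (an assumption about that setup, not something shown in this thread).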
