Interesting behavior with 2 Pi-Holes

I'm running 2 Pi-Holes (one in a VM on a pretty beefy box over gigabit Ethernet, the other on a Pi Zero W over wifi) on a home network that serves a variety of Windows 10, Windows 7, Ubuntu, Android, iOS, and Chromebook devices. They are configured similarly and use the same blocklists. [EDIT: To clarify, they are configured in parallel, not "stacked" - they are both configured to use the same two upstream servers (OpenDNS).]

The VM is obviously faster, and ends up carrying the bulk of the load; over a 24-hour period the VM serves about 3 times as many queries as the Pi does. That makes sense. The interesting thing is that the VM blocks queries at a rate about 10 times that of the Pi - right now, the VM is showing that it's blocked 33% of the queries in the past 24 hours, whereas the Pi has blocked only 3%. This is true even if you look at only a single client - for example, if you look at the machine that typically gets the most use (a Windows 10 laptop) the VM is currently showing that over the past 24 hours it has blocked 3049 out of 14,204 requests for that client (a 21% block rate) whereas the Pi, looking at data from the same client, shows it has blocked only 66 of 6311 queries (a block rate of just over 1%).

There's no obvious indication that the Pi is letting through queries that it should be blocking, and in fact if I shut down the VM and let the Pi handle the whole load, the Pi's block rate goes way up. Rather, it appears that the clients are making fundamentally different requests from the different DNS servers, when they have a choice.

I know it's pretty much up to the OS to decide which DNS server to query when multiple ones are configured, but I'm at a loss to explain this dramatic difference. Any thoughts on what could be driving this behavior?

It is normal behavior.

The queries go first to the first DNS server you specified and sometimes they "fall" onto the second ...
Here's my daily report with 3 nodes:

Logically, the specified DNS servers should be queried in the order that they are specified. 1,2 ... If one fails, go to 2 ... At least, that was its initial intent.
However, a single point of failure setting is not the best when it comes to networking, and the discrepancy happens due to the OS attempting to use the specified DNS servers in a round-robin type of approach.

I know for a fact if your Node 1 fails, Node 2 will take the full load 🙂

I get the failover part - what I don't understand is why the VM ends up blocking ~30% of its requests whereas the Pi only blocks ~3%.

For some reason, devices are only making queries for "good" domains to the second (Pi) DNS server.

If you switch the default DNS line-up (where DNS1 setting is propagated/set-up with the Pi IP address and DNS2 would be the VM) you will see the same behavior where the Pi this time will take the bulk of it.

Again, it is up to the OS how the DNS servers are queried.

Yes, I know (I made that point in the original post). I'm just curious as to why the clients seem to only query "good" domains from DNS2.

To be clear, I'm convinced that both PiHoles are behaving correctly. I just can't figure out why the clients behave like they do.
