LAN devices not connected to internet

The issue I am facing:
I am running pihole in a docker on a qnap NAS. After updating the container in container station, running pihole in bridge mode with privilege rights, my LAN connected devices (TV, Netatmo, Sonos, etc.) are not connected to internet, by my WLAN connected devices (Mac, iPhone) seems to work normally. I am also relying on PiHole's DHCP server (after disabling my Router's one).

From the debug log it seems that my device is not recognises:

*** [ DIAGNOSING ]: Operating system
[i] Pi-hole Docker Container: 2024.07.0
[i] Distro: Debian
[i] Version: 11
[✗] dig return code: 9
[✗] dig response: ;; connection timed out; no servers could be reached
[✗] Error: dig command failed - Unable to check OS

Details about my system:
PiHole in docker bridge mode on qnap NAS

What I have changed since installing Pi-hole:
I cloned the latest image and set up a new docker container replacing the old one.

My debug token is: https://tricorder.pi-hole.net/XiruYqfh/

Please share your Docker configuration for your Pi-hole container.

We'd be interested specifically in the DNS environment variable for that container.

Hi @Bucking_Horn thanks for your quick response!

My container config attached below. Also, I realised that the issue is not only limited to LAN devices since the Netatmo is WLAN based.

{
AppArmorProfile:""
Args:[]
Config:{
AttachStderr:false
AttachStdin:false
AttachStdout:false
Domainname:""
Entrypoint:[
"/s6-init"
]
Env:[
"DNSMASQ_USER=pihole"
"IPv6=True"
"PHP_ERROR_LOG=/var/log/lighttpd/error-pihole.log"
"S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0"
"S6_KEEP_ENV=1"
"phpver=php"
"FTLCONF_LOCAL_IPV4=192.168.1.35"
"FTL_CMD=no-daemon"
"PATH=/opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"S6_BEHAVIOUR_IF_STAGE2_FAILS=2"
]
ExposedPorts:{
53/tcp:{}
53/udp:{}
67/udp:{}
80/tcp:{}
}
Healthcheck:{}
Hostname:"454a31a5e684"
Image:"pihole/pihole:latest"
Labels:{}
OpenStdin:true
StdinOnce:false
Tty:true
User:""
WorkingDir:""
}
Created:"2025-02-12T20:42:47.895197139Z"
Driver:"overlay2"
ExecIDs:[]
GraphDriver:{}
HostConfig:{
AutoRemove:false
Binds:[
"etc-dnsmasq.d:/etc/dnsmasq.d"
"etc-pihole:/etc/pihole"
]
BlkioWeight:0
Cgroup:""
CgroupParent:""
CgroupnsMode:"host"
ConsoleSize:[]
ContainerIDFile:""
CpuCount:0
CpuPercent:0
CpuPeriod:0
CpuQuota:0
CpuRealtimePeriod:0
CpuRealtimeRuntime:0
CpuShares:0
CpusetCpus:""
CpusetMems:""
DeviceCgroupRules:[]
Dns:[]
IOMaximumBandwidth:0
IOMaximumIOps:0
Init:false
IpcMode:"private"
Isolation:""
LogConfig:{}
Memory:0
MemoryReservation:0
MemorySwap:0
NanoCpus:0
NetworkMode:"qnet-static-eth1-79e6cc"
OomKillDisable:false
OomScoreAdj:0
PidMode:""
PortBindings:{}
Privileged:true
PublishAllPorts:false
ReadonlyRootfs:false
RestartPolicy:{}
Runtime:"runc"
SecurityOpt:[
"label=disable"
]
ShmSize:67108864
UTSMode:""
Ulimits:[
{
Hard:65535
Name:"nofile"
Soft:65535
}
]
UsernsMode:""
VolumeDriver:""
VolumesFrom:[]
}
HostnamePath:"/share/CACHEDEV5_DATA/Containers/container-station-data/lib/docker/containers/454a31a5e684609602ed210044d80600d733af174d338a49acdbca7aeabea630/hostname"
HostsPath:"/share/CACHEDEV5_DATA/Containers/container-station-data/lib/docker/containers/454a31a5e684609602ed210044d80600d733af174d338a49acdbca7aeabea630/hosts"
Id:"454a31a5e684609602ed210044d80600d733af174d338a49acdbca7aeabea630"
Image:"sha256:3eeaf548cbf6d43433a2522c47dea777c843c16b76a6b99df6f7f0b6a3a37d70"
LogPath:"/share/CACHEDEV5_DATA/Containers/container-station-data/lib/docker/containers/454a31a5e684609602ed210044d80600d733af174d338a49acdbca7aeabea630/454a31a5e684609602ed210044d80600d733af174d338a49acdbca7aeabea630-json.log"
MountLabel:""
Mounts:[
{
Destination:"/etc/dnsmasq.d"
Driver:"local"
Mode:"z"
Name:"etc-dnsmasq.d"
Propagation:""
RW:true
Source:"/share/CACHEDEV5_DATA/Containers/container-station-data/lib/docker/volumes/etc-dnsmasq.d/_data"
Type:"volume"
}
{
Destination:"/etc/pihole"
Driver:"local"
Mode:"z"
Name:"etc-pihole"
Propagation:""
RW:true
Source:"/share/CACHEDEV5_DATA/Containers/container-station-data/lib/docker/volumes/etc-pihole/_data"
Type:"volume"
}
]
Name:"/pihole"
NetworkSettings:{
Bridge:""
EndpointID:""
Gateway:""
GlobalIPv6Address:""
GlobalIPv6PrefixLen:0
HairpinMode:false
IPAddress:""
IPPrefixLen:0
IPv6Gateway:""
LinkLocalIPv6Address:""
LinkLocalIPv6PrefixLen:0
MacAddress:""
Networks:{
qnet-static-eth1-79e6cc:{
Aliases:[
"454a31a5e684"
]
DNSNames:[
"pihole"
"454a31a5e684"
]
EndpointID:"34014a7d833cdcde4e8b29ae7b56e37f83b5d315f24e08f6251a30ca0bcd64d6"
Gateway:"192.168.1.1"
GlobalIPv6Address:""
GlobalIPv6PrefixLen:0
IPAMConfig:{
IPv4Address:"192.168.1.35"
}
IPAddress:"192.168.1.35"
IPPrefixLen:24
IPv6Gateway:""
MacAddress:"02:42:74:bc:1e:96"
NetworkID:"471773cda87f620206ed0f371d18a751334d19950a0421fa6ede0a9ade42b70f"
}
}
Ports:{}
SandboxID:"a1e9e05562a879c6f041bbc49510d545f55cfea444ea1cdcdc5625efca25d9bd"
SandboxKey:"/var/run/docker/netns/a1e9e05562a8"
}
Path:"/s6-init"
Platform:"linux"
ProcessLabel:""
ResolvConfPath:"/share/CACHEDEV5_DATA/Containers/container-station-data/lib/docker/containers/454a31a5e684609602ed210044d80600d733af174d338a49acdbca7aeabea630/resolv.conf"
RestartCount:0
State:{}
}

I don't see any DNS settings in there, which could explain your dig command failure.

For docker-compose, you'd typcially add a section like:

        dns:
            - 127.0.0.1
            - 1.1.1.1

EDIT: Note that supplying those would just address your dig command failure. It won't do anything about your connection issues.

Yours is neither a docker-compose or docker run script, so I can't advise how or where to add that.

Run from a client, what is the output of:

nslookup pi.hole

nslookup flurry.com

I obtained the block above from QNAP's container station when inspecting the container.

When I run the commands above I get the following

(base) fs@Florians-MacBook-Pro ~ % nslookup pi.hole
Server: 192.168.1.35
Address: 192.168.1.35#53

Name: pi.hole
Address: 192.168.1.35

(base) fs@Florians-MacBook-Pro ~ % nslookup flurry.com
Server: 192.168.1.35
Address: 192.168.1.35#53

Name: flurry.com
Address: 0.0.0.0

Those results look ok, demonstrating that your macbook client is using Pi-hole for DNS, and Pi-hole's blocking is active for it.

Does that macbook client have Internet access?

If so, what would those nslookups return on a client that you observe as lacking Internet access?

Yes my MacBook has internet and works as intended, but it´s hard to tell because all devices I can access by terminal are functioning. Its only the "peripheral" devices which don't seem to work:

• TV
• Netatmo
• Some Sonos speakers

If I try the command above with a specified ip the connection times out. Below is an attempt for one of the Sonos speakers:

(base) fs@Florians-MacBook-Pro ~ % nslookup pi.hole 192.168.1.229
;; connection timed out; no servers could be reached

However, I can ping the ip

(base) fs@Florians-MacBook-Pro ~ % ping 192.168.1.229
PING 192.168.1.229 (192.168.1.229): 56 data bytes
64 bytes from 192.168.1.229: icmp_seq=0 ttl=64 time=4.408 ms
64 bytes from 192.168.1.229: icmp_seq=1 ttl=64 time=5.181 ms
64 bytes from 192.168.1.229: icmp_seq=2 ttl=64 time=4.916 ms
64 bytes from 192.168.1.229: icmp_seq=3 ttl=64 time=5.190 ms
^C
--- 192.168.1.229 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.408/4.924/5.190/0.317 ms

Then they probably are connected, but dislike Pi-hole's blocking.

You could inspect Pi-hole's Query Log to learn which domains a specific client IP has requested and how Pi-hole processed them, e.g. by clicking on such a client as shown in Pi-hole's dashboard under Top Clients.

How do I determine what domain an ad is coming from? may also help.

That's expected - you are misunderstanding what that nslookup does.
You are asking 192.168.1.229 for DNS resolution, but there is no DNS server on 192.168.1.229.

Screenshot 2025-02-14 at 09.39.191980×1586 335 KB

Ok, I checked the requests and it seems that there are a lot of Retried ones...

Run from your macbook client, what's the result of e.g.:

nslookup ap.spotify.com

(base) fs@Florians-MacBook-Pro ~ % nslookup ap.spotify.com       
Server:		fdaa:bbcc:ddee:<redacted>e5
Address:	fdaa:bbcc:ddee:<redacted>e5#53

Non-authoritative answer:
ap.spotify.com	canonical name = ap.single-gslb.spotify.com.
Name:	ap.single-gslb.spotify.com
Address: 34.158.1.133

I just checked the pihole diagnostics and now got two entries:

not giving name localhost.lan to the DHCP lease of 192.168.1.221 because 
the name exists in /etc/hosts with address 127.0.0.1

May it be that there is some old config/cash somewhere which is causing troubles?

ip 192.168.1.221 is from my TV

Ok, that's bad - not necessarily related to your issue, but bad, as your router's DNS server has handled that query, i.e. your Pi-hole may be by-passed via IPv6.

That definitely needs attention.

But let's first see how Pi-hole would handle that query:

nslookup ap.spotify.com 192.168.1.35

(base) fs@Florians-MacBook-Pro ~ % nslookup ap.spotify.com 192.168.1.35
;; connection timed out; no servers could be reached

When I use pihole the connection times out

No, Pi-hole has handed out a DHCP lease (as you should be able to verify by inspecting Pi-hole's DHCP leases and your TV's queries), it just refused the name that device was trying to claim for itself. (I guess that TV is perhaps an older Samsung model, as they are notorious for naming themselves localhost (which is really stupid to do, as any device will use that name internally))

If you want a nice name for your TV, create a static lease reservation with a Hostname for that TV in Pi-hole's DHCP server, or just add a Local DNS record.

But it doesn't contribute to your observation.

That's strange, as your macbook had no issues talking to Pi-hole in your earlier lookup:

How is your macbook connecting to your router, via ethernet or wifi?

And could you run that nslookup from your Pi-hole machine?

yeah its indeed an older Samsung

The MacBook is connected via WIFI

When I run nslookup from the docker container I get:

root@454a31a5e684:/# nslookup ap.spotify.com
Server:         127.0.0.11
Address:        127.0.0.11#53

Non-authoritative answer:
ap.spotify.com  canonical name = ap.single-gslb.spotify.com.
Name:   ap.single-gslb.spotify.com
Address: 34.158.1.133

But when I specify the ip of pihole I again get a connection timeout:

root@454a31a5e684:/# nslookup ap.spotify.com 192.168.1.35
;; connection timed out; no servers could be reached

That's also expected, as that IP is unknown inside the container.
But it should work if you run it from the machine hosting your Pi-hole container.

Ahh I see, sorry ...

So when running it from the NAS which is hosting my container I get:

[Florian@FloriNAS ~]$ nslookup ap.spotify.com
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
ap.spotify.com	canonical name = ap.single-gslb.spotify.com.
Name:	ap.single-gslb.spotify.com
Address: 34.158.1.133

and

[Florian@FloriNAS ~]$ nslookup ap.spotify.com 192.163.1.35
;; connection timed out; no servers could be reached

That would suggest that either Pi-hole is down, or a firewall on your NAS is blocking port 53.

However, as earlier lookups through 192.163.1.35 succeeded, the former seems more likely.

Is 192.168.1.35 your NAS, or just your Pi-hole container?
Another possible explanation would be that you haven't set a static IP on your NAS, and that it has relinquished its 192.168.1.35 after its (router issued) DHCP lease expired, or that you're running your Pi-hole container in macvlan mode, as Docker's macvlan isolation prevents direct communication between your Pi-hole container and the Docker host (but the latter wouldn't explain why your macbook suddenly also fails to contact 192.168.1.35).

And you also may see timeouts if your Pi-hole's upstream servers would be inaccessible.

Ok some thought:

1. Pi-hole seems to be up and running since I can access the web admin panel and see that queries are processed.
2. 192.168.1.35 is the ip of my Pi-hole container, I set it to be static
3. My NAS has ip 192.168.1.52 which is also static.
4. The container of Pi-hole runs in bridge mode

I hope this helps and is useful?