Local dig works, but dig with external IP doesn't


Expected Behaviour:

dig @ google.com

;; ANSWER SECTION:
google.com. 220 IN A 216.58.207.206

Actual Behaviour:

dig @ google.com

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

This might be of good info:

> netstat -tulpen | grep 53

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          15312      -                   
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      197        15344      -                   
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      972        376284     -                   
tcp6       0      0 :::4369                 :::*                    LISTEN      197        15345      -                   
tcp6       0      0 :::53                   :::*                    LISTEN      972        376286     -                   
udp        0      0 0.0.0.0:53              0.0.0.0:*                           972        376283     -                   
udp6       0      0 :::53                   :::*                                972        376285     -

I think I need to open a port, but I'm not sure.

Is this the exact command you ran? The command should be dig google.com

What is the complete output of this command from the Pi-Hole terminal?

sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:8953 \|:67 \|:80 \|:471'

Also, please generate a Pi-Hole debug log, upload it and post the token here.

Sorry, command was

dig @ 127.0.0.1 google.com

-> works

dig @ 192.168.0.170 google.com

-> doesn't work

> sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:8953 \|:67 \|:80 \|:471'

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      22712/pihole-FTL    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      296/lighttpd        
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      22712/pihole-FTL    
tcp6       0      0 :::53                   :::*                    LISTEN      22712/pihole-FTL    
udp        0      0 0.0.0.0:53              0.0.0.0:*                           22712/pihole-FTL    
udp6       0      0 :::53                   :::*                                22712/pihole-FTL

I don't have a debug log as I am running this on Arch :frowning:

dig @192.168.0.170 google.com

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

The pi hole.
Note: I've installed pihole-FTL which means I don't have dnsmasq on my raspberry.

;; ANSWER SECTION:
pi-hole.net. 177 IN A 206.189.252.21

Obviously that works.

Somewhere along this thread, I've lost track of the problem. The local dig working and external IP dig not working was a problem on the Pi (from the Pi terminal), a client, or both?

Please post the exact commands you are running from both the Pi terminal and client, along with the complete output of the commands.

I've installed a raspberry pi with arch linux. The ip address is 192.168.0.170
I've installed pihole with pihole-FTL.
ON THE PIHOLE:

dig @localhost google.com

;; ANSWER SECTION:
google.com. 261 IN A 216.58.207.206

dig @localhost s.amazon-adsystem.com

;; ANSWER SECTION:
s.amazon-adsystem.com. 2 IN A 0.0.0.0

Good. Pi hole works!

Now ON THE PIHOLE AGAIN:

dig @192.168.0.170 google.com

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

ON A CLIENT:

dig @192.168.0.170 google.com

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Pi hole works, but something is blocking dns requests towards the pihole. Probably some firewall issue?

tail /etc/resolv.conf:

nameserver 127.0.0.1

I assume the Pi is visible on your network at the 170 IP? Are you using ssh to the Pi via port 22, or do you control the Pi via a keyboard and mouse and monitor?

Also, please generate a Pi-Hole debug log, upload it when prompted and post the token here.

Yes, I can ssh to 192.168.0.170. That's the way I use my pi.
Can't post a debug log because I'm using arch.

Pi-hole debug options are disabled.

ArchLinux distribution of Pi-hole is not supported by official project and this debug report CAN NOT be uploaded to their debug team.
Follow instructions carefully on the project wiki page (Pi-hole - ArchWiki) and please refer to AUR package web page for support and debugging (AUR (en) - pi-hole-server).

Apologies - I see you posted Arch in an earlier reply. Since Arch isn't a supported platform and we can't get a debug log, I don't think we'll be able to help much. I would head over to the Arch Pi-Hole site and see what they can offer.

It does appear that something is blocking port 53 traffic to the Pi.

Ok, so iptables was empty.
I've executed these commands:

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

It still doesn't work.

Now it looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Seems a bit weird. I don't see the ports mentioned.

Ok, it is not a firewall.

nc -zvw3 192.168.0.170 53

pi.hole [192.168.0.170] 53 (domain) open
-> port is open

Edit:

telnet 192.168.0.170 53

Trying 192.168.0.170...
Connected to 192.168.0.170.
Escape character is '^]'.
Connection closed by foreign host.

This is correct behavior I guess?

dehakkelaar@laptop:~$ dig +short @10.0.0.2 chaos txt version.bind
"dnsmasq-pi-hole-2.80"

dehakkelaar@laptop:~$ dig +short +tcp @10.0.0.2 chaos txt version.bind
"dnsmasq-pi-hole-2.80"

dehakkelaar@laptop:~$ dig +short +notcp @10.0.0.2 chaos txt version.bind
"dnsmasq-pi-hole-2.80"

dehakkelaar@laptop:~$ nc -zvw3 10.0.0.2 53
Connection to 10.0.0.2 53 port [tcp/domain] succeeded!

dehakkelaar@laptop:~$ telnet 10.0.0.2 53
Trying 10.0.0.2...
Connected to 10.0.0.2.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Check if the interface configured for Pi-hole is the same as the one holding IP 192.168.0.170:

grep PIHOLE_INTERFACE /etc/pihole/setupVars.conf

ip a

Could be rebind protection:

If you suspect rebind protection and can't find any related settings in the router, you could connect a PC/laptop configured with a static IP directly to the Pi-hole box (no router/switch in between) to see if it replies to dig/nslookup/host etc.
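The interface check suggested above, as an added shell example that is not from the thread: it works on constructed copies of setupVars.conf and `ip a` output (the tun0 address 10.8.0.2 is made up) and reports whether PIHOLE_INTERFACE names the interface that actually holds 192.168.0.170, the mismatch reported later in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: does PIHOLE_INTERFACE name the
# interface that actually holds the Pi-hole's LAN address?

# Constructed sample of /etc/pihole/setupVars.conf (value as in the thread).
SETUPVARS='BLOCKING_ENABLED=true
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=192.168.0.170/24'

# Constructed, abbreviated `ip a` output; the tun0 address is made up.
IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.0.170/24 brd 192.168.0.255 scope global dynamic eth0
    inet 192.168.0.171/24 brd 192.168.0.255 scope global secondary noprefixroute eth0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
    inet 10.8.0.2/24 scope global noprefixroute tun0'

# $1 = setupVars.conf contents -> prints the configured interface name.
configured_iface() {
    printf '%s\n' "$1" | sed -n 's/^PIHOLE_INTERFACE=//p'
}

# $1 = IPv4 address, $2 = `ip a` output -> prints the interface holding it
# (the interface name is the last field of each "inet" line).
iface_holding_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" \
        '$1 == "inet" && index($2, ip "/") == 1 { print $NF; exit }'
}

# $1 = setupVars.conf contents, $2 = LAN address, $3 = `ip a` output.
# Returns 0 when Pi-hole listens where the address lives, 1 otherwise.
check_interface() {
    want=$(configured_iface "$1")
    have=$(iface_holding_ip "$2" "$3")
    if [ -n "$have" ] && [ "$want" = "$have" ]; then
        echo "OK: PIHOLE_INTERFACE=$want holds $2"
        return 0
    fi
    echo "MISMATCH: PIHOLE_INTERFACE=$want but $2 is on ${have:-no interface}"
    return 1
}

if ! check_interface "$SETUPVARS" 192.168.0.170 "$IP_A"; then
    echo "Point PIHOLE_INTERFACE at the interface holding the LAN address (or listen on all interfaces), then restart pihole-FTL."
fi
```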

dig +short +tcp @192.168.0.170 chaos txt version.bind "dnsmasq-pi-hole-2.80"

;; communications error to 192.168.0.170#53: end of file
;; communications error to 192.168.0.170#53: end of file
;; communications error to 192.168.0.170#53: end of file
;; communications error to 192.168.0.170#53: end of file

grep PIHOLE_INTERFACE /etc/pihole/setupVars.conf

PIHOLE_INTERFACE=tun0

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b9:23:ec:de:c3:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.170/24 brd 192.168.0.255 scope global dynamic eth0
valid_lft 2142sec preferred_lft 2142sec
inet 192.168.0.171/24 brd 192.168.0.255 scope global secondary noprefixroute eth0
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether d2:4e:4f:35:8d:e4 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet x.x.x.x/24 brd x.x.x.x scope global noprefixroute tun0
valid_lft forever preferred_lft forever

The x.x.x.x is replacing a real IP.

Try changing the Pi-hole DNS setting below:

[screenshot of the Pi-hole admin DNS settings page, not preserved]


Lol, I only have CLI.

Edit: You mean in the pi hole admin settings.
THANKS. IT WORKS. YOU ARE MY HERO!


You can change it with the CLI ... hold on :wink:
