Local dig works, but dig with external ip it doesn't

;; ANSWER SECTION:
pi-hole.net. 177 IN A 206.189.252.21

Obviously that works.

Somewhere along this thread, I've lost track of the problem. The local dig working and external IP dig not working was a problem on the Pi (from the Pi terminal), a client, or both?

Please post the exact commands you are running from both the Pi terminal and client, along with the complete output of the commands.

I've installed a raspberry pi with arch linux. The ip address is 192.168.0.170
I've installed pihole with pihole-FTL.
ON THE PIHOLE:

dig @localhost google.com

;; ANSWER SECTION:
google.com. 261 IN A 216.58.207.206

dig @localhost s.amazon-adsystem.com

;; ANSWER SECTION:
s.amazon-adsystem.com. 2 IN A 0.0.0.0

Good. Pi hole works!

Now ON THE PIHOLE AGAIN:

dig @192.168.0.170 google.com

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

ON A CLIENT:

dig @192.168.0.170 google.com

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Pi hole works, but something is blocking dns requests towards the pihole. Probably some firewall issue?

tail /etc/resolv.conf:

nameserver 127.0.0.1

I assume the Pi is visible on your network at the 170 IP? Are you using ssh to the Pi via port 22, or do you control the Pi via a keyboard and mouse and monitor?

Also, please generate a Pi-Hole debug log, upload it when prompted and post the token here.

Yes, I can ssh to 192.168.0.170. That's the way I use my pi.
Can't post a debug log because I'm using arch.

Pi-hole debug options are disabled.

ArchLinux distribution of Pi-hole is not supported by official project and this debug report CAN NOT be uploaded to their debug team.
Follow instructions carefully on the project wiki page (Pi-hole - ArchWiki) and please refer to AUR package web page for support and debugging (AUR (en) - pi-hole-server).

Apologies - I see you posted Arch in an earlier reply. Since Arch isn't a supported platform and we can't get a debug log, I don't think we'll be able to help much. I would head over to the Arch Pi-Hole site and see what they can offer.

It does appear that something is blocking port 53 traffic to the Pi.

Ok, so iptables was empty.
I've executed these commands:

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

It still doesn't work.

Now it looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Seems a bit weird. I don't see the ports mentioned.

Ok, it is not a firewall.

nc -zvw3 192.168.0.170 53

pi.hole [192.168.0.170] 53 (domain) open
-> port is open

Edit:

telnet 192.168.0.170 53

Trying 192.168.0.170...
Connected to 192.168.0.170.
Escape character is '^]'.
Connection closed by foreign host.

This is correct behavior I guess?

dehakkelaar@laptop:~$ dig +short @10.0.0.2 chaos txt version.bind
"dnsmasq-pi-hole-2.80"

dehakkelaar@laptop:~$ dig +short +tcp @10.0.0.2 chaos txt version.bind
"dnsmasq-pi-hole-2.80"

dehakkelaar@laptop:~$ dig +short +notcp @10.0.0.2 chaos txt version.bind
"dnsmasq-pi-hole-2.80"

dehakkelaar@laptop:~$ nc -zvw3 10.0.0.2 53
Connection to 10.0.0.2 53 port [tcp/domain] succeeded!

dehakkelaar@laptop:~$ telnet 10.0.0.2 53
Trying 10.0.0.2...
Connected to 10.0.0.2.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Check if interface configured for Pi-hole is the same as the one holding IP 192.168.0.170:

grep PIHOLE_INTERFACE /etc/pihole/setupVars.conf

ip a

Could be rebind protection:

If you suspect rebind protection and can't find any related settings in the router, you could connect a PC/laptop configured with a static IP directly to the Pi-hole box (no router/switch in between) to see if it replies to dig/nslookup/host etc.

dig +short +tcp @192.168.0.170 chaos txt version.bind "dnsmasq-pi-hole-2.80"

;; communications error to 192.168.0.170#53: end of file
;; communications error to 192.168.0.170#53: end of file
;; communications error to 192.168.0.170#53: end of file
;; communications error to 192.168.0.170#53: end of file

grep PIHOLE_INTERFACE /etc/pihole/setupVars.conf

PIHOLE_INTERFACE=tun0

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b9:23:ec:de:c3:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.170/24 brd 192.168.0.255 scope global dynamic eth0
valid_lft 2142sec preferred_lft 2142sec
inet 192.168.0.171/24 brd 192.168.0.255 scope global secondary noprefixroute eth0
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether d2:4e:4f:35:8d:e4 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet x.x.x.x/24 brd x.x.x.x scope global noprefixroute tun0
valid_lft forever preferred_lft forever

The x.x.x.x is replacing a real ip.
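As an added example (not code from the thread or the Pi-hole project), a small Python check that automates the diagnosis above: it parses `ip a` output and `setupVars.conf` and flags when `PIHOLE_INTERFACE` is not the interface that actually holds the address clients query. The sample input is constructed from the output posted; the tun0 address `10.8.0.2` is a placeholder for the redacted one, and the check assumes `DNSMASQ_LISTENING=single` means dnsmasq binds only to the configured interface.

```python
import re

# Constructed sample input modelled on the `ip a` output in the thread (the tun0
# address was redacted there, so 10.8.0.2 is a placeholder); indented as `ip a` prints it.
IP_A_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b9:23:ec:de:c3:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.170/24 brd 192.168.0.255 scope global dynamic eth0
    inet 192.168.0.171/24 brd 192.168.0.255 scope global secondary noprefixroute eth0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.2/24 brd 10.8.0.255 scope global noprefixroute tun0
"""
# Constructed setupVars.conf matching the poster's PIHOLE_INTERFACE=tun0 finding.
SETUPVARS = "PIHOLE_INTERFACE=tun0\nDNSMASQ_LISTENING=single\n"


def parse_ip_a(text):
    """Return {interface: [IPv4 addresses]} from `ip a` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)   # "2: eth0: <...>" header line
        if head:
            current = head.group(1)
            ifaces.setdefault(current, [])
            continue
        addr = re.match(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)  # IPv4 only
        if addr and current:
            ifaces[current].append(addr.group(1))
    return ifaces


def parse_setupvars(text):
    """Return KEY=VALUE pairs from a setupVars.conf body, ignoring comments."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def check_listen_interface(ip_a_text, setupvars_text, client_facing_ip):
    """Return (ok, PIHOLE_INTERFACE, interface holding client_facing_ip or None).

    ok is True when dnsmasq listens on all interfaces, or when the configured
    interface is the one that actually carries the address clients send queries to.
    """
    ifaces = parse_ip_a(ip_a_text)
    conf = parse_setupvars(setupvars_text)
    configured = conf.get("PIHOLE_INTERFACE")
    holder = next((n for n, a in ifaces.items() if client_facing_ip in a), None)
    if conf.get("DNSMASQ_LISTENING", "single") == "all":
        return True, configured, holder
    return configured is not None and configured == holder, configured, holder
```

With the posted configuration the check returns `(False, 'tun0', 'eth0')`: the listener is bound to the VPN tunnel while clients talk to eth0, which is exactly the timeout seen above.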

Try changing the Pi-hole DNS setting below:

[screenshot: Pi-hole admin DNS settings]


Lol, I only have CLI.

Edit: You mean in the pi hole admin settings.
THANKS. IT WORKS. YOU ARE MY HERO!


You can change with cli ... hold on :wink:


I was too fast. Problem solved!
Thanks again!

How ? For posterity :wink:

Well, in pi hole admin panel:
Settings > DNS
There you see the same as in the screenshot of de Hakkelaar.
Select Listen on all interfaces, permit all origins and click the save button.

I thought you'd done it via shell :smiley:
It's possible but I would have to search and am too lazy atm :wink:

EDIT: Probably below directive:

pi@noads:~ $ grep DNSMASQ_LISTENING /etc/pihole/setupVars.conf
DNSMASQ_LISTENING=all

Would have to run Pi-hole repair afterwards to propagate:

pihole -r

Lol. There are many more settings on the admin panel than I thought. Props to the devs.
