Local DNS getting external IP - only machines with ip6 - pihole 6.0.4

Expected Behaviour:

I am using caddy reverse proxy so there is a DNS record on the internet for portainer.mydomain.com. I try to visit portainer.mydomain.com on a variety of machines (windows 11, raspbian, debian, android). I expect to get 192.168.1.15 when at home and 89.89.89.89 when not at home.

Actual Behaviour:

On many machines I get the expected result. On others, the ones with ip6 enabled, the dns comes back with the remote address and the connection fails.

Solutions that are not ideal

  • disable ip6 on each device
  • manually set the ip6 address of the pihole on each machine as the ip6 DNS server (not sure if this is a goer because I don't think the pihole has a fixed ip6 address and it is on docker anyway, which I don't think supports ip6?)

I looked at the pihole.toml and could only find these settings, which made no difference:

    # Should FTL try to resolve IPv6 addresses to hostnames?
    resolveIPv6 = false ### CHANGED, default = true

    # Should Pi-hole make an attempt to also satisfy IPv6 address requests (be aware that
    # IPv6 works a whole lot different than IPv4)
    ipv6 = false

nslookup with ip6 enabled gives me:

Server: UnKnown
Address: an IPv6 address

Non-authoritative answer:
Name: portainer.mydomain.com
Address: 89.89.89.89

with ip6 disabled on the device I immediately get the expected result:

Server: pihole.mydomain.com
Address: 192.168.1.2

Name: portainer.mydomain.com
Address: 192.168.1.15

I imagine that this is something easy and I am just not finding the setting. It worked perfectly with my v5 for a long time.

Cheers for any help.

Debug Token:

https://tricorder.pi-hole.net/dSdzsnMD/
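The two nslookup outputs above are the quickest way to tell whether a device is still talking to Pi-hole: the "Server:"/"Address:" header names the resolver that answered, and the answer address shows whether the local record or the public A record came back. The following parser is an added example, not part of the original post or of Pi-hole; it turns nslookup output (the Windows layout with "Addresses:" continuation lines and the Linux "ip#53" form) into a verdict. The Pi-hole address 192.168.1.2, the LAN answer 192.168.1.15 and the link-local address fe80::1 used in the samples are taken from or constructed to match this thread.

```python
"""Classify nslookup output: did the client use Pi-hole and get the LAN answer?

Added example for this thread; the sample outputs are constructed to match
the ones the poster showed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Lookup:
    server: str | None      # resolver that answered (header "Server:" + "Address:")
    answers: list[str]      # addresses returned for the queried name


_ADDR = re.compile(r"^\s*Address(?:es)?:\s*(.*)$")
_NAME = re.compile(r"^\s*Name:\s*(\S+)")


def _clean(value: str) -> str:
    # Linux nslookup prints the server as "192.168.1.2#53"; drop the port.
    return value.split("#")[0]


def parse_nslookup(output: str) -> Lookup:
    """Split nslookup output into the answering server and the answer addresses."""
    server = None
    answers: list[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.strip().startswith("Server:"):
            in_answer = False          # header block: next Address: is the resolver
            continue
        if _NAME.match(line):
            in_answer = True           # answer block: following addresses are answers
            continue
        m = _ADDR.match(line)
        if m:
            values = [_clean(v) for v in m.group(1).split()]
            if in_answer:
                answers.extend(values)
            elif server is None and values:
                server = values[0]
            continue
        # Windows prints extra answers on indented continuation lines after "Addresses:".
        if in_answer and line.startswith(" ") and line.strip():
            answers.append(_clean(line.strip()))
    return Lookup(server, answers)


def classify(lookup: Lookup, pihole: set[str], lan_answer: str) -> str:
    """'ok' when Pi-hole answered with the LAN record; otherwise name the failure."""
    if lookup.server not in pihole:
        return "resolver-bypassed"     # something other than Pi-hole answered
    if lan_answer not in lookup.answers:
        return "public-answer"         # Pi-hole answered, but not with the local record
    return "ok"


# Constructed samples in the shape of the outputs shown in the thread.
AT_HOME = (
    "Server: pihole.mydomain.com\nAddress: 192.168.1.2\n\n"
    "Name: portainer.mydomain.com\nAddress: 192.168.1.15\n"
)
BYPASSED = (
    "Server: UnKnown\nAddress: fe80::1\n\n"
    "Non-authoritative answer:\nName: portainer.mydomain.com\nAddress: 89.89.89.89\n"
)
WINDOWS_OK = (
    "Server:  pihole\nAddress:  192.168.1.2\n\n"
    "Non-authoritative answer:\nName:    portainer.mydomain.com\n"
    "Addresses:  2001:db8::15\n          192.168.1.15\n"
)

PIHOLE = {"192.168.1.2"}
LAN = "192.168.1.15"

if __name__ == "__main__":
    for label, text in (("home", AT_HOME), ("ipv6 device", BYPASSED), ("windows", WINDOWS_OK)):
        print(label, "->", classify(parse_nslookup(text), PIHOLE, LAN))
```

Run it against the raw output of `nslookup portainer.mydomain.com` from each device; a "resolver-bypassed" verdict means the fix belongs on the client or the DHCP side, not in Pi-hole's local DNS records.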

As usual typing these things gives clarity and I realised I can disable IPv6 on my WiFi router - this immediately fixed things of course.

Sadly my android phone will create an IPv6 address whether the network is IPv6 or not, it appears, and this still causes it to swerve the DNS. :confused: So the above is a partial solution only.

This was not a problem in v5 so I imagine I just need to find the magic setting.

And THAT my friends was android being weird. Although I am on DHCP and OpenDNS servers in pihole, when I first connect to the DHCP I get my pihole address but android quietly slips in 8.8.8.8 later!!!!!!!!

https://www.reddit.com/r/pihole/comments/m8h2ad/android_defaults_to_8888_as_secondary_dns_with/

and

So in my docker compose I added

    volumes:
      - './etc-dnsmasq.d:/etc/dnsmasq.d'

And made a file local.conf with this one line

    dhcp-option=6,192.168.1.2,192.168.1.3

This is the real solution. I wonder how this can be done in the .toml file?

Sadly this appears not to work. I am still getting only one DNS from the DHCP on my pihole.

The only way I could fix this was to install pihole "bare metal" (into a proxmox lxc) and disable ip6 altogether.

I tried another DHCP server that pushed out two DNS servers but my phone added a 3rd IPv6 one(!) and it still bypassed local addresses for addresses that existed with dns.

This is dhcp.multiDNS, which is also exposed via Pi-hole's UI:
Under Settings | DHCP » Advanced DHCP Settings, you can tick Advertise DNS server multiple times:

Advertise DNS server multiple times to clients. Some devices will add their own proprietary DNS servers to the list of DNS servers, which can cause issues with Pi-hole. This option will advertise the Pi-hole DNS server multiple times to clients, which should prevent this from happening.

Note that for this to work, DHCP clients must acquire their DHCP lease through Pi-hole's DHCP server, which has to be both enabled as well as accessible for broadcasts.
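The dhcp-option=6 line earlier in the thread and the dhcp.multiDNS behaviour described above both come down to what DHCP option 6 (dns-server) actually carries in the DHCPOFFER. The checker below is an added example (not Pi-hole's or dnsmasq's code): it reads the advertised DNS servers from dnsmasq `dhcp-option` lines, applying dnsmasq's rule that 0.0.0.0 in a dhcp-option stands for the address of the machine running dnsmasq, and from the "DHCP options:" section of a `pihole -d` debug log, then reports whether anything other than the expected resolver is advertised and whether the resolver is repeated. The addresses 10.27.3.23, 192.168.1.2 and 192.168.1.3 in the samples are the ones in this thread; the tag:lan line is constructed to show tagged options being handled.

```python
"""Check which DNS servers a dnsmasq/Pi-hole DHCP setup advertises.

Added example for this thread. Sources handled:
  - dnsmasq config lines: dhcp-option=6,... or dhcp-option=option:dns-server,...
  - the "dns-server:" lines in the DHCPOFFER section of a pihole -d debug log
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# dnsmasq accepts the numeric option code or the symbolic name.
DNS_OPTION_CODES = {"6", "option:dns-server"}


def dns_servers_from_dnsmasq(conf: str, self_addr: str) -> list[str]:
    """Return the DNS servers advertised by dhcp-option lines in ``conf``.

    dnsmasq substitutes its own address for 0.0.0.0 inside a dhcp-option,
    so 0.0.0.0 is replaced with ``self_addr`` here to show what clients see.
    """
    servers: list[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("dhcp-option="):
            continue
        fields = [f.strip() for f in line[len("dhcp-option="):].split(",")]
        fields = [f for f in fields if not f.startswith("tag:")]   # drop tag:xxx selectors
        if not fields or fields[0] not in DNS_OPTION_CODES:
            continue                                                # router, ntp, ...
        for addr in fields[1:]:
            servers.append(self_addr if addr == "0.0.0.0" else addr)
    return servers


_OFFER_DNS = re.compile(r"^\s*dns-server:\s*(\S+)\s*$", re.MULTILINE)


def dns_servers_from_debug_log(log: str) -> list[str]:
    """Return every dns-server value printed in a DHCPOFFER options dump."""
    return _OFFER_DNS.findall(log)


@dataclass
class Verdict:
    servers: list[str]
    foreign: list[str]   # advertised servers that are not the expected resolver
    repeats: int         # how many times the expected resolver is listed


def check_advertised_dns(servers: list[str], expected: str) -> Verdict:
    return Verdict(servers, [s for s in servers if s != expected], servers.count(expected))


def is_hardened(verdict: Verdict) -> bool:
    """True when only the expected resolver is advertised, and at least twice."""
    return not verdict.foreign and verdict.repeats >= 2


# Sample inputs: the dnsmasq.conf lines from the thread plus a constructed tagged line.
DNSMASQ_CONF = """\
dhcp-option=option:router,10.27.3.1
dhcp-option=option:dns-server,0.0.0.0,0.0.0.0,0.0.0.0
dhcp-option=tag:lan,6,10.27.3.23
"""
LOCAL_CONF = "dhcp-option=6,192.168.1.2,192.168.1.3\n"
DEBUG_LOG = """\
      domain-name: "theoldmanse.net"
      dns-server: 10.27.3.23
      dns-server: 10.27.3.23
      dns-server: 10.27.3.23
      router: 10.27.3.1
"""

if __name__ == "__main__":
    v = check_advertised_dns(dns_servers_from_dnsmasq(DNSMASQ_CONF, "10.27.3.23"), "10.27.3.23")
    print("dnsmasq.conf:", v, "hardened:", is_hardened(v))
    v = check_advertised_dns(dns_servers_from_dnsmasq(LOCAL_CONF, "192.168.1.2"), "192.168.1.2")
    print("local.conf:", v, "hardened:", is_hardened(v))
    v = check_advertised_dns(dns_servers_from_debug_log(DEBUG_LOG), "10.27.3.23")
    print("debug log:", v, "hardened:", is_hardened(v))
```

The debug log in this thread is the hardened case (10.27.3.23 three times, nothing else); the local.conf line advertises a second address that is not Pi-hole, which the check flags. Note that this only tells you what the DHCP server offers; a client that appends its own resolver after the lease, as the phone here does, is invisible to the server side and shows up only in what the device actually queries.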

Sadly, I have that ticked, AND no ip6 but my phone has just stuffed in 8.8.8.8 once more. It also does it for my wife's phone. :frowning:

Do your clients have an active DHCP lease with Pi-hole's DHCP server?

What's your Pi-hole container's network mode?

I am now running the pihole on an unprivileged proxmox lxc with IPv6 switched off - but that was not the issue because the bypassing DNS appears in IPv4 as 8.8.8.8 or 8.8.4.4. Currently trying the dhcp-option=6,10.2.3.23,10.2.3.2 with a cloned lxc on the second address (with its DHCP switched off) and restart but I only see one DNS at the moment. The second address is there on my phone but greyed out as 8.8.4.4 and pingtools says DNS2 not provided. I think it takes a while for the 8.8.4.4 to appear.

I am trying to upload the log of that machine to you but getting

[?] Would you like to upload the log? [y/N] y
    * Using curl for transmission.
    * curl failed, contact Pi-hole support for assistance.
    * Error message: curl: (22) The requested URL returned error: 400

Yes, internet is working fine and blocking is working most of the time - BUT it fails eventually and I can't see my externally available (public DNS enabled - Caddy reverse proxied) machines when the 8.8.8.8 takes over.

That doesn't answer my questions?

Please share a screenshot showing active leases from Settings | DHCP.

Your debug log was created by a Pi-hole Docker container?
Please share its docker compose or docker run script.

Clients have an active lease. It is currently set to 1h and I have forgotten it on the phone and reconnected with no problem.

It is no longer a docker container. It is a debian 12 lxc with pihole installed "bare metal" according to curl -sSL https://install.pi-hole.net | bash in the documentation.

As I say "bare metal" in a lxc on proxmox. Though I am currently building a pi3 up to try to see if proxmox is the problem.

I have tried to upload the script but no joy once more. Here is the top part until it gets to the personal stuff.

[i] 2025-02-27:14:19:33 debug log has been initialized.
[i] System has been running for 0 days, 0 hours, 24 minutes

*** [ DIAGNOSING ]: Core version
[✓] Version: v6.0.4
[i] Remotes: origin     https://github.com/pi-hole/pi-hole.git (fetch)
             origin     https://github.com/pi-hole/pi-hole.git (push)
[i] Branch: master
[i] Commit: v6.0.4-0-g567bb72

*** [ DIAGNOSING ]: Web version
[✓] Version: v6.0.1
[i] Remotes: origin     https://github.com/pi-hole/web.git (fetch)
             origin     https://github.com/pi-hole/web.git (push)
[i] Branch: master
[i] Commit: v6.0.1-0-g42e7279

*** [ DIAGNOSING ]: FTL version
[✓] Version: v6.0.2
[i] Branch: master
[i] Commit: ac500d5f

*** [ DIAGNOSING ]: Operating system
[✓] Distro:  Debian
[✓] Version: 12
[✓] dig return code: 0
[i] dig response: "Raspbian=11,12 Ubuntu=20,22,23,24 Debian=11,12 Fedora=40,41 CentOS=9"
[✓] Distro and version supported

*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected

*** [ DIAGNOSING ]: FirewallD
[i] Firewalld service inactive

*** [ DIAGNOSING ]: System hardware configuration
[i] lshw -short
H/W path       Device   Class          Description
==================================================
                        system         Computer
/0                      bus            Motherboard
/0/0                    memory         31GiB System memory
/0/1                    processor      Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz
/0/100                  bridge
/0/100/1                bridge
/0/100/1/0     nvme0    storage        KINGSTON SNV2S500G
/0/100/1/0/0   hwmon0   disk           NVMe disk
/0/100/1/0/2   ng0n1    disk           NVMe disk
/0/100/1/0/1   nvme0n1  disk           NVMe disk
/0/100/2                display
/0/100/12               generic
/0/100/14               bus
/0/100/14.2             memory
/0/100/14.5    mmc0     bus            MMC Host
/0/100/16               communication
/0/100/17               storage
/0/100/1f               bridge
/0/100/1f/0             system         PnP device PNP0c02
/0/100/1f/1             system         PnP device PNP0c02
/0/100/1f/2             generic        PnP device INT3f0d
/0/100/1f/3             system         PnP device PNP0c02
/0/100/1f/4             system         PnP device PNP0c02
/0/100/1f/5             system         PnP device PNP0c02
/0/100/1f/6             system         PnP device PNP0c02
/0/100/1f.3    card0    multimedia     PCH
/0/100/1f.3/0  input10  input          HDA Intel PCH HDMI/DP,pcm=7
/0/100/1f.3/1  input11  input          HDA Intel PCH HDMI/DP,pcm=8
/0/100/1f.3/2  input5   input          HDA Intel PCH Mic
/0/100/1f.3/3  input6   input          HDA Intel PCH Mic
/0/100/1f.3/4  input7   input          HDA Intel PCH Line Out
/0/100/1f.3/5  input8   input          HDA Intel PCH Front Headphone
/0/100/1f.3/6  input9   input          HDA Intel PCH HDMI/DP,pcm=3
/0/100/1f.4             bus
/0/100/1f.5             bus
/0/100/1f.6             network
/1             input0   input          Sleep Button
/2             input1   input          Power Button
/3             input2   input          Power Button
/4             input3   input          PC Speaker
/5             input4   input          Video Bus

*** [ DIAGNOSING ]: Processor details
[i] lscpu
Architecture:                         x86_64
CPU op-mode(s):                       32-bit, 64-bit
Address sizes:                        39 bits physical, 48 bits virtual
Byte Order:                           Little Endian
CPU(s):                               6
On-line CPU(s) list:                  0
Off-line CPU(s) list:                 1-5
Vendor ID:                            GenuineIntel
Model name:                           Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz
CPU family:                           6
Model:                                158
Thread(s) per core:                   1
Core(s) per socket:                   6
Socket(s):                            1
Stepping:                             13
CPU(s) scaling MHz:                   95%
CPU max MHz:                          4100.0000
CPU min MHz:                          800.0000
BogoMIPS:                             5799.77
Flags:                                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp vnmi md_clear flush_l1d arch_capabilities
Virtualization:                       VT-x
L1d cache:                            192 KiB (6 instances)
L1i cache:                            192 KiB (6 instances)
L2 cache:                             1.5 MiB (6 instances)
L3 cache:                             9 MiB (1 instance)
NUMA node(s):                         1
NUMA node0 CPU(s):                    0-5
Vulnerability Gather data sampling:   Mitigation; Microcode
Vulnerability Itlb multihit:          KVM: Mitigation: Split huge pages
Vulnerability L1tf:                   Not affected
Vulnerability Mds:                    Not affected
Vulnerability Meltdown:               Not affected
Vulnerability Mmio stale data:        Mitigation; Clear CPU buffers; SMT disabled
Vulnerability Reg file data sampling: Not affected
Vulnerability Retbleed:               Mitigation; Enhanced IBRS
Vulnerability Spec rstack overflow:   Not affected
Vulnerability Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:             Mitigation; Enhanced / Automatic IBRS; IBPB conditional; RSB filling; PBRSB-eIBRS SW sequence; BHI SW loop, KVM SW loop
Vulnerability Srbds:                  Mitigation; Microcode
Vulnerability Tsx async abort:        Not affected

*** [ DIAGNOSING ]: Disk usage
   Filesystem                           Size  Used Avail Use% Mounted on
   /dev/mapper/vmdata-vm--103--disk--1  7.8G  1.6G  5.9G  21% /
   none                                 492K  4.0K  488K   1% /dev
   udev                                  16G     0   16G   0% /dev/tty
   tmpfs                                 16G   14M   16G   1% /dev/shm
   tmpfs                                6.3G   96K  6.3G   1% /run
   tmpfs                                5.0M     0  5.0M   0% /run/lock
   tmpfs                                3.2G     0  3.2G   0% /run/user/1000

*** [ DIAGNOSING ]: Network interfaces and addresses
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
   2: eth0@if28: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
       link/ether bc:24:11:f7:51:f6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
       inet 10.27.3.23/24 brd 10.27.3.255 scope global eth0
          valid_lft forever preferred_lft forever

*** [ DIAGNOSING ]: Network routing table
   default via 10.27.3.1 dev eth0 onlink
   10.27.3.0/24 dev eth0 proto kernel scope link src 10.27.3.23

*** [ DIAGNOSING ]: Networking
[i] Default IPv4 gateway(s):
     10.27.3.1%eth0
   * Pinging first gateway 10.27.3.1...
[✓] Gateway responded.
[i] Default IPv6 gateway(s):

*** [ DIAGNOSING ]: Ports in use
[✓] udp:0.0.0.0:53 is in use by pihole-FTL
    udp:0.0.0.0:67 is in use by pihole-FTL
[✓] udp:[::]:53 is in use by pihole-FTL
[✓] tcp:0.0.0.0:443 is in use by pihole-FTL
[✓] tcp:0.0.0.0:53 is in use by pihole-FTL
[✓] tcp:0.0.0.0:80 is in use by pihole-FTL
    tcp:127.0.0.1:25 is in use by master
[✓] tcp:[::]:443 is in use by pihole-FTL
[✓] tcp:[::]:53 is in use by pihole-FTL
    tcp:*:22 is in use by sshd
[✓] tcp:[::]:80 is in use by pihole-FTL

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] live.rezync.com is NOERROR on lo (127.0.0.1)
[✓] live.rezync.com is NOERROR on eth0 (10.27.3.23)
[✓] doubleclick.com is 142.250.200.46 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] No IPv6 address available on lo
[✓] No IPv6 address available on eth0
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 6 seconds)
   Scanning all your interfaces for DHCP servers and IPv6 routers
   Timeout: 6 seconds

   Error while sending Router Solicitation on eth0: Address not available
   * Received 329 bytes from 10.27.3.23 @ eth0
     Offered IP address: 10.27.3.131
     Server IP address: 10.27.3.23
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 10.27.3.23
      lease-time: 3600 ( 1h )
      renewal-time: 1800 ( 30m )
      rebinding-time: 3150 ( 52m 30s )
      netmask: 255.255.255.0
      broadcast: 10.27.3.255
      domain-name: "theoldmanse.net"
      hostname: "pihole-lxc"
      dns-server: 10.27.3.23
      dns-server: 10.27.3.23
      dns-server: 10.27.3.23
      router: 10.27.3.1
      --- end of options ---

   Received 1 DHCP (IPv4) and 0 RA (IPv6) answers on eth0

*** [ DIAGNOSING ]: Pi-hole processes
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Pi-hole-FTL full status
   * pihole-FTL.service - Pi-hole FTL
     Loaded: loaded (/etc/systemd/system/pihole-FTL.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-02-27 13:54:44 UTC; 24min ago
    Process: 151 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh (code=exited, status=0/SUCCESS)
   Main PID: 170 (pihole-FTL)
      Tasks: 8 (limit: 38035)
     Memory: 103.3M
        CPU: 4.875s
     CGroup: /system.slice/pihole-FTL.service
             `-170 /usr/bin/pihole-FTL -f

Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.834 UTC [170M] INFO: FTL user: pihole
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.834 UTC [170M] INFO: Compiled for linux/amd64 (compiled on CI) using cc (Alpine 14.2.0) 14.2.0
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.837 UTC [170M] INFO: Wrote config file:
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.837 UTC [170M] INFO:  - 152 total entries
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.837 UTC [170M] INFO:  - 130 entries are default
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.837 UTC [170M] INFO:  - 22 entries are modified
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.837 UTC [170M] INFO:  - 0 entries are forced through environment
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.845 UTC [170M] INFO: Parsed config file /etc/pihole/pihole.toml successfully
Feb 27 13:54:44 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.845 UTC [170M] INFO: PID file does not exist or not readable
Feb 27 13:54:47 pihole-lxc pihole-FTL[170]: 2025-02-27 13:54:44.845 UTC [170M] INFO: No other running FTL process found.

*** [ DIAGNOSING ]: Pi-hole FTL Query Database
-rw-r----- 1 pihole pihole 9.9M Feb 27 13:54 /etc/pihole/pihole-FTL.db

*** [ DIAGNOSING ]: Gravity Database
-rw-rw---- 1 pihole pihole 7.4M Feb 26 22:56 /etc/pihole/gravity.db

*** [ DIAGNOSING ]: Info table
   property              value
   --------------------  ----------------------------------------
   version               19
   gravity_restored      false
   updated               1740610584
   gravity_count         127472
   Last gravity run finished at: Wed Feb 26 22:56:24 UTC 2025

   ----- First 10 Gravity Domains -----
   localhost.localdomain
   0.0.0.0
   ad-assets.futurecdn.net
   ck.getcookiestxt.com
   eu1.clevertap-prod.com
   wizhumpgyros.com
   coccyxwickimp.com
   webmail-who-int.000webhostapp.com
   010sec.com
   01mspmd5yalky8.com


*** [ DIAGNOSING ]: Groups
   id    enabled  name                                                date_added           date_modified        description
   ----  -------  --------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   0           1  Default                                             2025-02-25 19:55:36  2025-02-25 19:55:36  The default group

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)

*** [ DIAGNOSING ]: Clients

*** [ DIAGNOSING ]: Adlists
   id     enabled  group_ids     address                                                                                               date_added           date_modified        comment

   -----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1            1  0             https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts                                      2025-02-25 19:55:36  2025-02-25 19:55:36  Migrated from /etc/pihole/adlists.list

*** [ DIAGNOSING ]: contents of /etc/pihole

-rw-rw---- 1 pihole pihole 8.0K Feb 26 23:25 /etc/pihole/dnsmasq.conf
   hostsdir=/etc/pihole/hosts
   no-resolv
   port=53
   server=208.67.222.222
   server=208.67.220.220
   cache-size=10000
   localise-queries
   log-facility=/var/log/pihole/pihole.log
   expand-hosts
   use-stale-cache=3600
   local-service
   domain=theoldmanse.net
   local=/theoldmanse.net/
   dhcp-authoritative
   dhcp-leasefile=/etc/pihole/dhcp.leases
   dhcp-range=10.27.3.100,10.27.3.199,1h
   dhcp-option=option:router,10.27.3.1
   dhcp-rapid-commit
   dhcp-option=option:dns-server,0.0.0.0,0.0.0.0,0.0.0.0

This works (gives two DNS out) once you have found the pihole.toml setting on line 1040:

  # Should FTL load additional dnsmasq configuration files from /etc/dnsmasq.d/?
  etc_dnsmasq_d = true ### CHANGED, default = false

This blocks the two DNS on my phone and fingers crossed it has not invented a new DNS yet. Time will tell.

No, the phone has already invented a 3rd DNS server and now bypasses pihole for a local IP which is set up as a Local DNS and which is also a different IP on the internet because I reverse proxy.

Maybe I have set it up wrong but it worked flawlessly on v5.

e.g.

myserver - set up in dnsmasq.d/09-mydomain-machines.conf as

    address=/myserver.mydomain.net/10.10.10.15

Where 10.10.10.15 is my Caddy reverse proxy

Then in my domain host the external address of my router is set up as an A record:

myserver.mydomain.com on e.g. 48.111.123.12

myserver.mydomain.com works perfectly on my laptop, but on my phone no joy. I never had this problem with v5 but will be testing that hypothesis soon.

I give up. I have reverted to my pihole5 setup in docker on a pi3B from backup. And the phone keeps doing the same thing. Ad blocking is fine.

Whether I do local DNS in the GUI or through dnsmasq rules, eventually the phone sees the internet IP address. I am guessing this is beyond the bounds of pihole and will keep investigating. If I find a permanent solution I will put it here.
