Local Hosts Resolve in some VLANs but not ALL

This may be a mixture of a certain DNS config setting and fw rules I could be misunderstanding fundamentally, but I will include all network details as well in case it is an issue there. In short, I am running one instance of Pihole and I have multiple VLANS configured on my network.

Apologies if this is too much information. I just wanted to get everything laid out for context.

Network Configuration

  • Hardware: Unifi
  • DHCP Server is my router (USG-3P)
  • Networks:
    • Default - VLAN1 (mgmt network for all Unifi equipment)
      • Subnet = 10.19.91.0/24
      • DHCP Mode = DHCP Server
      • mDNS = disabled
        I am wondering if this is my issue and I need to enable this. I originally chose not to enable this to simply reduce unnecessary traffic since this is my mgmt network. I read whenever mDNS is enabled ".local" gets appended to the hostname, correct?
      • DHCP Default GW = Auto
      • DHCP DNS Server = 10.19.91.3 (Pihole host)
      • Domain Name = localdomain (default)
        does this matter? Should it be listed?
    • Main - VLAN2 (network for my secure computers, tablets, phones)
      • Subnet = 10.19.92.0/24
      • DHCP Mode = DHCP Server
      • mDNS = enabled
      • DHCP Default GW = Auto
      • DHCP DNS Server = 10.19.91.3 (Pihole host)
      • Domain Name = none
    • IOT - VLAN3 (all my IOT devices including ATVs)
      • Subnet = 10.19.93.0/24
      • DHCP Mode = DHCP Server
      • mDNS = enabled
      • DHCP Default GW = Auto
      • DHCP DNS Server = 10.19.91.3 (Pihole host)
      • Domain Name = none
    • Guest - VLAN4 (devices for guests)
      • Subnet = 10.19.94.0/24
      • DHCP Mode = DHCP Server
      • mDNS = enabled
      • DHCP Default GW = Auto
      • DHCP DNS Server = Auto
        I want guests not to complain about blocked ads, so I avoid Pihole here
      • Domain Name = none
    • Security Cameras - VLAN5 (Unifi Protect cameras)
      • Subnet = 10.19.95.0/24
      • DHCP Mode = DHCP Server
      • mDNS = disabled
      • DHCP Default GW = Auto
      • DHCP DNS Server = 10.19.91.3 (Pihole host)
      • Domain Name = none
    • Lab Environment - VLAN9 (additional network equipment not related to my home network)
      • Subnet = 10.19.99.0/24
      • DHCP Mode = DHCP Server
      • mDNS = disabled
      • DHCP Default GW = Auto
      • DHCP DNS Server = Auto
        Another router may be connected here. I want this environment to use its default DNS
      • Domain Name = none
  • My UniFi Network and Protect applications run on a CKG2+
    • Unifi Console OS Settings:
      • IP Config = Static
      • GW = 10.19.91.1
      • IP Address = 10.19.91.2
      • Primary DNS = 10.19.91.1
        I wasn't sure what was the best approach here. I ran into a chicken/egg scenario before when I forgot I had Pihole set as the DNS, and I changed my Pihole's host IP address AND my network subnets.
      • Secondary DNS = 1.1.1.1
        Again, not sure what the best approach here is.

PiHole Configuration

  • Hardware: RPi4 8GB
  • Installation: Docker Container
  • hostname: mgmt-pi
  • Pihole host is NOT hosting Unbound for DNS upstream requests.

Host Config:

  • less /etc/dhcpcd.conf:
      interface eth0
      static ip_address=10.19.91.3/24
      static routers=10.19.91.1
      static domain_name_servers=127.0.0.1
  • less resolv.conf shows
      # Generated by resolvconf
      nameserver 127.0.0.1

Pihole GUI Config:

  • DNS:
    • Upstream DNS = [Cloudflare (DNSSEC), OpenDNS (DNSSEC)]
    • Never forward non-FQDN A and AAAA queries = disabled
    • Never forward reverse lookups for private IP ranges = disabled
    • Use DNSSEC = enabled
    • Use Conditional Forwarding = enabled
      I read this is relevant if you want to see host names on the dashboard when your router is your DHCP Server
      • local network CIDR = 10.0.0.0/8
      • IP Address of your DHCP Server = 10.19.91.1
      • local domain = none
        Does ".local" get utilized if this is left blank? What about my mgmt VLAN with the default ".localdomain" configured? Should something be changed?
    • Interface Settings = Permit all origins
      This setting seems vague to me. I originally had "Respond only on interface eth0" and I think I was getting the same results. I figured with multiple VLANs configured this was the best option?

Firewall Config (that is relevant)

Profiles configured:

  1. DNS
    Port Group:
    • 53
  2. Pihole Servers
    IPV4 Addr:
    • 10.19.91.3
  3. Pihole Networks
    IPV4 Addr:
    • 10.19.91.0/24
    • 10.19.92.0/24
    • 10.19.93.0/24
    • 10.19.95.0/24
  4. RFC1918
    IPV4 Addr:
    • 192.168.0.0/16
    • 172.16.0.0/12
    • 10.0.0.08
  5. Raspberry Pies
    IPV4 Addr:
    • 10.19.91.3
    • 10.19.93.3

Rules

  1. Established/Related States
    LAN IN, ACCEPT, ALL
    SOURCE:ANY/ANY
    DEST:ANY/ANY
    Match State Established = enabled, Match State Related = enabled
  2. Invalid State
    LAN IN, DROP, ALL
    SOURCE:ANY/ANY
    DEST:ANY/ANY
    Match State Invalid = enabled
  3. Default Network to ALL VLANs
    LAN IN, ACCEPT, ALL
    SOURCE:Network=Default
    DEST:IPV4 Group=RFC1918
  4. Request DNS to Pihole
    LAN IN, ACCEPT, TCP/UDP
    SOURCE:IPV4 Group=RFC1918
    DEST:IPV4 Group=Pihole DNS Servers, Port Group=DNS
  5. Pihole Resolve DNS
    LAN IN, ACCEPT, TCP/UDP
    SOURCE:IPV4 Group=Pihole DNS Servers
    DEST:Port Group=DNS
  6. Alternate DNS Request
    LAN IN, DROP, TCP/UDP
    SOURCE:IPV4 Group=Pihole Networks
    DEST:Port Group=DNS
  7. Main Network to Raspberry Pies
    LAN IN, ACCEPT, ALL
    SOURCE:Network=Main
    DEST:IPV4 Group=Raspberry Pies
  8. Inter-VLAN Routing
    LAN IN, DROP, ALL
    SOURCE:IPV4 Group=RFC1918
    DEST:IPV4 Group=RFC1918

Expected Behaviour:

If I am on my Mac, in VLAN2, I should be able to ping or SSH to...

  • mgmt-pi.local, in VLAN1
  • iot-pi.local, in VLAN3
  • Another computer hostname, in VLAN2

Actual Behaviour:

If I am on my Mac, in VLAN2, and I want to...

  • ping mgmt-pi, in VLAN1, I get "Cannot resolve: Unknown host"
  • ping mgmt-pi.local, in VLAN1, I get "Cannot resolve: Unknown host"
  • ping mgmt-pi.localdomain, in VLAN1, I get "Cannot resolve: Unknown host"
  • ping iot-pi, in VLAN3, I get "Request timeout"
  • ping iot-pi.local, in VLAN3, I get a successful response
  • ping iot-pi.localdomain, in VLAN3, I get "Cannot resolve: Unknown host"
  • ping Sarah-MBP, in VLAN2, I get a successful response
  • ping Sarah-MBP.local, in VLAN2, I get "Cannot resolve: Unknown host"
  • ping Sarah-MBP.localdomain, in VLAN2, I get "Cannot resolve: Unknown host"

Debug Token:

https://tricorder.pi-hole.net/JeybcaQs/

Additional Help

  • I have an additional RPi, iot-pi, that I would like to utilize as a secondary Pihole instance, but it has to live in my IOT network to manage IOT services (i.e. Homebridge, ZWave, etc.) - Is this still possible with using gravity across VLANs or does it need to be in the same Layer 2? This would also be a Docker installation.
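The LAN IN rule set and address groups from this post, replayed by a small first-match evaluator so the verdict for each flow in the Expected/Actual Behaviour lists can be read off directly. This is an added example written for this thread, not the poster's controller export or anything from UniFi: it assumes the "Pihole Servers" profile is the "Pihole DNS Servers" group the rules refer to, reads the RFC1918 entry "10.0.0.08" as 10.0.0.0/8, treats "Network=Default"/"Network=Main" as those VLANs' subnets, takes an implicit accept when no rule matches, and uses constructed client addresses (10.19.92.10 for the Mac, 10.19.95.20 for a camera).

```python
import ipaddress

# Address groups from the post. "Default" and "Main" stand in for the rules'
# "Network=Default" / "Network=Main" selectors (their subnets). "ANY" is a
# wildcard used where a rule gives no address group. The RFC1918 entry
# "10.0.0.08" from the post is read here as 10.0.0.0/8 (assumption).
GROUPS = {
    "Default": ["10.19.91.0/24"],
    "Main": ["10.19.92.0/24"],
    "RFC1918": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
    "Pihole DNS Servers": ["10.19.91.3/32"],
    "Pihole Networks": ["10.19.91.0/24", "10.19.92.0/24", "10.19.93.0/24", "10.19.95.0/24"],
    "Raspberry Pies": ["10.19.91.3/32", "10.19.93.3/32"],
    "ANY": ["0.0.0.0/0"],
}
DNS = {53}  # port group "DNS"

# LAN IN rules 3..8 in the post's order. Rules 1 and 2 only match packets that
# belong to an existing flow, so they never decide the first packet of a new
# connection and are left out of this first-packet evaluation.
# Fields: name, action, protocols ("all" = any), source group, destination group, destination ports
RULES = [
    ("Default Network to ALL VLANs",   "ACCEPT", "all",          "Default",            "RFC1918",            None),
    ("Request DNS to Pihole",          "ACCEPT", {"tcp", "udp"}, "RFC1918",            "Pihole DNS Servers", DNS),
    ("Pihole Resolve DNS",             "ACCEPT", {"tcp", "udp"}, "Pihole DNS Servers", "ANY",                DNS),
    ("Alternate DNS Request",          "DROP",   {"tcp", "udp"}, "Pihole Networks",    "ANY",                DNS),
    ("Main Network to Raspberry Pies", "ACCEPT", "all",          "Main",               "Raspberry Pies",     None),
    ("Inter-VLAN Routing",             "DROP",   "all",          "RFC1918",            "RFC1918",            None),
]


def in_group(ip, group):
    """True if IP falls inside any prefix of the named address group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in GROUPS[group])


def evaluate(src, dst, proto, dport=None):
    """First-match evaluation of a NEW flow's first packet; returns (action, rule name)."""
    for name, action, protos, sgrp, dgrp, ports in RULES:
        if protos != "all" and proto not in protos:
            continue
        if not in_group(src, sgrp) or not in_group(dst, dgrp):
            continue
        if ports is not None and dport not in ports:
            continue
        return action, name
    # Assumption: nothing matched -> the controller's implicit LAN IN default, taken here as accept.
    return "ACCEPT", "implicit default (assumption)"


if __name__ == "__main__":
    MAC = "10.19.92.10"  # constructed address for the Mac in VLAN2
    flows = [
        (MAC, "10.19.91.3", "udp", 53),              # Mac asks Pi-hole for DNS
        (MAC, "10.19.91.3", "icmp", None),           # Mac pings mgmt-pi
        (MAC, "10.19.93.3", "icmp", None),           # Mac pings iot-pi
        (MAC, "10.19.95.20", "icmp", None),          # Mac pings a camera (constructed address)
        (MAC, "1.1.1.1", "udp", 53),                 # Mac tries a resolver other than Pi-hole
        ("10.19.91.3", "1.1.1.1", "udp", 53),        # Pi-hole talks to its upstream
        ("10.19.91.3", "10.19.91.1", "udp", 53),     # Pi-hole conditional forwarding to the USG
        ("10.19.93.3", "10.19.91.3", "icmp", None),  # iot-pi pings mgmt-pi
    ]
    for src, dst, proto, port in flows:
        action, rule = evaluate(src, dst, proto, port)
        target = f"{dst}:{port}" if port else dst
        print(f"{src} -> {target} {proto:4}  {action:6}  via '{rule}'")
```

Run as-is it prints one verdict per flow. Two things stand out when reading the output against the post: DNS from VLAN2 to the Pi-hole host and ICMP from VLAN2 to both Pis are accepted by rules 4 and 7, so a "Request timeout" from the Mac to iot-pi is not explained by these rules, while the reverse direction (iot-pi originating a flow to mgmt-pi) falls through to rule 8 and is dropped.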

In all likelihood, Pi-hole is not involved in this.

VLANs are controlled by specialised network equipment like a VLAN capable router, so you should consider consulting your specific VLAN equipment's documentation and support channels for assistance.

In general, for your Pi-hole host to be able to communicate with hosts from different VLANs, that machine would either need to have a separate network interface connected to each of your VLANs, or your equipment needs to allow inter-VLAN communication for traffic destined to Pi-hole's IP address.

Also note that ping is inadequate to analyse DNS issues, as it uses additional means of resolving hostnames, not just plain DNS.

One of those means would be mDNS, which makes use of the reserved .local TLD showing up in your ping trials.

You should use ping with IP addresses to test for connectivity, and use nslookup or dig to test DNS operation (avoiding .local TLD names altogether).
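To make the distinction in the reply above concrete, here is an added example (my own code, not part of the reply or of Pi-hole) that separates the two resolution paths ping mixes together and shows what a plain DNS answer looks like on the wire. It assumes the Pi-hole address from the post (10.19.91.3) and the .local-to-mDNS behaviour of RFC 6762; the replies it parses are constructed in `make_response` so the whole thing runs offline, and `live_query` is the dig/nslookup equivalent for when a real network is available.

```python
import socket
import struct

MDNS_GROUP = ("224.0.0.251", 5353)  # RFC 6762 link-local multicast group for .local names
PIHOLE = ("10.19.91.3", 53)         # unicast resolver handed out by DHCP in the post


def resolver_path(name):
    """Which mechanism a host's stub resolver uses for NAME.
    Names under the reserved .local TLD are sent to mDNS on the local link and
    never reach the configured DNS server; everything else goes to that server."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-1] == "local":
        return "mdns", MDNS_GROUP
    return "dns", PIHOLE


def build_query(name, txid=0x1234):
    """Encode a standard A query: RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += n + 1


def parse_response(pkt):
    """Classify a raw DNS reply: ('nxdomain', []), ('noanswer', []) or ('answer', [ips])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0xF == 3:  # RCODE 3 = NXDOMAIN
        return "nxdomain", []
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ("answer", ips) if ips else ("noanswer", [])


def make_response(query, rcode=0, ips=()):
    """CONSTRUCTED reply standing in for the resolver, so the parser can be exercised offline."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR=1 RD=1 RA=1
    body = query[12:]  # echo the question section
    for ip in ips:  # name pointer to offset 12, type A, class IN, TTL 300, 4-byte address
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


def live_query(name, server=PIHOLE, timeout=2.0):
    """The dig/nslookup equivalent: one UDP query straight to the resolver (needs the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), server)
        return parse_response(s.recv(512))


def explain(name, result):
    """Map a DNS outcome onto what ping would print for it."""
    kind, ips = result
    if kind != "answer":
        return f"{name}: {kind} -> ping would report 'Unknown host' (a DNS problem)"
    return f"{name}: resolved to {ips} -> a ping timeout now means routing/firewall, not DNS"


if __name__ == "__main__":
    for name in ("iot-pi.local", "iot-pi", "mgmt-pi.localdomain"):
        print(name, "is resolved via", resolver_path(name))
    q = build_query("mgmt-pi.localdomain")
    print(explain("mgmt-pi.localdomain", parse_response(make_response(q, rcode=3))))
    print(explain("iot-pi", parse_response(make_response(q, ips=["10.19.93.3"]))))
```

The point of the split is that a successful `ping iot-pi.local` says nothing about Pi-hole, because that name never went to 10.19.91.3 at all, while `ping iot-pi` timing out after resolving means DNS did its job and the problem has moved to routing or the firewall. Querying the resolver directly, as `live_query` or `dig @10.19.91.3 iot-pi` does, removes the mDNS fallback from the picture.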

Yes, I do allow traffic to connect to my Pihole on all networks.
