Loop (?) between Pi-Hole and router

Hi,

I have set up Pi-Hole on a Raspberry Pi inside my private LAN.
I gave it a static IP address (192.168.0.88) outside the router's (192.168.0.1) DHCP range (which goes up to 192.168.0.80).
I put my ISP's DNS server in the Pi-Hole setup.

Pi-Hole is working great if I hardcode 192.168.0.88 as DNS on my machine (tested with a Windows 10 PC and an iPhone/iPad).
Yet I would like all my machines to use Pi-Hole, and to do so I would like the router (Gargoyle, an OpenWRT derivative) to broadcast 192.168.0.88 as DNS.

In my router, I deactivated "rebind protection" to avoid surprises... yet:
Once I put 192.168.0.88 as DNS in my router, the Pi-Hole web interface starts to be very, very slow (overloaded) and the number of DNS requests explodes. On the client side, no more internet access.

Here is an extract of the log on the PiHole:

Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240

Here is an extract of the log on the router side (not at the same time, but in a similar situation):

Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain micro
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain micro
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain micro
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain oss
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain oss
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain oss
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain null
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain null
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain null
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain ing
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain ing
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain ing
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain indy
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain indy
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain indy
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain gopher
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain gopher
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain gopher
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain geek
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain geek
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain geek
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain fur
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain fur
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain fur
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain free
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain free
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain free
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain bbs
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain bbs
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain bbs
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain dyn
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain dyn
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain dyn
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain parody
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain parody
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain parody
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain glue
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain glue
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain glue
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 176.58.118.172#53 for domain bit
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 106.187.47.17#53 for domain bit
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 178.32.31.41#53 for domain bit
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using local addresses only for domain lan
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 192.168.0.88#53
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 192.168.0.88#53

Sun Jan 1 19:14:11 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Jan 1 19:14:17 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Jan 1 19:14:24 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)

So it clearly seems there is a loop somewhere (the number of DNS queries is exploding), but I can't find where or why.

Any hint welcome!

You may also want to ask on a Gargoyle forum since I have no clue why the router floods the DNS server like that. Might be that there is a bug and it also does this with external DNS servers which are more powerful and can handle hundreds of concurrent requests?

Still, an enormous (useless) waste of bandwidth.

I did...but with no clue so far: Gargoyle and Pi-Hole (ad-blocking) - Gargoyle Forum

Maybe your router does something silly like DNS catching (100% hypothetical):

First, with the router set to the ISP DNS and one of your computers set to the Pi-hole DNS:

  1. computer asks Pi-hole for address
  2. Pi-hole asks ISP for address
  3. Router catches/blocks this request and asks the ISP itself
  4. Router gets the answer, redirects it to the Pi-hole, which gives it to your computer
  5. Name resolved

Now with Pi-hole as the DNS server in the router:

  1. computer asks Pi-hole for address (as before)
  2. Pi-hole asks ISP for address (as before)
  3. Router catches/blocks this request and asks the Pi-hole itself
  4. Pi-hole asks ISP for address
  5. Router catches/blocks this request and asks the Pi-hole itself
  6. Pi-hole asks ISP for address
  7. Router catches/blocks this request and asks the Pi-hole itself
  8. the never-ending story

You get my point? Might be a firewall issue on Gargoyle's side. We have many users who successfully use OpenWRT devices without a problem, so an experienced programmer on their side should know about it if they have some special rule like this.
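The two forwarding paths listed above, traced by a small model. This is an added example, not Pi-hole or Gargoyle code. It assumes the router's intercept works as a port-53 capture on queries leaving the LAN (the mechanism later confirmed in this thread); the "exempt" variant, which lets the Pi-hole's own source address through the intercept, is how such rules are commonly written and is an assumption of the model, not something configured in the thread. The client address 192.168.0.10 is taken from a later post; the loop is detected when the same forwarding edge is taken twice.

```python
"""Added example (not Pi-hole or Gargoyle code): model of the DNS forwarding
path described in the reply above, showing why pointing the router at the
Pi-hole turns a port-53 intercept into a loop.

Assumptions: the router option acts as an intercept on queries leaving the
LAN; the per-source exemption is a common way to write such rules but was
not configured in the thread.
"""
from dataclasses import dataclass, field

CLIENT = "192.168.0.10"   # LAN PC (address from a later post in the thread)
PIHOLE = "192.168.0.88"   # from the thread
ROUTER = "192.168.0.1"    # from the thread
ISP = "212.27.40.240"     # ISP resolver seen in the thread's logs
LAN = {CLIENT, PIHOLE, ROUTER}
MAX_HOPS = 150            # dnsmasq's concurrent-query limit from the router log


@dataclass
class Router:
    intercept: bool                           # "Force clients to use router DNS server"
    exempt: set = field(default_factory=set)  # source IPs whose port-53 traffic passes

    def next_hop(self, src, dst):
        """Where a query from src addressed to dst actually arrives."""
        if dst in LAN or src == ROUTER:
            # LAN-to-LAN traffic never crosses the router, and the router's
            # own outbound queries are not subject to its intercept rule.
            return dst
        if self.intercept and src not in self.exempt:
            return ROUTER   # captured and answered by the router's dnsmasq
        return dst


def trace(router, upstream):
    """Follow one query from the client until it reaches the ISP resolver or
    the same forwarding edge is taken twice (a loop). Returns (resolved, path)."""
    src, path, seen = CLIENT, [CLIENT], set()
    while len(path) <= MAX_HOPS:
        hop = router.next_hop(src, upstream[src])
        if (src, hop) in seen:
            return False, path + [hop]
        seen.add((src, hop))
        path.append(hop)
        if hop == ISP:
            return True, path
        src = hop
    return False, path


def scenario(router_dns, intercept, exempt=()):
    """router_dns is the server the router's own dnsmasq forwards to."""
    upstream = {CLIENT: PIHOLE, PIHOLE: ISP, ROUTER: router_dns}
    return trace(Router(intercept, set(exempt)), upstream)


if __name__ == "__main__":
    cases = {
        "router -> ISP, intercept on (the OP's first, working setup)": (ISP, True),
        "router -> Pi-hole, intercept on (the loop)": (PIHOLE, True),
        "router -> Pi-hole, intercept off (the fix found later)": (PIHOLE, False),
        "router -> Pi-hole, intercept on, Pi-hole exempt (assumed variant)": (PIHOLE, True, {PIHOLE}),
    }
    for label, args in cases.items():
        ok, path = scenario(*args)
        print(f"{label}: {'resolved' if ok else 'LOOP'} via {' -> '.join(path)}")
```

The second case reproduces the bounce between Pi-hole and router step for step; the first shows why the OP's earlier setup still worked even with the intercept in place (the router answered on the Pi-hole's behalf, which is also why its log later shows queries "from 192.168.0.88").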

Is there a way at the Pi-hole level to trace more precisely what's going on?

No, what you see is everything we and the DNS server knows.
We know where the query comes from and what is asked for. What do you think we could know in addition?

As for the large amount of queries, I believe guzzoni.apple.com is used for Apple's Siri and Dictation services; are you running any Macs on your network? If you don't have Enhanced Dictation enabled, the voice queries are sent up to Apple's servers, which may be causing some of your traffic.

I don't have any Macs, but I do have an iPhone / iPad.

OK, well those use Siri/Dictation as well. It's possible it could be something else, but I think it's a good place to start.

Without knowing too much about your setup, I would first suggest finding where the excessive queries are coming from and then troubleshooting from there:

  1. Find the IP of one of your iPhones/iPads
  2. Search the query log for that address
  3. See if there are a lot of queries for that domain

Using a bit of scripting on the log file, you can get some quick counts:

grep -E 'guzzoni.*<some ip address here>' test | wc -l

will search for queries in the log that have guzzoni and the IP address of a certain client and tell you how many entries there are. This should help narrow down which devices are causing the issue. From there, you can determine what service (possibly Siri or Dictation in this case), is causing the issue.

But since it looks like your Pi-hole is set to the router, it will appear that every request is coming from 192.168.0.1 (presumably your router). So you may want to temporarily set it in the DHCP options instead so each client sets the Pi-hole as their DNS server.

So to reiterate, I would first figure out where the excessive queries are coming from and then see if it's related to what you are seeing on your router, which appears to also be running dnsmasq?

I am progressing.
I have changed the log level in my router in order to see all DNS requests made.
I discovered that my Pi-hole (192.168.0.88: static IP outside the DHCP range of the router) is making its DNS requests through my router!
e.g.:

Sat Jan 7 17:11:44 2017 daemon.info dnsmasq[6049]: query[AAAA] browserchannel-docs.l.google.com from 192.168.0.88
Sat Jan 7 17:11:44 2017 daemon.info dnsmasq[6049]: forwarded browserchannel-docs.l.google.com to 212.27.40.240
So, how can I be sure that Pi-Hole is asking my DNS server directly (not through the router's DNS)?
Where can I cross-check the settings of my Pi-Hole?

EDIT: example with a random website request from a PC (192.168.0.10) with the Pi-hole hardcoded as DNS

pi-hole:
Jan  7 18:04:51 dnsmasq[451]: query[A] www.prout.fr from 192.168.0.10
Jan  7 18:04:51 dnsmasq[451]: forwarded www.prout.fr to 212.27.40.241
Jan  7 18:04:51 dnsmasq[451]: query[A] www.prout.fr from 192.168.0.10
Jan  7 18:04:51 dnsmasq[451]: forwarded www.prout.fr to 212.27.40.240
Jan  7 18:04:51 dnsmasq[451]: forwarded www.prout.fr to 212.27.40.241
Jan  7 18:04:51 dnsmasq[451]: reply www.prout.fr is 149.202.133.35

Router:
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: query[A] www.prout.fr from 192.168.0.88
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: forwarded www.prout.fr to 212.27.40.240
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: query[A] www.prout.fr from 192.168.0.88
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: forwarded www.prout.fr to 212.27.40.240
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: query[A] www.prout.fr from 192.168.0.88
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: forwarded www.prout.fr to 212.27.40.241
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: forwarded www.prout.fr to 212.27.40.240
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: reply www.prout.fr is 149.202.133.35
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: reply www.prout.fr is 149.202.133.35

Your Pi-hole is sending its request directly to 212.27.40.240 - is this the address of your router?

See:

[...] forwarded browserchannel-docs.l.google.com to 212.27.40.240

I think you misinterpreted what is going on. I still think this is what happens here (with log evidence for each step):

  1. Your PC asks the Pi-hole who www.prout.fr is
(Pi-hole log)
query[A] www.prout.fr from 192.168.0.10
  2. Your Pi-hole forwards this to the DNS server 212.27.40.240
(Pi-hole log)
forwarded browserchannel-docs.l.google.com to 212.27.40.240
  3. However, your router doesn't let the Pi-hole do this and captures the request. Afterwards, it tells you that your Pi-hole has asked it for the DNS record (which is not what should be happening)
(router log)
query[A] www.prout.fr from 192.168.0.88
  4. The router is now able to really ask 212.27.40.240
(router log)
forwarded www.prout.fr to 212.27.40.240
  5. and is getting an answer
(router log)
reply www.prout.fr is 149.202.133.35
  6. this is then passed to the Pi-hole
(Pi-hole log)
reply www.prout.fr is 149.202.133.35
  7. and makes it to your PC eventually.

Still, I think your router is capturing your request instead of permitting it to go where the Pi-hole wants to send it. Do you still have the infinite loop issue?
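The two log-reading steps suggested in this thread, as one added script (my example, not Pi-hole's code): the per-client count that the earlier reply's grep one-liner does for a single client, and the cross-check just described, where a name the Pi-hole forwarded to its upstream shows up on the router as a query *from* the Pi-hole's own address. It assumes only the dnsmasq log formats visible in this thread; the www.prout.fr lines are the ones posted above, and the guzzoni.apple.com lines with clients 192.168.0.20 and 192.168.0.21 are constructed so there are two clients to count.

```python
"""Added example (not Pi-hole code): parse dnsmasq log lines from the Pi-hole
and the router, count queries per client for a domain, and flag names the
router captured from the Pi-hole (the interception signature described in
the reply above).
"""
import re
from collections import Counter

# One regex for both syslog flavours: it keys on "dnsmasq[pid]: ", so
# "Jan  7 18:04:51 dnsmasq[451]: ..." (Pi-hole) and
# "Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: ..." (Gargoyle) both match.
LINE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query|forwarded|reply|cached)"
    r"(?:\[(?P<qtype>\w+)\])? (?P<name>\S+) (?:from|to|is) (?P<addr>\S+)"
)


def parse(line):
    """Return {'kind', 'qtype', 'name', 'addr'} for a dnsmasq line, else None."""
    m = LINE.search(line)
    return m.groupdict() if m else None


def queries_per_client(lines, name_suffix=""):
    """How many queries each client IP sent for names ending in name_suffix
    (every name when the suffix is empty). Same idea as the grep | wc -l
    one-liner, but for all clients in one pass."""
    counts = Counter()
    for rec in map(parse, lines):
        if rec and rec["kind"] == "query" and rec["name"].endswith(name_suffix):
            counts[rec["addr"]] += 1
    return counts


def intercepted_names(pihole_lines, router_lines, pihole_ip):
    """Names the Pi-hole forwarded upstream that the router logged as queries
    coming from the Pi-hole. If the Pi-hole reached the ISP directly, the
    router's dnsmasq would never see a query from it, so a match means the
    router captured the port-53 packet."""
    forwarded = {r["name"] for r in map(parse, pihole_lines)
                 if r and r["kind"] == "forwarded"}
    asked = {r["name"] for r in map(parse, router_lines)
             if r and r["kind"] == "query" and r["addr"] == pihole_ip}
    return sorted(forwarded & asked)


# Sample input: the www.prout.fr lines are the ones posted in this thread;
# the guzzoni.apple.com lines are constructed to give two clients to count.
PIHOLE_LOG = """\
Jan  7 18:04:51 dnsmasq[451]: query[A] www.prout.fr from 192.168.0.10
Jan  7 18:04:51 dnsmasq[451]: forwarded www.prout.fr to 212.27.40.241
Jan  7 18:04:51 dnsmasq[451]: query[A] www.prout.fr from 192.168.0.10
Jan  7 18:04:51 dnsmasq[451]: forwarded www.prout.fr to 212.27.40.240
Jan  7 18:04:51 dnsmasq[451]: forwarded www.prout.fr to 212.27.40.241
Jan  7 18:04:51 dnsmasq[451]: reply www.prout.fr is 149.202.133.35
Jan  7 18:05:02 dnsmasq[451]: query[A] guzzoni.apple.com from 192.168.0.20
Jan  7 18:05:02 dnsmasq[451]: query[A] guzzoni.apple.com from 192.168.0.20
Jan  7 18:05:03 dnsmasq[451]: query[A] guzzoni.apple.com from 192.168.0.21
Jan  7 18:05:03 dnsmasq[451]: forwarded guzzoni.apple.com to 212.27.40.240
""".splitlines()

ROUTER_LOG = """\
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: query[A] www.prout.fr from 192.168.0.88
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: forwarded www.prout.fr to 212.27.40.240
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: query[A] www.prout.fr from 192.168.0.88
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: forwarded www.prout.fr to 212.27.40.240
Sat Jan  7 18:04:51 2017 daemon.info dnsmasq[6049]: reply www.prout.fr is 149.202.133.35
""".splitlines()

if __name__ == "__main__":
    print("queries per client for guzzoni.apple.com:",
          dict(queries_per_client(PIHOLE_LOG, "guzzoni.apple.com")))
    print("names the router captured from the Pi-hole:",
          intercepted_names(PIHOLE_LOG, ROUTER_LOG, "192.168.0.88"))
```

On a real setup the inputs would be /var/log/pihole.log on the Pi-hole and the output of logread on the router. As noted earlier in the thread, the per-client count only says something while clients talk to the Pi-hole directly; while the router hands out itself as DNS, every query arrives from 192.168.0.1 and the count collapses to one client.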

So I found the root cause...
Browsing the iptables and dnsmasq config, I eventually found something about "intercepting DNS", which made me think of a Gargoyle DNS option, "Force clients to use router DNS server". I did not really understand how "powerful" this option was, and once I deactivated it, everything went back to normal.
Thanks to all, and I hope this forum thread will help others...

So my assumption was correct :slight_smile:

What remains open is why there is such an option as

Force clients to use router DNS server

and rather: why didn't the guys on the www.gargoyle-router.com forum know about their own option? Your posts there were quite specific, so they should have thought about that.

Hi,

I too have a little problem.

All is working OK, Pi-hole and Gargoyle.

Except the router is broadcasting its own DNS, so all devices send requests through the router, and the router sends them to the Pi-hole.

So now all requests in the Pi-hole come from the router IP. I would like to see every individual IP in the Pi-hole so that I can see which device makes a request.

So how can I make my router broadcast the DNS IP of my Pi-hole instead of its own DNS?

I see on more websites something about browsing the iptables and dnsmasq config, but I have no clue.

I already have "Force Clients To Use Router DNS Servers" turned off; I never used it anyway. But now I've got the custom DNS server filled in with the Raspberry Pi-hole,

I don't want to put the Pi-hole DNS IP into every device, since I've got like 200 IPs handed out, so that is not an option.

Someone? Thanks