NETGEAR C7500 problems

Debug token:
qysuoih1gr

I've been trying for months to get Pihole to run smoothly on my home network. But it always comes down to the same thing.

There is a place on my router to configure the DNS server(s). The second I put in the IP for the Raspberry Pi running Pihole (192.168.0.8), the network comes down. I've gone through multiple reinstalls of the software, both on Raspbian and (currently) Ubuntu server, and it's always the same result. Because I've been trying this for so long, Pihole itself has moved through a few versions. I'm running latest everything.

If I leave this setting to use ISP DNS servers, or manually configure to 1.1.1.1, etc.., then the network returns to normal, but of course nobody is using the Pihole.

At first I thought that for some reason the router just could not also remain the DHCP server (though I could think of no technical reason why), so a couple of months ago I made the Pihole the DHCP server (turning it off on the router, obviously). I can see that all devices on the network are indeed getting their addresses from the Pihole. But this did not fix the problem.

If I specifically configure a device to use 192.168.0.8 for DNS, then ad blocking might or might not work. I've done this with my own devices. Some days the dashboard says it's blocking some queries, other days nothing happens. After a while, I decide to try setting the DNS in the router again, the network comes down, and family members storm into the home office saying "Did you plug in the Pihole again??".

I just wonder if the router is doing something like hijacking all traffic on port 53 and if the DNS is the PiHole, it starts an endless loop of going back and forth with a query. I see this in the log, which makes me think this might be the case:

Aug 1 14:23:11 dnsmasq[1427]: Maximum number of concurrent DNS queries reached (max: 150)

I've done a lot of googling, and I did find a few hits on Reddit where people had problems getting this to work with NetGear routers. One guy rolled his router firmware back one version, and that worked for a while. Another ended up getting a new router.

Is it possible that this router will just not play nice with the PiHole?

In your router config: did you set pihole as WAN upstream DNS or do you distribute pihole's IP as DNS server for clients via DHCP?

What is the upstream DNS you configured in pihole?

There are indeed difficult routers out there.

Some just allow you to define upstream DNS (as opposed to local DNS via DHCP).
This is OK, you only lose the ability to associate DNS queries to individual devices (and client-based filtering), but Pi-hole will work.
If such a router allows to disable its DHCP server, enabling Pi-hole's will get that sorted.

Then there are routers that still distribute themselves as DNS server, no matter what.
This will lead to all of your clients using the router for some queries, so some of your DNS traffic will bypass Pi-hole.
This can only be addressed on the router.

Then there are routers that do indeed interfere with port 53/DNS traffic.
These are the worst. They may deny connections to private IP DNS ranges, or they may divert port 53 traffic to a DNS server of their choosing. They may do so for their entire network, or just for either the wireless or the LAN part.
If they do it for the whole network: That would be the only instance where I would recommend a replacement straight away.
If it's only for part of the network, you may limit your traffic to the unaffected part. Extend that part by switches and/or APs if you have to, especially if your router is ISP commissioned or forced upon you otherwise.

So much for general advice. :wink:

Not so long ago, I had a topic where a Netgear disagreed with distributing a local (private address) DNS server, so it could well be your router falls into some misbehaving category - though it's still unclear how it disagrees in your case.

Answering yubiuser's question will advance the discussion to find out about it.

In the router configuration, the DNS is set under Advanced|Setup|Internet Setup. I don't see any wording anywhere that distinguishes between "WAN upstream DNS" and "local DNS". I didn't know that a router might make such a distinction. I've been through every page in the router configuration; this is the only place to set it. And it does require something (I tried not setting it).

DHCP is disabled on the router. I'm looking on the Pi-hole DHCP page to see if there is someplace to configure what DNS is given to DHCP clients. I don't see anything, but I think that makes sense, it already knows it is 192.168.0.8, I assume it gives that out, and there is never any reason to change this.

Just tried this: went to a W7 laptop, renewed the DHCP address. Verified DHCP and DNS are both 192.168.0.8 (the Pi-Hole). Good news! No, the ads are there, but today I qualify for some free shipping on silver coins!

On the Pi-hole, upstream DNS is Google (ECS) and Cloudflare.

I think this is the WAN side.

It advertises its own IP as DNS server. In your case 192.168.0.8.

That's good. This configuration does not cause a DNS loop which might have explained your experienced issues.

For your clients it looks like this for DNS requests: Client -> Pihole -> Cloudflare
For your router's own DNS requests it is: Router -> Pihole -> Cloudflare

To dig further, please generate a debug token by pihole -d or via Web interface Tools/Generate Debug log.

A DNS loop may still partially be closed if jrf had enabled Conditional Forwarding.

The concurrent DNS queries reached message may hint at that.

Good point.

I generated that for my original post, let me know if you need a new one.

Is this relevant?

No, it isn't.

To elaborate on this:
Blocking port 53 (exempting Pi-hole!) is not a bad choice in itself.
Blocking the DNS port in your router will prevent clients from successfully bypassing Pi-hole and resolving hostnames through some public server.
It won't stop such clients from trying to bypass Pi-hole in the first place. They will still do so, even if that port is disabled. Depending on how your clients react to receiving no DNS answers, they may appear to slow down or stutter considerably (for repeating those unsuccessful queries), or they may concur after a few attempts to use the designated DNS server for the network, Pi-hole.

But it doesn't at all address your issue of losing DNS resolution the moment you configure Pi-hole as DNS in your router.

I had a look at your debug log initially (looks normal), but the debug log won't provide many leads to router configuration issues. And Conditional Forwarding wasn't enabled for the token you posted.
Did you enable it since, or play with it at some time?

Do those max concurrent DNS queries still happen? Can you trace this down to a certain client?
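The two leads raised above (a partial DNS loop through Conditional Forwarding, and tracing the "Maximum number of concurrent DNS queries reached" message to a particular client) can both be checked against /var/log/pihole.log, which is the standard dnsmasq query log. The script below is an added example for this thread, not part of the original posts and not Pi-hole's own tooling. The log excerpt embedded in it is constructed for illustration: 192.168.0.8 is the Pi-hole from the thread, 192.168.0.1 is an assumed router address, and 192.168.0.23 is an assumed client. A loop shows up as an address that both sends queries to Pi-hole and receives forwards from it; the concurrency cap shows up as one client producing many queries within the same second.

```python
"""Triage a dnsmasq / Pi-hole query log for a forwarding loop and for noisy clients."""
import re
from collections import Counter

# Constructed sample of pihole.log lines (not taken from the thread's debug log).
# Assumptions: 192.168.0.1 is the router and is configured as a Conditional
# Forwarding target; the router itself uses the Pi-hole (192.168.0.8) for DNS.
SAMPLE_LOG = """\
Aug  1 14:23:10 dnsmasq[1427]: query[A] example.com from 192.168.0.23
Aug  1 14:23:10 dnsmasq[1427]: forwarded example.com to 1.1.1.1
Aug  1 14:23:10 dnsmasq[1427]: reply example.com is 93.184.216.34
Aug  1 14:23:11 dnsmasq[1427]: query[A] laptop.lan from 192.168.0.23
Aug  1 14:23:11 dnsmasq[1427]: forwarded laptop.lan to 192.168.0.1
Aug  1 14:23:11 dnsmasq[1427]: query[A] laptop.lan from 192.168.0.1
Aug  1 14:23:11 dnsmasq[1427]: forwarded laptop.lan to 192.168.0.1
Aug  1 14:23:11 dnsmasq[1427]: query[A] laptop.lan from 192.168.0.1
Aug  1 14:23:11 dnsmasq[1427]: forwarded laptop.lan to 192.168.0.1
Aug  1 14:23:11 dnsmasq[1427]: Maximum number of concurrent DNS queries reached (max: 150)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
MAX_CONCURRENT = "Maximum number of concurrent DNS queries reached"


def parse_log(text):
    """Turn raw dnsmasq lines into (timestamp, kind, name, address) tuples.

    Only query, forwarded and concurrency-limit lines are kept; replies and
    other messages are ignored because the two checks below do not need them.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if q := QUERY_RE.match(msg):
            events.append((ts, "query", q["name"], q["client"]))
        elif f := FORWARD_RE.match(msg):
            events.append((ts, "forwarded", f["name"], f["upstream"]))
        elif msg.startswith(MAX_CONCURRENT):
            events.append((ts, "max_concurrent", "", ""))
    return events


def loop_suspects(events):
    """Addresses that both send queries to Pi-hole and receive forwards from it.

    A resolver that Pi-hole forwards to (e.g. a router named in Conditional
    Forwarding) while that resolver in turn uses Pi-hole as its DNS bounces
    the same name back and forth. In the log that is one address in both roles.
    """
    clients = {addr for _, kind, _, addr in events if kind == "query"}
    upstreams = {addr for _, kind, _, addr in events if kind == "forwarded"}
    return sorted(clients & upstreams)


def busiest_clients(events, top=3):
    """(timestamp, client) pairs with the most queries in one second, highest first.

    Whoever dominates the seconds around a concurrency-limit message is the
    client (or looping resolver) to look at first.
    """
    per_second = Counter((ts, addr) for ts, kind, _, addr in events if kind == "query")
    return per_second.most_common(top)


def overload_seconds(events):
    """Timestamps at which dnsmasq reported hitting its concurrent-query limit."""
    return [ts for ts, kind, _, _ in events if kind == "max_concurrent"]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("loop suspects:", loop_suspects(ev))
    print("busiest (second, client):", busiest_clients(ev))
    print("concurrency limit hit at:", overload_seconds(ev))
```

Against a real log, replace SAMPLE_LOG with the contents of /var/log/pihole.log around the time of the error. An empty loop-suspect list with one ordinary client dominating the busiest seconds points at that device; the router's own address appearing as a loop suspect points at Conditional Forwarding or at an upstream setting that sends Pi-hole's queries back through the router.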

Have not changed anything since creating the log. I don't remember ever messing with this setting.

AFAIK, this only appears in the log when I change the DNS IP in the router to point at the Pi-hole. I believe it's the router.