No DNS on internal LAN but via VPN

Rico_Lino · April 6, 2018, 12:03pm

Please follow the below template, it will help us to help you!

I recently installed PiVPN besides Pi-hole (both updated yesterday).
All was working good until I did a "pihole -up" today.
It updated with no errors but now I can only make DNS queries on the VPN connected devices. On my local LAN pinging to an external IP is possible but no DNS queries anymore.

Expected Behaviour:

DNS queries should be possible via LAN and VPN.

Actual Behaviour:

DNS queries are only possible via VPN (see text at the top).

Debug Token:

pk7pbom4ew

Thanks a lot

deHakkelaar · April 6, 2018, 3:24pm

Are you running Jessie by chance ?
Read this blog about dnsmasq version and Jessie:

Try post some nslookup results on the clients (not Pi-hole) like below examples:

Querying my router for "pi.hole" :

C:\>nslookup pi.hole 10.0.0.1
Server:  router.asus.com
Address:  10.0.0.1

*** router.asus.com can't find pi.hole: Non-existent domain

Querying Pi-hole for "pi.hole" :

C:\>nslookup pi.hole 10.0.0.2
Server:  noads.dehakkelaar.nl
Address:  10.0.0.2

Name:    pi.hole
Address:  10.0.0.2

Querying without explicit DNS server:

C:\>nslookup pi.hole
Server:  noads.dehakkelaar.nl
Address:  10.0.0.2

Name:    pi.hole
Address:  10.0.0.2

RamSet · April 6, 2018, 5:12pm

Maybe double check the Interface listening behavior (and select Listen on all interfaces, permit all origins) ?

DL6ER · April 6, 2018, 5:22pm

From @Rico_Lino tricorder log, I can already see that he has his interface listening behavior set up correctly and is participating in the FTLDNS beta phase.

Some questions, hoping to narrow down the scope of this issue:

When you run

dig google.com +short @127.0.0.1
dig google.com +short @192.168.0.10 (replace the IP by your Pi-hole's internal networking IP)
dig google.com +short @10.0.0.10 (replace the IP by your Pi-hole's VPN IP)

on your Pi-hole does it return an IP address?

When you query some pages from clients in your local network, does they show up if you run pihole -t on your Pi-hole?

Rico_Lino · April 6, 2018, 6:15pm

I think you will have an idea seeing my outputs:

pi@fr0sh-pi:~ $ dig google.com +short @127.0.0.1
172.217.18.14
pi@fr0sh-pi:~ $ dig google.com +short @192.168.178.5

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com +short @192.168.178.5
;; global options: +cmd
;; connection timed out; no servers could be reached
pi@fr0sh-pi:~ $ dig google.com +short @10.8.0.1
216.58.210.14

The internal clients don't show up (192.168.178.26 was my internal device):

pi@fr0sh-pi:~ $ pihole -t
_ [i] Press Ctrl-C to exit_
Apr 6 20:09:07 dnsmasq[21570]: * 127.0.0.1/35157 reply com is DNSKEY keytag 46967, algo 8
Apr 6 20:09:07 dnsmasq[21570]: * 127.0.0.1/35157 reply com is DNSKEY keytag 30909, algo 8
Apr 6 20:09:07 dnsmasq[21570]: * 127.0.0.1/35157 reply google.com is no DS
Apr 6 20:09:07 dnsmasq[21570]: 1 127.0.0.1/35157 validation result is INSECURE
Apr 6 20:09:07 dnsmasq[21570]: 1 127.0.0.1/35157 reply google.com is 172.217.18.14
Apr 6 20:10:13 dnsmasq[21570]: 2 10.8.0.1/39963 query[A] google.com from 10.8.0.1
Apr 6 20:10:13 dnsmasq[21570]: 2 10.8.0.1/39963 forwarded google.com to 1.0.0.1
Apr 6 20:10:13 dnsmasq[21570]: 2 10.8.0.1/39963 forwarded google.com to 1.1.1.1
Apr 6 20:10:13 dnsmasq[21570]: 2 10.8.0.1/39963 validation result is INSECURE
Apr 6 20:10:13 dnsmasq[21570]: 2 10.8.0.1/39963 reply google.com is 216.58.210.14

I have hope that you can help me...
Thanks!

DL6ER · April 6, 2018, 6:46pm

So this indicates that your Pi-hole listening on lo and tun0, but not on eth0 (or whatever your Ethernet port may be called). What's the output of

netstat -anp | grep "53 "

?

Rico_Lino · April 6, 2018, 6:54pm

pi@fr0sh-pi:~ $ sudo netstat -anp | grep "53 "
tcp 0 0 0.0.0.0:38353 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 22398/pihole-FTL
tcp6 0 0 :::53 :::* LISTEN 22398/pihole-FTL
udp 0 0 0.0.0.0:5353 0.0.0.0:* 323/avahi-daemon: r
udp 0 0 0.0.0.0:53 0.0.0.0:* 22398/pihole-FTL
udp6 0 0 :::5353 :::* 323/avahi-daemon: r
udp6 0 0 :::53 :::* 22398/pihole-FTL

DL6ER · April 6, 2018, 6:55pm

Hmm, that seems fine, do you know if PiVPN installed any firewall rules? How about

sudo iptables -L

Rico_Lino · April 6, 2018, 6:58pm

Everything default (I also flushed it, just to test it):

pi@fr0sh-pi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Andre_M · April 6, 2018, 9:05pm

Hi,
i had the same problem here

as posted in my last comment.
Try out
in /etc/pihole/setupVars.conf

PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=tun0

make a new file in /etc/dnsmasq.d and call it 02-pihole-own.conf
Write in this file just 3 lines

interface=eth0
interface=tun0
interface=lo

check /etc/dnsmasq.conf and /etc/dnsmasq.d/* for a file with

except-interface=nonexisting

if this is in a file, delete it.

After that reboot the container, pihole restartdns is not enough here.

I'm not sure why this changes is needed now, on my old jessie containers it worked a long time but on stretch it works at this way only

Rico_Lino · April 7, 2018, 7:31am

I edited the configs as stated (but: /etc /pihole /setupVars.conf).
Now it is working again as expected.

Maybe on monday I can try to dig deeper if all changes are really needed or not.

But for now: thanks a lot!

Andre_M · April 7, 2018, 2:54pm

i think the most important is the dnsmasq conf at this point.
i tried with except-interface=nonexisting (that means the same as list all interfaces separatly)
and i tried with
interface=eth0
interface=tun0
only and that hadn't worked for me. I must specify the lo too.

The chances in setupVars.conf are optional but if you don't do this, a pihole -r would break your config again.

But this is my experience only, i'm very interested in your findings

Rico_Lino · April 9, 2018, 10:19am

My findings are nearly the same.
I used https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/ as a guide to install PiVPN besides pi-hole.
And there's also no mention of the lo-Interface.
So I think it is related to it (but can't imagine why...).

Btw: In the web-settings of pi-hole this is shown now:
Pi-hole Ethernet Interface: tun0
Do you also have this instead of eth0?

Greetings

Rico_Lino · April 9, 2018, 2:10pm

The issue was also solved by this:

delete the 02-ovpn.conf in /etc/dnsmasq.d/
be sure to have the line "except-interface=nonexisting" active in 01-pihole.conf in /etc/dnsmasq.conf/
/etc/pihole/setupVars should only have PIHOLE_INTERFACE=eth0 (and no other interfaces)

This was mentioned wrong / outdated in the link I posted earlier.

Greetings

Andre_M · April 9, 2018, 8:30pm

yes, its the same for me. Before i change the configs there was my th0 device... after changes there is the tun device listed

system · April 30, 2018, 8:30pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.