No DNS requests resolve on client computer when using per-device DNS setup

Please follow the below template, it will help us to help you!

Expected Behaviour:

When I manually configure my Macbook's (11.3.1) DNS to use my Pi-hole's (standard Pi 400) IP, websites/dig load (with ads blocked, though loading would be a prerequisite!).

Actual Behaviour:

When I manually configure the DNS entry for wifi (option 3 here: How do I configure my devices to use Pi-hole as their DNS server?), no sites will load, and, for example, dig www.cnn.com fails:

; <<>> DiG 9.10.6 <<>> www.cnn.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Notably, the query shows up in my Pi-hole's logs as OK, for the relevant entries. But that information, for whatever reason, doesn't make its way back to my laptop.

For context, I am using the manual configuration per-device option, because I have a router (Spectrum 6), which doesn't seem to support good configuration. I'm attempting to bypass that, and if it means manually setting up DNS per-device, I'd be fine with it. Unfortunately, even that doesn't seem to work.

Things I have tried:

  • changing between upstream DNS providers
  • toggling IPv6 boxes on settings/DNS page (currently set the way the setup script left them)
  • messing with DHCP setting
  • looking for this setting but I don't think it's available to me, and I'm not sure if it's relevant when setting up DNS the way I am.
  • I don't have Private Relay set up (re: this)

Debug Token:

H95Dhh9

Run from your Macbook client, what's the output of:

nslookup pi.hole
nslookup flurry.com 192.168.1.193
nslookup flurry.com 80.241.218.68

Thanks for your help!

Results:

> nslookup pi.hole
;; connection timed out; no servers could be reached

> nslookup flurry.com 192.168.1.193
;; connection timed out; no servers could be reached

> nslookup flurry.com 80.241.218.68

Server:		80.241.218.68
Address:	80.241.218.68#53

Name:	flurry.com
Address: 0.0.0.0

Noting that I see flurry.com in the Pi's admin interface for the second one.

What DNS servers is the Mac using? From the Mac terminal, what is the output of the following:

scutil --dns

> scutil --dns

DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.193
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.193
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

Thanks!

(this is the static IP for my Pi)

Something is interfering with DNS flow on port 53 on your network. Are you running any firewalls, VLANs, etc.?

Not intentionally! I have a very vanilla set up. Could it possibly be something proprietary from my ISP (Spectrum)? FWIW, everything works fine without the Pi-hole in the mix. Out of curiosity, is there anything in particular in those results I shared that's leading you to think that? Also, to clarify, do you mean a firewall (for instance) on my laptop, Pi device, or router?

Firewall would be on the Mac itself. Are you running any Security software, like an antivirus package (AVG, Norton, McAfee, for example) on this device? Some of these may have a firewall or DNS component that's getting in the way. Just a thought.


Gotcha. Yeah, not intentionally. One more data point here: I also tried setting custom DNS up on my phone, and got the same result: loading any page hangs then fails. To me, I guess this suggests a Pi or router setup issue, but it could be a coincidence.

Post results for below two:

sudo iptables -nL

sudo nft list ruleset

They should list firewall rules on the Raspi ... if any.

EDIT: Below the ports that need to be allowed:

> sudo iptables -nL
Chain INPUT (policy ACCEPT)
target          prot opt source                    destination

Chain FORWARD (policy ACCEPT)
target          prot opt source                    destination

Chain OUTPUT (policy ACCEPT)
target          prot opt source                    destination


> sudo nft list ruleset
sudo: nft: command not found

should I install nft?

On your Mac what do these two commands give?

dig CHAOS TXT authors.bind @192.168.1.193 +short
dig CHAOS TXT version.bind @192.168.1.193 +short

Pi-hole answers with "Simon Kelley" for the first and nothing for the second.


No.
iptables is for older distros.
nft for newer ones.

The output shows no rules active locally

They both time out: ;; connection timed out; no servers could be reached

Apologies if this is a silly question, but is that good or bad? Looked at the link you sent and I'm not sure what to make of the firewall section--am I supposed to have set that up before running the install script? I guess I thought the script was taking care of that, but that could've been mistaken.


No firewall rules would just seem to indicate that there is no firewall running on your Pi (assuming that's where you ran the firewall commands from). So that would mean it's not a firewall on the Pi blocking your access to Pihole. I'm sure more suggestions will be forthcoming. :slight_smile:

Apologies accepted :wink:
That's not an easy question to answer.
Some say you need to run a firewall on every system.
Some say if you know what ports are listening, you won't need one.

Before or after doesn't matter (before is preferred).
But as soon as you want to make use of the Pi-hole service, those required ports need to be allowed on any firewalls that sit between your clients and Pi-hole.

Pi-hole is not gonna touch your firewall as there are many firewall tools available and many ways to setup a firewall.

Huh, but if I've got no firewall, which the earlier results showed, that means it's not a necessary step, right? Putting security aside for the minute, in the interest of just getting things working. So my failing to do that wouldn't be the issue at hand?

For context, I'm setting all this up on a brand new Pi.

Above could also be the upstream configured DNS servers for Pi-hole not responding.
What DNS server(s) is/are configured in Pi-hole?

dig +short @localhost chaos txt servers.bind

And what if you try to query those from the Raspi:

dig @<DNS_SERVER_IP> flurry.com

Eg:

pi@ph5b:~ $ dig @8.8.8.8 flurry.com

; <<>> DiG 9.16.22-Raspbian <<>> @8.8.8.8 flurry.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11375
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;flurry.com.                    IN      A

;; ANSWER SECTION:
flurry.com.             300     IN      A       98.136.103.23
flurry.com.             300     IN      A       212.82.100.150
flurry.com.             300     IN      A       74.6.136.150

;; Query time: 29 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Feb 22 22:30:30 CET 2023
;; MSG SIZE  rcvd: 87
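The checks suggested in this thread (the CHAOS TXT authors.bind probe, the nslookup/dig runs from the Mac, and the dig @upstream run from the Pi) all come down to one question: does the resolver reply on UDP/53 at all, and if so, is the reply a Pi-hole block (A record 0.0.0.0) or real data? Below is an added diagnostic script, not code from the thread or from the Pi-hole project, that builds a raw DNS query and classifies the outcome as "timeout", "blocked" or "answered". Because it has to run offline, it also starts a constructed in-process stand-in for a dnsmasq/Pi-hole listener on 127.0.0.1 (it is not Pi-hole; the "Simon Kelley" authors string is the one quoted above, the 192.0.2.10 address is a documentation-range placeholder, and the blocked-domain list is made up). A "silent" listener that binds the port but never answers reproduces what a firewall dropping port 53 looks like from the client side.

```python
import socket
import struct
import threading

QTYPE_A, QTYPE_TXT = 1, 16
CLASS_IN, CLASS_CHAOS = 1, 3
_keepalive = []  # keeps mock sockets open for the lifetime of the process


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read an uncompressed name (question names are never compressed here)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels), off + 1


def skip_name(msg, off):
    """Advance past a name; a 0xC0 compression pointer ends it in two bytes."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n


def build_query(name, qtype, qclass, txid=0x1234):
    # header: id, flags (RD=1), QDCOUNT=1, AN/NS/AR=0, then one question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_answers(msg):
    """Return A rdata (dotted IPv4) and TXT rdata (first string) of the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE_A:
            out.append(socket.inet_ntoa(rdata))
        elif rtype == QTYPE_TXT:
            out.append(rdata[1:1 + rdata[0]].decode())
    return out


def probe(server, port, name, qtype=QTYPE_A, qclass=CLASS_IN, timeout=1.0):
    """Classify a resolver the way the thread's nslookup/dig runs did:
    'timeout' = no reply on UDP (";; connection timed out; no servers could be reached"),
    'blocked' = Pi-hole style null-IP answer, 'answered' = real data came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qclass), (server, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout", []
    values = parse_answers(data)
    if qtype == QTYPE_A and values == ["0.0.0.0"]:
        return "blocked", values
    return "answered", values


def mock_resolver(blocked=("flurry.com",), silent=False):
    """Constructed stand-in for a dnsmasq/Pi-hole listener on 127.0.0.1 (offline test
    aid, not Pi-hole). silent=True binds the port but never replies, which is what a
    firewall dropping UDP/53 looks like to the client. Returns the bound port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    _keepalive.append(sock)

    def serve():
        while True:
            q, peer = sock.recvfrom(512)
            name, end = decode_name(q, 12)
            qtype, qclass = struct.unpack("!HH", q[end:end + 4])
            if qtype == QTYPE_TXT and qclass == CLASS_CHAOS and name == "authors.bind":
                rdata = b"\x0cSimon Kelley"   # dnsmasq's authors.bind reply, as quoted in the thread
            elif qtype == QTYPE_A and qclass == CLASS_IN:
                # 192.0.2.10 is a constructed documentation-range address, not a real host
                rdata = socket.inet_aton("0.0.0.0" if name in blocked else "192.0.2.10")
            else:
                rdata = b""
            # response flags 0x8180: QR=1, RD=1, RA=1; echo the question, add one RR if any
            header = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if rdata else 0, 0, 0)
            rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, qclass, 300, len(rdata)) + rdata
            sock.sendto(header + q[12:end + 4] + (rr if rdata else b""), peer)

    if not silent:
        threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


if __name__ == "__main__":
    ok, dead = mock_resolver(), mock_resolver(silent=True)
    print(probe("127.0.0.1", dead, "pi.hole"))                             # ('timeout', [])
    print(probe("127.0.0.1", ok, "flurry.com"))                            # ('blocked', ['0.0.0.0'])
    print(probe("127.0.0.1", ok, "authors.bind", QTYPE_TXT, CLASS_CHAOS))  # ('answered', ['Simon Kelley'])
```

To use it against a real Pi-hole, replace the mock with the Pi's address and port 53 (for example `probe("192.168.1.193", 53, "pi.hole")`). A "timeout" there, while the same query against the Pi-hole's upstream answers, points at something between the client and the Pi dropping UDP/53 rather than at the upstream, which is the distinction the replies above are trying to make; "answered" with "Simon Kelley" for the CHAOS authors.bind query confirms the responder really is the dnsmasq-based Pi-hole.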