No internet connection when using pi-hole DNS

The issue I am facing:
No internet connection on other devices when using pi-hole DNS (LanIP or TailscaleIP)

Details about my system:
I'm new to some of the tools that I will list below (the bold ones), so... be patient:

Pi-Hole Server
Desktop computer running Xubuntu 22.04.4 with:

  • tailscale, exit node and magicDNS enabled
  • followed all on tailscale KB for the pi-hole ( Access a Pi-hole from anywhere · Tailscale Docs )
  • pi-hole, linked my wlan interface at install (should it be linked to tailscaled0? naaaah!)
  • lighttpd for Pi-Hole webUI (pointed to port 8080 as I need port 80 for apache2/Nextcloud server)
  • ufw: port 53 open or closed on the firewall made no difference (it shouldn't be necessary because of tailscale)

Other Devices
Android 13 Phone with tailscale installed and part of the tailnet
HP laptop running Windows 11 with tailscale and part of the tailnet

What I have changed since installing Pi-hole:

  • uninstalled and reinstalled pi-hole
  • added some lists (not the issue)
  • tried DHCP on the phone's wifi settings - works as expected but, of course, no ads blocked
  • tried static ip on the phone with LanIP as DNS from pi-hole - connected, no internet
  • tried static ip on the phone with TailscaleIP as DNS - connected, no internet
  • tried opening the 53 port on ufw and used phone with both LanIP/DNS and TailscaleIP/DNS - connected, no internet for either IP/DNS
  • disabled tailscale on the android phone, tried LanIP/DNS - connected, no internet
  • tried all this on multiple networks, to no avail
  • tried on a windows11 laptop, TailscaleIP/DNS: no ads blocked; LanIP/DNS: ads blocked
  • removed Android Phone from tailnet and re-added, no joy

Pi-Hole is running fine on the Desktop, blocking ads with no issues.
The first time I used pi-hole it worked out of the box with the normal configuration and tailscale; I had to reinstall the OS (for other reasons) and now I get this error.
I think the issue is with the pi-hole because it doesn't work with tailscale disabled and using the pi-hole LanIP/DNS.

Which DNS should I be using, the LanIP or the TailscaleIP? It should be the Tailscale one to route when I'm outside of the LAN, right?

I must be missing something along the way. I would much appreciate it if someone could point me in the right direction or give some advice regarding my setup.

debug token: https://tricorder.pi-hole.net/7MsMpaEo/

Thank you for the help,

P.S. - at the end of the pi-hole install we can see the IPv4/IPv6 to use as DNS in the dialog; where can we find them in the pi-hole webUI?

  • from the URL of the web session if the IP is being used
  • in Tools > Network and look for all instances of pi.hole
  • if you can open a terminal on the network, ping pi.hole
  • create a debug log in Tools > Generate debug log (no need to upload) and look for the Networking section to see the interfaces in use and the addresses bound to them. E.g. in your case it's this (I've redacted the MAC):
*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the wlx<redacted> interface:
    192.168.1.100/24
    192.168.1.163/24

[✓] IPv6 address(es) bound to the wlx<redacted> interface:
    2001:<redacted>/64
    2001:<redacted>/64
    fe80::<redacted>/64

By default, Pi-hole will listen on all your host device's network interfaces and their associated IP addresses.

You can list those IP addresses with your usual OS network tools, e.g.

ip address

What DNS servers is your Desktop using?

Run from a local client directly connected to your network, please share the output of (preferably as text):

nslookup pi.hole
nslookup flurry.com 192.168.1.100

What does

nslookup pi.hole

return when issued from a remote client connecting through tailscale?
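The three commands requested above produce transcripts in two formats (Linux nslookup on the server, Windows nslookup on the tailnet client), and the diagnosis hinges on reading them the same way each time: an answer of 0.0.0.0/:: means Pi-hole blocked the name, a public address means forwarding to upstream works, and repeated "DNS request timed out" means the client never reached the resolver it printed after "Server:". As an added example (not code from the original thread or from the Pi-hole project), the following Python parses such transcripts and returns that verdict together with which resolver actually answered. The embedded transcripts are constructed to mirror the output shapes seen in this thread; the names parse_nslookup, classify and explain are this example's own.

```python
"""Classify nslookup transcripts into blocked / resolved / timeout.

Added example, not part of the original thread. Sample transcripts are
constructed to mirror Linux and Windows nslookup output formats.
"""
import ipaddress
import re

# "Server:  192.168.1.100" or "Server: magicdns.localhost-tailscale-daemon"
SERVER_RE = re.compile(r"^Server:\s*(\S+)$")
# "Address: 192.168.1.100#53" (Linux) or "Addresses:  1.2.3.4" (Windows)
ADDRESS_RE = re.compile(r"^Address(?:es)?:\s*(\S+)$")
# Windows nslookup prints this once per failed attempt
TIMEOUT_RE = re.compile(r"^DNS request timed out", re.IGNORECASE)


def _as_ip(token):
    """Parse '192.168.1.100#53', '0.0.0.0' or '::' into an ip_address, else None."""
    token = token.split("#", 1)[0]  # Linux nslookup appends '#<port>' to the server address
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_nslookup(text):
    """Split a transcript into the resolver it used, the answers it got, and timeouts."""
    server_name = None   # text after "Server:"
    server_ip = None     # first address printed after the "Server:" line
    answers = []         # every address printed after that: the actual DNS answers
    timeouts = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMEOUT_RE.match(line):
            timeouts += 1
            continue
        m = SERVER_RE.match(line)
        if m and server_name is None:
            server_name = m.group(1)
            continue
        m = ADDRESS_RE.match(line)
        ip = _as_ip(m.group(1) if m else line)  # bare-IP lines also count (Windows multi-answer)
        if ip is None:
            continue
        if server_name is not None and server_ip is None:
            server_ip = ip
        else:
            answers.append(ip)
    return {"server_name": server_name, "server_ip": server_ip,
            "answers": answers, "timeouts": timeouts}


def classify(text):
    """Return 'timeout', 'no-answer', 'blocked', 'resolved-public' or 'resolved-local'."""
    r = parse_nslookup(text)
    if not r["answers"]:
        return "timeout" if r["timeouts"] else "no-answer"
    if all(ip.is_unspecified for ip in r["answers"]):   # 0.0.0.0 / :: is Pi-hole's block answer
        return "blocked"
    if any(ip.is_global for ip in r["answers"]):        # a routable address: upstream works
        return "resolved-public"
    return "resolved-local"                              # e.g. pi.hole -> 192.168.1.100


def explain(text):
    """One-line interpretation of a transcript, in the terms used in this thread."""
    r = parse_nslookup(text)
    verdict = classify(text)
    who = str(r["server_ip"] or r["server_name"] or "an unknown resolver")
    if verdict == "timeout":
        if who == "100.100.100.100":   # Tailscale's MagicDNS resolver, not Pi-hole itself
            return f"timeout from MagicDNS ({who}): MagicDNS is not forwarding to Pi-hole"
        return f"timeout from {who}: the client cannot reach that resolver (routing/firewall)"
    if verdict == "blocked":
        return f"{who} answered 0.0.0.0/::: Pi-hole blocking is working"
    return f"{who} answered {', '.join(map(str, r['answers']))}: resolution works"


# Constructed transcripts (same shapes as the thread's, not copied from it).
LINUX_BLOCKED = "Server:\t\t192.168.1.100\nAddress:\t192.168.1.100#53\n\n" \
                "Name:\tflurry.com\nAddress: 0.0.0.0\nName:\tflurry.com\nAddress: ::\n"
LINUX_PUBLIC = "Server:\t\t192.168.1.100\nAddress:\t192.168.1.100#53\n\n" \
               "Non-authoritative answer:\nName:\tpi-hole.net\nAddress: 3.18.136.52\n"
LINUX_LOCAL = "Server:\t\t192.168.1.100\nAddress:\t192.168.1.100#53\n\n" \
              "Name:\tpi.hole\nAddress: 192.168.1.100\n"
WINDOWS_MAGICDNS = "Server:  magicdns.localhost-tailscale-daemon\nAddress:  100.100.100.100\n\n" \
                   + "DNS request timed out.\n    timeout was 2 seconds.\n" * 4 \
                   + "*** Request to magicdns.localhost-tailscale-daemon timed-out\n"
WINDOWS_LAN = "DNS request timed out.\n    timeout was 2 seconds.\nServer:  UnKnown\n" \
              "Address:  192.168.1.100\n\n" \
              + "DNS request timed out.\n    timeout was 2 seconds.\n" * 3 \
              + "*** Request to UnKnown timed-out\n"

if __name__ == "__main__":
    for name, sample in [("flurry.com via LAN", LINUX_BLOCKED), ("pi-hole.net via LAN", LINUX_PUBLIC),
                         ("pi.hole via LAN", LINUX_LOCAL), ("pi.hole via MagicDNS", WINDOWS_MAGICDNS),
                         ("flurry.com from tailnet client", WINDOWS_LAN)]:
        print(f"{name}: {classify(sample)} -- {explain(sample)}")
```

Paste each client's transcript into a string and call explain() on it; the "Server:" line it reports is the part worth comparing across clients, because a client that prints 100.100.100.100 is asking MagicDNS, not Pi-hole, whatever DNS address was typed into its network settings. "Server: UnKnown" on Windows only means nslookup could not reverse-resolve the resolver's address and does not itself indicate a fault.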

Hi there,
Thank you for the help!

From what I can see, I have an IPv4 that shouldn't be there (192.168.1.163 is not used in my network) and the IPv6 is completely different from the one pi-hole provided at the end of the install (192.160.1.100 and fd7a:115c:a1e0::ec01:6d1a - these are the ones I'm using on the Desktop with pi-hole alongside Quad9).

from the Desktop (pi-hole server)

nslookup pi.hole
Server: 192.168.1.100
Address: 192.168.1.100#53

Name: pi.hole
Address: 192.168.1.100
Name: pi.hole
Address: 2001:818:ded3:1000:4849:85c3:af3e:e656

nslookup flurry.com 192.168.1.100
Server: 192.168.1.100
Address: 192.168.1.100#53

Name: flurry.com
Address: 0.0.0.0
Name: flurry.com
Address: ::

from the Windows11 with tailscale

nslookup pi.hole
Server: magicdns.localhost-tailscale-daemon
Address: 100.100.100.100

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to magicdns.localhost-tailscale-daemon timed-out

nslookup flurry.com 192.168.1.100
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.100

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

Remembered one thing! The first time I installed pi-hole I forgot to set up a static IP address (I need it to be 192.168.1.100) and pi-hole provided 192.168.1.163 as the IP. Then I uninstalled pi-hole, set up the static IP on 192.168.1.100 and reinstalled. That might be why the .163 is appearing there.

Hope I provided all the info you needed. Again, thanks for the help!

Your nslookup results from a tailscale client reveal that a tailscale client is using 100.100.100.100 for DNS, and those requests do time out.

I can't verify (as your debug log has expired, please share a fresh one), but if that 100.100.100.100 were not your Pi-hole machine's tailscale IP address, then you'd possibly have to inquire with tailscale how they apply their magic DNS to use your Pi-hole instead of their own DNS services.

Your nslookup results from a local client demonstrate that using your Pi-hole at 192.168.1.100 works, and that Pi-hole's blocking is operational.

Would you also be able to resolve a public domain from a local client, e.g.

nslookup pi-hole.net 192.168.1.100

Thank you for your help

100.100.100.100 is not my tailscale IP for the pi-hole machine.

Here is a fresh debug log: https://tricorder.pi-hole.net/XO4uB6e5/

running
nslookup pi-hole.net 192.168.1.100

Server: 192.168.1.100
Address: 192.168.1.100#53

Non-authoritative answer:
Name: pi-hole.net
Address: 3.18.136.52

Odd thing is that I edited all my wifi connections (server, clients) to use Quad9 or Cloudflare DNS in the meantime and that way all seems to be working. I cannot see ads on my devices and the test from canyoublockit.com doesn't show ads.

So if I'm using tailscale, instead of the pi-hole IP/DNS (192.168.1.100) I should be using tailscale's Quad100 IP from the pi-hole server?

also, should I disable the exit node?

Still trying to understand...

I don't think so...

I just posted the link to explain what is 100.100.100.100 in Tailscale network.

I'm not an expert in Tailscale configuration.
Actually I just used it once, but if I remember correctly, I created a Tailscale Subnet with my local subnet range (192.168.0.0/24 - because I was running Tailscale docker container with macvlan) and added my internal Pi-hole IP in the magicDNS settings.

When Tailscale is connected it should use 100.100.100.100 and forward the DNS queries to your Pi-hole. They will show up in Pi-hole dashboard.

Well, I just uninstalled tailscale, removed all my tailnet, uninstalled pi-hole and put it all back. Now everything is working as expected. Tailscale is up, pi-hole running, ads are being blocked for all devices on the network and internet working when using pi-hole DNS. All good.

I think this topic may be closed.

Thank you all for the help!