Pi-hole doesn't resolve DNS from eth0

For the last few days (started on Friday), I have been experiencing the following issue on my Pi-hole on Raspberry Pi:

I have installed wireguard on the pi (using a DDNS address from my ISP) and can connect to my pi from my laptop when I'm not home. My pi's IP address is 192.168.1.99. I also have an IPv6 address.

If I connect via wireguard, then pi-hole works without a hitch. But from home, it used to work but not anymore. Tried to repair and/or reconfigure; to no avail.

From my laptop at home (with ISP DNS), if I type `dig google.com` in the terminal, it works, but if I type `dig google.com @192.168.1.99 -p 53` I get a timeout.

But if I connect my laptop via wireguard it works.

Looking at the debug log, I see the following:

```
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] wiadomosci-dnia.waw.pl is 0.0.0.0 on lo (127.0.0.1)
[✗] Failed to resolve wiadomosci-dnia.waw.pl on eth0 (192.168.1.99)
[✓] No IPv4 address available on wlan0
[✓] wiadomosci-dnia.waw.pl is 0.0.0.0 on wg0 (10.10.10.1)
[✓] doubleclick.com is 142.250.203.110 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] adsrv.adplus.co.id is :: on lo (::1)
[✗] Failed to resolve adsrv.adplus.co.id on eth0 (2a02:120b:c3ea:6d00:4d51:188e:1bf3:83bc)
[✗] Failed to resolve adsrv.adplus.co.id on eth0 (fe80::2518:9dcf:9b10:6a69)
[✓] No IPv6 address available on wlan0
[✓] No IPv6 address available on wg0
[✓] doubleclick.com is 2a00:1450:400a:801::200e via a remote, public DNS server (2001:4860:4860::8888)
```

I also noticed that although I'm using unbound, the address in /etc/resolv.conf is 1.1.1.1

Debug Token:

https://tricorder.pi-hole.net/EXGILXXU/

Thank you in advance for your help.

This usually hints at something preventing access to required port 53/DNS on your Pi-hole host machine, which would be in line with your debug log reporting resolution is also failing via your host's IPv6 addresses. The most common cause would be a firewall interfering.

In your case, however, your debug log shows you've created a custom configuration for your wireguard interface:

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d
-rw-r--r-- 1 root root 14 Sep 23 23:26 /etc/dnsmasq.d/wg0.conf
   interface=wg0

This is restricting Pi-hole to answer only requests received via wg0, which is conflicting with Pi-hole's Interface listening behaviour as modifiable via Pi-hole's UI (and restricting to wg0 also wouldn't be necessary for a private home network Pi-hole installation).

Remove that custom configuration and switch to one of the Listen on all... options via Pi-hole's DNS settings pane.


Unrelated to your issue, I've noticed that you've configured unbound as your upstream DNS server as many as 4 times:

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_DNS_1=127.0.0.1#5335
    PIHOLE_DNS_2=127.0.0.1#5335
    PIHOLE_DNS_3=2a02:120b:c3ea:6d00:4d51:188e:1bf3:83bc#5335
    PIHOLE_DNS_4=2a02:120b:c3ea:6d00:4d51:188e:1bf3:83bc#5335

It would be fully sufficient to use a single 127.0.0.1#5335 as Pi-hole's sole upstream DNS server, as detailed in our unbound guide.

Furthermore, your router is distributing itself as local DNS server via DHCP:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 333 bytes from eth0:192.168.1.1
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      dns-server: 192.168.1.1
      router: 192.168.1.1
         --- end of options ---

This is a valid setup, especially if your router wouldn't support configuring DHCP to switch the local DNS server to Pi-hole.

However, you will not be able to attribute DNS requests from Pi-hole's Query Log to individual clients, and consequently, client-specific blocking via Pi-hole's Group Management won't work.

If you would indeed be able to configure your router to distribute Pi-hole as local DNS server via DHCP, you should also consider removing your regex blocks for reverse DNS queries, at least for your private network (in order for Pi-hole to show hostnames instead of client IP addresses).

id     type  enabled  group_ids     domain
-----  ----  -------  ------------  ---------------------------------------
193       3     0     0             ^.*p\.(([0-9]{1,3}\.){4})in-addr\.arpa$
194       3     0     0             ^.*(([0-9]{1,3}\.){4})in-addr\.arpa$
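
The `interface=wg0` override found in `/etc/dnsmasq.d` earlier in this reply can be located with a short scan like the one below. This is an added example, not part of the original reply or Pi-hole's own tooling; the function names, the sample files, and the assumption that `01-pihole.conf` is the Pi-hole-managed file to skip are illustrative.

```shell
#!/bin/sh
# Added example: report dnsmasq directives that limit which interfaces answer DNS.
# Usage: find_listen_overrides DIR [MANAGED_FILE]
find_listen_overrides() {
    dir=$1
    # Assumption: this file is written by Pi-hole itself and reflects the UI
    # setting, so it is skipped; anything else is a manual override.
    managed=${2:-01-pihole.conf}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = "$managed" ] && continue
        # Drop comments and whitespace, keep only listening-related directives.
        sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$f" |
            grep -E '^(interface|except-interface|listen-address)=|^(bind-interfaces|bind-dynamic)$' |
            while IFS= read -r line; do
                printf '%s: %s\n' "$name" "$line"
            done
    done
}

# Constructed sample directory mirroring the debug log (not real system files).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'interface=wg0\n' > "$d/wg0.conf"
    printf '# written by Pi-hole\nlocal-service\n' > "$d/01-pihole.conf"
    printf 'cache-size=10000  # unrelated tuning\n' > "$d/99-custom.conf"
    echo "$d"
}

sample=$(make_sample_dir)
find_listen_overrides "$sample"
rm -rf "$sample"
```

On the Pi-hole host itself, `find_listen_overrides /etc/dnsmasq.d` performs the same check against the live configuration; any line it prints competes with the interface setting chosen in Pi-hole's DNS settings pane.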

Thank you very much. Removing the /etc/dnsmasq.d/wg0.conf did the trick.

I still have a few questions about your remarks:

  • for the unbound configuration, for IPv6 connections shouldn't I put the IPv6 pi's local address as well?
  • As I don't want to put pi-hole as DNS resolver for all my devices, I configure the devices individually and I use the router's DHCP function for giving the devices an address.
  • I put the regex blocks because I was getting a lot of in-addr.arpa.fqdn entries in the log. Should I leave those entries (PTR records)?

No, not necessary.
The DNS protocol is indifferent to the transport protocol used.

PTR lookups are both common and expected.
Pi-hole itself will issue reverse lookups in an effort to get to know hostnames associated to IP addresses.

Thank you very much. You have been extremely helpful.

One last question. I have configured a new device and in pi-hole the log shows the new device with its IP(v4) address and not a hostname. Can I do anything to change this?
