Pi-Hole not working with Apple devices

I have received feedback in the meantime and unfortunately it still doesn't work. Here is the desired screenshot


Message: Safari could not open the page because the server is no longer responding

This appears to be a setup issue on the iOS device or a router issue. The user will have to troubleshoot and resolve it. They can manually assign a DNS in the iOS device and bypass Pi-Hole, for example.

From the debug log, there does not appear to be any Pi-Hole problems.

This screenshot shows a 4G connection. How are you trying to resolve (use Pi-hole) via 4G/LTE?

I don't think there's a way to bypass the Carrier (Cell provider) DNS via iOS (unless jailbroken or via VPN).

You can use this guide to bypass the carrier's DNS setting when using cell data connection:
https://docs.pi-hole.net/guides/vpn/dual-operation/

This will allow use of carrier's full speed connection and Pi-hole resolution for DNS (I've been using this for months now).

@RamSet It connects via VPN to the raspberry. This also works perfectly on all non-apple devices. ios simply doesn't show this in the status bar... for whatever reason

@jfb at the moment i only have the friend's computer set up to use the pihole as dns. the ios device currently only connects to the pihole via vpn. however, the problem also exists if i manually set the dns address of the ios phone and only connect through wifi.

There's something going on there with that iOS device.

I have 3 iOS devices that connect to 4 (available) different VPN servers all using Pi-hole as DNS and they all work.

Pi-hole + VPN combos are hosted on different hardware, even different continents.

i checked the output of the debug log again and saw that dnsmasq is inactive because port 53 is already used... but despite... it seems to work for all other devices without any problems.

sudo netstat -anlp | grep ":53"

tcp        0      0 0.0.0.0:53         0.0.0.0:*       LISTEN      9612/pihole-FTL     
tcp6       0      0 :::53              :::*            LISTEN      9612/pihole-FTL     
udp        0      0 0.0.0.0:53         0.0.0.0:*                   9612/pihole-FTL     
udp        0      0 0.0.0.0:5353       0.0.0.0:*                   481/avahi-daemon: r 
udp6       0      0 :::53              :::*                        9612/pihole-FTL     
udp6       0      0 :::5353            :::*                        481/avahi-daemon: r 

sudo service dnsmasq status

dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset: enabled)
Active: inactive (dead)

sudo systemctl status dnsmasq.service

dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2018-10-16 01:21:08 CEST; 12s ago
Process: 24822 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=2)
Process: 24819 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)

Okt 16 01:21:08 PiHole systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Okt 16 01:21:08 PiHole dnsmasq[24819]: dnsmasq: Syntaxprüfung OK.
Okt 16 01:21:08 PiHole dnsmasq[24822]: dnsmasq: Konnte Empfangs-Socket für port 53: Die Adresse wird bereits verwendet nicht erzeugen
Okt 16 01:21:08 PiHole systemd[1]: dnsmasq.service: Control process exited, code=exited status=2
Okt 16 01:21:08 PiHole systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
Okt 16 01:21:08 PiHole systemd[1]: dnsmasq.service: Unit entered failed state.
Okt 16 01:21:08 PiHole systemd[1]: dnsmasq.service: Failed with result 'exit-code'.

dnsmasq is no longer used as part of Pi-hole.

Pi-hole uses FTLDNS (pihole-FTL) which is an in-house fork of dnsmasq.

Pi-hole works as intended :slight_smile:
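As an added example (not part of the original thread): a shell check over the netstat output posted above that matches port 53 exactly and names the program holding it, which is why the standalone dnsmasq unit reports the address as already in use. The function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: the `netstat -anlp | grep ":53"` output quoted in the thread.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:53         0.0.0.0:*       LISTEN      9612/pihole-FTL
tcp6       0      0 :::53              :::*            LISTEN      9612/pihole-FTL
udp        0      0 0.0.0.0:53         0.0.0.0:*                   9612/pihole-FTL
udp        0      0 0.0.0.0:5353       0.0.0.0:*                   481/avahi-daemon: r
udp6       0      0 :::53              :::*                        9612/pihole-FTL
udp6       0      0 :::5353            :::*                        481/avahi-daemon: r
EOF
}

# port_owners PORT: read `netstat -anlp` output on stdin and print
# "proto local-address program" for sockets bound to exactly PORT.
# A plain grep ":53" also matches :5353 (mDNS), as the sample shows.
port_owners() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, part, ":")       # port is the last ":" field, also for ":::53"
            if (part[n] != port) next
            prog = "unknown"               # netstat prints "-" here when run without root
            # UDP rows have no State column, so locate the PID/Program field by shape.
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { prog = $i; break }
            sub(/^[0-9]+\//, "", prog)     # drop the PID
            sub(/:$/, "", prog)            # netstat truncates "avahi-daemon: running"
            print $1, $4, prog
        }'
}

# dns_port_verdict: summarise which program holds port 53 (netstat output on stdin).
dns_port_verdict() {
    owners=$(port_owners 53 | awk '{ print $3 }' | sort -u | tr '\n' ' ')
    owners=${owners% }
    case "$owners" in
        "")         echo "nothing is listening on port 53" ;;
        pihole-FTL) echo "pihole-FTL holds port 53; a separate dnsmasq unit cannot bind it" ;;
        *)          echo "port 53 is held by: $owners" ;;
    esac
}

sample_netstat | dns_port_verdict
```

On a live host, feed it with `sudo netstat -anlp | dns_port_verdict`; without root the program column is empty and the owner is reported as unknown.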

hmm weird...

i created another log but haven't changed anything in the meantime

token: n3hd5gmicx

Can you share the contents of your server.conf ?
How is the VPN log looking on the iOS device?

dev tun
proto udp
port 1194
ca /path/to/ca.crt
cert /path/to/certificate.crt
key /path/to/key.key
dh none
ecdh-curve abcde1234
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /path/to/ta.key
cipher ABC-DEF-GHI
auth ABC123
compress lz4
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.

I will tell him to make a screenshot while connected but I'll be able to post it tomorrow at the earliest.

and despite that the problem is the same if he is only connected to the pihole as dns via wifi.

replace

with

push "redirect-gateway def1 bypass-dhcp"

You can set a secondary DNS IP with push "dhcp-option DNS 192.168.178.20" (Replace with the LAN IP of the Pi-hole).

Restart openvpn and try again.

i can try it. but however that doesn't explain why it doesn't work in his home network without being connected via vpn. server.conf has no influence on the functionality of pihole or does it?

Unless you have the Pi-hole hosting device, opened to the public (port 53 forwarded or exposed to the internet), he will not be able to use your Pi-hole as his DNS.

It has no influence over Pi-hole. It does however provide connection details and network settings to the connecting clients.

So I should set up a port forwarding for the iPhone on the router or how should I understand this? What I have done is to exchange the default DNS server with the IP of the raspberry on the router. so each device should use whatever settings it has the pihole as dns and if I'm connected via vpn it automatically uses the pihole as dns or not?
Sorry to have to ask. English is not my native language.

Edit: not any settings of course. if the dns server was changed manually, of course not.

No you should not. It will expose your Pi-hole (dns server) to the entire world and that is never a good idea (unless you know what you are getting into and how to secure it properly).

Leave it as is (for your own security).

Your friend will have to be connected via VPN in order to use YOUR Pi-hole.

Sounds like your router is set up to take care of your LAN clients.

Your VPN however seems to be a little bit messed up (looks like you didn't use the official guide below to set it up).

https://docs.pi-hole.net/guides/vpn/overview/

Follow this guide for the VPN server and it will fix all your VPN related issues.

ah ^^ as i said at the beginning, it's not my raspberry. it's on a friend's network. i simply have root access via vpn to the raspberry and his router, so i can follow the instructions here. in case of an emergency, i still run a restorescript via crontab if i make a wrong setting and can't reach the raspberry any more. so the settings are reset and the raspberry reboots. safe is safe. and no revealing the pihole to the internet was never a plan of mine... i don't know enough about network security to risk such a thing :wink:

in my network everything works fine. but i also don't have any apple devices that could cause problems :wink:

i can test how it behaves when he connects to my raspberry at my home... i don't assume that it will work because i installed my image on his raspberry and reinstalled vpn to generate new keys. so it's practically a 1:1 copy... so far i haven't actually had any problems with the vpn but i'll check your link.

as far as I could see the only things I had to add was this:

server.conf
push "route 192.168.178.0 255.255.255.0"

and your

push "redirect-gateway def1 bypass-dhcp"

If that works ... :slight_smile:

so i will tell him to try it again with vpn on his own raspberry and if it still should not work he should connect to my raspberry by vpn (which still contains the above errors mentioned at the very beginning of this post)... and if it works then... I cry :smile:
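An added example, not from the thread or the Pi-hole guide: a shell check that reads a server.conf and reports, for each DNS server pushed to VPN clients, whether it is reached through the tunnel, using the `server`, `push "route ..."`, `push "redirect-gateway ..."` and `push "dhcp-option DNS ..."` directives discussed above. `dns_paths` and its three labels are this example's own; it judges from server-pushed options only and assumes contiguous netmasks.

```shell
#!/bin/sh
# Constructed sample: the routing-related lines of the thread's server.conf.
sample_conf() {
cat <<'EOF'
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
EOF
}

# dns_paths: read an OpenVPN server.conf on stdin and print, per pushed DNS server,
#   routed           - inside the VPN subnet or a pushed route
#   redirect-gateway - reached only because all client traffic is redirected
#   outside-tunnel   - the client would query it over its local network
dns_paths() {
    awk '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # Number of addresses in a contiguous netmask; a missing mask means a host route.
        function span(mask) { return 4294967296 - ip2n(mask == "" ? "255.255.255.255" : mask) }
        /^[ \t]*[#;]/ { next }                       # comment lines
        { gsub(/"/, "") }                            # push "route a b" -> push route a b
        $1 == "server"                                     { net[++k] = ip2n($2); size[k] = span($3) }
        $1 == "push" && $2 == "route"                      { net[++k] = ip2n($3); size[k] = span($4) }
        $1 == "push" && $2 == "redirect-gateway"           { redirect = 1 }
        $1 == "push" && $2 == "dhcp-option" && $3 == "DNS" { dns[++d] = $4 }
        END {
            for (i = 1; i <= d; i++) {
                how = redirect ? "redirect-gateway" : "outside-tunnel"
                for (j = 1; j <= k; j++)
                    if (int(ip2n(dns[i]) / size[j]) == int(net[j] / size[j])) how = "routed"
                print dns[i], how
            }
        }'
}

sample_conf | dns_paths
```

A LAN address such as 192.168.178.20 pushed as DNS without a matching pushed route or a gateway redirect comes out as `outside-tunnel`, meaning a client on a cellular connection has no path to it.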

I have now tested some older iphones with my own setup. All attempts worked without problems. It seems that only iPhone X is affected by this problem. I can't say exactly yet because I'm still waiting for my friend's feedback regarding the above attempts. I also have to check which iOS versions worked for me.