Pi-hole server cannot resolve domains itself, leading to failed list updates

Hi,

I've installed the latest version of pi-hole on a pi zero running a new, vanilla raspbian install. I set it up with a static IP, and it is the one and only DHCP server on my network. Other computers on my network can successfully perform DNS queries on the pi-hole, and do have their ads blocked, but the pi that is running pi-hole itself cannot. The ip in /etc/resolv.conf is set automatically to 127.0.0.1. When I manually change this to the ip of the local ip of the pi-hole (192.168.0.126, in my case), it temporarily works (this is how I updated the lists once). However, the ip in resolv.conf soon reverts to 127.0.0.1, after which list updates (or any dns request through e.g. nslookup or dig) cease to function.

I've set up pi-hole to listen on all interfaces, and accept queries from IPs at most 1 hop away. No port blocking is being done (iptables -L shows policy ACCEPT on all chains) and netstat shows dnsmasq is indeed listening on all interfaces:

tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1855/dnsmasq

What could be going on here?

Thanks in advance,

Jeroen

On the Pi-hole device, can you run dig google.com @127.0.0.1? The reason your changes to resolv.conf are overwritten is that the file is automatically generated by resolvconf; it is not meant to be edited by hand.

Also, is dnsmasq only listening on TCP, or is it also listening on UDP? sudo netstat -tulpn would give us a better view of things.

Hi,

Thanks for your reply!

Entering dig google.com @127.0.0.1 gives me:

; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> google.com @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

And the output of sudo netstat -tanpl is:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      639/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1855/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      539/sshd
tcp        0      0 192.168.0.126:80        192.168.0.186:55454     TIME_WAIT   -
tcp        0      0 192.168.0.126:80        192.168.0.186:55463     TIME_WAIT   -
tcp        0      0 192.168.0.126:80        192.168.0.186:55460     TIME_WAIT   -
tcp        0    224 192.168.0.126:22        192.168.0.186:55457     ESTABLISHED 4965/sshd: pi [priv
tcp        0      0 192.168.0.126:80        192.168.0.186:55467     ESTABLISHED 639/lighttpd
tcp        0      0 192.168.0.126:80        192.168.0.186:55464     TIME_WAIT   -
tcp        0      0 192.168.0.126:80        192.168.0.186:55459     TIME_WAIT   -
tcp        0      0 192.168.0.126:80        192.168.0.186:55465     TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      639/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      1855/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      539/sshd

So it does look like dnsmasq is only listening on TCP, right?

sudo netstat -tulpn is the command; the t is for TCP and the u is for UDP. Your check is missing the u, so the UDP sockets are not shown.

Oh, whoops, sorry :). Here's the output for sudo netstat -tulpn (it's quite long!):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      639/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1855/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      539/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      639/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      1855/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      539/sshd
udp        0      0 0.0.0.0:43408           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:60319           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:31137           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:10151           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:38315           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:48299           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:29868           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:51126           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:2235            0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:14796           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:49358           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:6098            0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:58085           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           335/avahi-daemon: r
udp        0      0 0.0.0.0:45548           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:20206           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:46831           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:41711           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:7156            0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:55541           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:51703           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:65277           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:26628           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:40724           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:30487           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:53016           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:56094           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:47412           0.0.0.0:*                           335/avahi-daemon: r
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:1590            0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:34361           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:7481            0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:17468           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:46656           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           536/dhcpcd
udp        0      0 0.0.0.0:19270           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:63303           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:18503           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:29513           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:35914           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:36434           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:12120           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:14175           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:41824           0.0.0.0:*                           1855/dnsmasq
udp        0      0 192.168.0.126:123       0.0.0.0:*                           564/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           564/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           564/ntpd
udp        0      0 0.0.0.0:14718           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:33410           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:65411           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:7304            0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:42376           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:27529           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:34441           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:29834           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:43917           0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:50063           0.0.0.0:*                           1855/dnsmasq
udp6       0      0 :::5353                 :::*                                335/avahi-daemon: r
udp6       0      0 :::53                   :::*                                1855/dnsmasq
udp6       0      0 :::55910                :::*                                335/avahi-daemon: r
udp6       0      0 fe80::26a5:b629:f94:123 :::*                                564/ntpd
udp6       0      0 ::1:123                 :::*                                564/ntpd
udp6       0      0 :::123                  :::*                                564/ntpd

That's rather interesting, just to check on a few baseline things, do you mind sending over the token from the pihole -d run?

I would, but it's apparently not able to upload to tricorder :(. The error message is nc: getaddrinfo: Name or service not known. Same issue, I suppose. Is there another (secure, since I see password info in there) way to get the log to you? Or, alternatively, is there anything in particular I can look up in the local copy?

Thanks for your time,

Jeroen

That's the doubly hashed value of the password. It's near impossible to reverse that to the actual password, but if you'd like, could you paste everything to pastebin and then delete that password line?

How's this:

That shows that the direct dig also fails. dig google.com @8.8.8.8 shouldn't take anything from /etc/resolv.conf into consideration. Do both dig google.com @127.0.0.1 and the dig to 8.8.8.8 fail when run manually?

Yes, they both fail with the same connection timed out; no servers could be reached message.

ping 172.217.20.78 (which is the IP google.com resolves to) works though. And ping 8.8.8.8 works as well.

Sounds like there may be a firewall issue. If you can't dig Google's DNS server directly, then something is blocking port 53 TCP/UDP from the Pi-hole to 8.8.8.8, so it's not just a local issue. A successful ping is good for connectivity: we know you can reach 8.8.8.8, but something is blocking DNS queries to that address as well as to your localhost address.
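As an added example that is not part of this thread or of Pi-hole's own tooling: a small POSIX sh script that turns the two checks asked for above into functions. It parses netstat -tulpn output (a constructed, trimmed sample is embedded, not captured from any host) to confirm that port 53 is bound on both TCP and UDP, and it classifies the outcome of dig @127.0.0.1 versus dig @8.8.8.8 the way the reply above reasons, so a dead local listener is told apart from a router or firewall dropping outbound DNS. The live probe() helper assumes dig is installed, uses example.com as the query name and 8.8.8.8 as the upstream to test; it is only called from the commented-out usage lines at the end.

```sh
#!/bin/sh
# Added example for this thread, not Pi-hole project code.
#  1. parse `netstat -tulpn` output and confirm a resolver is bound to port 53
#     on BOTH tcp and udp (the -tanpl run earlier in the thread hid the udp socket);
#  2. classify `dig @127.0.0.1` versus `dig @8.8.8.8` results so that a local
#     listener problem is separated from a firewall blocking outbound port 53.

# Constructed sample in `netstat -tulpn` format (a trimmed stand-in, not real output).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1855/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      1855/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1855/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           335/avahi-daemon: r'

# Same sample with the udp lines dropped: what a `netstat -tanpl` view looks like.
SAMPLE_TCP_ONLY=$(printf '%s\n' "$SAMPLE_NETSTAT" | grep -v '^udp ')

# listeners_on_port NETSTAT_TEXT PORT
# Prints one "proto program" line per socket bound to PORT; tcp6/udp6 are folded
# into tcp/udp so the caller sees which transports are covered.
listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NF >= 6 {
            n = split($4, addr, ":")                   # port follows the last colon
            if (addr[n] != port) next
            proto = $1; sub(/6$/, "", proto)
            prog = "-"
            for (i = 5; i <= NF; i++) if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog) }
            print proto, prog
        }' | sort -u
}

# dns_listener_status NETSTAT_TEXT
# Echoes "ok" when port 53 is bound on both tcp and udp, else "missing: <protos>".
dns_listener_status() {
    bound=$(listeners_on_port "$1" 53)
    missing=""
    printf '%s\n' "$bound" | grep -q '^tcp ' || missing="$missing tcp"
    printf '%s\n' "$bound" | grep -q '^udp ' || missing="$missing udp"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# triage LOCAL_RESULT UPSTREAM_RESULT
# Each argument is "ok" or "timeout": the outcome of a dig at 127.0.0.1 and at
# 8.8.8.8 respectively. Encodes the reasoning used in the thread.
triage() {
    case "$1/$2" in
        ok/ok)           echo "resolver and egress fine: look at /etc/resolv.conf (generated by resolvconf, do not hand-edit)" ;;
        ok/timeout)      echo "local resolver answers but direct upstream query fails: outbound port 53 filtered on router/firewall" ;;
        timeout/ok)      echo "upstream reachable but 127.0.0.1:53 does not answer: local listener or loopback firewall problem" ;;
        timeout/timeout) echo "both fail: not a local-only issue, DNS (port 53) is being blocked from this host" ;;
        *)               echo "unknown result pair: $1/$2"; return 1 ;;
    esac
}

# probe SERVER [tcp]
# Live check: "ok" if SERVER returned any DNS reply within 2 s, "timeout" otherwise.
# Pass "tcp" as the second argument to force TCP/53 instead of UDP/53.
probe() {
    mode=""
    [ "$2" = tcp ] && mode="+tcp"
    if dig $mode +time=2 +tries=1 example.com @"$1" >/dev/null 2>&1; then
        echo ok
    else
        echo timeout
    fi
}

# Usage on the Pi-hole host itself (uncomment to run live):
# dns_listener_status "$(sudo netstat -tulpn 2>/dev/null)"
# triage "$(probe 127.0.0.1)" "$(probe 8.8.8.8)"
# triage "$(probe 127.0.0.1 tcp)" "$(probe 8.8.8.8 tcp)"   # same pair over TCP/53
```

Running the UDP and TCP pairs separately matters because a firewall rule can drop one transport and not the other; a resolver that answers over TCP but not UDP (or vice versa) points at filtering rather than at a dead dnsmasq process.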

Argh, you're right, it is! There was a traffic rule in my router specifically disallowing outgoing DNS requests. This is a countermeasure suggested by some tutorial I followed against savvy kids trying to bypass OpenDNS by forcing their computer to use another DNS server. I completely forgot about that.

So sorry to have wasted your time!

Regards, and thanks for a great product (donation is on its way).

Jeroen

Not a waste of time, glad we found out the problem and could resolve it.

And thank you for the donation, it really is appreciated!
