Pi-hole showing only local client, not filtering for remote clients


#1

Expected Behaviour:

Pi-hole to show client requests and filter

Actual Behaviour:

So I’ve installed pi-hole without any issues and it seems to work for all requests originating on the Pi itself. But it seems to get completely bypassed when a DNS lookup is done from another client on the network.

Interface listening behavior is set to listen all, permit all, but the following lookup does not register in the query log (pi-hole’s static IP is 192.168.0.111):

```
nslookup google.com 192.168.0.111
Server: 192.168.0.111
Address: 192.168.0.111#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.110
```

No blacklisted domains are blocked when looked up from a client with the DNS server set to 192.168.0.111

Any help is appreciated.

Debug Token:

d2cbrfyz4o


#2

I remember something similar before:


#3

Well, I have no named running in parallel (which seems to have been the solution there):

pi@raspberrypi:~ $ sudo netstat -nltup | grep ":53 "
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      535/dnsmasq         
tcp6       0      0 :::53                   :::*                    LISTEN      535/dnsmasq         
udp        0      0 0.0.0.0:53              0.0.0.0:*                           535/dnsmasq         
udp6       0      0 :::53                   :::*                                535/dnsmasq      

and dig reports from a client:

dig apple.com @192.168.0.111  

; <<>> DiG 9.10.3-P4-Ubuntu <<>> apple.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60378
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;apple.com.                     IN      A

;; ANSWER SECTION:
apple.com.              1776    IN      A       17.178.96.59
apple.com.              1776    IN      A       17.142.160.59
apple.com.              1776    IN      A       17.172.224.47

;; Query time: 13 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Tue May 15 16:01:20 CEST 2018
;; MSG SIZE  rcvd: 86

which looks ok, i.e. it asks the pi-hole box.

dnsmasq version is also ok:

pi@raspberrypi:~ $ dnsmasq -v
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

I do have an old Fritzbox 7170 as default gateway, but since dig reports that my pi-hole answers the DNS request, that can’t have any influence

can it?


#4

The router is not blocking DNS queries on the local LAN as the dig command gets a reply.

First tail the Pi-hole logs like so:

tailf /var/log/pihole.log

Or even grep for a client IP:

tailf /var/log/pihole.log | grep <CLIENT_IP_ADDRESS>

Now when on the client PC, you do the same dig, can you see the query appearing in the logs?

If not, what's the outcome of the ones below on Pi-hole?

grep QUERY_LOGGING /etc/pihole/setupVars.conf

grep "log-queries\|log-facility" -R /etc/dnsmasq.d/

And on the client PC, what's in:

cat /etc/resolv.conf

EDIT: I changed one of the greps a bit.


#5

Nothing in that log while I dig.

QUERY_LOGGING=true

/etc/dnsmasq.d/01-pihole.conf:log-queries=extra
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53

(I have the same problem when testing this from a Windows client where I manually set the DNS server in the network settings - the requests apparently go to my pi-hole but don’t “trigger”)


#6

Disk full maybe?

df -h

I have no idea.
Wait for one of the devs to have a look at the token or someone else???


#7

plenty of space…


#8

So if you run pihole -t and make a query from a client, nothing shows up? (try making a query which has not been cached). If something does show up, share the output.


#9

Right, nothing shows up, I just ran dig on a domain which I never queried before:

dig walmart.com @192.168.0.111       

; <<>> DiG 9.10.3-P4-Ubuntu <<>> walmart.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41353
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;walmart.com.                   IN      A

;; ANSWER SECTION:
walmart.com.            120     IN      A       161.170.239.170
walmart.com.            120     IN      A       161.170.232.170
walmart.com.            120     IN      A       161.170.230.170

;; Query time: 136 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Tue May 15 20:21:44 CEST 2018
;; MSG SIZE  rcvd: 88

#10

You might be running into a version of this issue:


#11

You mean client-side, right? At any rate, running the same dig command from an Ubuntu 14 VM also yields no trace on the pi-hole.


#12

I mean that you may have the systemd stub resolver running instead of Pi-hole’s Dnsmasq. What is the output of `sudo service dnsmasq status -l`?


#13

Also, what is the output of `dig chaos txt version.bind +short`?


#14

pi@raspberrypi:~ $ sudo service dnsmasq status -l
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-05-16 16:51:06 CEST; 12min ago
  Process: 538 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 519 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 507 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 537 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─537 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-d

May 16 16:51:02 raspberrypi systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
May 16 16:51:02 raspberrypi dnsmasq[507]: dnsmasq: syntax check OK.
May 16 16:51:06 raspberrypi dnsmasq[538]: Too few arguments.
May 16 16:51:06 raspberrypi systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
pi@raspberrypi:~ $ dig chaos txt version.bind +short
"dnsmasq-2.76"

#15

Do the files /etc/dnsmasq.conf and /etc/dnsmasq.d/01-pihole.conf exist? What are their contents?


#16

They do, see here (can’t upload here…)


#17

I can't seem to open or download the files on Dropbox without creating an account.
Could you please cat the files and paste the content here or on Pastebin (and post the resulting link here)?
Or better yet, post output for:

sudo grep -v '^#\|^$' -R /etc/dnsmasq*


#18

/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:log-queries=extra
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:server=208.67.222.222
/etc/dnsmasq.d/01-pihole.conf:server=208.67.220.220
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting
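
Added example (not posted by anyone in this thread): a small POSIX shell helper that compares two directive dumps produced by the `grep -v '^#\|^$' -R /etc/dnsmasq*` command from post #17, so every differing line is listed, including the `interface=` / `except-interface=` lines that control which interfaces dnsmasq answers on. The function names and temp-file names are hypothetical; the sample input is the dumps from posts #18 and #20 with the identical `addn-hosts`, `cache-size`, `local-ttl`, `localise-queries` and `log-async` lines left out.

```shell
#!/bin/sh
# Compare two dnsmasq directive dumps produced by:
#   sudo grep -v '^#\|^$' -R /etc/dnsmasq*
# Dump lines look like "/etc/dnsmasq.d/01-pihole.conf:directive[=value]".

# normalise FILE: drop the "path:" prefix, trim trailing blanks, sort.
normalise() {
    sed -e 's/^[^:]*://' -e 's/[[:space:]]*$//' "$1" | LC_ALL=C sort -u
}

# only_in A B: directives that appear in dump A but not in dump B.
only_in() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 1
    normalise "$1" > "$tmp_a"
    normalise "$2" > "$tmp_b"
    LC_ALL=C comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Sample input: shortened copies of the dumps in posts #18 and #20.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/post18.txt" <<'EOF'
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:log-queries=extra
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:server=208.67.222.222
/etc/dnsmasq.d/01-pihole.conf:server=208.67.220.220
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting
EOF
cat > "$WORK/post20.txt" <<'EOF'
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:server=10.0.0.1
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
EOF

echo "only in post #18:"; only_in "$WORK/post18.txt" "$WORK/post20.txt"
echo "only in post #20:"; only_in "$WORK/post20.txt" "$WORK/post18.txt"
```

On a live system, save each machine's grep output to a file and pass the two files to `only_in` in both orders.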

#19

And maybe that Dropbox link now works…


#20

The only differences compared to my setup are these, which seem to be lacking on yours:

/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:interface=eth0

And I don't have the one below in my config:

/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting

On my Pi:

pi@noads:~ $ grep -v '^#\|^$' -R /etc/dnsmasq*
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:server=10.0.0.1
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:interface=eth0

But that could be related to different Pi-hole versions and some minor differences in the settings configured on the web GUI.
Try opening up entirely by configuring “Listen on all interfaces, permit all origins” and remove the tags for forwarding queries: