Pi-hole showing only local client, not filtering for remote clients

arminus · May 15, 2018, 9:12am

Expected Behaviour:

Pi-hole to show client requests and filter

Actual Behaviour:

So I've installed pi-hole without any issues and it seems to work for all requests originating on the PI itself. But it seems to get completely bypassed when a DNS lookup is done from another client on the network.

Interface listening behavior is set to listen all, permit all, but the following lookup does not register in the query log (pi-hole's static IP is 192.168.0.111):

`nslookup google.com 192.168.0.111
Server: 192.168.0.111
Address: 192.168.0.111#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.110`

No blacklisted domains are blocked when looked up from a client with the DNS server set to 192.168.0.111

Any help is appreciated.

Debug Token:

d2cbrfyz4o

deHakkelaar · May 15, 2018, 10:58am

I remember something similar before:

arminus · May 15, 2018, 2:11pm

Well, I have no named running in parallel (which seems to have been the solution there):

pi@raspberrypi:~ $ sudo netstat -nltup | grep ":53 "
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      535/dnsmasq         
tcp6       0      0 :::53                   :::*                    LISTEN      535/dnsmasq         
udp        0      0 0.0.0.0:53              0.0.0.0:*                           535/dnsmasq         
udp6       0      0 :::53                   :::*                                535/dnsmasq

and dig reports from a client:

dig apple.com @192.168.0.111  

; <<>> DiG 9.10.3-P4-Ubuntu <<>> apple.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60378
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;apple.com.                     IN      A

;; ANSWER SECTION:
apple.com.              1776    IN      A       17.178.96.59
apple.com.              1776    IN      A       17.142.160.59
apple.com.              1776    IN      A       17.172.224.47

;; Query time: 13 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Tue May 15 16:01:20 CEST 2018
;; MSG SIZE  rcvd: 86

which looks ok, i.e. it asks the pi-hole box.

dnsmasq version is also ok:

pi@raspberrypi:~ $ dnsmasq -v
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

I do have an old Fritzbox 7170 as default gateway, but since dig reports that my pi-hole answers the DNS request, that can't have any influence

can it?

deHakkelaar · May 15, 2018, 2:31pm

The router is not blocking DNS queries on the local LAN as the dig command gets a reply.

First tail the Pi-hole logs like so:

tailf /var/log/pihole.log

Or even grep for a client IP:

tailf /var/log/pihole.log | grep <CLIENT_IP_ADDRESS>

Now when on the client PC, you do the same dig, can you see the query appearing in the logs?

If not, whats outcome for below ones on Pi-hole?

grep QUERY_LOGGING /etc/pihole/setupVars.conf

grep "log-queries\|log-facility" -R /etc/dnsmasq.d/

And on the client PC, whats in:

cat /etc/resolv.conf

EDIT: I changed one of the greps a bit.

arminus · May 15, 2018, 3:37pm

Nothing in that log while I dig.

QUERY_LOGGING=true

/etc/dnsmasq.d/01-pihole.conf:log-queries=extra
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53

(I have the same problem when testing this from a Windows client where I manually set the DNS server in the network settings - the requests apparently go to my pi-hole but don't "trigger")

deHakkelaar · May 15, 2018, 3:41pm

Disk full maybe ?

df -h

I have no idea.
Wait for one of the devs to have a look at the token or someone else???

arminus · May 15, 2018, 4:17pm

plenty of space...

Mcat12 · May 15, 2018, 4:35pm

So if you run pihole -t and make a query from a client, nothing shows up? (try making a query which has not been cached). If something does show up, share the output.

arminus · May 15, 2018, 6:22pm

right, nothing shows up, I just ran dig on a domain which I never queried before:

dig walmart.com @192.168.0.111       

; <<>> DiG 9.10.3-P4-Ubuntu <<>> walmart.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41353
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;walmart.com.                   IN      A

;; ANSWER SECTION:
walmart.com.            120     IN      A       161.170.239.170
walmart.com.            120     IN      A       161.170.232.170
walmart.com.            120     IN      A       161.170.230.170

;; Query time: 136 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Tue May 15 20:21:44 CEST 2018
;; MSG SIZE  rcvd: 88

Mcat12 · May 16, 2018, 2:38pm

You might be running into a version of this issue:
https://github.com/pi-hole/pi-hole/issues/2179

arminus · May 16, 2018, 2:49pm

You mean client-side, right? At any rate, running the same dig command from a Ubuntu 14 VM also yields no trace on the pi-hole.

Mcat12 · May 16, 2018, 2:51pm

I mean that you may have the systemd stub resolver running instead of Pi-hole's Dnsmasq. What is the output of sudo service dnsmasq status -l

DL6ER · May 16, 2018, 2:54pm

Also, what is the output of dig chaos txt version.bind +short ?

arminus · May 16, 2018, 3:05pm

pi@raspberrypi:~ $ sudo service dnsmasq status -l
â— dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-05-16 16:51:06 CEST; 12min ago
  Process: 538 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 519 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 507 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 537 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           â””â”€537 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-d

May 16 16:51:02 raspberrypi systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
May 16 16:51:02 raspberrypi dnsmasq[507]: dnsmasq: syntax check OK.
May 16 16:51:06 raspberrypi dnsmasq[538]: Too few arguments.
May 16 16:51:06 raspberrypi systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.

pi@raspberrypi:~ $ dig chaos txt version.bind +short
"dnsmasq-2.76"

DL6ER · May 17, 2018, 6:39am

Do the files /etc/dnsmasq.conf and /etc/dnsmasq.d/01-pihole.conf exist? What are their contents?

arminus · May 17, 2018, 7:13am

They do, see here (can't upload here...)

deHakkelaar · May 17, 2018, 12:33pm

I cant seem to open or download the files on dropbox without creating an account.
Could you please cat the files and paste content here or on Pastebin (and post resulting link here) ?
Or better yet, post output for:

sudo grep -v '^#\|^$' -R /etc/dnsmasq*

arminus · May 17, 2018, 12:42pm

/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:log-queries=extra
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:server=208.67.222.222
/etc/dnsmasq.d/01-pihole.conf:server=208.67.220.220
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting

arminus · May 17, 2018, 12:48pm

And maybe that DropBox Link now works...

deHakkelaar · May 17, 2018, 1:03pm

Only difference compared to my setup are these ones that seem to be lacking on yours:

/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:interface=eth0

And I dont have below one in my config:

/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting

On my Pi:

pi@noads:~ $ grep -v '^#\|^$' -R /etc/dnsmasq*
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:server=10.0.0.1
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:interface=eth0

But that could be related to different Pi-hole versions and some minor differences in the settings configured on the web GUI.
Try opening up entirely by configuring "Listen on all interfaces, permit all origins" and remove the tags for forwarding queries: