Pi-hole v6 intermittently drops DNS

The issue I am facing:

Pi-hole intermittently, but regularly, drops DNS traffic. This causes mobile devices to disconnect from my WiFi network.

Details about my system:

I have 3 private networks at home. I need pi-hole to respond to DNS queries from all 3, so have deliberately enabled "Permit all origins" in the DNS Interface Settings. (Thanks for alternate suggestions in other threads, but there's a good reason it's only on one of the 3 networks. I cannot change that.)

Since upgrading to Version 6 of pi-hole I've noticed that DNS queries are intermittently but regularly being dropped.

The main symptom is that mobile devices keep saying that the WiFi has no internet connection. I was actively browsing the web one time when DNS stopped responding before my Android phone reported this error and dropped off my WiFi.

My Pi-hole is running on a dedicated but small Debian 12 (bookworm) VM (with 1 x 2GHz CPU and 1 GB RAM). I've never had reason to believe it's low on resources. It currently has 1.295k domains on lists.

What I have changed since installing Pi-hole:

I have made a handful of changes from default (such as disabling IPv6 and the new time server) but my Pi-hole has never had issues before upgrading to version 6. Since upgrading from v5, I had to reconfigure all my DNS Settings as they were changed back to defaults (by design?). Aside from putting them back how they were before, I haven't actually changed anything.
I do use a Custom DNS server on my linux firewall/router as a downstream server (for reasons I won't elaborate here) so have configured Conditional forwarding in Pi-hole.

I've uploaded debug logs to tricorder.pi-hole.net for developers here

PS: If looking at the logs please note that my smartphone detected DNS drop-outs at:

3:24 pm (localtime, AEDT)
1:57 pm (same timezone)
9:46 am (same timezone)

but yesterday it happened more often.

I can see no evidence of problems in the pihole.log or FTL.log at those times.

Pi-hole doesn't drop DNS, specifically not for only a subset of clients.
If it were inoperative at times, no DNS requests would be answered at all.

About the only way that Pi-hole could be involved in this would be if one of your blocklists would deny access to a domain that a wifi device uses to determine online connectivity.

To verify, you should inspect Pi-hole's Query Log at the times of observed connectivity losses, specifically looking for requests from your wifi client:

  • Do they register at all? If not, your issue would be with wifi connectivity, or wifi clients using alternative DNS servers.
  • Which of your wifi client queries would be blocked? Try allowing those that are related to connectivity checks.

Thank you for responding!

The two smartphones which I've noticed this problem on both use an external DNS provider (in this case NextDNS, because they need to "roam" and I don't want to set up a VPN or run my Pi-hole on the internet!). So all these devices ever query the Pi-Hole is literally three domains!

  • <string>.dns.nextdns.io
  • connectivitycheck.gstatic.com
  • www.google.com (because Android? I don't use that search engine)

That's it.

Yesterday, before I posted here, I explicitly added these domains as "Regex allow":

  • connectivitycheck.gstatic.com
  • *.dns\.nextdns\.io$ and it turns out that I had previously added (\.|^)nextdns\.io$ it seems! (Not sure which is best - I'll reconsider that later)

Despite this the problem has happened at least 6 times today (at least twice more in the past few hours).

In summary:

  • The two phones never lose WiFi signal, Android just decides that the network has no internet access as "Private DNS server cannot be accessed". I have 3 access points at home (complete overkill!) and have strong coverage everywhere inside the house, where this problem happens.
  • My firewall/router isn't blocking the traffic to the Private DNS server (NextDNS)
  • The required DNS domains are explicitly allowed by pi-hole
  • There's no record of denials for these two phones. Everything in the Recent Queries in the UI is Green for these devices.
  • There are no errors in pihole.log and none in FTL.log
  • I've never had this problem before running pi-hole version 6 even though everything else was the same (my firewall/router, access points, phones and NextDNS config)

Do you have any suggestions how I should troubleshoot this please?

So let me summarise your observations:
Two of your phones sometimes lose internet access, showing "Private DNS server cannot be accessed", they never lose wifi signal, and apart from the initial lookup for that private DNS server (nextDNS), they don't use Pi-hole for DNS at all, which registers all your phone's DNS queries as allowed/green, forwarding them to its only upstream, your router, for resolution.

This makes me wonder why you label your topic as Pi-hole dropping DNS when you are aware that your Query Log confirms the opposite: that your phone's DNS requests have been received, forwarded and replied by Pi-hole.

Other than checking the DNS reply that your router provides, I don't see how Pi-hole could be involved in this.

As I recall you mentioning that you block access to public DNS servers on your router, you should probably match your firewall rules allowing NextDNS against the aforementioned DNS replies, especially if those rules would operate on IP addresses.
DNS records can be expected to point to different IP addresses over time.

Thanks again, but this is most definitely a pi-hole problem. You've missed a little detail.
Also please remember that this problem started occurring immediately after the version 6 upgrade and hasn't stopped since.

All the devices we regularly use on our WiFi network lose internet access every few hours with an Android message (which is associated with Private DNS, but I believe means Android can't resolve DNS to find the Private DNS server). They don't actually disconnect from the WiFi, but incorrectly report that the WiFi can't offer an internet connection.

While they don't use Pi-hole for ongoing DNS, they do regularly look up the 3 domains I listed. I can't see a pattern to when they look up these domains, but it's at least a few times an hour. At one point when looking up these domains I believe that they do not receive a response and Android decides that the internet is down.

My WiFi network is not on the same network as my Pi-hole. It is routed to the Pi-hole and so I rely on the "Permit all origins" Interface Setting (which reverted itself back to "Respond only on interface" when both upgrading to version 6 originally and then when upgrading core to 6.0.4!).

It seems the way "permit all origins" and "conditional forwarding" are handled has changed. I wonder if the problem could be related to those.

This is all the indication I get on a current Android device

There's not much user-facing documentation for the Private DNS feature, but you can see the user-instructions here: Control airplane mode, private DNS & other network settings - Pixel Phone Help

I can easily prompt that error switching on Private DNS on my smartphone, with the related DNS requests showing up as blocked/red in Pi-hole's Query Log.

I can only repeat myself:

As you've observed all related queries as allowed/green, the only remaining DNS related cause might be the received reply:

My previous suggestions about where to look should help you investigate this further.

Sorry, I missed this the first time. Yes, I should check the DNS reply.
I'll find the pihole-FTL sqlite3 syntax again and see if we're getting consistent responses. (EDIT: I can't easily query my router. It's running unbound but isn't logging by default to save disk)

If this isn't caused by the Pi-hole upgrade, the timing is awfully coincidental.

@Bucking_Horn thank you again for your help!

Sorry, you may be right about it not being Pi-hole, although the timing of this problem has exactly matched when I updated to version 6!

I've now found evidence that my firewall/router has blocked some queries to the "Private DNS" server my Android devices use. I have correlated these to some of the times that the events occurred.

Recently NextDNS has been resolving to two additional IPs from my location. As it's a globally distributed service I have noticed them adding and removing points of presence on occasion.

I've previously observed some devices constantly trying to avoid my internal DNS server (pi-hole) so I carefully set up my firewall/router to block DNS (over TCP, UDP and TLS) from the web. (I also block HTTPS to common DNS services to prevent DoH).

Anyway, I've now carefully ensured that all IPs for NextDNS can be reached from the internal network hosting the WiFi.

I'll leave it a few days to see if the problem keeps occurring.

Thank you again!
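The check that both the second reply (match IP-based firewall rules against what the private-DNS hostname actually resolves to, since records change over time) and this final post point at, as an added example written for this page and not taken from the thread or the Pi-hole project; the hostname, resolver address, allowlist and sample answer are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread: report IPs that a resolver currently
# returns for the phones' private-DNS hostname but that the firewall's allowlist
# does not cover. A stale IP-based allow rule is what the thread ended up finding.
# The hostname, resolver address, allowlist and today's answer below are
# constructed placeholder data, not the poster's configuration.

# Live lookup: A records for hostname $1 via resolver $2 (needs network; not run here).
resolve_ips() {
  dig +short A "$1" "@$2" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Pure comparison: $1 = resolved IPs, $2 = allowed IPs, one per line; '#' comments
# are permitted in the allowlist. Prints resolved IPs the allowlist lacks, sorted.
missing_from_allowlist() {
  allowed=$(printf '%s\n' "$2" | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d')
  printf '%s\n' "$1" | sed '/^$/d' | sort -u | while read -r ip; do
    printf '%s\n' "$allowed" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

# Constructed sample: the allow rule was written when the service answered with two
# addresses (RFC 5737 documentation ranges stand in for real ones)...
ALLOWED='# firewall allow rule: private DNS (53 and DoT/853) from the WiFi subnet
203.0.113.10
203.0.113.11
'
# ...but today's answer carries two additional points of presence.
TODAYS_ANSWER='203.0.113.10
198.51.100.7
203.0.113.11
198.51.100.8'

# Returns the IPs from the sample answer that the sample allowlist is missing.
check_sample() {
  missing_from_allowlist "$TODAYS_ANSWER" "$ALLOWED"
}

if [ -n "$(check_sample)" ]; then
  echo "Allowlist is missing these private-DNS IPs:"
  check_sample
fi
# Real use (placeholder names): missing_from_allowlist "$(resolve_ips abcd12.dns.nextdns.io 192.0.2.53)" "$(cat /etc/firewall/nextdns-allow.txt)"
```

Run it from cron on the Pi-hole host so a newly added point of presence is flagged before the phones start reporting "Private DNS server cannot be accessed".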

That seems to nicely match my earlier recommendation from my second reply:

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.