Pi-hole with AT&T router

I am new to the Pi World but thought building an ad blocker would be a good learning tool.
I had no trouble getting my Raspberry Pi working, Raspbian, and Pi-hole installed. And after it was running, I pointed a client dns to the pi-hole and it worked beautifully.

My main trouble was with the AT&T router. It does not allow changing the DNS or disabling DHCP. I found a response to what I thought was a similar problem on this site and changed the DHCP to assign one address only on my LAN, and then turned on the pi-hole's DHCP. That seems to be working as new IPs are being assigned to network devices.

Trouble is that now very few ads are being blocked. The pi-hole log shows that it is doing something, blocking and allowing various queries, but the ads are getting through in abundance where before I started messing with the lan settings there was a nice readable webpage just about free of popups and popovers.

I would be happy to configure each of the devices on my network individually except that Android 9 will not allow a change in dns unless it is the new secure dns. And I really would like to have all my networked devices using pi-hole if that is at all possible with the AT&T Pace router.

Debug reported a problem trying to send you the script. I'm hopeful that you can tell me what to do next.

Too new to know,
Bob

This will temporarily reset the nameserver on the Pi to bypass Pi-Hole DNS.

sudo nano /etc/resolv.conf

Edit nameserver 127.0.0.1 to nameserver 9.9.9.9 (or your preferred third-party DNS service), then save and exit.

Run pihole -d and upload the debug log

I changed the nameserver to 9.9.9.9 and still the debug log would not send.

Evidently, something is wrong! I am over my knowledge level with this.

Bob

Message me the log and I'll take a look.

I cannot get the file to you. Your site will not accept a *.log file upload (has to be a txt file) and I get an error message when I try to change the name. Any suggestions?
Bob

Moderator removed debug and made it private

Finally figured it out.
Bob

Your debug log is completely normal. This is the DNS traffic in the past 24 hours - Pi-Hole is blocking domains you have told it to block.

   [2020-01-16 15:57:25.712 5733] Imported 7439 queries from the long-term database
   [2020-01-16 15:57:25.713 5733]  -> Total DNS queries: 7439
   [2020-01-16 15:57:25.713 5733]  -> Cached DNS queries: 424
   [2020-01-16 15:57:25.714 5733]  -> Forwarded DNS queries: 2998
   [2020-01-16 15:57:25.714 5733]  -> Exactly blocked DNS queries: 4017
   [2020-01-16 15:57:25.714 5733]  -> Unknown DNS queries: 0
   [2020-01-16 15:57:25.714 5733]  -> Unique domains: 1116
   [2020-01-16 15:57:25.715 5733]  -> Unique clients: 5
   [2020-01-16 15:57:25.715 5733]  -> Known forward destinations: 2

Since you are still seeing ads, there are several possibilities.

  1. Some of the DNS traffic is not going to Pi-Hole, but is going elsewhere. Since the router is still performing a DHCP function, it may also be providing a non-Pi-Hole DNS path.

From a client that you believe should be connected to the Pi-Hole for DNS, from the command prompt or terminal on that client (and not via ssh or Putty to the Pi), what is the output of

nslookup pi.hole

If a PC, also include the output of ipconfig /all

  2. Some ads cannot be easily blocked by a domain blocker such as Pi-Hole. Typically these are YouTube and other services that serve ads from the same domain as the content. Can you provide an example URL where you are seeing ads?

These tools can also help determine where ads are coming from:

test.txt (4.0 KB)
Here is the output of the two commands from my desktop which I had manually set to go to pi-hole for dns service. This is also the machine where pi-hole was working well before I tried to make the lan changes. And now the ads stream in on this one.
Bob

On this forum, you can paste the output directly as text into a reply.

This is not the correct answer, since neither of those addresses is the IP of your Pi-Hole (192.168.1.86). This answer did not come from Pi-Hole. Here is what it should look like: the server is the IP of the Pi-Hole, the DNS address that answered it is port 53 on the Pi-Hole, the answer is pi.hole, and the address is the IP of the Pi-Hole.

nslookup pi.hole
Server: 192.168.0.155
Address: 192.168.0.155#53
Name: pi.hole
Address: 192.168.0.155

From your ipconfig/all output, the computer shows two active network interfaces, ethernet and WLAN.

The WLAN interface has IP address 169.254.127.119, and DNS server 192.168.1.254 (your gateway).

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : attlocal.net
   Description . . . . . . . . . . . : Qualcomm QCA9565 802.11b/g/n Wireless Adapter
   Physical Address. . . . . . . . . : FC-01-7C-3C-99-83
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::bc8e:25aa:11a0:7f77%5(Preferred) 
   Autoconfiguration IPv4 Address. . : 169.254.127.119(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 100401532
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-7B-CF-EE-8C-EC-4B-72-1A-C2
   DNS Servers . . . . . . . . . . . : 192.168.1.254

The ethernet interface has a different IP address and different DNS servers. One of them is Pi-Hole, but others are not and that is where some of the DNS traffic is going (bypassing Pi-Hole).

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 8C-EC-4B-72-1A-C2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2600:1700:4be0:3360::510(Preferred) 
   Lease Obtained. . . . . . . . . . : Thursday, January 16, 2020 3:24:33 PM
   Lease Expires . . . . . . . . . . : Saturday, February 15, 2020 3:24:33 PM
   IPv6 Address. . . . . . . . . . . : 2600:1700:4be0:3360:cce7:8996:3773:3f00(Preferred) 
   Temporary IPv6 Address. . . . . . : 2600:1700:4be0:3360:1db9:8d94:eb45:e9a1(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::cce7:8996:3773:3f00%16(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.173(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, January 17, 2020 7:33:12 AM
   Lease Expires . . . . . . . . . . : Saturday, January 18, 2020 7:33:10 AM
   Default Gateway . . . . . . . . . : fe80::fa18:97ff:feb7:c55d%16
                                       192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.86
   DHCPv6 IAID . . . . . . . . . . . : 76344395
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-7B-CF-EE-8C-EC-4B-72-1A-C2
   DNS Servers . . . . . . . . . . . : 2600:1700:4be0:3360::1
                                       192.168.1.86
                                       68.94.156.9
                                       2600:1700:4be0:3360::1

The other IPv4 DNS server is from sbcglobal - AT&T

dig -x 68.94.156.9

;9.156.94.68.in-addr.arpa. IN PTR

;; ANSWER SECTION:

9.156.94.68.in-addr.arpa. 7200 IN PTR dns156r9.sbcglobal.net.

I would do this to resolve.

  1. Choose one network interface for the PC and disable the other.

  2. Disable IPv6 on the router and PC.

  3. Renew the DHCP lease on the PC and check that the only DNS server listed is Pi-Hole.

Wooohooo!
from ipconfig:
Lease Expires . . . . . . . . . . : Saturday, January 18, 2020 9:27:14 AM
Default Gateway . . . . . . . . . : fe80::fa18:97ff:feb7:c55d%16
192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.86
DHCPv6 IAID . . . . . . . . . . . : 76344395
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-7B-CF-EE-8C-EC-4B-72-1A-C2
DNS Servers . . . . . . . . . . . : 2600:1700:4be0:3360::1
192.168.1.86
68.94.156.9

The secondary dns is the old AT&T (as backup in case the rpi fails)
The only fly in the ointment today:
C:\Users\Bob>nslookup pi.hole
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 2600:1700:4be0:3360::1

But pi-hole is working! Ads are blocked!
And it seems to be working all over the network. A laptop on my lan produced the correct response for nslookup pi.hole and ads blocked.

Is there anything further I need to do?
Bob

With AT&T, you cannot change the dns or disable the DHCP.
So the key for getting pi-hole working on AT&T with a Pace router is after installing pi-hole:

  1. Change the router's DHCP to narrow it down to one address. (I used the static address of the raspberry pi, but I'm not sure it makes a difference what address you use other than your gateway.)
  2. Disable IPv6 on the router.
  3. Follow the instructions for using pi-hole's DHCP.

Thank you so much for your help! This was way over my level of understanding and I could not have done it without you.
Bob


This will not give you the result you expect. There is no reliable concept of a "backup" DNS, and if a client has more than one DNS available, it can use either or both. Providing a second DNS that is not a Pi-Hole will result in some of your DNS traffic bypassing Pi-Hole.

As a backup, some users install a second instance of Pi-Hole and run that in parallel with the existing instance, and then set the DNS to both of them. Either can handle all the traffic if the other fails.

If you have a UPS, power the Pi from that to prevent crashes on power loss.
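
Added example, not part of the original posts: the check described in the replies above (every DNS server listed on an adapter should be the Pi-hole, and a non-Pi-hole "backup" entry is a bypass path), run over a constructed excerpt abridged from the `ipconfig /all` output quoted in this thread. The function names and the `PIHOLE` set are assumptions made for the illustration.

```python
import ipaddress

PIHOLE = {"192.168.1.86"}  # Pi-hole IPv4 address given in the thread (assumed the only resolver)

# Constructed sample, abridged from the ipconfig /all output quoted in the thread
SAMPLE = """\
Wireless LAN adapter Wi-Fi:
   DNS Servers . . . . . . . . . . . : 192.168.1.254
Ethernet adapter Ethernet:
   DHCP Server . . . . . . . . . . . : 192.168.1.86
   DNS Servers . . . . . . . . . . . : 2600:1700:4be0:3360::1
                                       192.168.1.86
                                       68.94.156.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_by_adapter(text):
    """Map adapter name -> list of DNS server addresses from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line: section/adapter header
            current = line.rstrip(":").strip()
            adapters[current] = []
            in_dns = False
        elif ". :" in line:                  # labelled field (dot leader before the colon)
            label, value = line.split(". :", 1)
            in_dns = label.strip(" .") == "DNS Servers"
            if in_dns and value.strip() and current:
                adapters[current].append(value.strip())
        elif in_dns and current:             # continuation line: another DNS server
            adapters[current].append(line.strip())
    return adapters

def bypass_paths(text, pihole=PIHOLE):
    """Return {adapter: [servers that are not the Pi-hole]} for adapters with a leak."""
    allowed = {ipaddress.ip_address(a) for a in pihole}
    leaks = {}
    for name, servers in dns_servers_by_adapter(text).items():
        # split("%") drops an IPv6 zone id such as %16 before comparing
        bad = [s for s in servers if ipaddress.ip_address(s.split("%")[0]) not in allowed]
        if bad:
            leaks[name] = bad
    return leaks

if __name__ == "__main__":
    print(bypass_paths(SAMPLE))
```

An empty result means every adapter lists only the Pi-hole as its DNS server, which is the state the replies above ask for after renewing the DHCP lease.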

Thank you very much! Everything cleared up when I restored automatic setting of the dns from DHCP.

Now pi-hole is handling all of the duties for all of the network and I am actually enjoying reading web pages again!

Bob
