Pi-hole working with OpenVPN but not working without it

Hello everyone. I bought an Orange Pi One Plus board and installed Debian stretch on it. Then I installed Pi-hole, then OpenVPN and finally DNSCrypt. Everything works fine except for the fact that Pi-hole blocks ads only when I'm connected through OpenVPN with my Android phone (it also passes the DNSSEC test). When I use my PC (Windows 10), Pi-hole doesn't do its job. I've noticed, though, that using the Pi-hole IP (192.168.1.76) as the DNS on my WiFi card works perfectly. So I think there could be a problem with my router, a TP-Link TD-W8980. Of course I've entered the Pi-hole IP in it as the only DNS to use. I've also enabled DHCP on Pi-hole (on the router it's turned off), but it still doesn't work unless I change the DNS on all my devices, which I want to avoid. How can I fix this problem? Thank you

what listening behavior is selected in the settings>DNS Tab of the Web UI ?


I've selected "Listen on all interfaces", I thought it was the one to choose for OpenVPN

Yes, the top one of the three options is correct.

It seems your devices are not getting the correct DNS server from your DHCP, regardless of whether you are using the built-in one or your router's.

Do you have an antivirus or anything like that with a "smart DNS" feature or similar built in?

I don't think it could be an antivirus problem, since Pi-hole doesn't work on my phone either without the VPN. The only thing I can think of is this: the principal router (192.168.1.254), the one I get internet from, is at my mom's house. I receive the signal with wireless antennas and then it arrives at my router (192.168.1.1). The problem is that I can't turn off DNS on the principal router because there is no such option. Now I don't know if that could be the problem, but I think the two routers are independent of each other. So I think I have to consider only my router as the cause of the problem.

My setup is similar, although wired. The ISP modem/router combo is left as is, with my router in the DMZ.

If your ISP is redirecting port 53, that may be why you're seeing this.

Make sure it's set-up like this:


You probably installed Pi-hole with tun0 as your default interface.
By enabling it like this, you will allow Pi-hole to answer to queries originating from different interfaces.

Just make sure that port 53 is not exposed to the outside.

I installed Pi-hole on eth0, as I did for OpenVPN. Anyway, I've chosen "Listen on all interfaces, permit all origins" and nothing changed. How can I be sure that port 53 isn't exposed by the routers? I've only opened the port for OpenVPN on my router.

On a client, what's the output of

nslookup flurry.com

and

nslookup flurry.com 192.168.1.72

nslookup flurry.com

Server: 127.0.0.1
Address: 127.0.0.1#53

Name: flurry.com
Address: 0.0.0.0

nslookup flurry.com 192.168.1.76

Server: 192.168.1.76
Address: 192.168.1.76#53

Name: flurry.com
Address: 0.0.0.0

Sorry, I wrote my Pi-hole's IP wrong; I've now changed it in the first post and redone the operation.

This shows the request as blocked (and that's good). You ran this on the Pi-hole device.

This, on the other hand, doesn't seem to have worked. Is that the IP of the Pi-hole?

Can you run a pihole -d and upload the token ?

I've edited the previous post

Both of those queries worked as expected (check the Pi-hole admin interface and you will see those queries blocked in the logs).

You seem to have run those on the Pi-hole device.

Can you run them on a device connected to the network?

Like a computer where you can open a command prompt/console?

Yes, I used PuTTY for the previous test. Now I've used my PC.

nslookup flurry.com

Server: dsldevice.lan
Address: 192.168.1.254

Non-authoritative answer:
Name: flurry.com
Addresses: 74.6.136.153
98.136.103.26
212.82.100.153

nslookup flurry.com 192.168.1.76

Server: Orangepi
Address: 192.168.1.76

Name: flurry.com
Addresses: ::
0.0.0.0

THIS is what's taking over your DNS requests.

You have a few options here.
Option 1. Manually specify 192.168.1.76 as your ONLY DNS on the clients.
Here's why:

Option 2. See if you can use the DNS setting in your 192.168.1.254 and specify the IP of Pi-hole as your DNS.
Option 3. Try to disable DHCP in 192.168.1.254 and enable it in 192.168.1.76 (Pi-hole) and let Pi-hole manage the DHCP settings (that way, everything that connects to the network will get the Pi-hole IP as its DNS).
Option 4. If 2 and 3 are not available, you will have to tweak the DHCP settings in your 192.168.1.254 and then use option 3 ... something like this:
https://discourse.pi-hole.net/t/swapped-to-new-router-please-help/18602/13?u=ramset

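The two-lookup comparison used above (one query through the client's default resolver, one sent straight to the Pi-hole IP) can be turned into a small checker. This is an added example, not code from the thread or from the Pi-hole project. It assumes the Pi-hole address 192.168.1.76 used in this thread and parses the nslookup output format shown in the posts above, including the Italian-localized "Nome:" label printed by the Windows client; the "forwarding router" transcript at the end is constructed, the other three are the ones posted in the thread.

```python
"""Classify a client's DNS path from two nslookup transcripts.

On the client run `nslookup <blocked-name>` (default resolver) and
`nslookup <blocked-name> <pihole-ip>` (straight to Pi-hole), then feed both
outputs to classify().
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

PIHOLE_IP = "192.168.1.76"        # Pi-hole address used in this thread (assumption)
SINKHOLE = {"0.0.0.0", "::"}      # what Pi-hole answers for a blocked name

# "Label: value" lines. Localized labels are mapped below; unknown ones such as
# "Non-authoritative answer:" (or its Italian form) are ignored.
LABEL_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")
NAME_LABELS = {"name", "nome"}            # English / Italian Windows nslookup
ANSWER_LABELS = {"address", "addresses"}


@dataclass
class LookupResult:
    server: Optional[str] = None       # resolver name as nslookup prints it
    server_addr: Optional[str] = None  # resolver IP, "#53" suffix stripped
    name: Optional[str] = None         # queried name
    addresses: List[str] = field(default_factory=list)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_nslookup(text: str) -> LookupResult:
    """Parse the nslookup output format shown in the thread (Windows and Linux)."""
    res = LookupResult()
    in_answer = False  # becomes True once the "Name:" line has been seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        label = m.group(1).lower() if m else None
        value = m.group(2).strip() if m else ""
        if label == "server" and res.server is None:
            res.server = value
        elif label == "address" and not in_answer and res.server_addr is None:
            res.server_addr = value.split("#", 1)[0]
        elif label in NAME_LABELS:
            res.name = value
            in_answer = True
        elif label in ANSWER_LABELS and in_answer and value:
            res.addresses.append(value)
        elif in_answer and _is_ip(line):
            res.addresses.append(line)  # continuation line of a multi-address answer
    return res


def classify(default_lookup: str, direct_lookup: str, pihole_ip: str = PIHOLE_IP) -> str:
    """Compare the default-resolver lookup with the lookup sent straight to Pi-hole."""
    default = parse_nslookup(default_lookup)
    direct = parse_nslookup(direct_lookup)
    if not direct.addresses or not set(direct.addresses) <= SINKHOLE:
        return "pihole-not-blocking"      # name not on a blocklist, or Pi-hole not answering
    if (default.server_addr and _is_ip(default.server_addr)
            and ipaddress.ip_address(default.server_addr).is_loopback):
        return "ran-on-pihole-itself"     # the thread's first transcript: run over PuTTY on the Pi
    if default.addresses and set(default.addresses) <= SINKHOLE:
        if default.server_addr == pihole_ip:
            return "client-uses-pihole"
        return "forwarded-through-pihole"  # another resolver relays to Pi-hole; still blocked
    return "client-bypasses-pihole"       # another resolver answered with real addresses


# Transcripts as posted in this thread (Windows client with Italian locale, and the Pi itself)
PC_DEFAULT = """\
Server: dsldevice.lan
Address: 192.168.1.254

Risposta da un server non autorevole:
Nome: flurry.com
Addresses: 74.6.136.153
98.136.103.26
212.82.100.153
"""
PC_DIRECT = """\
Server: Orangepi
Address: 192.168.1.76

Nome: flurry.com
Addresses: ::
0.0.0.0
"""
PI_LOCAL = """\
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: flurry.com
Address: 0.0.0.0
"""
# Constructed sample: a router that forwards to Pi-hole instead of resolving on its own
ROUTER_FORWARDS = """\
Server: tplink.lan
Address: 192.168.1.1

Name: flurry.com
Address: 0.0.0.0
"""

if __name__ == "__main__":
    for who, default in (("PC", PC_DEFAULT), ("Pi over PuTTY", PI_LOCAL),
                         ("forwarding router", ROUTER_FORWARDS)):
        print(f"{who}: {classify(default, PC_DIRECT)}")
```

For the PC transcripts posted above the verdict is "client-bypasses-pihole": the default resolver is 192.168.1.254 and it hands back real addresses, which is exactly the takeover ramset points at. The "forwarded-through-pihole" case is worth telling apart from a real fix: ads are blocked, but Pi-hole's query log will show the router, not the individual clients, as the source of every query.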

Thank you for your support. I finally found out how to change the DNS on my principal router (at least I think so), but I don't believe it has really changed (I had to set Cloudflare as the DNS, because using Pi-hole's IP was a mess), because if I test it with "nslookup flurry.com" this is the answer:

Server: dsldevice.lan
Address: 192.168.1.254

Non-authoritative answer:
Name: flurry.com
Addresses: 74.6.136.153
98.136.103.26
212.82.100.153

So nothing changed, even though I changed the DNS. The error is there, but sadly the router the ISP gave me is crap, and that's the way to fix the problem. Now I can set a static DNS on every device I have or buy a new router where I can finally set proper DNS servers. Thank you

Post make/model of your router.
Someone might know.

The router given to me by my ISP is the "Technicolor TG1100"

Was about to say ... you did post the router make/model:

Try to find the settings page below and enter the Pi-hole IP in the "Primary DNS" field.
Leave the "Secondary DNS" field empty, or if that is not accepted, enter the Pi-hole IP there as well or enter 0.0.0.0.
You need to renew the clients' DHCP leases afterwards by disconnecting them from the network and reconnecting ... or by rebooting them.

And test with the one below on a client:

nslookup flurry.com

I followed that guide to change the DNS and entered Cloudflare's DNS, but the result is always the same. It's like they fool you into changing a DNS that never really changes (I'm talking about my ISP router). As for the TP-Link router, it's easier to change the DNS there; I did it before opening this thread, but it wasn't working. All the trouble comes from the ISP router.