Pi-hole working with OpenVPN but not working without it

Make sure it's set up like this:

You probably installed Pi-hole with tun0 as your default interface.
By enabling it like this, you will allow Pi-hole to answer to queries originating from different interfaces.

Just make sure that port 53 is not exposed to the outside.

I've installed Pi-hole on eth0 as I did for OpenVPN. Anyway, I've chosen "Listen on all interfaces, permit all origins" and nothing changed. How can I be sure that port 53 isn't exposed by the routers? I've only opened the port for OpenVPN on my router.

On a client, what's the output of

nslookup flurry.com

and

nslookup flurry.com 192.168.1.72

nslookup flurry.com

Server: 127.0.0.1
Address: 127.0.0.1#53

Name: flurry.com
Address: 0.0.0.0

nslookup flurry.com 192.168.1.76

Server: 192.168.1.76
Address: 192.168.1.76#53

Name: flurry.com
Address: 0.0.0.0

Sorry, I've written my Pi-hole's IP wrong; now I've changed it in the first post and redone the operation.

This shows the request as blocked (and that's good). You ran this on the Pi-hole device.

This on the other hand ... doesn't seem to have worked. Is that the IP of the Pi-hole?

Can you run a pihole -d and upload the token?

I've edited the previous post

Both of those queries worked as expected (check the Pi-hole admin interface and you will see those queries blocked in the logs).

You seem to have run those on the Pi-hole device.

Can you run them on a device connected to the network?

Like a computer where you can run a command prompt/console?

Yes, I've used PuTTY for the previous test. Now I've used my PC.

nslookup flurry.com

Server: dsldevice.lan
Address: 192.168.1.254

Risposta da un server non autorevole:
Nome: flurry.com
Addresses: 74.6.136.153
98.136.103.26
212.82.100.153

nslookup flurry.com 192.168.1.76

Server: Orangepi
Address: 192.168.1.76

Nome: flurry.com
Addresses: ::
0.0.0.0

THIS is what's taking over your DNS requests.

You have a few options here.
Option 1. Manually specify 192.168.1.76 as your ONLY DNS on the clients.
Here's why:

Option 2. See if you can use the DNS setting in your 192.168.1.254 and specify the IP of Pi-hole as your DNS.
Option 3. Try to disable DHCP in 192.168.1.254 and enable it in 192.168.1.76 (Pi-hole) and let Pi-hole manage the DHCP settings (that way, everything that connects to the network will get the Pi-hole IP as its DNS).
Option 4. If 2 and 3 are not available, you will have to tweak the DHCP settings in your 192.168.1.254 and then use option 3 ... something like this:
https://discourse.pi-hole.net/t/swapped-to-new-router-please-help/18602/13?u=ramset


Thank you for your support. I finally found how to change the DNS on my main router (at least I guess), but I think it hasn't really changed (I had to set Cloudflare as DNS because using Pi-hole's IP was a mess), because if I test it with "nslookup flurry.com" this is the answer:

Server: dsldevice.lan
Address: 192.168.1.254

Risposta da un server non autorevole:
Nome: flurry.com
Addresses: 74.6.136.153
98.136.103.26
212.82.100.153

So nothing changed even if I changed the DNS. The error is there, and sadly the router that the ISP gave me is crap, but that's the way to fix the problem. Now I can set a static DNS on every device I have or buy a new router where I can finally set proper DNS servers. Thank you.

Post make/model of your router.
Someone might know.

The router given to me by my ISP is the "Technicolor TG1100"

Was about to say you did post router make/model:

Try to find the settings page below and enter the Pi-hole IP in the "Primary DNS" field.
Leave the "Secondary DNS" field empty or, if that is not accepted, enter the Pi-hole IP here as well or enter 0.0.0.0.
You need to renew the clients' DHCP leases afterwards by disconnecting them from the network and reconnecting ... or rebooting them.

And test with the command below on a client:

nslookup flurry.com

I've followed that guide to change the DNS; I've inserted Cloudflare's DNS but the result is always the same. It's like they fool you into changing a DNS that will never really change (I'm talking about my ISP router). Speaking about the TP-Link router, it's easier to change the DNS; I did it before opening this thread but it wasn't working. All the troubles come from the ISP router.

If you have doubts about the settings being pushed by the router to the clients, try installing nmap on Pi-hole:

sudo apt install nmap

And do a dhcp-discovery against the router that does DHCP for your clients with the command below:

sudo nmap -sU -p67 --script dhcp-discover <ROUTER_IP_ADDRESS>

Example with 10.0.0.2 doing DHCP for my network:

xbian@avr ~ $ sudo nmap -sU -p67 --script dhcp-discover 10.0.0.2

Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-21 06:31 CET
Nmap scan report for noads.dehakkelaar.nl (10.0.0.2)
Host is up (0.00066s latency).
PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 10.0.0.2
|   Subnet Mask: 255.255.255.0
|   Broadcast Address: 10.0.0.255
|   Domain Name Server: 10.0.0.2
|   Domain Name: dehakkelaar.nl
|   Hostname: avr
|_  Router: 10.0.0.1
MAC Address: B8:27:EB:EE:1B:BD (Raspberry Pi Foundation)

Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds
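To make the check above (and the "Primary DNS / Secondary DNS" advice earlier in the thread) verifiable offline, here is an added example that is not part of the original thread: a small parser for the option list of a DHCP reply, plus a check that the router advertises only the Pi-hole (192.168.1.76 is the thread's value; the sample DHCPACK is constructed here, not captured).

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie; the option list starts right after it at offset 240
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV option list of a raw BOOTP/DHCP packet and return the
    fields that matter here: message type (53), DNS servers (6), router (3)
    and server identifier (54)."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte: no length field, skip it
            i += 1
            continue
        if code == 255:          # end-of-options marker
            break
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            opts["message_type"] = MSG_TYPES.get(data[0], data[0])
        elif code == 6:          # option 6 may carry several 4-byte addresses
            opts["dns"] = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data), 4)]
        elif code == 3:
            opts["router"] = socket.inet_ntoa(data[:4])
        elif code == 54:
            opts["server_id"] = socket.inet_ntoa(data[:4])
    return opts


def dns_is_only_pihole(opts: dict, pihole_ip: str) -> bool:
    """True only when every advertised resolver is the Pi-hole; a second,
    different address lets clients bypass the filtering."""
    return opts.get("dns") is not None and set(opts["dns"]) == {pihole_ip}


def build_sample_reply(dns_ips, router, server_id) -> bytes:
    """Constructed DHCPACK for offline testing (BOOTREPLY, htype=1, hlen=6)."""
    header = b"\x02\x01\x06\x00" + b"\x00" * 232   # 236-byte fixed BOOTP header, rest zeroed
    dns = b"".join(socket.inet_aton(ip) for ip in dns_ips)
    options = (bytes([53, 1, 5]) + bytes([54, 4]) + socket.inet_aton(server_id)
               + bytes([3, 4]) + socket.inet_aton(router)
               + bytes([6, len(dns)]) + dns + b"\x00\xff")   # one pad byte, then end
    return header + MAGIC + options
```

Feed it the raw bytes of a real reply (e.g. from a packet capture) and compare the `dns` entry with what the router's web page claims to push.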

I have a question that could probably fix my problem. What if I change the gateway address during Pi-hole configuration and, instead of setting 192.168.1.254 (my ISP router), I set 192.168.1.1 (the router I have in my house)? Then I can enable DHCP on my router. But then how does the ISP router react with DHCP? I can't turn it off there because my mom and brother use that router for their home. Also, I tried yesterday to turn it off, using only Pi-hole as DHCP, but none of my devices worked; it looks like the ISP router has to have DHCP on, otherwise nothing works.

I have no idea what your network topology looks like ... but
both the Technicolor and TP-Link routers allow you to configure the DNS server(s) to be pushed via DHCP to the clients:

And you have to make sure, when you change any DHCP settings, that you reboot the client PC used for testing, or renew the DHCP lease another way, for these changes to become effective on the client.

I did a dhcp-discovery against both my routers and these are the results:

sudo nmap -sU -p67 --script dhcp-discover 192.168.1.254

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-07 00:53 CEST
Nmap scan report for 192.168.1.254
Host is up (0.0062s latency).
PORT   STATE         SERVICE
67/udp open|filtered dhcps
MAC Address: XX:XX:XX:XX:XX:XX (Technicolor)

Nmap done: 1 IP address (1 host up) scanned in 6.94 seconds

sudo nmap -sU -p67 --script dhcp-discover 192.168.1.1

Starting Nmap 7.40 ( https://nmap.org ) at 2019-04-07 00:54 CEST
Nmap scan report for 192.168.1.1
Host is up (0.00023s latency).
PORT   STATE  SERVICE
67/udp closed dhcps
MAC Address: XX:XX:XX:XX:XX:XX (Tp-link Technologies)

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

And this is the test with the DNS properly set:

nslookup flurry.com
Server:  dsldevice.lan
Address:  192.168.1.254

Risposta da un server non autorevole:
Nome:    flurry.com
Addresses:  98.136.103.26
          74.6.136.153
          212.82.100.153

So today I decided to set the DNS on the Technicolor router (ISP router). I had troubles because every time I changed the DNS, all the IPs given by that router were reset after it rebooted. So it was hard to set the right DNS with the same IP as Pi-hole, but in the end I had success. I also changed the DNS on my TP-Link router and the result is that Pi-hole doesn't work: or at least that's what this page tells me, but from the Pi-hole's web page I can see that it blocks queries. So as you can see from the tests above, it seems that there are still problems (for sure related to my ISP and its router, one of the worst routers ever), but from the Pi-hole's web page it seems that something works. While, if I change the DNS on my PC's Wi-Fi card, everything works, even the DNSSEC test. I still don't understand what's going on here :sweat_smile:
