PiHole and DoH (cloudflared) not working?

I installed cloudflared on Pi-hole. With either the manual or the automatic installation, https://1.1.1.1/help shows that DoH is not active, although testing after installation (with "dig") shows that everything is fine.
I've already tried (in the manual installation) Toby's Solution, but no change.
The Pi-hole dashboard shows an increasing number of https requests. So via CLI and dashboard it looks like DoH is already working. But 1.1.1.1 is still showing "No".
Any ideas on how to solve this?

Thanks in advance!

Expected Behaviour:

1.1.1.1/help should show DoH status as "Yes".

Actual Behaviour:

1.1.1.1/help

    dig @127.0.0.1 -p 5053 google.com

    ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> @127.0.0.1 -p 5053 google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47494
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;google.com.			IN	A

    ;; ANSWER SECTION:
    google.com.		218	IN	A	209.85.200.138
    google.com.		218	IN	A	209.85.200.100
    google.com.		218	IN	A	209.85.200.102
    google.com.		218	IN	A	209.85.200.101
    google.com.		218	IN	A	209.85.200.113
    google.com.		218	IN	A	209.85.200.139

    ;; Query time: 18 msec
    ;; SERVER: 127.0.0.1#5053(127.0.0.1)
    ;; WHEN: So Feb 14 10:25:44 CET 2021
    ;; MSG SIZE  rcvd: 195

Debug Token:

Debug Token

According to the debug log, there seems to be an issue with networking:

    *** [ DIAGNOSING ]: Networking
    [✗] No IPv4 address(es) found on the eth0 interface.

    [✗] No IPv6 address(es) found on the eth0 interface.

    [i] Default IPv4 gateway: 10.11.12.1
       * Pinging 10.11.12.1...
    [✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)

Other than that, your Pi-hole configuration seems correct, as only 127.0.0.1#5053 is configured as upstream server.

Which client did you use to run the test? If this wasn't on the Pi-hole itself, you may need to check if the client uses the Pi-hole exclusively. Only in this case can the test succeed.

Thanks for the response.

All done directly from the Pihole CLI:
Well, there is no "eth0" listed if I do an ip address show. There is only an adapter named "enxb827ebc729ca". This one has the IP address assigned. Is there any difference between the adapter name shown via CLI or Pihole Webfrontend? How do I change the IP of eth0?
If I do an ip -4 route show default | awk '{print $3}', I get 10.11.12.1 (which is my default router). From there it is pingable.

I did the test from my MacBook (connected via LAN only; WiFi turned off; only DNS was the Pihole IP) and from my iPhone (connected via WiFi; again only DNS was the Pihole).

@DanSchaper a bug in the debugger?

I'm out of ideas here because I have no experience with Apple devices. When

  1. they are properly configured to use only the Pi-hole, and
  2. the Pi-hole is configured to use only Cloudflare, and
  3. the Cloudflare test works,

you should get the expected report. I expect the error to be in no. 1 because we checked no. 2 and I don't think no. 3 is something we should worry about (we couldn't do anything about it in the end).

Maybe there is some chance the queries can circumvent your Pi-hole through special in-browser DNS handling or whatnot.

This website does not return correct results depending on the DNSSEC setting in Pi-hole. Toggle your DNSSEC setting to false and see if this changes the response from the test site.

The debugger really doesn't work for Docker installs.

Edit: Sorry, thought this was a Docker issue.

We use the interface listed in setupVars.conf for the connectivity test and this setup was configured to use eth0.

    PIHOLE_INTERFACE=eth0
    IPV4_ADDRESS=10.11.12.197/24

Thanks. I should have read the output in more detail. It said

    [✗] No IPv4 address(es) found on the eth0 interface.

which is accurate when there is no eth0...
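
The check discussed in the replies above, as an added example that is not part of the original thread and not Pi-hole's own code: it reads PIHOLE_INTERFACE from setupVars.conf and compares it with the interfaces actually present on the host. The default path /etc/pihole/setupVars.conf, the /sys/class/net lookup and the function names are assumptions; the demo data is constructed from the values quoted in the thread.

```sh
#!/usr/bin/env bash
# Added example, not Pi-hole's own code: flag a PIHOLE_INTERFACE value that
# names an interface the host does not have (the eth0 case in this thread).

# Print PIHOLE_INTERFACE from a setupVars.conf-style file; last entry wins.
configured_iface() {
    sed -n 's/^PIHOLE_INTERFACE=//p' "$1" 2>/dev/null | tail -n 1 | tr -d '"\r'
}

# List interface names, one per line. $1: sysfs net dir (assumed default).
list_ifaces() {
    ls -1 "${1:-/sys/class/net}" 2>/dev/null
}

# check_iface [CONF] [NETDIR]: returns 0 match, 1 mismatch, 2 not set.
check_iface() {
    local conf netdir want
    conf=${1:-/etc/pihole/setupVars.conf}   # assumed default location
    netdir=${2:-/sys/class/net}
    want=$(configured_iface "$conf")
    if [ -z "$want" ]; then
        echo "UNSET: no PIHOLE_INTERFACE in $conf"
        return 2
    fi
    if list_ifaces "$netdir" | grep -qxF -- "$want"; then
        echo "OK: $want exists"
        return 0
    fi
    echo "MISMATCH: $want not present; found: $(list_ifaces "$netdir" | paste -sd' ' -)"
    return 1
}

# Constructed demo using the values quoted in the thread, in a scratch dir.
demo() {
    local tmp rc
    tmp=$(mktemp -d) || return 3
    mkdir -p "$tmp/net/lo" "$tmp/net/enxb827ebc729ca"
    printf 'PIHOLE_INTERFACE=eth0\nIPV4_ADDRESS=10.11.12.197/24\n' \
        > "$tmp/setupVars.conf"
    rc=0
    check_iface "$tmp/setupVars.conf" "$tmp/net" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || true   # on a Pi-hole host, call check_iface with no arguments instead
```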

Ok. That did the trick... with DNSSEC unchecked it says DoH is activated. 👍

Thanks to all for your help!

I had a similar issue. I had cloudflared querying OpenDNS DoH for some weeks, then it just stopped working. OpenDNS DoH test works, pihole forwarding to OpenDNS works, but digging cloudflared failed. I had changed nothing when it stopped.

I just gave up and installed DNSCrypt. I set it up for using cisco (OpenDNS DNSCrypt) and cisco-doh. Now it's all working, DNSCrypt log reports digs that I do to it directly and that I do to pihole. I couldn't find any evidence of leaks.