PiHole blocks DNS queries for nslookup, but not wget (http-get)

I got literally nothing from that. Odd...

pi@raspberrypi:~ $ tcpdump -n -ttt -r /tmp/dns.pcap -vvv
reading from file /tmp/dns.pcap, link-type RAW (Raw IP)

...and that's the end of the output. I did make sure it was running the test while it was capturing, as well. I also tried just using Wireshark from a VM I have (which I have verified does capture traffic from the entire network) and I also see nothing.


I assume this means my computer is getting this DNS for itself then?

I have to admit that I'm not sure at all what this means. At first glance, this means your computer was not sending any packets over port 53, which seems wrong, because it should have recorded at least the queries being sent to the Pi-hole (even when they are never replied to).

Do you have multiple interfaces? Maybe tcpdump happened to record on the wrong one.

Oops, my bad. Yeah I was listening on the wrong interface. I actually don't know why the Wireshark GUI doesn't show anything, I'm not too great with using it. Here's the tcpdump from my pi.
dns.zip (2.7 KB)
I found this, seems a little odd:

149.112.112.112.53 > 10.0.0.80.33116: [udp sum ok] 18871 ServFail q: AAAA? cd511cea-624b-4c73-9fc0-9ab27eaeff7d.test.dnsleaktest.com. 0/0/0 (75)

But this was with your Pi-hole ON :upside_down_face:

And your Pi-hole did ask this server, so the response you saw didn't come out of nothing.

Can you repeat the recording with Pi-hole OFF?

And then also with Pi-hole OFF and on the computer we want to test?
The latter should, ideally, only contain requests (but no responses) and ideally they should only go out to your Pi-hole.

I'll have to leave now but will make sure to check back with you once I'm back.

Dammit! My bad lol, I'm getting tired. After this I'm not responding until later in the morning, it's getting late. I can put tcpdump on my desktop and test it from there if you'd like too. I appreciate the patience though!

Here's one with PiHole off.
dns.zip (2.2 KB)

Sorry, it got a lot later than I expected, yesterday. I wouldn't have had the appropriate time to respond to you, so I'm just doing this now.

Findings: There are only queries but NO responses in your new recording. This is a good thing because it means it's not your Pi-hole doing these/getting back the strange server requests.

So, yes, please

My apologies too, was a bit of a busy day. Here's a pcap file along with the associated DNS test.


dns.zip (1.2 KB)

That's somewhat fascinating. There is neither a request to this IP in your file nor is there any response (from anywhere!) in there. So the query comes in from something other than standard DNS. Maybe DNS-over-TLS or something in your local browser.

Could you try recording again, this time without any filter (so a capture-all recording)?

sudo tcpdump -w /tmp/dns.pcap

The file may grow quickly. If it gets too large, you may want to check with the IP shown in the browser (seems to vary?):

sudo tcpdump -n -ttt -r /tmp/dns.pcap -vvv src 1.2.3.4 or dst 1.2.3.4

(replace 1.2.3.4 with the IP address revealed during the DNS leak test)

As things are getting bizarre, there is no guarantee this will be successful...
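
The check this thread keeps doing by eye (a client capture should only show DNS going to the Pi-hole), as an added example that is not part of the original posts: it reads a classic pcap with link-type RAW, like the `/tmp/dns.pcap` above, and lists port 53 or 853 traffic sent anywhere else. The Pi-hole address, the client 10.0.0.23, the 192.0.2.53 endpoint and the sample capture are constructed assumptions; IPv6 and pcapng are not handled.

```python
import socket
import struct

PIHOLE = "10.0.0.80"  # assumption: the Pi-hole's address; adjust to your network
DNS_PORTS = {53: "DNS", 853: "DNS-over-TLS"}

def ipv4_packets(pcap: bytes):
    """Yield raw IP packets from a classic pcap file with link-type RAW (101)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 101:
        raise ValueError("expected link-type RAW (Raw IP)")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dns_bypassing(pcap: bytes, pihole: str = PIHOLE):
    """Return sorted (src, dst, service) for DNS traffic not sent to the Pi-hole."""
    hits = set()
    for pkt in ipv4_packets(pcap):
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] not in (6, 17):
            continue  # keep IPv4 TCP/UDP only
        ihl = (pkt[0] & 0x0F) * 4
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF or len(pkt) < ihl + 4:
            continue  # later fragment or truncated packet: no L4 header
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        dst = socket.inet_ntoa(pkt[16:20])
        if dport in DNS_PORTS and dst != pihole:
            hits.add((socket.inet_ntoa(pkt[12:16]), dst, DNS_PORTS[dport]))
    return sorted(hits)

def sample_pcap() -> bytes:
    """Constructed capture: three outgoing packets from a client at 10.0.0.23."""
    def record(proto, dst, dport):
        l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 16
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton("10.0.0.23"), socket.inet_aton(dst))
        return struct.pack("<IIII", 0, 0, len(ip + l4), len(ip + l4)) + ip + l4
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return (header + record(17, PIHOLE, 53)        # UDP query to the Pi-hole
            + record(17, "149.112.112.112", 53)    # UDP query to another resolver
            + record(6, "192.0.2.53", 853))        # TCP to a DoT port (constructed)

if __name__ == "__main__":
    for src, dst, service in dns_bypassing(sample_pcap()):
        print(f"{src} -> {dst} ({service}) bypasses the Pi-hole")
```

An empty result does not prove there is no bypass: a resolver reached over HTTPS on port 443 is indistinguishable from web traffic in this check.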

Just a thought:
Your devices wouldn't make use of additional DNS services as offered by anti-virus software, e.g. AVG Secure DNS or AVAST Real-Site?

Or perhaps you are running a VPN gateway on your network?


Wait a second here. Are you telling me that this is probably it?


Testing it now.

Wow.. wow. That seemed so random yet on the dot. That's exactly what the issue was, as far as I can tell. Now, effectively no internet when PiHole is off, and all ads blocked as expected when it's on. Thanks a lot to both of you guys, you've been really helpful. I won't close this topic for another day just to make sure everything is as expected.

Glad we found it. One of the reasons I'm not using antivirus. It is rarely good when others "know" what is good for you. Especially when it is a free product (they somehow have to make money). Pi-hole is a shining exception from this and everything is open-source.
