Pihole DHCP assigning IP address, but device is not using DNS server

Hello,

I'm trying to get my Pihole working with DHCP and DNS inside a Kubernetes cluster. My router doesn't have a setting for specifying a DNS server, so I've always relied on this setup. I've had success running it in a Docker container, so I know it's possible.

In my current setup, the DHCP server is accepting DHCP requests and sending back DHCP offers for IPs. I can even see the IP leases in the PiHole server, so I believe it's working. The problem is that any device that gets this IP isn't talking to the PiHole DNS server. In the admin dashboard, I don't see any queries to the Pihole instance.

I tried to run nslookup pi.hole on my local machine that was given an IP by the Pihole DHCP server, but I don't get any results due to a timeout. However, if I query the Pihole DNS server directly using dig @192.168.1.201 pi.hole, then I get the correct address for the server, 192.168.1.201.

Setup:

  • Pihole in Kubernetes Cluster
  • Pihole container is privileged, on hostNetwork, and has NET_ADMIN capabilities
  • Pihole DHCP server is enabled
  • Pihole DHCP server and DNS server are both running on 192.168.1.201
  • 192.168.1.201 is a virtual IP that's provided by the cluster load balancer.
  • No other DHCP servers on the network (disabled on router)
  • I have one file mounted which is /etc/dnsmasq.d/01-dhcp-options.conf. It contains the static IP address for the Pi-hole DNS server: dhcp-option=option:dns-server,192.168.1.201.
  • Pihole is fully stateless. No persistent storage mounted.

Assumptions:

  • DHCP is working: All my devices are getting their IP from the Pihole instance. I can see the leases in the Pihole admin dashboard.
  • DNS is working: Can query the DNS server directly for domain name resolution, e.g. dig @192.168.1.201 pi.hole

Expected Behavior

When a device is given an IP from the Pihole DHCP server, it should use the Pihole DNS server for domain name resolution. The side effect of this is that ads are blocked on the machine and nslookup pi.hole queries the PiHole DNS server to resolve the domain.

Actual Behavior

When a device is given an IP from the Pihole DHCP, it doesn't use the Pihole's DNS server. I'm not really sure how to further debug this or what the issue could be.

At first, I thought adding the /etc/dnsmasq.d/01-dhcp-options.conf config with dhcp-option=option:dns-server,192.168.1.201 would work, but I'm still running into the same issue.

A moonshot thought was maybe it could be an issue with IPv6 since I don't really know how any of that works. I don't know if my devices are even using IPv6 but they are all Apple devices.

I do see some queries in the Pihole dashboard, however, they are all for debug.opendns.com. Haven't seen queries for any of the websites that I've been visiting on my machine.

Debug Token:

https://tricorder.pi-hole.net/7pykXFGu/

Your debug log shows Pi-hole is using 192.168.1.164:

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
    192.168.1.164/24

192.168.1.164 was the physical node that the instance was running on at the time. Since the Pihole instance is running on the host network, it's also exposed under the node's IP. Note that this IP is not static because Kubernetes can spin up an ephemeral Pihole instance on any cluster node, which can be either 192.168.1.155 or 192.168.1.164 (2-node cluster). I plan to add more nodes soon, so the physical node IP is not a reliable address.

This is why I have a cluster load balancer that sits in front of all services: it also provides a static IP of 192.168.1.201 that load balances across all the PiHole instances. This is why DNS queries are resolvable using both dig @192.168.1.201 s.youtube.com and also dig @192.168.1.164 s.youtube.com; however, the latter only works when the Pihole instance is deployed on that specific node.

Ideally, I wouldn't need to run the Pihole container on the host network, so that clients would be forced to use the static IP; however, this seems to be a requirement for getting the DHCP service to work. In the future, I might consider splitting DNS and DHCP traffic so that only DHCP traffic uses the host networking. This will ensure that DNS traffic isn't publicly exposed on the physical nodes.

To summarize, this specific Pihole instance has IP 192.168.1.164, but can also be accessed via the static IP 192.168.1.201, which is a load balancer that forwards the request to an arbitrary Pihole. I have confirmed several times that DNS queries work through the static IP. Since each Pihole instance doesn't know that there's a load balancer sitting in front of it, I have tried updating various configs to ensure that the DNS server IP in the DHCP offer response is the static IP 192.168.1.201. Maybe this is what's not working? I'm not super familiar with networking, so I don't know how to debug this issue. How do I tell what DNS server my devices are using? Is it possible to check what DNS server is returned in the DHCP response? Is there any additional configuration I could have missed that might be causing this issue?

For example:

  • set FTLCONF_LOCAL_IPV4 to 192.168.1.201
  • create 01-dhcp-options.conf with dhcp-option=option:dns-server,10.0.0.201
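As an added example (not code from the original thread or from the Pi-hole project), the following Python script answers the two questions asked above: it extracts the DNS server(s) carried in a raw DHCPv4 OFFER/ACK payload (option 6, domain-name-server) and the RDNSS servers carried in an IPv6 Router Advertisement (option type 25), which is the path by which a dual-stack client can ignore the DHCPv4 DNS setting entirely. The packets it parses are constructed inline for illustration, with the 192.168.1.201 Pi-hole address and 192.168.1.164 node address from this thread and an assumed router-advertised resolver fd00::1; in practice you would feed it the UDP payload and RA option bytes sliced from a capture such as `tcpdump -i eth0 -w dhcp.pcap 'port 67 or port 68 or icmp6'`.

```python
import ipaddress
import struct

# DHCPv4 constants (RFC 2131 / RFC 2132)
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVER, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# ICMPv6 Router Advertisement option type for RDNSS (RFC 8106)
RA_OPT_RDNSS = 25


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_bytes} from a raw DHCPv4 payload (the UDP body)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCPv4 payload (bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: split options concatenate
        i += 2 + length
    return opts


def dhcp_summary(payload: bytes) -> dict:
    """Pull out the fields a client actually acts on: its lease, the server, and option 6."""
    opts = parse_dhcp_options(payload)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    dns_raw = opts.get(OPT_DNS_SERVER, b"")
    dns = [str(ipaddress.IPv4Address(dns_raw[j:j + 4]))
           for j in range(0, len(dns_raw) - len(dns_raw) % 4, 4)]
    server_id = opts.get(OPT_SERVER_ID)
    return {
        "type": msg_type,
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "server_id": str(ipaddress.IPv4Address(server_id)) if server_id and len(server_id) == 4 else None,
        "dns": dns,
    }


def parse_rdnss(ra_options: bytes) -> list:
    """Walk the RA option block (bytes after the 16-byte RA header) and collect RDNSS addresses."""
    servers, i = [], 0
    while i + 2 <= len(ra_options):
        otype, olen = ra_options[i], ra_options[i + 1]  # olen is in units of 8 bytes
        if olen == 0:
            raise ValueError("zero-length RA option")
        body = ra_options[i + 2:i + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated RA option")
        if otype == RA_OPT_RDNSS:
            addrs = body[6:]  # skip 2 reserved bytes + 4-byte lifetime
            for j in range(0, len(addrs) - len(addrs) % 16, 16):
                servers.append(str(ipaddress.IPv6Address(addrs[j:j + 16])))
        i += olen * 8
    return servers


def resolvers_bypassing(pihole_addrs, dhcp_dns, rdnss) -> list:
    """Every advertised resolver, v4 or v6, that is not one of Pi-hole's addresses."""
    wanted = {ipaddress.ip_address(a) for a in pihole_addrs}
    return [a for a in dhcp_dns + rdnss if ipaddress.ip_address(a) not in wanted]


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER (not a real capture): lease 192.168.1.50 from node 192.168.1.164."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, ipaddress.IPv4Address("192.168.1.50").packed,
                         b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address("192.168.1.164").packed
               + bytes([OPT_DNS_SERVER, 4]) + ipaddress.IPv4Address("192.168.1.201").packed
               + bytes([51, 4]) + struct.pack("!I", 86400)   # lease time, 1 day
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def build_sample_ra_options() -> bytes:
    """Constructed RA options: a source link-layer address option, then RDNSS = fd00::1 (assumed router)."""
    sllao = bytes([1, 1]) + bytes.fromhex("02aabbccddee")
    rdnss = (bytes([RA_OPT_RDNSS, 3]) + b"\0\0" + struct.pack("!I", 1800)
             + ipaddress.IPv6Address("fd00::1").packed)
    return sllao + rdnss


if __name__ == "__main__":
    offer = dhcp_summary(build_sample_offer())
    v6 = parse_rdnss(build_sample_ra_options())
    print("DHCPv4:", offer)
    print("RA RDNSS:", v6)
    print("resolvers not pointing at Pi-hole:", resolvers_bypassing(["192.168.1.201"], offer["dns"], v6))
```

Run against the constructed packets, the DHCPv4 side looks healthy (option 6 is 192.168.1.201 even though the server identifier is the node's own 192.168.1.164), while the RA side shows an IPv6 resolver that is not Pi-hole at all; a client that prefers its IPv6 resolver then never sends a query to 192.168.1.201, which matches the symptom of an empty query log. A `dhcp-option=option6:dns-server,[...]` line in the dnsmasq config covers DHCPv6 clients but not RA RDNSS, which comes from the router.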

Solved the issue. It was indeed IPv6. Devices were bypassing Pihole by IPv6 routing. After disabling IPv6 in my router, everything works as expected.
