PiHole DNS fails after upgrade to v6, cannot use PiHole as DNS server

For the previous version (Pi-hole [v5.18.3] FTL [v5.25.2] Web Interface [v5.21]) of PiHole I had this setup:

IP of Linux server 192.168.1.102
On this Linux, I had installed docker container with PiHole
Next on main router I had setup PiHole as DNS server (192.168.1.102)
I was able to reach the website of pihole configuration
After connection of any device to my local network, I obtained IP from DHCP from main router and DNS was set to my linux server with pihole (192.168.1.102)

After update to latest version of PiHole Docker Tag [2025.02.4] Core [v6.0.3] FTL [v6.0.2] Web interface [v6.0.1]

I am able to connect to the PiHole website (192.168.1.102:8081) from any device, but once I set the DNS on my devices, for instance on my laptop, to 192.168.1.102, pages cannot be resolved.

Expected Behaviour:

On the laptop I should be able to set up IP address of PiHole as DNS server.
I should be able to reach google.com

Actual Behaviour:

I am able to connect to the PiHole website (192.168.1.102:8081) from any device, but once I set the DNS on my devices, for instance on my laptop, to 192.168.1.102, pages cannot be resolved.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

moderator edit: explicit debug log removed

https://tricorder.pi-hole.net/hU2kbi6k/

(For your own privacy and security, please do not post your full, unsanitised debug log. We just ask for the token. I've uploaded the log for you.)

Your Pi-hole is configured to listen on ports 80/HTTP and 443/HTTPS:

  [webserver]
     port = "80o,443os,[::]:80o,[::]:443os"

As you are running Pi-hole in a Docker container, exposed and published ports may differ.

Assuming they are identical, what's the output of:

curl -sSLI  http://pi.hole:80/admin

Also, please share your docker compose or docker run script.

I executed:

curl -sSLI  http://<local-IP-address>:8081/admin

Output:

HTTP/1.1 308 Permanent Redirect
Location: /admin/
Cache-Control: max-age=3600
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Content-Length: 0
Date: Tue, 25 Feb 2025 15:27:02 GMT
Connection: close

HTTP/1.1 302 Found
Location: /admin/login

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private, max-age=0
Expires: 0
Pragma: no-cache
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
Date: Tue, 25 Feb 2025 15:27:02 GMT
Connection: close

docker-compose.yml

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      # DNS Ports
      - "53:53/tcp"
      - "53:53/udp"
      # Uncomment the below if using Pi-hole as your DHCP Server
      #- "67:67/udp"
      # Default HTTP Port
      - "8081:80/tcp"
      # Default HTTPs Port. FTL will generate a self-signed certificate
      - "44343:443/tcp"
    environment:
      # Set the appropriate timezone for your location (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones),
      TZ: 'Europe/Warsaw'
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      FTLCONF_webserver_api_password: '<password>'

    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - '/opt/pihole/etc-pihole:/etc/pihole'
      # Uncomment the below if you have custom dnsmasq config files that you want to persist. Not needed for most starting fresh with Pi-hole v6. If you're upgrading from v5 and have used this directory before, you should keep it enabled for the first v6 container start to allow for a complete migration. It can be removed afterwards. Needs environment variable FTLCONF_misc_etc_dnsmasq_d: 'true'
      #- '/opt/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped

As curl demonstrates that Pi-hole's web pages are accessible via its IP address, and as accessing via IP does not involve DNS at all, that would indicate that you should be able to always access Pi-hole's web pages, regardless of DNS servers used.

Are you positive that you cannot open Pi-hole's web page from a machine once you change that machine's DNS server to your Pi-hole machine's IP?

I can visit the pi hole website but I can't use the internet. I can't visit google.com for example when my pi hole server is set as the DNS server.

curl was executed from server where pi hole is installed

What happens when you use nslookup or dig in the following two ways :

  • Just execute the command and read the results.
  • Specify your Pi-Hole Server explicitly by mentioning the IP Address 192.168.1.102 inline ?!

And did you check if your Forward DNS Servers are setup correctly ??

when I set up DNS to 192.168.1.102 (pihole) on my laptop and execute command
nslookup google.com

as a result I received DNS request timed out

Quote:
And did you check if your Forward DNS Servers are setup correctly ??

When should I check this?

Inside Pi-hole diagnosis I see
DNSMASQ_WARN
Warning in dnsmasq core:

ignoring query from non-local network 192.168.1.22 (logged only once)

I updated Pi hole to the latest version.
In new documentation I see that variable

      # If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'
      FTLCONF_dns_listeningMode: 'all'

should be added.

I added this variable to docker compose and all is working

BUT

I see after adding above variable new config is

Without above parameters, setting was "Allow only local requests"

Depending on your chosen Docker network mode, Docker may isolate your Pi-hole container into its own network.

Please use Settings | DNS to switch Pi-hole's Interface settings to Respond only on interface....

Afterwards, please share the results of (assuming Docker is running on 192.168.1.102):

nslookup pi.hole 192.168.1.102
nslookup flurry.com 192.168.1.102
nslookup discourse.pi-hole.net 192.168.1.102

Command:

nslookup pi.hole 192.168.1.102

Output:

Server:  UnKnown
Address:  192.168.1.102

Name:    pi.hole
Address:  172.18.0.3

Command:

nslookup flurry.com 192.168.1.102

Output:

Server:  UnKnown
Address:  192.168.1.102

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    flurry.com
Addresses:  ::
          0.0.0.0

Command:

nslookup discourse.pi-hole.net 192.168.1.102

Output:

Server:  UnKnown
Address:  192.168.1.102

Non-authoritative answer:
Name:    www.net.com.pl
Address:  188.128.255.251
Aliases:  discourse.pi-hole.net.com.pl

Those results demonstrate that Pi-hole is generally accessible via 192.168.1.102.
It was used as DNS server for those lookups, has correctly blocked flurry.com, and has succeeded in resolving a public domain.

But your nslookups always show the DNS server as Server: UnKnown, where pi.hole would have been expected.
Together with the timeouts, that would indicate that something is interfering with DNS resolution, either on your network or on the client that ran the nslookups.

You wouldn't run any local firewall or antivirus package on that Windows client, e.g. AVG Secure DNS or AVAST Real-Site?

What do those nslookups return when run from another PC or laptop in your network?

I ran the same command on the other laptop where I have installed ESET Endpoint Security, but before I executed nslookup I disabled ESET fully.

Result was the same Server: UnKnown

It seems that for Permit all origins and for Respond only on interface, Pi Hole as DNS server is working fine but when I set Allow only local requests it is not working

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
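
Why "Allow only local requests" dropped the LAN client while the other modes answered, as an added example (not part of the thread and not Pi-hole's own code): dnsmasq's local-service check accepts a query only when its source address lies on a subnet of one of the server's own interfaces, and inside a bridge-network container that subnet is the 172.18.x network, not the LAN. The /16 and /24 prefix lengths, the host-network comparison and the mode label 'local' are assumptions made for the illustration.

```python
import ipaddress
import re

# Warning text as quoted in the thread (Pi-hole diagnosis, DNSMASQ_WARN).
WARNING = "ignoring query from non-local network 192.168.1.22 (logged only once)"
# 172.18.0.3 is the address pi.hole resolved to in the thread.
# Assumption: the compose bridge network uses a /16 prefix.
BRIDGE_IFACES = [ipaddress.ip_interface("172.18.0.3/16")]
# Assumption: with network_mode "host", FTL would see the host's LAN as a /24.
HOST_IFACES = [ipaddress.ip_interface("192.168.1.102/24")]

WARN_RE = re.compile(r"ignoring query from non-local network (\S+)")


def rejected_client(line):
    """Return the client address named in a non-local warning, or None."""
    m = WARN_RE.search(line)
    return m.group(1) if m else None


def is_local(client, interfaces):
    """local-service rule: source must be on a subnet of a server interface."""
    addr = ipaddress.ip_address(client)
    return any(addr in iface.network for iface in interfaces)


def accepts(mode, client, interfaces):
    """Source check per mode: 'local' = "Allow only local requests",
    'all' = "Permit all origins" (FTLCONF_dns_listeningMode: 'all')."""
    if mode == "local":
        return is_local(client, interfaces)
    if mode == "all":
        return True  # no source filtering at all
    raise ValueError(f"mode not modelled here: {mode}")


def diagnose(line, interfaces):
    """Explain a warning line against the interfaces the server can see."""
    client = rejected_client(line)
    if client is None:
        return "no non-local warning in this line"
    nets = ", ".join(str(i.network) for i in interfaces)
    if is_local(client, interfaces):
        return f"{client} is inside {nets}: 'local' mode would answer"
    return f"{client} is outside {nets}: 'local' mode drops the query"


if __name__ == "__main__":
    print(diagnose(WARNING, BRIDGE_IFACES))  # what the bridged container sees
    print(diagnose(WARNING, HOST_IFACES))    # what a host-network FTL would see
```

Because 'all' removes the source check entirely, port 53 on the Docker host should stay unreachable from outside the LAN when that mode is used.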