Pihole doesn't receive queries from devices on local network

Expected Behaviour:

Pihole should receive queries from devices on my local network. I configured my router (TP-Link AX1800 Wi-Fi 6 Router) to use Pihole as Primary DNS Server in the DHCP section. I assigned it a static IP (192.162.1.160).

Actual Behaviour:

I can pull up the GUI and see that there are some queries it receives, but only from clients localhost and pi.hole. I am on Windows 10, and when I run nslookup www.google.com it shows it's trying to use the pihole 192.168.1.160 but just times out.

Debug Token:

https://tricorder.pi-hole.net/jyOuTzHp/

I looked through some of the related topics on here but nothing has worked so far.

Your debug log shows your router's DHCP server handing out 8.8.8.8 in addition to your Pi-hole host machine's 192.162.1.160:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 300 bytes from enxb827eb38198e:192.168.1.1
     Offered IP address: 192.168.1.160
     DHCP options:
      Message type: DHCPOFFER (2)
      dns-server: 192.168.1.160
      dns-server: 8.8.8.8
      router: 192.168.1.1
      --- end of options ---

This will allow clients to bypass your Pi-hole via 8.8.8.8.

You'd have to remove 8.8.8.8 from your router settings and renew your client DHCP leases.

I removed 8.8.8.8 as secondary dns server from the setting on my router, and rebooted the router and pi. Unfortunately, the issue as described initially persists. When I run pihole -d again, I now get this:

   * Received 300 bytes from enxb827eb38198e:192.168.1.1
     Offered IP address: 192.168.1.160
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: Infinite
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      dns-server: 192.168.1.160
      dns-server: 192.168.1.1
      router: 192.168.1.1
      --- end of options ---

Somehow, it has my router as dns-server now at 192.168.1.1. Is this the issue?

Pi-hole has to be the sole DNS server for your clients.

Try filling all accessible DNS server slots in your router's DHCP configuration with your Pi-hole host's IP.

OK, I filled all DNS slots (primary and secondary) with 192.160.1.160. Now, it does not resolve any queries.

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds

   * Received 300 bytes from enxb827eb38198e:192.168.1.1
     Offered IP address: 192.168.1.160
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: Infinite
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      dns-server: 192.168.1.160
      dns-server: 192.168.1.160
      router: 192.168.1.1
      --- end of options ---

new debug token: https://tricorder.pi-hole.net/xwjzHAwa/

For some reason, the pi does not actually get any queries. It's definitely reachable on the local network since I can ssh into it. I also tried setting DNS server on my computer to 192.168.1.160, but no luck.

Above output looks good except for the "lease-time: Infinite" part.
That was most certainly not the default setting on your router, or was it?

Does the command below reply when run on a client (Windows/MacOS/Linux) in a CMD/terminal prompt (not via SSH to the Pi-hole host)?

nslookup pi.hole 192.168.1.160

If not, there could be several reasons:

Check your router settings for below:

Or any other settings on the router that can interfere with DNS.

If there are any firewalls active on the Pi-hole host or in your network, they should allow below ports (not for the WAN port on your router!):

Some antivirus software can interfere with DNS on the client.
I believe AVG is one of them.
Do you have another device to test, a phone/pad etc?
Make sure that the client renews its DHCP lease by disconnecting it from and reconnecting it to the network!
If you browse to below URL on phone or pad, it should show you the Pi-hole webGUI:

http://pi.hole

And you should see queries on the dashboard/logs etc.
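The two checks the replies above make on the "Discovering active DHCP servers" block of pihole -d (no DNS server other than the Pi-hole host, and no infinite lease) can be automated. This is an added example, not Pi-hole's own code; it parses a constructed excerpt in the format shown in the thread and reports both findings:

```python
import re
from typing import Dict, List

# Constructed excerpt of the DHCPOFFER block that pihole -d prints,
# combining the values seen in the thread's first and second debug logs.
DHCP_BLOCK = """\
   * Received 300 bytes from enxb827eb38198e:192.168.1.1
     Offered IP address: 192.168.1.160
     DHCP options:
      Message type: DHCPOFFER (2)
      dns-server: 192.168.1.160
      dns-server: 8.8.8.8
      lease-time: Infinite
      router: 192.168.1.1
      --- end of options ---
"""

# One "name: value" option line (hyphenated names such as dns-server, lease-time).
OPTION = re.compile(r"^\s*([\w-]+):\s*(.+?)\s*$")

def parse_dhcp_options(block: str) -> Dict[str, List[str]]:
    """Map option name -> list of values for one DHCPOFFER; repeated options
    such as dns-server keep every value in the order offered."""
    opts: Dict[str, List[str]] = {}
    in_opts = False
    for line in block.splitlines():
        if line.strip() == "DHCP options:":
            in_opts = True
            continue
        if line.strip().startswith("--- end of options"):
            break
        m = OPTION.match(line) if in_opts else None
        if m:
            opts.setdefault(m.group(1), []).append(m.group(2))
    return opts

def audit_offer(block: str, pihole_ip: str) -> List[str]:
    """Findings a Pi-hole admin cares about: any advertised DNS server other than
    the Pi-hole host lets clients bypass filtering, and an infinite lease keeps
    stale DNS settings alive on clients indefinitely."""
    opts = parse_dhcp_options(block)
    findings: List[str] = []
    for ip in opts.get("dns-server", []):
        if ip != pihole_ip:
            findings.append(f"bypass: DHCP also advertises DNS server {ip}")
    if not opts.get("dns-server"):
        findings.append("no dns-server option offered at all")
    if "Infinite" in opts.get("lease-time", []):
        findings.append("lease-time is Infinite; set a finite lease (e.g. 24h)")
    return findings
```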

Your debug log shows that Pi-hole cannot receive DNS queries on port 53 on the configured interface.

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] the-bitcoineedom.financialmarketsworld.com is 0.0.0.0 on lo (127.0.0.1)
[✗] Failed to resolve the-bitcoineedom.financialmarketsworld.com on enxb827eb38198e (192.168.1.160)
[✓] No IPv4 address available on wlan0
[✓] the-bitcoineedom.financialmarketsworld.com is 0.0.0.0 on tun0 (10.8.0.1)
[✓] doubleclick.com is 142.251.40.46 via a remote, public DNS server (8.8.8.8)

Check your firewall settings. Any DNS redirections in a firewall? Something appears to be blocking port 53 traffic to the Pi.

lease-time: Infinite

As another user commented, don't do this.

I'm at a loss.

  1. nslookup pi.hole 192.168.1.160 just times out on Windows
  2. my router does not support DNS rebind protection, so that cannot be the issue
  3. The firewall settings on my router don't seem to have options to manipulate how port 53 traffic is handled.
     There is a bunch of stuff enabled in the "Security" section of the router that I don't know what it is:
     • SPI Firewall
     • PPTP Passthrough
     • L2TP Passthrough
     • IPSec Passthrough
     • FTP ALG
     • TFTP ALG
     • RTSP ALG
     • H323 ALG
     • SIP ALG
     Actually, I am confused about that part. As for the IPv4 resolution diagnosis, shouldn't it fail to resolve on the ethernet port (this is what 192.168.1.160 is associated with)? When I pull up the GUI I see the-bitcoineedom.financialmarketsworld.com being blocked for clients localhost and pi.hole.
  4. As for the infinite lease time, I don't know where that would be configured. On the router it's configured as 120min.

Not for the pi.hole domain, and also no timeouts.

Is it running bare metal, virtual or in Docker?
If you have a shell, what do the commands below output (checking local firewall rules)?

hostnamectl | grep Operating

sudo nft list ruleset

sudo iptables -nvL

I can't see into those debug logs you uploaded, only devs & mods can.

It's running bare metal.

hostnamectl | grep Operating returns Operating System: Raspbian GNU/Linux 10 (buster)

sudo nft list ruleset returns sudo: nft: command not found

sudo iptables -nvL returns

Chain INPUT (policy ACCEPT 6575 packets, 2146K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3921 packets, 947K bytes)
 pkts bytes target     prot opt in     out     source               destination

Can you ping the Pi-hole on that address from Windows?

What happens if you browse to http://192.168.1.160/admin in Windows, do you see the Pi-hole login page?

Do you have any anti-virus software, such as AVG, running on your Windows machine? Some of those have a feature where they route all DNS through their own servers. You can test for redirection with these commands, run from a command prompt on the Windows machine.

nslookup -class=chaos -type=txt version.bind 192.168.1.160

That should return something from your Pi-hole like "dnsmasq-pi-hole-v2.89-9461807"

nslookup -class=chaos -type=txt version.bind 198.41.0.4

That should return "ATLAS"

  • http://192.168.1.160/admin pulls up the GUI as expected
  • ssh pi@192.168.1.160 works
  • ping 192.168.1.160 works
  • firewall disabled, no antivirus running on Windows machine
  • pihole does not receive queries from any device on the network, e.g. phone
  • nslookup -class=chaos -type=txt version.bind 198.41.0.4 returns
in-addr.arpa    nameserver = e.in-addr-servers.arpa
in-addr.arpa    nameserver = f.in-addr-servers.arpa
in-addr.arpa    nameserver = d.in-addr-servers.arpa
in-addr.arpa    nameserver = c.in-addr-servers.arpa
in-addr.arpa    nameserver = b.in-addr-servers.arpa
in-addr.arpa    nameserver = a.in-addr-servers.arpa
e.in-addr-servers.arpa  internet address = 203.119.86.101
e.in-addr-servers.arpa  AAAA IPv6 address = 2001:dd8:6::101
f.in-addr-servers.arpa  internet address = 193.0.9.1
f.in-addr-servers.arpa  AAAA IPv6 address = 2001:67c:e0::1
d.in-addr-servers.arpa  internet address = 200.10.60.53
d.in-addr-servers.arpa  AAAA IPv6 address = 2001:13c7:7010::53
c.in-addr-servers.arpa  internet address = 196.216.169.10
c.in-addr-servers.arpa  AAAA IPv6 address = 2001:43f8:110::10
b.in-addr-servers.arpa  internet address = 199.253.183.183
b.in-addr-servers.arpa  AAAA IPv6 address = 2001:500:87::87
a.in-addr-servers.arpa  internet address = 199.180.182.53
a.in-addr-servers.arpa  AAAA IPv6 address = 2620:37:e000::53
Server:  UnKnown
Address:  198.41.0.4

version.bind    text =

        "ATLAS"

Thanks for running those. They show that Pi-hole is reachable by IP and that nothing is messing with the lookups. I just noticed from an earlier post and your last debug log that the lookups on the Pi-hole itself are not working, as mentioned by jfb. It appears that something on the Pi-hole itself is preventing lookups from taking place on the configured interface.

Is Pi OS itself running a firewall of any kind, e.g. iptables, nftables or a specific application?

Can you first fix the router DHCP so the lease time is no longer infinite, but set to, eg 24 hours. That will help stale info to expire.

Then reboot the Pi-hole and then run the commands below. What are the outputs? They are testing lookups using its own interfaces. Curious to see what they do after the reboot.

nslookup flurry.com 127.0.0.1
nslookup flurry.com 192.168.1.160

It appears no firewall rules are active.

From above debug output, it seems blocking on the enxb827eb38198e IP is failing but not on the tun0 IP (belonging most likely to OpenVPN).
I suspect a rogue config file might be bugging your setup.
What do the two commands below output?

grep DNSMASQ_LISTENING= /etc/pihole/setupVars.conf

sudo rgrep -v '^ *#\|^$' /etc/dnsmasq.*

Can you first fix the router DHCP so the lease time is no longer infinite, but set to, eg 24 hours. That will help stale info to expire.

Strangely, the configuration in my router is such that lease time is set to 120 minutes. I went through all options on the router and there is no other place where this can be configured.

nslookup flurry.com 127.0.0.1 returns

Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   flurry.com
Address: 0.0.0.0
Name:   flurry.com
Address: ::

(and I see in the GUI that it's blocking this request for client localhost)

nslookup flurry.com 192.168.1.160 returns ;; connection timed out; no servers could be reached
(and nothing shows up in the GUI)

From above debug output, it seems blocking on the enxb827eb38198e IP is failing but not on the tun0 IP (belonging most likely to OpenVPN).

But isn't that domain supposed to be blocked on that interface?

grep DNSMASQ_LISTENING= /etc/pihole/setupVars.conf returns DNSMASQ_LISTENING=all

sudo rgrep -v '^ *#\|^$' /etc/dnsmasq.*

returns

/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/custom.list
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:server=208.67.222.222
/etc/dnsmasq.d/01-pihole.conf:server=208.67.220.220
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:expand-hosts
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting
/etc/dnsmasq.d/06-rfc6761.conf:server=/test/
/etc/dnsmasq.d/06-rfc6761.conf:server=/localhost/
/etc/dnsmasq.d/06-rfc6761.conf:server=/invalid/
/etc/dnsmasq.d/06-rfc6761.conf:server=/bind/
/etc/dnsmasq.d/06-rfc6761.conf:server=/onion/
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0

Above is the rogue config file that doesn't belong to Pi-hole.

Change the listening behaviour for the pihole-FTL daemon from "all" to "single" with the command below:

pihole -a -i single

If you run the command below again, you'll see the interface= directive now shows up twice, once for each interface:
(EDIT: It's a sort of hack, but it means you don't have to delete that rogue config file.)

sudo rgrep -v '^ *#\|^$' /etc/dnsmasq.*

FYI (local is the default):

$ pihole -a -i -h
Usage: pihole -a -i [interface]
Example: 'pihole -a -i local'
Specify dnsmasq's network interface listening behavior

Interfaces:
  local               Only respond to queries from devices that
                      are at most one hop away (local devices)
  single              Respond only on interface eth0
  bind                Bind only on interface eth0
  all                 Listen on all interfaces, permit all origins
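Why the debug log showed blocking working on lo and tun0 but failing on enxb827eb38198e follows from how dnsmasq treats interface= directives: once any file names an interface, only the named ones (plus loopback) are served. The following added example (not Pi-hole's or dnsmasq's own code) models that rule over a constructed copy of the config tree shown above; its with_single_mode helper is an assumed model of what pihole -a -i single writes to 01-pihole.conf.

```python
import re
from typing import Dict, Set, Tuple

# Constructed model of the thread's config tree, reduced to the lines that
# decide which interfaces dnsmasq serves: Pi-hole's "all" mode writes
# except-interface=nonexisting, and the OpenVPN drop-in adds interface=tun0.
ROGUE_TREE = {
    "/etc/dnsmasq.d/01-pihole.conf": "no-resolv\nlog-queries\nexcept-interface=nonexisting\n",
    "/etc/dnsmasq.d/02-ovpn.conf": "interface=tun0\n",
}
# Interfaces the debug log shows on the Pi (constructed list).
HOST_IFACES = {"lo", "enxb827eb38198e", "wlan0", "tun0"}

DIRECTIVE = re.compile(r"^\s*(interface|except-interface)\s*=\s*(\S+)\s*$")

def parse_interface_directives(tree: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Collect interface= and except-interface= values across every config file."""
    wanted: Set[str] = set()
    excluded: Set[str] = set()
    for text in tree.values():
        for line in text.splitlines():
            m = DIRECTIVE.match(line.split("#", 1)[0])  # '#' starts a dnsmasq comment
            if m:
                (wanted if m.group(1) == "interface" else excluded).add(m.group(2))
    return wanted, excluded

def listening_interfaces(tree: Dict[str, str], host_ifaces: Set[str] = HOST_IFACES) -> Set[str]:
    """Interfaces dnsmasq answers on, per the dnsmasq man page: with no
    interface= directive anywhere it serves all interfaces except the excluded
    ones; as soon as one file names an interface, it serves only the named ones
    (loopback is added automatically), again minus the excluded ones."""
    wanted, excluded = parse_interface_directives(tree)
    served = (wanted | {"lo"}) & host_ifaces if wanted else set(host_ifaces)
    return served - excluded

def with_single_mode(tree: Dict[str, str], lan_iface: str) -> Dict[str, str]:
    """Assumed model of 'pihole -a -i single': the except-interface line in
    01-pihole.conf is replaced by interface=<LAN interface>, so that file and
    the OpenVPN drop-in together name both interfaces."""
    fixed = dict(tree)
    path = "/etc/dnsmasq.d/01-pihole.conf"
    fixed[path] = tree[path].replace("except-interface=nonexisting\n", "") + f"interface={lan_iface}\n"
    return fixed

if __name__ == "__main__":
    print("before:", sorted(listening_interfaces(ROGUE_TREE)))
    print("after: ", sorted(listening_interfaces(with_single_mode(ROGUE_TREE, "enxb827eb38198e"))))
```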

This: pihole -a -i single
fixed my issue!

Thank you guys so much for your help and patience. I would have never figured that out by myself.

