Pihole only accepts DNS queries coming from localhost (127.0.0.1) everything else is not accepted

zakhooi · September 4, 2024, 7:25am

Please follow the below template, it will help us to help you!

If you are Experiencing issues with a Pi-hole install that has non-standard elements (e.g you are using `nginx` instead of `lighttpd`, or there is some other aspect of your install that is customised) - please use the Community Help category.

Expected Behaviour:

Pihole should listen to all interfaces when in de admin page is configured accordingly but is only listening on localhost 127.0.0.1
OS: Raspbian 32bit
Core: v5.18.3
Web: v5.21
FTL: v5.25.2

Actual Behaviour:

eventhough netstat output states that DNS service is running in all interfaces (0.0.0.0:53) pihole is only responding to queries coming from localhost.
There is no iptables preventing this as no packets are denied when there is a connection attempt on pihole interface on port 53, so that's not the problem.
The only workaround it to add the interfaces to /etc/dnsmasq.d/01-pihole.conf like:
interface=eth0
interface=wlan0
If those lines are missing pihole is only accepting DNS requests on 127.0.0.1 port 53.
The problem was not there inititally but was introduced after cloudflared was installed an properly uninstalled again. Then this issue started.

Debug Token:

https://tricorder.pi-hole.net/co1FdgpV/

Bucking_Horn · September 4, 2024, 7:59am

Your debug log shows you have applied a custom dnsmasq configuration file that explicitly restricts your Pi-hole to a specific interface:

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 52 Aug 29 08:39 /etc/dnsmasq.d/02-pivpn.conf
   addn-hosts=/etc/pivpn/hosts.wireguard
   interface=wg0

Removing interface=wg0 will return Pi-hole to consider all interfaces.

zakhooi · September 4, 2024, 8:43am

O wow, I'm surprised I missed that, maybe because it's in the pivpn configuration. Thank you for your quick help.

zakhooi · September 19, 2024, 5:01pm

On the second thought, this change will break pivpn.
Because of removing that line pivpn is now only working for reaching my local network not the internet.
So the change fixed pihole but broke pivpn.

The question is:
How to make pihole listen on all interfaces and make pivpn (which runs on the same host) use pihole to reach both local network as well as internet.

Bucking_Horn · September 19, 2024, 5:33pm

How so?

PiVPN is a CLI frontend for configuring a VPN, Wireguard in your case.

pihole-FTL/dnsmasq has no part in that Wireguard configuration.

PiVPN only creates that custom configuration to allow Pi-hole to assign names to Wireguard peer IP addresses.
It incorrectly assumes that it has to add wg0 as an interface.
But with Pi-hole's default Allow only local requests listening, all interfaces of the machine running Pi-hole are covered already.

Again, note that configuration only affects how pihole-FTL/dnsmasq receives DNS requests.

It does not change anything about a client's Wireguard configuration.

I'll add to this that I run PiVPN alongside Pi-hole in the same configuration myself (i.e. with the wg0 interface removed), without any issues.

EDIT:

Furthermore, the resulting config when removing `wg0` from `02-pivpn.conf`, combined with Pi-hole's default *Allow only local requests* listening, is exactly what PiVPN's setup script is configuring when it detects Pi-hole during PiVPN installation: (click for details)"

pivpn/auto_install/install.sh at 4e4d608b35255680eb1545bfb5555c5b74411b31 · pivpn/pivpn · GitHub

The significant lines are:
-- linking wireguard peer names via a custom config:

echo "addn-hosts=/etc/pivpn/hosts.${VPN}"

Note the absence of any interface directive.

Instead, the PiVPN installation takes care of that by
-- configuring Pi-hole to Allow only local requests

 ${SUDO} pihole -a -i local

This could suggest that @zakhooi's 02-pivpn.conf was created by an older version of PiVPN.
Removing wg0 as recommended will bring the configuration back in line with the current PiVPN installer.

deHakkelaar · September 19, 2024, 8:00pm

Below a solution that can coexist with that PiVPN directive:

zakhooi · September 19, 2024, 8:32pm

That's not a solution either since it requires pihole to listen on a single interface. I'd like to have pihole listen on all interfaces and still be able to use pivpn

deHakkelaar · September 19, 2024, 8:41pm

Then you have to remove all interface= directives and run: pihole -a -i all

EDIT:

$ man dnsmasq
[..]
       -i, --interface=<interface name>
              Listen only on the specified interface(s). Dnsmasq au-
              tomatically adds the loopback (local) interface to the
              list  of interfaces to use when the --interface option
              is used. If no --interface or --listen-address options
              are  given dnsmasq listens on all available interfaces
              except any given  in  --except-interface  options.  On
              Linux, when --bind-interfaces or --bind-dynamic are in
              effect, IP alias interface labels  (eg  "eth1:0")  are
              checked,  rather than interface names. In the degener-
              ate case when  an  interface  has  one  address,  this
              amounts  to  the  same thing but when an interface has
              multiple addresses it allows  control  over  which  of
              those  addresses  are  accepted.   The  same effect is
              achievable in default mode by using  --listen-address.
              A  simple  wildcard, consisting of a trailing '*', can
              be used in --interface and --except-interface options.

Bucking_Horn · September 19, 2024, 8:53pm

That's what you get when you strip wg0 from that custom file.

If Wireguard clients are not working, then it's likely that your Wireguard configurations are causing your troubles.

Which brings us back to my question:

system · October 10, 2024, 8:53pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.