PiHole Using Rogue DNS

Expected Behaviour:

I have PiHole configured to use only OpenDNS servers and have their filtering turned on to filter out some nasties for the kids. This appears to be working very well.

Today I have gone a step further, not that I think I need to just yet, and have put in place firewall rules to block all port 53 access to anything except those OpenDNS IP addresses. I have also included a logging function so I can see who (if anyone) is attempting to get around the DNS filters.

Actual Behaviour:

So PiHole is coming up in the logs constantly attempting to access Google's DNS servers (8.8.8.8 and 8.8.4.4) despite these not being selected.
Snip from syslogs:
SRC=XX.XX.XX.XX DST=8.8.8.8 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=52773 DF PROTO=UDP SPT=45621 DPT=53 LEN=51

It's worth saying that everything appears to be working as it should on my devices, it's just very odd that I'm seeing all these blocked access requests from PiHole.

Debug Token:

The debug failed to upload, I have the sanitised file sitting here if needed.

I've been testing something and it appears that PiHole must have hard-coded DNS for Google's servers built into its own code somewhere.

If I attempt to run "PiHole -up" I get this:


Each time I hit one of those errors there is a massive wait as the request times out again and again.

Now, if I go and add an exception to my firewall to allow PiHole to talk to any DNS server it likes then everything works instantly without any errors:


So why is PiHole ignoring its own DNS server settings? Or is there a setting somewhere I have missed?

The only hard-coded DNS I am aware of for Google servers is in the debug script, where Pi-hole verifies that it can resolve a single DNS query through the Google DNS server 8.8.8.8.

[✓] doubleclick.com is 172.217.9.46 via a remote, public DNS server (8.8.8.8)

I absolutely have a firewall rule to block anything other than OpenDNS. As I said, when the PiHole has to abide by that rule the updates don't work and, due to time-outs, take a while to work that out (outputs shown in the screenshots above).

When I add PiHole to the exception list then everything works just fine. Even the diagnostics go through much faster with the exception turned on. Also, with the exception on, the debug works fine and uploads without issue:

Debug Token:

https://tricorder.pi-hole.net/2xqqlxqjlw!

Definitely seems to be something a little strange going on here.


What is the contents of /etc/resolv.conf on the Pi-hole device?

Of interest, there are at least 19,700 lines shown in your whitelist file in the debug log, including a significant number of duplicates. This is unusual. There are so many whitelist entries that the debug log was not uploaded completely - the line limit was exceeded during the whitelist output.

What is the output of the following command from the Pi-Hole host terminal:

sudo grep forwarded /var/log/pihole.log | tail -n 30

# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4

So this is where that DNS is coming from then?

I don't think I have actually added anything to the whitelist manually, and when I try and access that page through the web interface it just times out. Where is this stored, so that I can look it up manually?

EDIT: I looked that up (/etc/pihole/) and found it had 43,672 lines... no idea where they have come from and I've manually removed the file to see what happens.

[root@localhost /]# sudo grep forwarded /var/log/pihole.log | tail -n 30
Mar 23 14:26:34 dnsmasq[2546]: forwarded content-system.gog.com to 208.67.222.222
Mar 23 14:26:39 dnsmasq[2546]: forwarded google.com to 208.67.222.222
Mar 23 14:26:52 dnsmasq[2546]: forwarded mesu.g.aaplimg.com to 208.67.222.222
Mar 23 14:27:04 dnsmasq[2546]: forwarded update.googleapis.com to 208.67.222.222
Mar 23 14:27:10 dnsmasq[2546]: forwarded graph.facebook.com to 208.67.222.222
Mar 23 14:27:11 dnsmasq[2546]: forwarded i.ozpda.com to 208.67.222.222
Mar 23 14:27:11 dnsmasq[2546]: forwarded www.google.com to 208.67.222.222
Mar 23 14:27:14 dnsmasq[2546]: forwarded rollingwood.logs.roku.com to 208.67.222.222
Mar 23 14:27:15 dnsmasq[2546]: forwarded lithium.facebook.com to 208.67.222.222
Mar 23 14:27:15 dnsmasq[2546]: forwarded p60-buy.itunes.apple.com to 208.67.222.222
Mar 23 14:27:17 dnsmasq[2546]: forwarded video.fmel8-1.fna.fbcdn.net to 208.67.222.222
Mar 23 14:27:17 dnsmasq[2546]: forwarded scontent.fmel8-1.fna.fbcdn.net to 208.67.222.222
Mar 23 14:27:19 dnsmasq[2546]: forwarded external.fmel8-1.fna.fbcdn.net to 208.67.222.222
Mar 23 14:27:22 dnsmasq[2546]: forwarded www.facebook.com to 208.67.222.222
Mar 23 14:27:23 dnsmasq[2546]: forwarded edge-mqtt.facebook.com to 208.67.222.222
Mar 23 14:27:23 dnsmasq[2546]: forwarded instagram.c10r.facebook.com to 208.67.222.222
Mar 23 14:27:24 dnsmasq[2546]: forwarded instagram.fmel8-1.fna.fbcdn.net to 208.67.222.222
Mar 23 14:27:26 dnsmasq[2546]: forwarded redirector.googlevideo.com to 208.67.222.222
Mar 23 14:27:27 dnsmasq[2546]: forwarded gsp-ssl.ls.apple.com to 208.67.222.222
Mar 23 14:27:29 dnsmasq[2546]: forwarded myip.opendns.com to 208.67.222.222
Mar 23 14:27:29 dnsmasq[2546]: forwarded instagram.fhyd6-1.fna.fbcdn.net to 208.67.222.222
Mar 23 14:27:29 dnsmasq[2546]: forwarded instagram.fagc1-1.fna.fbcdn.net to 208.67.222.222
Mar 23 14:27:45 dnsmasq[2546]: forwarded gateway.fe.apple-dns.net to 208.67.222.222
Mar 23 14:27:46 dnsmasq[2546]: forwarded gcs-asia-00002.content-storage-upload.googleapis.com to 208.67.222.222
Mar 23 14:27:50 dnsmasq[2546]: forwarded mesu.g.aaplimg.com to 208.67.222.222
Mar 23 14:27:51 dnsmasq[2546]: forwarded presence.gog.com to 208.67.222.222
Mar 23 14:27:53 dnsmasq[2546]: forwarded d.docs.live.net to 208.67.222.222
Mar 23 14:28:03 dnsmasq[2546]: forwarded time-ios.apple.com to 208.67.222.222
Mar 23 14:28:12 dnsmasq[2546]: forwarded clients4.google.com to 208.67.222.222
Mar 23 14:28:14 dnsmasq[2546]: forwarded c.apple.news to 208.67.222.222

This is why the traffic from your Pi is hitting the Google servers. This isn't Pi-Hole doing it, it is the Pi OS. By default, Pi-Hole sets the nameserver to 127.0.0.1 so the Pi traffic goes through Pi-Hole.

You must have. The default whitelist is empty, and the only way to add entries is through the web GUI or by editing the whitelist file directly. Pi-Hole whitelists nothing by itself.

/etc/pihole/whitelist.txt

This output shows that Pi-Hole is using the DNS server you told it to use, OpenDNS. The Pi itself is using the Google servers, and since you have blocked those requests, the Pi cannot process the queries to GitHub to load updates. The fix should be to modify your firewall to allow traffic from the Pi-Hole host to access DNS other than OpenDNS.
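Pulling the two findings above together (the firewall log showing the Pi-hole host sending DNS to 8.8.8.8, and the host's own /etc/resolv.conf explaining why), here is a small audit script. It is an added example, not code from this thread or from the Pi-hole project: the iptables LOG lines, the resolv.conf contents and the OpenDNS allowlist are constructed for illustration, and the LOG field names (SRC=, DST=, DPT=) are the standard kernel LOG target format. The first function tells you which LAN host is doing the bypassing and where to; the second tells you whether the Pi-hole box itself will bypass Pi-hole for its own lookups (anything other than 127.0.0.1 or an allowed upstream).

```sh
#!/bin/sh
# Added example (not from the thread or Pi-hole). Two checks:
#   1. dns_bypass_report  - summarise firewall LOG lines for port-53 egress
#                           to resolvers outside the allowlist, per source host
#   2. resolv_bypass_check - flag nameservers in a resolv.conf that are neither
#                           127.0.0.1 (Pi-hole) nor an allowed upstream
# Assumption: allowlist = the OpenDNS addresses used in the poster's rule.

ALLOWED_DNS="208.67.222.222 208.67.220.220"

# usage: dns_bypass_report "<allowlist>" < logfile   -> lines "SRC DST count"
dns_bypass_report() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /DPT=53( |$)/ {                       # DNS only; DPT=530 etc. excluded
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "" && !(dst in ok)) count[src " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# usage: resolv_bypass_check "<allowlist>" < /etc/resolv.conf
# prints offending nameservers; exit status 1 if any were found, else 0
resolv_bypass_check() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            ok["127.0.0.1"] = 1; ok["::1"] = 1          # local Pi-hole listener
        }
        $1 == "nameserver" && !($2 in ok) { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample data (not the poster's real log or resolv.conf).
SAMPLE_LOG='Mar 23 14:20:01 gw kernel: DNS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=8.8.8.8 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=52773 DF PROTO=UDP SPT=45621 DPT=53 LEN=51
Mar 23 14:20:03 gw kernel: DNS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=8.8.4.4 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=52774 DF PROTO=UDP SPT=45622 DPT=53 LEN=51
Mar 23 14:20:05 gw kernel: DNS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=8.8.8.8 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=52775 DF PROTO=UDP SPT=45623 DPT=53 LEN=51
Mar 23 14:21:10 gw kernel: DNS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=TCP SPT=51000 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 23 14:21:12 gw kernel: DNS-ALLOW IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=208.67.222.222 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=52776 DF PROTO=UDP SPT=45624 DPT=53 LEN=51
Mar 23 14:21:13 gw kernel: DNS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4'

echo "DNS egress outside the allowlist (SRC DST count):"
printf '%s\n' "$SAMPLE_LOG" | dns_bypass_report "$ALLOWED_DNS"
echo "Host resolvers that bypass Pi-hole:"
printf '%s\n' "$SAMPLE_RESOLV" | resolv_bypass_check "$ALLOWED_DNS" \
    || echo "=> set 'nameserver 127.0.0.1' in /etc/resolv.conf on the Pi-hole host"
```

On a real box run it as `dns_bypass_report "$ALLOWED_DNS" < /var/log/syslog` and `resolv_bypass_check "$ALLOWED_DNS" < /etc/resolv.conf`. A source that shows up in the first report with DST=8.8.8.8 and is also the Pi-hole host is exactly the case in this thread: the OS resolver, not Pi-hole's forwarding, is what the firewall is catching. Note that NetworkManager regenerates /etc/resolv.conf, so a hand edit can be overwritten on the next network change; the durable fix is whatever the distribution's network configuration uses to set the nameserver.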

Thanks for all the help.

I think I updated an earlier post while you were replying. The whitelist had 43k+ entries. I'm not sure where they came from, but having a little dig shows I did use this:

Clearing the whitelist then running those scripts only ends with 250ish lines in the whitelist, so I'm still a little lost on where the rest might have come from. Maybe I did dig up other lists and just threw them all in... maybe? The last clean install was 6 months ago; maybe I did something then.

I have updated /etc/resolv.conf to point at 127.0.0.1

A little bit later:
Further investigation seems to show that the script is using gawk to remove duplicates and that is failing, so every time it runs it is adding the same list of duplicate entries to the end of the whitelist file.
I might have set a cron job for that script to update the list daily which would have ended up with the stupidly long file over time full of duplicates, but I can't seem to find any reference to it anywhere.

I have now edited the scripts to use uniq instead and they appear to be working as they should, I've also scheduled it as a daily task so we will see soon enough if it's working as it should be or if it runs riot again.

On a side note, when I pull unique entries from that 43,000 line file I end up with 300 lines.
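For anyone scheduling a list-updating script from cron the way described above, here is the shape of a merge step that cannot grow the file no matter how often it runs. It is an added example, not the poster's script and not Pi-hole code; the target path and the sample domain lists are made up for the demo. The point it makes: deduplicate the union of old plus new entries with sort -u and write the result atomically. Plain uniq only collapses adjacent duplicates, so on unsorted input it will still let repeats through, and an append-then-dedup that is not idempotent turns a daily cron job into a 43,000-line file.

```sh
#!/bin/sh
# Added example, not from the thread or from Pi-hole. An idempotent merge of a
# one-domain-per-line list into a target file: running it N times with the
# same input leaves the same file as running it once.
# Assumption: target file format is one domain per line (as whitelist.txt was).

# usage: merge_domain_list TARGET_FILE < new_entries
merge_domain_list() {
    target=$1
    tmp="$target.tmp.$$"
    # union of existing + new, normalised (lowercase, no CR, no comments,
    # no whitespace, no blank lines), then sort -u => unique regardless of
    # order, written to a temp file and renamed so readers never see a
    # half-written list
    { [ -f "$target" ] && cat "$target"; cat; } \
        | tr 'A-Z' 'a-z' | tr -d '\r' \
        | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' \
        | LC_ALL=C sort -u > "$tmp" && mv "$tmp" "$target"
}

# usage: line_count FILE  -> number of lines, no padding
line_count() { wc -l < "$1" | tr -d ' '; }

# Demo in a scratch directory. The real file was /etc/pihole/whitelist.txt;
# edit that only via the pihole CLI or after taking a backup.
demo() {
    dir=$(mktemp -d)
    printf 'example.com\nCDN.Example.net\n' > "$dir/whitelist.txt"
    feed='example.com
cdn.example.net
updates.example.org
# a comment line that must not become an entry
updates.example.org
'
    printf '%s' "$feed" | merge_domain_list "$dir/whitelist.txt"
    first=$(line_count "$dir/whitelist.txt")
    printf '%s' "$feed" | merge_domain_list "$dir/whitelist.txt"
    second=$(line_count "$dir/whitelist.txt")
    cat "$dir/whitelist.txt"
    echo "after 1st merge: $first lines; after 2nd merge: $second lines"
    rm -rf "$dir"
}

demo
```

If the feed script is ever given a list with a trailing `\r` (a file saved on Windows, say), the tr -d '\r' step is what keeps "example.com" and "example.com\r" from counting as two different domains; that is one way a dedup that looks correct can silently fail to match.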
