Please follow the template below; it will help us to help you!
Expected Behaviour:
DNS resolution works with port 53 on eth0 closed to the Internet.
Actual Behaviour:
If I open port 53 on eth0 everything works fine, but if it is closed, nothing works; nslookup, dig and ping fail too.
Debug Token:
$ pihole -d
This process collects information from your Pi-hole, and optionally uploads it to a unique and random directory on tricorder.pi-hole.net.
The intent of this script is to allow users to self-diagnose their installations. This is accomplished by running tests against our software and providing the user with links to FAQ articles when a problem is detected. Since we are a small team and Pi-hole has been growing steadily, it is our hope that this will help us spend more time on development.
NOTE: All log files auto-delete after 48 hours and ONLY the Pi-hole developers can access your data via the given token. We have taken these extra steps to secure your data and will work to further reduce any personal information gathered.
*** [ INITIALIZING ]
[i] 2018-09-12:15:59:43 debug log has been initialized.
*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...
*** [ DIAGNOSING ]: Core version
[i] Core: v4.0 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: master
[i] Commit: v4.0-0-gddbdb51
*** [ DIAGNOSING ]: Web version
[i] Web: v4.0 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: master
[i] Commit: v4.0-0-gaf8c926
*** [ DIAGNOSING ]: FTL version
[✓] FTL: v4.0 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
*** [ DIAGNOSING ]: dnsmasq version
[i] 2.76
*** [ DIAGNOSING ]: lighttpd version
[i] opt
*** [ DIAGNOSING ]: php version
[i] 7.0.30
*** [ DIAGNOSING ]: Operating system
[✓] Debian GNU/Linux 9 (stretch)
*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected
*** [ DIAGNOSING ]: Processor
[i] x86_64
*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the tun0 interface:
10.8.0.1/24 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)
[✓] IPv6 address(es) bound to the tun0 interface:
fe80::3dfb:a957:cf1f:592e does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)
^ Please note that you may have more than one IP address listed.
As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.
The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.
[i] Default IPv4 gateway: 94.177.234.1
* Pinging 94.177.234.1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
[i] Default IPv6 gateway: fe80::1
* Pinging fe80::1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
*** [ DIAGNOSING ]: Ports in use
*:111 rpcbind (IPv4)
*:111 rpcbind (IPv6)
*: [CENSORED] sshd (IPv4)
*: [CENSORED] sshd (IPv6)
127.0.0.1:6379 redis-serv (IPv4)
127.0.0.1:3306 mysqld (IPv4)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*: [CENSORED] pure-ftpd- (IPv4)
*: [CENSORED] pure-ftpd- (IPv6)
127.0.0.1:25 exim4 (IPv4)
[::1]:25 exim4 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:53 pihole-FTL (IPv4)
*:53 pihole-FTL (IPv6)
127.0.0.1:4711 pihole-FTL (IPv4)
[::1]:4711 pihole-FTL (IPv6)
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✗] Failed to resolve bob136.web3000.com via localhost (127.0.0.1)
[✗] Failed to resolve bob136.web3000.com via Pi-hole ([CENSORED public IP])
[✓] doubleclick.com is 216.58.213.142 via a remote, public DNS server (8.8.8.8)
*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] protection32.in.net is :: via localhost (::1)
[✗] Failed to resolve protection32.in.net via Pi-hole ([CENSORED public IP])
[✓] doubleclick.com is 2a00:1450:4007:811::200e via a remote, public DNS server (2001:4860:4860::8888)
*** [ DIAGNOSING ]: Pi-hole processes
[✗] dnsmasq daemon is failed
[✗] lighttpd daemon is inactive
[✓] pihole-FTL daemon is active
*** [ DIAGNOSING ]: Setup variables
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
IPV4_ADDRESS=[CENSORED public IP]/24
IPV6_ADDRESS=[CENSORED public IP]
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
QUERY_LOGGING=true
INSTALL_WEB_SERVER=false
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=false
*** [ DIAGNOSING ]: Dashboard and block page
[✗] Block page X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 14:02:29 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 22 May 2017 11:57:10 GMT
ETag: "29cd-5501b922ac672"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html
[✗] Web interface X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 14:02:29 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: PHPSESSID=hnv52uq48vnbpnqenci4bo5g25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
*** [ DIAGNOSING ]: Gravity list
-rw-r--r-- 1 root root 3046249 Sep 12 12:48 /etc/pihole/gravity.list
-----head of gravity.list------
0.0.0.0
0.r.msn.com
0.start.bz
000.0x1f4b0.com
-----tail of gravity.list------
zzz.clickbank.net
zzzezeroe.fr
zzzpooeaz-france.com
zzzrtrcm2.com
*** [ DIAGNOSING ]: contents of /etc/pihole
-rw-r--r-- 1 root root 381 Sep 12 12:08 /etc/pihole/adlists.list
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
-rw-r--r-- 1 root root 127 Sep 12 12:48 /etc/pihole/local.list
[CENSORED public IP] Tasende
[CENSORED public IP] Tasende
[CENSORED public IP] pi.hole
[CENSORED public IP] pi.hole
10.8.0.2 piholeVPS.vpn
-rw-r--r-- 1 root root 234 Sep 12 12:08 /etc/pihole/logrotate
/var/log/pihole.log {
su root root
daily
copytruncate
rotate 5
compress
delaycompress
notifempty
nomail
}
/var/log/pihole-FTL.log {
su root root
weekly
copytruncate
rotate 3
compress
delaycompress
notifempty
nomail
}
*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d
-rw-r--r-- 1 root root 1508 Sep 12 12:08 /etc/dnsmasq.d/01-pihole.conf
addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list
localise-queries
no-resolv
cache-size=10000
log-queries=extra
log-facility=/var/log/pihole.log
local-ttl=2
log-async
server=8.8.8.8
server=8.8.4.4
interface=tun0
*** [ DIAGNOSING ]: contents of /etc/lighttpd
*** [ DIAGNOSING ]: contents of /etc/cron.d
-rw-r--r-- 1 root root 1496 Sep 12 12:08 /etc/cron.d/pihole
25 3 * * 7 root PATH="$PATH:/usr/local/bin/" pihole updateGravity
00 00 * * * root PATH="$PATH:/usr/local/bin/" pihole flush once quiet
@reboot root /usr/sbin/logrotate /etc/pihole/logrotate
*/10 * * * * root PATH="$PATH:/usr/local/bin/" pihole updatechecker local
30 12 * * * root PATH="$PATH:/usr/local/bin/" pihole updatechecker remote
@reboot root PATH="$PATH:/usr/local/bin/" pihole updatechecker remote reboot
*** [ DIAGNOSING ]: contents of /var/log/lighttpd
/var/log/lighttpd does not exist.
ls: cannot access '/var/log/lighttpd': No such file or directory
*** [ DIAGNOSING ]: contents of /var/log
-rw-r--r-- 1 pihole pihole 26493 Sep 12 15:59 /var/log/pihole-FTL.log
-----head of pihole-FTL.log------
[2018-09-12 12:08:28.020] ########## FTL started! ##########
[2018-09-12 12:08:28.020] FTL branch:
[2018-09-12 12:08:28.020] FTL version: v4.0
[2018-09-12 12:08:28.020] FTL commit: 8493df4
[2018-09-12 12:08:28.020] FTL date: 2018-08-05 13:40:30 -0700
[2018-09-12 12:08:28.020] FTL user: pihole
[2018-09-12 12:08:28.020] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2018-09-12 12:08:28.020] SOCKET_LISTENING: only local
[2018-09-12 12:08:28.020] AAAA_QUERY_ANALYSIS: Show AAAA queries
[2018-09-12 12:08:28.020] MAXDBDAYS: max age for stored queries is 365 days
[2018-09-12 12:08:28.020] RESOLVE_IPV6: Resolve IPv6 addresses
[2018-09-12 12:08:28.020] RESOLVE_IPV4: Resolve IPv4 addresses
[2018-09-12 12:08:28.020] DBINTERVAL: saving to DB file every minute
[2018-09-12 12:08:28.020] DBFILE: Using /etc/pihole/pihole-FTL.db
[2018-09-12 12:08:28.020] MAXLOGAGE: Importing up to 24.0 hours of log data
[2018-09-12 12:08:28.020] PRIVACYLEVEL: Set to 0
[2018-09-12 12:08:28.020] IGNORE_LOCALHOST: Show queries from localhost
[2018-09-12 12:08:28.020] BLOCKINGMODE: Null IPs for blocked domains
[2018-09-12 12:08:28.020] REGEX_DEBUGMODE: Inactive
[2018-09-12 12:08:28.020] Finished config file parsing
[2018-09-12 12:08:28.020] INFO: No whitelist file found
[2018-09-12 12:08:28.020] Compiled 0 Regex filters and -1 whitelisted domains in 0.0 msec (0 errors)
[2018-09-12 12:08:28.020] db_init() - Cannot open database (14): unable to open database file
[2018-09-12 12:08:28.020] Creating new (empty) database
[2018-09-12 12:08:28.035] Database successfully initialized
[2018-09-12 12:08:28.035] Imported 0 queries from the long-term database
[2018-09-12 12:08:28.035] -> Total DNS queries: 0
[2018-09-12 12:08:28.035] -> Cached DNS queries: 0
[2018-09-12 12:08:28.035] -> Forwarded DNS queries: 0
[2018-09-12 12:08:28.035] -> Exactly blocked DNS queries: 0
[2018-09-12 12:08:28.035] -> Unknown DNS queries: 0
[2018-09-12 12:08:28.036] -> Unique domains: 0
[2018-09-12 12:08:28.036] -> Unique clients: 0
[2018-09-12 12:08:28.036] -> Known forward destinations: 0
[2018-09-12 12:08:28.036] Successfully accessed setupVars.conf
-----tail of pihole-FTL.log------
[2018-09-12 15:59:33.680] DBFILE: Using /etc/pihole/pihole-FTL.db
[2018-09-12 15:59:33.680] MAXLOGAGE: Importing up to 24.0 hours of log data
[2018-09-12 15:59:33.680] PRIVACYLEVEL: Set to 0
[2018-09-12 15:59:33.680] IGNORE_LOCALHOST: Show queries from localhost
[2018-09-12 15:59:33.680] BLOCKINGMODE: Null IPs for blocked domains
[2018-09-12 15:59:33.680] REGEX_DEBUGMODE: Inactive
[2018-09-12 15:59:33.680] Finished config file parsing
[2018-09-12 15:59:33.680] INFO: No whitelist file found
[2018-09-12 15:59:33.680] Compiled 0 Regex filters and -1 whitelisted domains in 0.0 msec (0 errors)
[2018-09-12 15:59:33.681] Database successfully initialized
[2018-09-12 15:59:33.681] Notice: Increasing queries struct size from 0 to 10000
[2018-09-12 15:59:33.681] Notice: Increasing domains struct size from 0 to 1000
[2018-09-12 15:59:33.681] Notice: Increasing clients struct size from 0 to 10
[2018-09-12 15:59:33.681] New forward server: 8.8.4.4 (0/0)
[2018-09-12 15:59:33.681] Notice: Increasing forwarded struct size from 0 to 4
[2018-09-12 15:59:33.681] Notice: Increasing overTime struct size from 0 to 100
[2018-09-12 15:59:33.682] New forward server: 8.8.8.8 (1/4)
[2018-09-12 15:59:33.683] Imported 1955 queries from the long-term database
[2018-09-12 15:59:33.684] -> Total DNS queries: 1955
[2018-09-12 15:59:33.684] -> Cached DNS queries: 232
[2018-09-12 15:59:33.684] -> Forwarded DNS queries: 1612
[2018-09-12 15:59:33.684] -> Exactly blocked DNS queries: 111
[2018-09-12 15:59:33.684] -> Unknown DNS queries: 0
[2018-09-12 15:59:33.684] -> Unique domains: 204
[2018-09-12 15:59:33.684] -> Unique clients: 3
[2018-09-12 15:59:33.684] -> Known forward destinations: 2
[2018-09-12 15:59:33.684] Successfully accessed setupVars.conf
[2018-09-12 15:59:33.699] PID of FTL process: 4607
[2018-09-12 15:59:33.699] Listening on port 4711 for incoming IPv4 telnet connections
[2018-09-12 15:59:33.699] Listening on port 4711 for incoming IPv6 telnet connections
[2018-09-12 15:59:33.699] Listening on Unix socket
[2018-09-12 15:59:33.700] FATAL: Trying to free NULL pointer in free_whitelist_domains() (regex.c:72)
[2018-09-12 15:59:33.700] INFO: No whitelist file found
[2018-09-12 15:59:33.700] Compiled 0 Regex filters and -1 whitelisted domains in 0.0 msec (0 errors)
[2018-09-12 15:59:33.944] /etc/pihole/gravity.list: parsed 133209 domains (took 244.5 ms)
*** [ DIAGNOSING ]: Locale
LANG=en_US.UTF-8
*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 pihole pihole 11683904 Sep 12 16:04 /var/log/pihole.log
-----head of pihole.log------
Sep 12 12:07:28 dnsmasq[7331]: started, version 2.76 cachesize 10000
Sep 12 12:07:28 dnsmasq[7331]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Sep 12 12:07:28 dnsmasq[7331]: warning: ignoring resolv-file flag because no-resolv is set
Sep 12 12:07:28 dnsmasq[7331]: using nameserver 8.8.4.4#53
Sep 12 12:07:28 dnsmasq[7331]: using nameserver 8.8.8.8#53
Sep 12 12:07:28 dnsmasq[7331]: read /etc/hosts - 6 addresses
Sep 12 12:07:28 dnsmasq[7331]: read /etc/pihole/local.list - 5 addresses
Sep 12 12:07:28 dnsmasq[7331]: failed to load names from /etc/pihole/black.list: No such file or directory
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 2 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 3 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 4 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 5 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 6 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 7 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 8 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 9 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 10 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 11 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 12 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
[✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 13 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
********************************************
********************************************
[✓] ** FINISHED DEBUGGING! **
I set up Pi-hole on my VPS running Debian 9.
$ sudo lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.5 (stretch)
Release: 9.5
Codename: stretch
$ uname -a
Linux Tasende 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
I disabled dhcpcd because otherwise the system won't connect to the network, but that was expected since Pi-hole uses dhcpcd5.
I don't want to expose my port 53 to the whole Internet, to avoid the risk of DNS amplification attacks, so I configured a working VPN using OpenVPN.
I didn't install lighttpd because I have some sites running on my VPS using Apache2, but if I open port 53 in iptables, Pi-hole's web interface works fine.
I set the following rules concerning pihole in my iptables:
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
And port 80 of course.
No filter for outgoing connections.
After installing Pi-hole and dnsmasq, without opening port 53 I can't ping (it works only if I enter an IP), dig or nslookup.
Now, if I open port 53 on eth0, Pi-hole works fine, but why? Why does it need INPUT connections on that port on the eth0 interface?
Thanks for helping.
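An added illustration (not part of the report or of Pi-hole) of how the posted INPUT rules treat DNS traffic per ingress interface, using iptables first-match semantics. The host's own queries to 127.0.0.1 (the "via localhost" check that fails in the debug log) arrive on `lo`, and the posted rules accept only TCP 4711:4720 there; the DROP default policy and the extra loopback rule are assumptions, not taken from the report.

```python
import shlex
from dataclasses import dataclass

# Constructed from the INPUT rules quoted in the report. Default policy is
# assumed DROP ("port 53 closed"); the report does not show the policy line.
POSTED_RULES = """
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
# Same rules plus loopback DNS, so the host's own resolver can reach
# 127.0.0.1:53 while eth0 stays closed (assumed variant, not from the report).
LOOPBACK_RULES = POSTED_RULES + "-A INPUT -i lo -p udp -m udp --dport 53 -j ACCEPT\n"

@dataclass
class Packet:
    iface: str          # ingress interface as seen by INPUT (lo for local traffic)
    proto: str          # "udp" or "tcp"
    dport: int
    established: bool = False  # a fresh DNS query is conntrack state NEW

def parse_rule(line):
    """Keep only the match options this model understands; ignore '-m' modules."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        if toks[i] in ("-i", "-p", "--dport", "--ctstate", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule

def rule_matches(rule, pkt):
    if "-i" in rule and rule["-i"] != pkt.iface:
        return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "--dport" in rule:
        low, _, high = rule["--dport"].partition(":")
        if not int(low) <= pkt.dport <= int(high or low):
            return False
    if "--ctstate" in rule and not pkt.established:
        return False
    return True

def verdict(ruleset, pkt, policy="DROP"):
    """First matching rule decides, as in iptables; otherwise the chain policy."""
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policy
```

Under the posted rules a new UDP query to port 53 is accepted only on tun0, so eth0 and lo both fall through to the policy; the loopback variant keeps eth0 closed while letting local lookups through.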