Problem with port 53 and DNS resolution

Please follow the below template, it will help us to help you!

Expected Behaviour:

DNS resolution works with port 53 on eth0 closed to the Internet

Actual Behaviour:

If I open port 53 on eth0 everything works fine, but if it is closed, nothing works. nslookup, dig and ping fail too.

Debug Token:

$ pihole -d
This process collects information from your Pi-hole, and optionally uploads it to a unique and random directory on tricorder.pi-hole.net.

The intent of this script is to allow users to self-diagnose their installations.  This is accomplished by running tests against our software and providing the user with links to FAQ articles when a problem is detected.  Since we are a small team and Pi-hole has been growing steadily, it is our hope that this will help us spend more time on development.

NOTE: All log files auto-delete after 48 hours and ONLY the Pi-hole developers can access your data via the given token. We have taken these extra steps to secure your data and will work to further reduce any personal information gathered.

*** [ INITIALIZING ]
[i] 2018-09-12:15:59:43 debug log has been initialized.

*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...

*** [ DIAGNOSING ]: Core version
[i] Core: v4.0 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: master
[i] Commit: v4.0-0-gddbdb51

*** [ DIAGNOSING ]: Web version
[i] Web: v4.0 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: master
[i] Commit: v4.0-0-gaf8c926

*** [ DIAGNOSING ]: FTL version
[✓] FTL: v4.0 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)

*** [ DIAGNOSING ]: dnsmasq version
[i] 2.76

*** [ DIAGNOSING ]: lighttpd version
[i] opt

*** [ DIAGNOSING ]: php version
[i] 7.0.30

*** [ DIAGNOSING ]: Operating system
[✓] Debian GNU/Linux 9 (stretch)

*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected

*** [ DIAGNOSING ]: Processor
[i] x86_64

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the tun0 interface:
   10.8.0.1/24 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)

[✓] IPv6 address(es) bound to the tun0 interface:
   fe80::3dfb:a957:cf1f:592e does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)

   ^ Please note that you may have more than one IP address listed.
   As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.

   The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.

[i] Default IPv4 gateway: 94.177.234.1
   * Pinging 94.177.234.1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)

[i] Default IPv6 gateway: fe80::1
   * Pinging fe80::1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)


*** [ DIAGNOSING ]: Ports in use
*:111 rpcbind (IPv4)
*:111 rpcbind (IPv6)
*: [CENSORED] sshd (IPv4)
*: [CENSORED] sshd (IPv6)
127.0.0.1:6379 redis-serv (IPv4)
127.0.0.1:3306 mysqld (IPv4)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*: [CENSORED] pure-ftpd- (IPv4)
*: [CENSORED] pure-ftpd- (IPv6)
127.0.0.1:25 exim4 (IPv4)
[::1]:25 exim4 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:80 apache2 (IPv6)
*:53 pihole-FTL (IPv4)
*:53 pihole-FTL (IPv6)
127.0.0.1:4711 pihole-FTL (IPv4)
[::1]:4711 pihole-FTL (IPv6)

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✗] Failed to resolve bob136.web3000.com via localhost (127.0.0.1)
[✗] Failed to resolve bob136.web3000.com via Pi-hole ([CENSORED public IP])
[✓] doubleclick.com is 216.58.213.142 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] protection32.in.net is :: via localhost (::1)
[✗] Failed to resolve protection32.in.net via Pi-hole ([CENSORED public IP])
[✓] doubleclick.com is 2a00:1450:4007:811::200e via a remote, public DNS server (2001:4860:4860::8888)

*** [ DIAGNOSING ]: Pi-hole processes
[✗] dnsmasq daemon is failed
[✗] lighttpd daemon is inactive
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=tun0
    IPV4_ADDRESS=10.8.0.1/24
    IPV4_ADDRESS=[CENSORED public IP]/24
    IPV6_ADDRESS=[CENSORED public IP]
    PIHOLE_DNS_1=8.8.8.8
    PIHOLE_DNS_2=8.8.4.4
    QUERY_LOGGING=true
    INSTALL_WEB_SERVER=false
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=false

*** [ DIAGNOSING ]: Dashboard and block page
[✗] Block page X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 14:02:29 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 22 May 2017 11:57:10 GMT
ETag: "29cd-5501b922ac672"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

[✗] Web interface X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2018 14:02:29 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: PHPSESSID=hnv52uq48vnbpnqenci4bo5g25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8


*** [ DIAGNOSING ]: Gravity list
-rw-r--r-- 1 root root 3046249 Sep 12 12:48 /etc/pihole/gravity.list
   -----head of gravity.list------
   0.0.0.0
   0.r.msn.com
   0.start.bz
   000.0x1f4b0.com

   -----tail of gravity.list------
   zzz.clickbank.net
   zzzezeroe.fr
   zzzpooeaz-france.com
   zzzrtrcm2.com

*** [ DIAGNOSING ]: contents of /etc/pihole

-rw-r--r-- 1 root root 381 Sep 12 12:08 /etc/pihole/adlists.list
   https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
   https://mirror1.malwaredomains.com/files/justdomains
   http://sysctl.org/cameleon/hosts
   https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
   https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
   https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
   https://hosts-file.net/ad_servers.txt

-rw-r--r-- 1 root root 127 Sep 12 12:48 /etc/pihole/local.list
   [CENSORED public IP] Tasende
   [CENSORED public IP] Tasende
   [CENSORED public IP] pi.hole
   [CENSORED public IP] pi.hole
   10.8.0.2     piholeVPS.vpn

-rw-r--r-- 1 root root 234 Sep 12 12:08 /etc/pihole/logrotate
   /var/log/pihole.log {
        su root root
        daily
        copytruncate
        rotate 5
        compress
        delaycompress
        notifempty
        nomail
   }
   /var/log/pihole-FTL.log {
        su root root
        weekly
        copytruncate
        rotate 3
        compress
        delaycompress
        notifempty
        nomail
   }

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 1508 Sep 12 12:08 /etc/dnsmasq.d/01-pihole.conf
   addn-hosts=/etc/pihole/gravity.list
   addn-hosts=/etc/pihole/black.list
   addn-hosts=/etc/pihole/local.list
   localise-queries
   no-resolv
   cache-size=10000
   log-queries=extra
   log-facility=/var/log/pihole.log
   local-ttl=2
   log-async
   server=8.8.8.8
   server=8.8.4.4
   interface=tun0

*** [ DIAGNOSING ]: contents of /etc/lighttpd

*** [ DIAGNOSING ]: contents of /etc/cron.d

-rw-r--r-- 1 root root 1496 Sep 12 12:08 /etc/cron.d/pihole
   25 3   * * 7   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity
   00 00   * * *   root    PATH="$PATH:/usr/local/bin/" pihole flush once quiet
   @reboot root /usr/sbin/logrotate /etc/pihole/logrotate
   */10 *  * * *   root    PATH="$PATH:/usr/local/bin/" pihole updatechecker local
   30 12  * * *   root    PATH="$PATH:/usr/local/bin/" pihole updatechecker remote
   @reboot root    PATH="$PATH:/usr/local/bin/" pihole updatechecker remote reboot

*** [ DIAGNOSING ]: contents of /var/log/lighttpd
/var/log/lighttpd does not exist.
ls: cannot access '/var/log/lighttpd': No such file or directory

*** [ DIAGNOSING ]: contents of /var/log

-rw-r--r-- 1 pihole pihole 26493 Sep 12 15:59 /var/log/pihole-FTL.log
   -----head of pihole-FTL.log------
   [2018-09-12 12:08:28.020] ########## FTL started! ##########
   [2018-09-12 12:08:28.020] FTL branch:
   [2018-09-12 12:08:28.020] FTL version: v4.0
   [2018-09-12 12:08:28.020] FTL commit: 8493df4
   [2018-09-12 12:08:28.020] FTL date: 2018-08-05 13:40:30 -0700
   [2018-09-12 12:08:28.020] FTL user: pihole
   [2018-09-12 12:08:28.020] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
   [2018-09-12 12:08:28.020]    SOCKET_LISTENING: only local
   [2018-09-12 12:08:28.020]    AAAA_QUERY_ANALYSIS: Show AAAA queries
   [2018-09-12 12:08:28.020]    MAXDBDAYS: max age for stored queries is 365 days
   [2018-09-12 12:08:28.020]    RESOLVE_IPV6: Resolve IPv6 addresses
   [2018-09-12 12:08:28.020]    RESOLVE_IPV4: Resolve IPv4 addresses
   [2018-09-12 12:08:28.020]    DBINTERVAL: saving to DB file every minute
   [2018-09-12 12:08:28.020]    DBFILE: Using /etc/pihole/pihole-FTL.db
   [2018-09-12 12:08:28.020]    MAXLOGAGE: Importing up to 24.0 hours of log data
   [2018-09-12 12:08:28.020]    PRIVACYLEVEL: Set to 0
   [2018-09-12 12:08:28.020]    IGNORE_LOCALHOST: Show queries from localhost
   [2018-09-12 12:08:28.020]    BLOCKINGMODE: Null IPs for blocked domains
   [2018-09-12 12:08:28.020]    REGEX_DEBUGMODE: Inactive
   [2018-09-12 12:08:28.020] Finished config file parsing
   [2018-09-12 12:08:28.020] INFO: No whitelist file found
   [2018-09-12 12:08:28.020] Compiled 0 Regex filters and -1 whitelisted domains in 0.0 msec (0 errors)
   [2018-09-12 12:08:28.020] db_init() - Cannot open database (14): unable to open database file
   [2018-09-12 12:08:28.020] Creating new (empty) database
   [2018-09-12 12:08:28.035] Database successfully initialized
   [2018-09-12 12:08:28.035] Imported 0 queries from the long-term database
   [2018-09-12 12:08:28.035]  -> Total DNS queries: 0
   [2018-09-12 12:08:28.035]  -> Cached DNS queries: 0
   [2018-09-12 12:08:28.035]  -> Forwarded DNS queries: 0
   [2018-09-12 12:08:28.035]  -> Exactly blocked DNS queries: 0
   [2018-09-12 12:08:28.035]  -> Unknown DNS queries: 0
   [2018-09-12 12:08:28.036]  -> Unique domains: 0
   [2018-09-12 12:08:28.036]  -> Unique clients: 0
   [2018-09-12 12:08:28.036]  -> Known forward destinations: 0
   [2018-09-12 12:08:28.036] Successfully accessed setupVars.conf

   -----tail of pihole-FTL.log------
   [2018-09-12 15:59:33.680]    DBFILE: Using /etc/pihole/pihole-FTL.db
   [2018-09-12 15:59:33.680]    MAXLOGAGE: Importing up to 24.0 hours of log data
   [2018-09-12 15:59:33.680]    PRIVACYLEVEL: Set to 0
   [2018-09-12 15:59:33.680]    IGNORE_LOCALHOST: Show queries from localhost
   [2018-09-12 15:59:33.680]    BLOCKINGMODE: Null IPs for blocked domains
   [2018-09-12 15:59:33.680]    REGEX_DEBUGMODE: Inactive
   [2018-09-12 15:59:33.680] Finished config file parsing
   [2018-09-12 15:59:33.680] INFO: No whitelist file found
   [2018-09-12 15:59:33.680] Compiled 0 Regex filters and -1 whitelisted domains in 0.0 msec (0 errors)
   [2018-09-12 15:59:33.681] Database successfully initialized
   [2018-09-12 15:59:33.681] Notice: Increasing queries struct size from 0 to 10000
   [2018-09-12 15:59:33.681] Notice: Increasing domains struct size from 0 to 1000
   [2018-09-12 15:59:33.681] Notice: Increasing clients struct size from 0 to 10
   [2018-09-12 15:59:33.681] New forward server: 8.8.4.4 (0/0)
   [2018-09-12 15:59:33.681] Notice: Increasing forwarded struct size from 0 to 4
   [2018-09-12 15:59:33.681] Notice: Increasing overTime struct size from 0 to 100
   [2018-09-12 15:59:33.682] New forward server: 8.8.8.8 (1/4)
   [2018-09-12 15:59:33.683] Imported 1955 queries from the long-term database
   [2018-09-12 15:59:33.684]  -> Total DNS queries: 1955
   [2018-09-12 15:59:33.684]  -> Cached DNS queries: 232
   [2018-09-12 15:59:33.684]  -> Forwarded DNS queries: 1612
   [2018-09-12 15:59:33.684]  -> Exactly blocked DNS queries: 111
   [2018-09-12 15:59:33.684]  -> Unknown DNS queries: 0
   [2018-09-12 15:59:33.684]  -> Unique domains: 204
   [2018-09-12 15:59:33.684]  -> Unique clients: 3
   [2018-09-12 15:59:33.684]  -> Known forward destinations: 2
   [2018-09-12 15:59:33.684] Successfully accessed setupVars.conf
   [2018-09-12 15:59:33.699] PID of FTL process: 4607
   [2018-09-12 15:59:33.699] Listening on port 4711 for incoming IPv4 telnet connections
   [2018-09-12 15:59:33.699] Listening on port 4711 for incoming IPv6 telnet connections
   [2018-09-12 15:59:33.699] Listening on Unix socket
   [2018-09-12 15:59:33.700] FATAL: Trying to free NULL pointer in free_whitelist_domains() (regex.c:72)
   [2018-09-12 15:59:33.700] INFO: No whitelist file found
   [2018-09-12 15:59:33.700] Compiled 0 Regex filters and -1 whitelisted domains in 0.0 msec (0 errors)
   [2018-09-12 15:59:33.944] /etc/pihole/gravity.list: parsed 133209 domains (took 244.5 ms)

*** [ DIAGNOSING ]: Locale
    LANG=en_US.UTF-8

*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 pihole pihole 11683904 Sep 12 16:04 /var/log/pihole.log
   -----head of pihole.log------
   Sep 12 12:07:28 dnsmasq[7331]: started, version 2.76 cachesize 10000
   Sep 12 12:07:28 dnsmasq[7331]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
   Sep 12 12:07:28 dnsmasq[7331]: warning: ignoring resolv-file flag because no-resolv is set
   Sep 12 12:07:28 dnsmasq[7331]: using nameserver 8.8.4.4#53
   Sep 12 12:07:28 dnsmasq[7331]: using nameserver 8.8.8.8#53
   Sep 12 12:07:28 dnsmasq[7331]: read /etc/hosts - 6 addresses
   Sep 12 12:07:28 dnsmasq[7331]: read /etc/pihole/local.list - 5 addresses
   Sep 12 12:07:28 dnsmasq[7331]: failed to load names from /etc/pihole/black.list: No such file or directory
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 2 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 3 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 4 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 5 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 6 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 7 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 8 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 9 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 10 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 11 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 12 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)
   [✗] Sep 12 12:07:28 dnsmasq[7331]: bad address at /etc/pihole/gravity.list line 13 (https://discourse.pi-hole.net/t/why-do-i-see-bad-address-at-in-pihole-log/3972)


********************************************
********************************************
[✓] ** FINISHED DEBUGGING! **

I set up pihole on my VPS running Debian 9
$ sudo lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.5 (stretch)
Release: 9.5
Codename: stretch
$ uname -a
Linux Tasende 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux

I disabled dhcpcd because otherwise the system won't connect to the network, but that was expected, since pihole uses dhcpcd5.
I won't expose my port 53 to the whole Internet, to avoid the risk of DNS amplification attacks, so I configured a working VPN using OpenVPN.
I didn't install lighttpd because I have some sites running on my VPS using Apache2, but if I open port 53 in iptables the pihole web interface works fine.
I set the following rules concerning pihole in my iptables:
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
And port 80 of course.
No filter for outgoing connections.

After installing pihole and dnsmasq, without opening port 53 I can't ping (it works only if I enter an IP), dig or nslookup.
Now, if I open port 53 on eth0, pihole works fine, but why? Why does it need INPUT connections on that port and the eth0 interface?

Thanks for helping.

Are you running this on a cloud server? If so, use a VPN to access the Pi-hole instead of opening the port.

You need access to port 53 because that is the port that is used for DNS.

Thanks for the very fast reply.
Yes, cloud server.
I use a VPN and I have port 53 open for the VPN's interface in input.
Devices connected through the VPN work fine and resolve both pi.hole and other addresses.
C:\WINDOWS\system32>nslookup.exe google.it
Server: UnKnown
Address: 10.8.0.1
Risposta da un server non autorevole:
Nome: google.it
Addresses: 2a00:1450:4007:808::2003
216.58.215.35
C:\WINDOWS\system32>nslookup.exe pi.hole
Server: UnKnown
Address: 10.8.0.1
Nome: pi.hole
Addresses: [CENSORED correct ip]

But the VPS can't resolve names (I can't use apt, ping, dig, nslookup...) unless I open port 53 over eth0.

Check /etc/resolv.conf to make sure it's using localhost.
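An added check, not code from this thread or from Pi-hole, that walks the INPUT rules the poster listed in the order the kernel would for a fresh port-53 query and reports per interface whether the query is admitted; it assumes a default DROP policy on INPUT (the thread only says the port is "closed") and includes a constructed loopback-accept variant, since the advice to point /etc/resolv.conf at localhost only helps if queries arriving on lo are admitted.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate INPUT rules the way the kernel
# would for a fresh port-53 query arriving on a given interface/protocol.
# SAMPLE_RULES is the rule text from the post; the DROP policy line is assumed.
SAMPLE_RULES='
:INPUT DROP [0:0]
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed variant: admit all loopback traffic, so a resolver pointed at
# 127.0.0.1 is reachable while eth0 stays closed for port 53.
FIXED_RULES="-A INPUT -i lo -j ACCEPT
$SAMPLE_RULES"

# dns_allowed RULES IFACE PROTO -> prints yes/no: first matching rule wins,
# unmatched queries fall through to the chain policy.
dns_allowed() {
    printf '%s\n' "$1" | awk -v want_if="$2" -v want_proto="$3" '
    function port_in(range, p,   a) {
        if (index(range, ":") == 0) return (range + 0 == p)
        split(range, a, ":")
        return (a[1] + 0 <= p && p <= a[2] + 0)
    }
    /^:INPUT/ { policy = $2 }
    /^-A INPUT/ {
        iface = ""; proto = ""; dport = ""; ct = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--ctstate") ct = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        # every stated condition must hold; an absent one matches anything
        if (iface != "" && iface != want_if) next
        if (proto != "" && proto != want_proto) next
        if (dport != "" && !port_in(dport, 53)) next
        if (ct != "" && index(ct, "NEW") == 0) next   # RELATED,ESTABLISHED never admits a new query
        if (target == "ACCEPT") { verdict = "yes"; exit }
        if (target == "DROP" || target == "REJECT") { verdict = "no"; exit }
    }
    END {
        if (verdict == "") verdict = (policy == "ACCEPT") ? "yes" : "no"
        print verdict
    }'
}

for ifc in lo tun0 eth0; do
    echo "udp/53 via $ifc: posted=$(dns_allowed "$SAMPLE_RULES" "$ifc" udp) fixed=$(dns_allowed "$FIXED_RULES" "$ifc" udp)"
done
```

Against a live host, feed it the real ruleset with `dns_allowed "$(sudo iptables-save)" lo udp`; only the INPUT chain is evaluated.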
