I upgraded from a few versions back, and have had quite a few problems. I think I've narrowed it down to the DNSMASQ_LISTENING setting and I want to make sure I pick the right one.
I have a pretty standard pi-hole installation on a 3B+ which listens on eth0. I also have two OpenVPN servers running, one on tun2 and one on tun3. The tun3 also uses the pihole DNS. I accomplish this by putting INTERFACE=eth0 in setupVars and adding interface=tun3 into an additional file under /etc/dnsmasq.d and it seems to work as expected.
When I look at the "migration," it seems the DNSMASQ_LISTENING setting is a new thing and was set to local (probably this PR), despite there being an interface in the setupVars.conf file. Somehow that local causes all hell to break loose. I notice the /etc/dnsmasq.d/01-pihole.conf file makes no mention of the eth0 interface, and instead uses the local-service setting, which I'm guessing is the root of my issues. When I change that to interface=eth0 and restart, everything works.
I guess my question is, is this how I am supposed to configure it for my usage scenario? And, might it be a good idea to modify the settings migration code to recognize when there is an interface in setupVars.conf and choose DNSMASQ_LISTENING=single instead? It really only affects folks who are upgrading, but whoa nelly was that tough to chase down. I have noticed that I can do a pihole -r with the DNSMASQ_LISTENING setting missing and get similar results, btw.
Thanks for your report and sorry for the inconvenience you experienced.
We did change the default listening mode in the Dec 2021 release to DNSMASQ_LISTENING=local as this is the most "secure". The PR you mentioned took care of the migration process as it preserves the DNSMASQ_LISTENING setting if it was set, otherwise it will set it to `local`.
We always export the PIHOLE_INTERFACE to setupVars.conf but only write it to /etc/dnsmasq.d/01-pihole.conf in case DNSMASQ_LISTENING is single or bind.
If I get you right, you want Pi-hole to listen on eth0 and tun3 but not tun2? Then I would recommend to keep
and choose **Respond only on interface eth0** which translates to DNSMASQ_LISTENING=single in setupVars.conf. That way, Pi-hole will write interface=eth0 to /etc/dnsmasq.d/01-pihole.conf.
Heh, it did seem quite "secure," as nothing could connect at all under that configuration. Is that the expected behaviour, or is it just what happens with the additional interface option in the other dnsmasq file? It's definitely a very surprising end result, so I'm not sure if there is any way to check the config when migrating to possibly avoid that. Then again, it is just migration, so once you have the setting it's not a big deal.
Before we had "Listen only on XXX" which could have been insecure in case users accidentally connect their Pi host via the selected interface to the public internet.
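A config audit for the situation discussed in this thread, added here as an example and not code from Pi-hole or from any poster: it merges the dnsmasq drop-in files and reports which interfaces end up being served. It relies on the dnsmasq man page's statement that local-service only has effect when no interface, except-interface, listen-address or auth-server option is present, which the thread does not confirm as the cause. The sample files are constructed, and the file name 99-openvpn.conf is hypothetical.

```python
import re

# Constructed samples mirroring the thread; 99-openvpn.conf is a hypothetical name.
SETUPVARS = "PIHOLE_INTERFACE=eth0\nDNSMASQ_LISTENING=local\n"
SETUPVARS_FIXED = "PIHOLE_INTERFACE=eth0\nDNSMASQ_LISTENING=single\n"
BROKEN = {"01-pihole.conf": "local-service\n",
          "99-openvpn.conf": "# VPN clients\ninterface=tun3\n"}
FIXED = {"01-pihole.conf": "interface=eth0\n",
         "99-openvpn.conf": "interface=tun3\n"}

# Per the dnsmasq man page, local-service has no effect once any of these is set.
OVERRIDES = ("interface", "except-interface", "listen-address", "auth-server")
LINE = re.compile(r"^\s*([a-z-]+)\s*(?:=\s*(\S.*?))?\s*$")


def parse_kv(text):
    """Parse KEY=VALUE lines as found in setupVars.conf."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}


def audit(setupvars_text, conf_files):
    """Merge all drop-in files (dnsmasq reads them as one config) and report."""
    opts = []
    for name in sorted(conf_files):
        for line in conf_files[name].splitlines():
            m = LINE.match(line.split("#", 1)[0])  # drop trailing comments
            if m:
                opts.append((m.group(1), m.group(2), name))
    interfaces = sorted({v for k, v, _ in opts if k == "interface" and v})
    has_local = any(k == "local-service" for k, _, _ in opts)
    overriding = sorted({f"{k} ({n})" for k, _, n in opts if k in OVERRIDES})
    sv = parse_kv(setupvars_text)
    iface, mode = sv.get("PIHOLE_INTERFACE"), sv.get("DNSMASQ_LISTENING")
    warnings = []
    if has_local and overriding:
        warnings.append("local-service is ignored because of: " + ", ".join(overriding))
    if interfaces and iface and iface not in interfaces:
        warnings.append(f"{iface} is not served; dnsmasq answers only on "
                        f"{', '.join(interfaces)} and loopback")
    if mode in ("single", "bind") and iface and iface not in interfaces:
        warnings.append(f"mode {mode} expects interface={iface} in 01-pihole.conf")
    return {"interfaces": interfaces, "warnings": warnings,
            "local_service_effective": has_local and not overriding}


if __name__ == "__main__":
    print("after upgrade:", audit(SETUPVARS, BROKEN))
    print("with single:  ", audit(SETUPVARS_FIXED, FIXED))
```

To run it against a live host, read /etc/pihole/setupVars.conf and every file under /etc/dnsmasq.d into the two arguments instead of the samples.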