Query results not return to LAN computers

#1

Please follow the below template, it will help us to help you!

Expected Behaviour:

Computers with DNS set to pi-hole IP 192.168.1.15 should query and get query results from pi-hole returned

Actual Behaviour:

tcpdump -i int udp 53 shows results being received by pi-hole machine but results are not resolved and returned to the machines. nmap shows port 53 udp open as filtered on this linux pi-hole.

Debug Token:

https://tricorder.pi-hole.net/ydlcnvtkhz!

#2

nslookup -type=txt -class=chaos version.bind 192.168.1.15

On Pi-hole as well as on one of your clients (linux/win/mac) ?

#3

Thanks for your reply, so I have the results of the command:
Pi-hole Ubuntu server 192.168.1.15:
~$ nslookup -type=txt -class=chaos version.bind 192.168.1.15
Server: 192.168.1.15
Address: 192.168.1.15#53

version.bind text = "dnsmasq-pi-hole-2.80"

Macbook OSX 192.168.1.109:
monos-MacBook-Pro:~ mono$ ssh 192.168.1.15
mono@192.168.1.15's password:
monos-MacBook-Pro:~ mono$ nslookup -type=txt -class=chaos version.bind 192.168.1.15
;; connection timed out; no servers could be reached

I ran ssh to show connectivity is fine from the Mac running only pi-hole as its DNS, but with DNS there is very much an error. In fact, running tcpdump on the pi-hole server shows that the nslookup requests did arrive from the Mac; pi-hole is simply not answering for some reason? See below. Please note I do not use the pi-hole DHCP but my TP-Link router; however, if manually setting the DNS on the Mac it should work in my expectations.

$ sudo tcpdump -i enp2s0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:47:41.631205 IP 192.168.1.109.60603 > safeharbour.domain: 19394+ TXT CHAOS? version.bind. (30)
13:47:41.633412 IP safeharbour.20450 > resolver2.opendns.com.domain: 48058+ PTR? 109.1.168.192.in-addr.arpa. (44)
13:47:41.688327 IP resolver2.opendns.com.domain > safeharbour.20450: 48058 NXDomain* 0/1/0 (103)
13:47:46.635323 IP 192.168.1.109.60603 > safeharbour.domain: 19394+ TXT CHAOS? version.bind. (30)
13:47:51.636746 IP 192.168.1.109.60603 > safeharbour.domain: 19394+ TXT CHAOS? version.bind. (30)

#4

Does below one show the correct interface + IP ?

sudo grep 'IPV[4,6]_ADDRESS\|PIHOLE_INTERFACE' /etc/pihole/setupVars.conf

Firewall active ?

sudo iptables -L -n

Check router for below or similar security settings:

#5

Thanks for the reply.
sudo grep 'IPV[4,6]_ADDRESS\|PIHOLE_INTERFACE' /etc/pihole/setupVars.conf
Returns the correct IP and interface and that is all.
My router is a TP-Link Archer VR400 with none of the DNS rebind protection.
I monitor tcpdump traffic on the pihole and it is only ever one way, inbound! The pi-hole host itself performs lookups fine via pi-hole.

One question, if I can see my incoming queries via tcpdump [-i int udp port 53] on the pi-hole, why can't I see them in the pi-hole query log http://192.168.1.15/admin/queries.php ?
hostname is safeharbour:
23:16:16.344329 IP (tos 0x0, ttl 255, id 18198, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.109.63415 > safeharbour.domain: [udp sum ok] 41826+ A? p52-streams.icloud.com. (40)
23:16:17.610550 IP (tos 0x0, ttl 255, id 65524, offset 0, flags [none], proto UDP (17), length 57)
192.168.1.109.53053 > safeharbour.domain: [udp sum ok] 4912+ A? twitter.com. (29)
23:16:18.344837 IP (tos 0x0, ttl 255, id 32086, offset 0, flags [none], proto UDP (17), length 68)
192.168.1.109.63415 > safeharbour.domain: [udp sum ok] 41826+ A? p52-streams.icloud.com. (40)

I have updated my iptables rules, as it just seems pi-hole replies do not occur outbound. However they are all fine I believe:
$ sudo iptables -L -n --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2 f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 445
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 445
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
12 DROP all -- 0.0.0.0/0 0.0.0.0/0
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53

Also see my listening DNS ports
sudo netstat -nltup | grep ":53 "
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4820/pihole-FTL
tcp 0 0 192.168.1.15:53 0.0.0.0:* LISTEN 4820/pihole-FTL
tcp6 0 0 ::1:53 :::* LISTEN 4820/pihole-FTL
tcp6 0 0 fe80::9eb6:54ff:fe09:53 :::* LISTEN 4820/pihole-FTL
udp 0 0 127.0.0.1:53 0.0.0.0:* 4820/pihole-FTL
udp 0 0 192.168.1.15:53 0.0.0.0:* 4820/pihole-FTL
udp6 0 0 ::1:53 :::* 4820/pihole-FTL
udp6 0 0 fe80::9eb6:54ff:fe09:53 :::* 4820/pihole-FTL
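One way to turn the "only ever one way, inbound" observation above into something measurable. The script below is an added example, not code from this thread or from the Pi-hole project: it parses tcpdump's default one-line DNS summaries, pairs every query with a response sent back to the same asker, port and transaction ID, and reports queries that never received one, per server. The sample capture is constructed from lines already shown in this thread (the failing version.bind capture and a later working capture), so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture: the first five lines mirror the failing capture
# (client query arrives at the Pi-hole, the Pi-hole's own upstream lookup is
# answered, but the client never gets a reply); the rest mirror a working
# capture where both the client query and the upstream forward are answered.
SAMPLE_CAPTURE = """\
13:47:41.631205 IP 192.168.1.109.60603 > safeharbour.domain: 19394+ TXT CHAOS? version.bind. (30)
13:47:41.633412 IP safeharbour.20450 > resolver2.opendns.com.domain: 48058+ PTR? 109.1.168.192.in-addr.arpa. (44)
13:47:41.688327 IP resolver2.opendns.com.domain > safeharbour.20450: 48058 NXDomain* 0/1/0 (103)
13:47:46.635323 IP 192.168.1.109.60603 > safeharbour.domain: 19394+ TXT CHAOS? version.bind. (30)
13:47:51.636746 IP 192.168.1.109.60603 > safeharbour.domain: 19394+ TXT CHAOS? version.bind. (30)
22:46:42.853797 IP 192.168.1.111.62385 > safeharbour.domain: 4186+ A? nav.files.bbci.co.uk. (38)
22:46:42.854311 IP safeharbour.34948 > resolver2.opendns.com.domain: 48274+ A? nav.files.bbci.co.uk. (38)
22:46:42.873095 IP resolver2.opendns.com.domain > safeharbour.34948: 48274 3/0/0 CNAME nav.files.bbci.co.uk.edgekey.net., CNAME e3891.dscf.akamaiedge.net., A 104.82.74.185 (136)
22:46:42.873400 IP safeharbour.domain > 192.168.1.111.62385: 4186 3/0/0 CNAME nav.files.bbci.co.uk.edgekey.net., CNAME e3891.dscf.akamaiedge.net., A 104.82.74.185 (136)
"""

# tcpdump's default one-line DNS format (the multi-line -v form is not handled).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)(?P<flags>\S*) (?P<rest>.*)$"
)
# 'answers/authority/additional' counts appear only on responses.
COUNTS_RE = re.compile(r"\b\d+/\d+/\d+\b")


def split_endpoint(endpoint):
    """'192.168.1.109.60603' -> ('192.168.1.109', '60603'); 'safeharbour.domain' -> ('safeharbour', 'domain')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return a dict describing one DNS packet, or None for lines that are not DNS summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    is_query = "?" in rest and not COUNTS_RE.search(rest)
    qname = None
    if is_query:
        q = re.search(r"\? (\S+) \(", rest)
        qname = q.group(1) if q else None
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "txid": m["txid"], "is_query": is_query, "qname": qname}


def index_capture(capture):
    """Index queries by (asker, asker port, txid) and collect the keys that got a response."""
    queries, attempts, answered = {}, Counter(), set()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["is_query"]:
            key = (rec["src"], rec["sport"], rec["txid"])
            queries.setdefault(key, rec)   # keep the first attempt
            attempts[key] += 1             # retries reuse the same port and txid
        else:
            answered.add((rec["dst"], rec["dport"], rec["txid"]))
    return queries, attempts, answered


def find_unanswered(capture):
    """Queries that never saw a matching response, with how often the client retried."""
    queries, attempts, answered = index_capture(capture)
    return [{"client": r["src"], "server": r["dst"], "txid": r["txid"],
             "qname": r["qname"], "attempts": attempts[k]}
            for k, r in queries.items() if k not in answered]


def answer_stats(capture):
    """Per queried server: (distinct queries seen, how many of those were answered)."""
    queries, _, answered = index_capture(capture)
    stats = defaultdict(lambda: [0, 0])
    for k, r in queries.items():
        stats[r["dst"]][0] += 1
        if k in answered:
            stats[r["dst"]][1] += 1
    return {server: tuple(v) for server, v in stats.items()}


if __name__ == "__main__":
    for server, (asked, got) in answer_stats(SAMPLE_CAPTURE).items():
        print(f"{server}: {got}/{asked} queries answered")
    for u in find_unanswered(SAMPLE_CAPTURE):
        print(f"UNANSWERED {u['client']} -> {u['server']} id {u['txid']} "
              f"{u['qname']} (sent {u['attempts']}x)")
```

On the sample, the upstream resolver answers both of the Pi-hole's own lookups while the Pi-hole answers only one of the two client queries, and the unanswered one was retried three times: that is the "resolver works, replies to clients are missing" pattern, which points at the host's own filtering rather than at the upstream. Feed it a real capture with `sudo tcpdump -n -i enp2s0 udp port 53 > capture.txt` and pass the file contents to the functions.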

#6

ifconfig -a
please

#7

host and pi hole plz

#8

Am no iptables expert but to me it looks like your rules setup might be misconfigured.
The INPUT chain has rule #12 dropping everything before rule #13 to allow TCP 53.
So if a packet traverses the rules, it gets dropped even before it can reach rule #13.
And usually rule #1 is along the lines of below for a more efficient rules set:

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Try disabling iptables or flushing the rules to diagnose.
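The chain-order point above can be checked mechanically rather than by eye. The following is an added example, not from this thread or from Pi-hole: it models the INPUT chain posted earlier and walks it with iptables' first-match semantics (a jump into a user chain such as f2b-sshd that falls through behaves like RETURN). One assumption is labelled in the code: rule 6 is taken to be the usual `-i lo` accept, because `iptables -L -n` without `-v` hides the in/out interface columns, which is itself a reason to list with `-nvL` when debugging. The walk shows that a client's UDP query to port 53 reaches the `DROP all` at rule 12 (rule 9 only accepts UDP with *source* port 53, which is an upstream reply, not a client query), that rule 13 can never match, and what the verdict becomes once a `udp dpt:53` accept is inserted before the DROP.

```python
def rule(num, target, proto="all", iface=None, dports=(), sports=(), ctstate=()):
    """One iptables rule as the simulator sees it; empty match sets mean 'any'."""
    return {"num": num, "target": target, "proto": proto, "iface": iface,
            "dports": set(dports), "sports": set(sports), "ctstate": set(ctstate)}


# INPUT chain as listed in the thread (iptables -L -n --line-number).
# Assumption: rule 6 is the common '-i lo -j ACCEPT'; without -v the listing
# hides the interface column, so it prints as a bare 'ACCEPT all'.
CHAINS = {
    "f2b-sshd": [],   # fail2ban's chain with no banned hosts: falls through (RETURN)
    "INPUT": [
        rule(1, "f2b-sshd", "tcp", dports={22}),
        rule(2, "f2b-sshd", "tcp", dports={22}),
        rule(3, "f2b-sshd", "tcp", dports={22}),
        rule(4, "ACCEPT", "udp", dports={445}),
        rule(5, "ACCEPT", "tcp", dports={445}),
        rule(6, "ACCEPT", "all", iface="lo"),          # assumed -i lo, see above
        rule(7, "ACCEPT", "all", ctstate={"RELATED", "ESTABLISHED"}),
        rule(8, "ACCEPT", "tcp", dports={22}),
        rule(9, "ACCEPT", "udp", sports={53}),         # replies FROM a DNS server
        rule(10, "ACCEPT", "tcp", dports={53}),
        rule(11, "ACCEPT", "tcp", dports={80, 443}),
        rule(12, "DROP", "all"),
        rule(13, "ACCEPT", "tcp", sports={53}),
    ],
}


def matches(r, pkt):
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["dports"] and pkt["dport"] not in r["dports"]:
        return False
    if r["sports"] and pkt["sport"] not in r["sports"]:
        return False
    if r["ctstate"] and pkt["ctstate"] not in r["ctstate"]:
        return False
    return True


def evaluate(chains, chain, pkt, policy=None):
    """First-match walk; returns (verdict, chain, rule_num). A user chain that
    matches nothing returns None so the caller keeps walking (RETURN)."""
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        if r["target"] in chains:                 # jump into a user-defined chain
            verdict = evaluate(chains, r["target"], pkt)
            if verdict is not None:
                return verdict
            continue
        return (r["target"], chain, r["num"])
    return (policy, chain, None) if policy else None


def unreachable_rules(chain_rules):
    """Rule numbers placed after an unconditional terminating rule (e.g. 'DROP all')."""
    dead, out = False, []
    for r in chain_rules:
        if dead:
            out.append(r["num"])
            continue
        unconditional = (r["proto"] == "all" and not r["iface"]
                         and not (r["dports"] or r["sports"] or r["ctstate"]))
        if unconditional and r["target"] in ("ACCEPT", "DROP", "REJECT"):
            dead = True
    return out


def insert_before(chain_rules, before_num, new_rule):
    """Renumbered copy with new_rule placed before rule before_num (like iptables -I INPUT <n>)."""
    out = []
    for r in chain_rules:
        if r["num"] == before_num:
            out.append(dict(new_rule))
        out.append(dict(r))
    for i, r in enumerate(out, 1):
        r["num"] = i
    return out


def pkt(proto, sport, dport, ctstate="NEW", iface="enp2s0"):
    return {"proto": proto, "sport": sport, "dport": dport, "ctstate": ctstate, "iface": iface}


# A LAN client's query to the Pi-hole, shaped like the tcpdump line in the thread.
CLIENT_QUERY = pkt("udp", 60603, 53)

# Same chain with 'ACCEPT udp dpt:53' inserted ahead of the DROP.
FIXED = dict(CHAINS)
FIXED["INPUT"] = insert_before(CHAINS["INPUT"], 12, rule(0, "ACCEPT", "udp", dports={53}))

if __name__ == "__main__":
    print("client UDP/53 query, posted chain:", evaluate(CHAINS, "INPUT", CLIENT_QUERY, policy="ACCEPT"))
    print("unreachable in posted chain:", unreachable_rules(CHAINS["INPUT"]))
    print("client UDP/53 query, fixed chain:", evaluate(FIXED, "INPUT", CLIENT_QUERY, policy="ACCEPT"))
```

On the posted chain the client query is dropped at rule 12 while a TCP/53 query is accepted at rule 10, which matches the symptom of UDP queries arriving but never being answered; the equivalent live fix is `sudo iptables -I INPUT 12 -p udp --dport 53 -j ACCEPT`, and the stale rule 13 can be deleted since nothing can reach it.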

#9

Also look for other security settings that might block traffic.

#10

Default pihole-FTL is listening on all IPs, 0.0.0.0:

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471[1-8] '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      27450/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      5235/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      5235/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      27450/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      5235/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      5235/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5235/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5235/pihole-FTL
udp6       0      0 :::53                   :::*                                5235/pihole-FTL

Check for alien dnsmasq/pihole-FTL config files not belonging to Pi-hole:

sudo grep -v '^#\|^$' -R /etc/dnsmasq.*

#11

pi-hole

ifconfig -a
enp2s0    Link encap:Ethernet  HWaddr 9c:b6:54:09:33:ee  
          inet addr:192.168.1.15  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9eb6:54ff:fe09:33ee/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:270878 errors:0 dropped:61 overruns:0 frame:0
          TX packets:379435 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:98348702 (98.3 MB)  TX bytes:476378468 (476.3 MB)
          Interrupt:18 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1623 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:143851 (143.8 KB)  TX bytes:143851 (143.8 KB)

mac host joining, not on vpn:

ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
EHC29: flags=0<> mtu 0
EHC26: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 28:cf:e9:1d:02:0b
        inet6 fe80::1ca9:ed17:628:6125%en0 prefixlen 64 secured scopeid 0x7
        inet 192.168.1.111 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
        ether 0a:cf:e9:1d:02:0b
        media: autoselect
        status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
        ether 9e:bc:7f:96:2a:af
        inet6 fe80::9cbc:7fff:fe96:2aaf%awdl0 prefixlen 64 scopeid 0x9
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=60<TSO4,TSO6>
        ether 32:00:16:70:8e:40
        media: autoselect <full-duplex>
        status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=60<TSO4,TSO6>
        ether 32:00:16:70:8e:41
        media: autoselect <full-duplex>
        status: inactive
bridge0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        options=63<RXCSUM,TXCSUM,TSO4,TSO6>
        ether 32:00:16:70:8e:40
        Configuration:
                id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
                maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
                root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
                ipfilter disabled flags 0x2
        member: en1 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 10 priority 0 path cost 0
        member: en2 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 11 priority 0 path cost 0
        media: <unknown type>
        status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
        inet6 fe80::a0d2:65cf:6476:80e1%utun0 prefixlen 64 scopeid 0xd
        nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
        inet6 fe80::38f7:2b5f:8041:68a8%utun1 prefixlen 64 scopeid 0xe
        nd6 options=201<PERFORMNUD,DAD>
#12

OK, my bad, it was iptables! Those rules were updated from the still failing system so I'm starting from scratch with rules again. Cheers!!! tcpdump below, pi-hole hostname is safeharbour/192.168.1.15. Thanks guys. I did think on firewalls it was good practice to drop all as the last rule.

22:46:41.787040 IP safeharbour.domain > 192.168.1.111.50559: 21983 3/0/0 CNAME session-origin-live.bbc.net.uk., A 212.58.244.215, A 212.58.249.137 (109)
22:46:42.853797 IP 192.168.1.111.62385 > safeharbour.domain: 4186+ A? nav.files.bbci.co.uk. (38)
22:46:42.854311 IP safeharbour.34948 > resolver2.opendns.com.domain: 48274+ A? nav.files.bbci.co.uk. (38)
22:46:42.856092 IP 192.168.1.111.65465 > safeharbour.domain: 10147+ A? homepage.files.bbci.co.uk. (43)
22:46:42.856517 IP safeharbour.44482 > resolver2.opendns.com.domain: 2571+ A? homepage.files.bbci.co.uk. (43)
22:46:42.873095 IP resolver2.opendns.com.domain > safeharbour.34948: 48274 3/0/0 CNAME nav.files.bbci.co.uk.edgekey.net., CNAME e3891.dscf.akamaiedge.net., A 104.82.74.185 (136)
22:46:42.873400 IP safeharbour.domain > 192.168.1.111.62385: 4186 3/0/0 CNAME nav.files.bbci.co.uk.edgekey.net., CNAME e3891.dscf.akamaiedge.net., A 104.82.74.185 (136)
22:46:42.887113 IP resolver2.opendns.com.domain > safeharbour.44482: 2571 3/0/0 CNAME homepage.files.bbci.co.uk.edgekey.net., CNAME e3891.dscf.akamaiedge.net., A 104.82.74.185 (146)
22:46:42.887392 IP safeharbour.domain > 192.168.1.111.65465: 10147 3/0/0 CNAME homepage.files.bbci.co.uk.edgekey.net., CNAME e3891.dscf.akamaiedge.net., A 104.82.74.185 (146)

#13

Nothing I can see in your output shows any glaring network issues, at least that I can see.
IMO, if this is not a production machine, restore IP Tables to default and test to confirm whether it is indeed an IP Tables issue or not. Back up IP Tables first, of course.
I know network ACLs can cause some really unexpected behavior.

I would also turn down all your interfaces on your ubuntu machine for troubleshooting; just keep en0 up.

A softer approach would be to observe requests by:
watch --interval=5 'iptables -nvL | grep -v "0 0"'

(lifted from:


Bottom of the article)

#14

That's how Cisco does it: "implicit deny rule".
If a permit rule doesn't allow it, it gets dumped.