Setting DNS to Pi-Hole Kills the Internet

Expected Behaviour:
Set the DNS Servers to the Pi-Hole's IP under DHCP server and ads are blocked and the Internet works.

Actual Behaviour:
When the DNS Servers are set to the Pi-Hole's IP under DHCP server, the Internet drops almost instantly. Switching back to default DNS Servers restores the Internet. I do not have an option to turn off DHCP on my router.

Running a Raspberry Pi Zero W which connects to my Wifi network (no problem). Set both primary and secondary DNS under DHCP, plus just primary, and got the same result. I am using a TP-Link M5 Deco Mesh Router which is connected directly to a cable modem. The router is connected to a TP-Link TL-SF1005D switch so I have enough ethernet ports for various devices.

Debug Token:

https://tricorder.pi-hole.net/8797ztv05c

What does dig pi.hole @192.168.68.112 show?

The debug log is showing a failure to resolve when using that address.

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] ads.araba.com is 192.124.249.18 via localhost (127.0.0.1)
[✗] Failed to resolve ads.araba.com via Pi-hole (192.168.68.112)
[✓] doubleclick.com is 172.217.164.238 via a remote, public DNS server (8.8.8.8)

It does appear that some clients have used this Pi-hole in the past:

   [2020-02-16 01:25:18.490 1921] Imported 2137 queries from the long-term database
   [2020-02-16 01:25:18.491 1921]  -> Total DNS queries: 2137
   [2020-02-16 01:25:18.491 1921]  -> Cached DNS queries: 277
   [2020-02-16 01:25:18.492 1921]  -> Forwarded DNS queries: 1405
   [2020-02-16 01:25:18.492 1921]  -> Exactly blocked DNS queries: 455
   [2020-02-16 01:25:18.492 1921]  -> Unknown DNS queries: 0
   [2020-02-16 01:25:18.492 1921]  -> Unique domains: 588
   [2020-02-16 01:25:18.492 1921]  -> Unique clients: 9
   [2020-02-16 01:25:18.493 1921]  -> Known forward destinations: 4
   [2020-02-16 01:25:18.493 1921] Successfully accessed setupVars.conf

I should add that 192.168.68.112 is the IP address of the Pi-hole, which has been reserved on the router. Running the dig pi.hole command yields the following result.

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> pi.hole @192.168.68.112
;; global options: +cmd
;; connection timed out; no servers could be reached

Are you running any kind of firewall that would cause DNS queries from the Pi-hole to itself to fail? What is the output from ip -4 address show on the Pi-hole device?

If it matters I am using Cloudflare as my upstream DNS provider. Maybe Google or OpenDNS would work?

I run Windows Defender and Firewall on my Windows PC and standard router level firewall protection. When I run ip -4 address show my result is:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.68.112/24 brd 192.168.68.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever

Upstream providers wouldn't matter at this point. We're just trying to get the Pi-hole to respond locally to queries.

Does dig pi.hole @127.0.0.1 give any result?

Yes:

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> pi.hole @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41602
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pi.hole. IN A

;; AUTHORITY SECTION:
. 2911 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020021501 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 16 04:33:31 GMT 2020
;; MSG SIZE rcvd: 111

That shows the resolver on the Pi-hole device is not using Pi-hole itself. Are you running any other DNS servers on the same Pi-hole device?

I tried to install Unbound via the Unbound guide.

However, at the "/etc/unbound/unbound.conf.d/pi-hole.conf" step I received the below error message so I abandoned the install.

-bash: /etc/unbound/unbound.conf.d/pi-hole.conf: No such file or directory

Is that causing a conflict? Should I wipe the whole thing and start over?

/etc/unbound/unbound.conf.d/pi-hole.conf is a file you have to edit. The guide shows the content of the file as it needs to be when edited. Try editing that file sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf or using your favorite editor.

So I edited the file as provided in the instructions. When I run dig pi-hole.net @127.0.0.1 -p 5353 I get:

;; global options: +cmd
;; connection timed out; no servers could be reached

Is there a way to start from square 1 and do a clean install (format it) or would that not help?

What does sudo systemctl status --full --no-pager unbound show?

sudo systemctl status --full --no-pager unbound shows:

● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-02-16 01:33:52 GMT; 11h ago
     Docs: man:unbound(8)
  Process: 498 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 505 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
 Main PID: 509 (unbound)
   Memory: 10.4M
   CGroup: /system.slice/unbound.service
           └─509 /usr/sbin/unbound -d

Feb 16 01:33:50 raspberrypi systemd[1]: Starting Unbound DNS server...
Feb 16 01:33:51 raspberrypi package-helper[505]: /var/lib/unbound/root.key has content
Feb 16 01:33:51 raspberrypi package-helper[505]: success: the anchor is ok
Feb 16 01:33:52 raspberrypi unbound[509]: [509:0] notice: init module 0: subnet
Feb 16 01:33:52 raspberrypi unbound[509]: [509:0] notice: init module 1: validator
Feb 16 01:33:52 raspberrypi unbound[509]: [509:0] notice: init module 2: iterator
Feb 16 01:33:52 raspberrypi systemd[1]: Started Unbound DNS server.
Feb 16 01:33:52 raspberrypi unbound[509]: [509:0] info: start of service (unbound 1.9.0).
Feb 16 01:34:07 raspberrypi unbound[509]: [509:0] info: generate keytag query _ta-4f66. NULL IN
Feb 16 12:45:07 raspberrypi unbound[509]: [509:0] info: generate keytag query _ta-4f66. NULL IN

After you edit the file, you need to restart unbound: sudo service unbound restart

Ok I ran the sudo command and now when I run the ping tests that the Unbound guide says to run, I get the expected results.

Now sudo systemctl status --full --no-pager unbound shows:

● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-02-16 17:37:20 GMT; 7min ago
     Docs: man:unbound(8)
  Process: 5180 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 5183 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
 Main PID: 5187 (unbound)
   Memory: 4.8M
   CGroup: /system.slice/unbound.service
           └─5187 /usr/sbin/unbound -d

Feb 16 17:37:19 raspberrypi systemd[1]: Starting Unbound DNS server...
Feb 16 17:37:20 raspberrypi package-helper[5183]: /var/lib/unbound/root.key has content
Feb 16 17:37:20 raspberrypi package-helper[5183]: success: the anchor is ok
Feb 16 17:37:20 raspberrypi systemd[1]: Started Unbound DNS server.
Feb 16 17:37:21 raspberrypi unbound[5187]: [5187:0] info: start of service (unbound 1.9.0).

And dig pi.hole gives me:

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> pi.hole @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pi.hole.                       IN      A

;; ANSWER SECTION:
pi.hole.                2       IN      A       192.168.68.112

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 16 17:45:42 GMT 2020
;; MSG SIZE  rcvd: 52

And one last addition: I set the primary DNS under DHCP for my router to the Pi-hole. Now my internet isn't cutting out, but I am not getting ads blocked. For testing I am using: Test your ad blocker (in a few simple steps) - Ads-blocker.com

Load a page known to have lots of ads, e.g. cnn.com. If you don't see a page full of ads, Pi-hole is working.

Ok I loaded cnn.com on a browser with no ad-blocker installed. I see "paid partner content" both on the right and near the bottom. See example attached.

One thought: do I need to restart (either the PC or my connection to the network) in order to get the benefits of Pi-Hole after setting the DNS?

From the client on which you loaded this web page, from the command prompt or terminal on that client (and not via ssh or Putty to the Pi), what is the output of

nslookup pi.hole

And, what is the OS of the client involved?

Using Windows 10. The browser is Microsoft Edge. I run Firefox with ad blocking, which is why I don't use it to test.

Here is the output of nslookup pi.hole

Microsoft Windows [Version 10.0.18362.657]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>nslookup pi.hole
Server: dns.google
Address: 8.8.8.8

*** dns.google can't find pi.hole: Non-existent domain
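The checks the replies above walk through, collected into one script. This is an added example, not code from the thread or from the Pi-hole project. It classifies dig output the same way the thread did: "connection timed out" means nothing answered on that address and port (not listening, bound elsewhere, or firewalled); NXDOMAIN with the root zone's SOA in the AUTHORITY section means a public resolver answered, so whatever is on that address is not Pi-hole; an A record for pi.hole means Pi-hole itself answered. It also extracts the server a client's nslookup actually used, which is the check the last reply asks for. The sample outputs embedded below are constructed from the values posted in the thread; the live probe runs only when the assumed PIHOLE_IP variable is set and dig is installed.

```shell
#!/bin/sh
# Added example (not from the thread or Pi-hole). Classifies the dig outcomes
# seen in the thread and checks which resolver a client's nslookup used.

# classify_dig: read dig output on stdin, print one of
#   timeout  - nothing answered on that IP:port
#   upstream - NXDOMAIN signed off by the root SOA: a public resolver answered
#   pihole   - NOERROR with an A record for pi.hole: Pi-hole answered
#   other    - anything else, inspect by hand
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout ;;
        *"status: NXDOMAIN"*)
            if printf '%s\n' "$out" | grep -q '^\.[[:space:]].*IN[[:space:]]*SOA[[:space:]]*a\.root-servers\.net\.'; then
                echo upstream
            else
                echo other
            fi ;;
        *"status: NOERROR"*)
            if printf '%s\n' "$out" | grep -q '^pi\.hole\.[[:space:]].*IN[[:space:]]*A[[:space:]]'; then
                echo pihole
            else
                echo other
            fi ;;
        *) echo other ;;
    esac
}

# nslookup_server: print the resolver address nslookup reports (the
# "Address:" line after "Server:"); strips the "#53" suffix Linux adds.
nslookup_server() {
    awk '/^Server:/ {want=1; next}
         want && /^Address:/ {sub(/#.*/, "", $2); print $2; exit}'
}

# client_uses_pihole EXPECTED_IP: succeed only if the nslookup output on
# stdin shows the client asked EXPECTED_IP. Returns false for the thread's
# Windows client, which was still asking 8.8.8.8.
client_uses_pihole() {
    [ "$(nslookup_server)" = "$1" ]
}

# check_live IP [PORT]: probe a real resolver for pi.hole (needs dig).
check_live() {
    dig +time=2 +tries=1 pi.hole @"$1" -p "${2:-53}" | classify_dig
}

# Constructed samples, values taken from the thread.
sample_timeout() { cat <<'EOF'
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> pi.hole @192.168.68.112
;; global options: +cmd
;; connection timed out; no servers could be reached
EOF
}
sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41602
;; QUESTION SECTION:
;pi.hole. IN A
;; AUTHORITY SECTION:
. 2911 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020021501 1800 900 604800 86400
EOF
}
sample_ok() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55917
;; ANSWER SECTION:
pi.hole.                2       IN      A       192.168.68.112
EOF
}
sample_nslookup() { cat <<'EOF'
C:\Windows\system32>nslookup pi.hole
Server: dns.google
Address: 8.8.8.8
*** dns.google can't find pi.hole: Non-existent domain
EOF
}

# Live run, e.g. PIHOLE_IP=192.168.68.112 sh check-pihole.sh (assumed usage).
if [ -n "${PIHOLE_IP:-}" ]; then
    echo "127.0.0.1:53  -> $(check_live 127.0.0.1)"
    echo "$PIHOLE_IP:53 -> $(check_live "$PIHOLE_IP")"
fi
```

Run the two live probes from the Pi-hole itself; "upstream" on 127.0.0.1 is the situation the thread was in before Unbound was fixed, and "timeout" on the LAN address means the service is not reachable on that interface. On a client, pipe nslookup pi.hole into client_uses_pihole with the Pi-hole's address to see whether DHCP actually handed it out.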