with Pi-hole installed, your /etc/resolv.conf should point to 127.0.0.1 (assuming Pi-hole is on the same machine as the above /etc/resolv.conf file).
Your current setting with 52.214.17.59 as your name server, is dodging the Pi-hole and sends all the DNS requests to that IP.
If that's your Public IP then unless you open port 53 in your firewall to allow inbound requests ( I wouldn't recommend that ) that IP will not work (when it comes to Ad blocking) ...
That should point to 127.0.0.1 (on the Pi-hole server).
If the client is outside of the LAN then you'd have resolv.conf point to the PUBLIC IP of the Pi-Hole server.
If the client is within the LAN, you can leave the DHCP server to hand the DNS server settings.
But running an open DNS server is really a bad idea unless you really know what you're doing and implement at least some minimal protection.
Yes ... close down DNS with the firewall and only allow IP addresses that you know are yours or from friends/family!
Or setup openVPN on server and clients to do all the stuff like SSH, DNS, web etc, even on mobile devices, through a secure VPN tunnel:
You really dont want to contribute to a DDOS amplification attack on for example your local bank or hospital do you ?
After firewalling, try below one on one of your clients:
I just found out that my Vodafone router had an option enabled called Safe DNS which prevent usage of custom DNS servers. I disabled it and now I see Pi-hole logging queries. It's still not blocking ads though
Run these commands from both your Pi-Hole OS (in your case Arch Linux) and from a client machine that is seeing ads (substitute nslookup for dig depending on your client OS), and post results.
dig flurry.com - this checks a known ad-blocked site. Should not return an actual IP, should return the IP of your Pi-Hole.
dig flurry.com @8.8.8.8 - this checks same site on a third party DNS, bypassing your Pi-Hole. This should return the actual IP.
[root@ip-172-31-7-138 ~]# cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.1
nameserver 172.31.0.2
[root@ip-172-31-7-138 ~]# dig flurry.com
; <<>> DiG 9.13.0 <<>> flurry.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51975
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flurry.com. IN A
;; ANSWER SECTION:
flurry.com. 300 IN A 172.31.7.138
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 25 19:08:46 UTC 2018
;; MSG SIZE rcvd: 55
On the server, in my /etc/resolv.conf I have an extra DNS server which I suspect is added by AWS: nameserver 172.31.0.2. It seems to be in the same subnet but I'm not sure what it's happening here.
You only ran the dig flurry.com command, and didn't test a direct lookup to the Google servers with the second command. Please run the second command and post results.
Your Pi-Hole appears to have the IP address 172.31.7.138 (confirm by running host pi.hole). If Pi-Hole blocks a site (either from block lists or your black list), it returns the DNS address of the Pi-Hole. If the site is not blocked, Pi-Hole returns the DNS address it obtained from the third party DNS server.
In both your dig commands, the Pi-Hole returned it's own IP address, which indicates that it blocked the domain "flurry.com". The "server" address in your case is the IP address of your resolver that was previously public.
If ads are getting through to a client, I think it's a sneak path either through the second name server or in your router or on the client.
I've found the issue! It was not resolving ad-delivers domains with the Pi-hole server IP address. I fixed that in the /etc/pihole/setupVars.conf configuration file, restarted and it worked.
I also added reject rules for HTTP(S) ports and opened them in the security group, so the connections won't hang.
pi@noads:~ $ host pi.hole 52.214.17.59
;; connection timed out; no servers could be reached
Yeah I suspected something like this happening so wanted to make sure with the dig version, it really was dnsmasq answering and not some safety mechanism on the router like rebind protection:
This means processes/scripts/tasks/programs running on this VM that depend on DNS resolution will sometimes query Pi-hole's own DNS service on the loopback interface 127.0.0.1, and sometimes they will query the other DNS 172.31.0.2.
Nothing wrong whit that but prefered is to have all DNS queries run through 127.0.0.1.
Tip: if you default the router settings @ home, and only configure the upstream DNS resolver for the router (often called WAN DNS or something) to be that of the Pi-hole IP address (no secondary DNS!), the clients, through DHCP, will be configured to use the router for DNS resolution.
And in turn, the router will forward queries to Pi-hole to have them answered.
That way you have your router caching DNS queries on your local network resulting in less traffic to the (slower) internet.
Ps. if you fiddle with DHCP settings, always make sure the client DHCP leases get renewed.
Disconnect & reconnect network on the clients or reboot them.