Some devices, not all, unable to connect to internet

Non-customised install.

Expected Behaviour:

All devices connected to the network have access to the internet if required.

Actual Behaviour:

Most devices connect to the internet and have no issues that I am aware of. However, some claim to have no internet access, 4 in total (out of 16 or so) of which 2 I need fixing.
I currently have to disable PiHole on a regular basis.

I have looked at the logs and see errors being logged such as:

   May  8 14:09:33 dnsmasq[595]: query[AAAA] update.qnap.com from 192.168.1.71
   May  8 14:09:33 dnsmasq[595]: config error is REFUSED (EDE: network error)

That device is my QNAP NAS and it claims to have no access to a DNS Server. I believe that this is because it can't talk to a specific server, ncsi.qnap.com. I have even added the FQDN via regex to allow lists and even turned off blocking, to no avail, still get fresh logs indicating the above. I am unable to debug the other 3 failures further as I have no interface to query the device.

Shutting down the PiHole service and the Pi completely and enabling DHCP on the router, there are no complaints from any devices and those affected devices connect to the internet without reporting issues.

As an update to the initial post, I will add that 2 of the complaining devices are connected by ethernet and 2 via WiFi.

Debug Token:

https://tricorder.pi-hole.net/QFdX6UuH/

Run from your Pi-hole host machine, what's the output of

   echo ">stats >quit" | nc localhost 4711
   echo ">forward-dest >quit" | nc localhost 4711
   echo ">stats >quit" | nc localhost 4711
   domains_being_blocked 177554
   dns_queries_today 2870
   ads_blocked_today 0
   ads_percentage_today 0.000000
   unique_domains 25
   queries_forwarded 0
   queries_cached 0
   clients_ever_seen 9
   unique_clients 9
   dns_queries_all_types 2870
   reply_UNKNOWN 0
   reply_NODATA 0
   reply_NXDOMAIN 0
   reply_CNAME 0
   reply_IP 0
   reply_DOMAIN 0
   reply_RRNAME 0
   reply_SERVFAIL 0
   reply_REFUSED 2870
   reply_NOTIMP 0
   reply_OTHER 0
   reply_DNSSEC 0
   reply_NONE 0
   reply_BLOB 0
   dns_queries_all_replies 2870
   privacy_level 0
   status enabled

   echo ">forward-dest >quit" | nc localhost 4711
   -3 0.00 blocked blocked
   -2 0.00 cached cached
   -1 100.00 other other

And please also share:

   dig +short servers.bind chaos txt
   pi@raspberrypi:~ $ dig +short servers.bind chaos txt
   pi@raspberrypi:~ $

Your output indicates that your Pi-hole isn't aware of any upstream servers to forward DNS requests to.

Consequently, all DNS requests received within the last 24 hours have been REFUSED (as EDE: network error):

You have configured your Pi-hole to use OpenDNS as upstream, but your debug log also shows other public DNS servers to be inaccessible:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] service1.predictad.com is  on lo (127.0.0.1)
[✓] service1.predictad.com is  on eth0 (192.168.1.158)
[✓] No IPv4 address available on wlan0
[✓] service1.predictad.com is  on tun0 (10.52.241.1)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)

This would suggest an upstream connectivity issue.
A possible cause could be a firewall blocking outbound DNS requests from your Pi-hole host machine. You want to verify that your Pi-hole host is allowed access to Pi-hole's required ports.

But more importantly, your debug log shows your Pi-hole host to lack a default route:

*** [ DIAGNOSING ]: Network routing table
   10.52.241.0/24 dev tun0 proto kernel scope link src 10.52.241.1 
   192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.158 metric 202

Why did you limit your traffic to local private networks?
Was that by intention?

You'd have to restore a default route - without a default route, any traffic that does not refer to one of the two subnet routes would have no gateway to go through.

As a result, I doubt that many of your clients are actually using Pi-hole for DNS:
Even if they would be configured to use it as one of their DNS servers, they'd quickly give up using it, as none of their DNS queries would succeed.

This would also suggest that your clients are aware of alternative DNS servers (quite probably via IPv6), or else none of your clients would be able to resolve DNS names at all. This circumstance would likely need additional attention once you've sorted your original issue.

In regard to:

Why did you limit your traffic to local private networks?
Was that by intention?
  • I took no intentional action to do that at all
  • I am intrigued that my laptops, Amazon firestick, etc., etc. have access with no reported issues, hence here I am
  • Is there a command/setting I can change right now to test?
  • PiHole DHCP settings has 192.168.1.1 as the Router (gateway IP address)

It would depend on your host OS how to properly acquire and restore a default route.

Your debug log suggests you are running RPi OS 11/Bullseye.
It also shows you've enabled Pi-hole's DHCP server.

In preparation for that, did you perhaps try to configure a static IP address on your host device?
How would you have done that - via dhcpcd, via NetworkManager or by some other means?

The host device did have a static IP address set up. It was so long ago (3 years?) when that was done I can't remember how it was done. There is no file named /etc/dhcpd.conf. There is dhcpcd.conf which has no defined router, however, does have the static IP address for the host. I've set the router address and rebooted the host.
I can now see

   May 8 17:05:41: query[A] update.qnap.com from 192.168.1.71
   May 8 17:05:41: forwarded update.qnap.com to 208.67.220.220

Logging in to my NAS I now see it's happy.

THANK YOU

I guess perhaps, there's a suggestion maybe this could be checked by install scripts.

As to why only 4 devices complained I have no idea.

Once again thank you!

Now that my memory is working better..

  • When I first installed PiHole all was fine
  • A month later a new device (1 of the 4 that complains) that was installed and complained it had no internet access
  • I disabled PiHole until recently
  • Meanwhile the host was regularly updating (at 1am) every day
  • I then added more devices that complained

Perhaps a host update edited the configuration file. Will keep an eye out.


I have tried to raise your attention for that ;)

Your debug log suggests you have IPv6 connectivity.
What's more, your Pi-hole host machine's OS has been configured for two IPv6 DNS servers:

-rw-r--r-- 1 root root 88 Mar  5 15:46 /etc/resolv.conf
   nameserver 2a00:23ee:0:8000::5
   nameserver 2a00:23ee:0:8000::6

Those are public IPv6 addresses, outside of your own IPv6 network address range.

Most likely, they'd be the ones provided by your ISP, or perhaps your router is advertising its own IPv6 address as DNS server. Doing either would allow all your clients to by-pass Pi-hole.

You'd have to find a way to configure your router to advertise your Pi-hole host machine's IPv6 as DNS server or to stop advertising its own.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether.

If your router doesn't support that either, your clients will always be able to bypass Pi-hole via IPv6.

Okay, so I am now more interested. I have disabled IPv6 on my host - probably a mistake now that I read more carefully.
My router has no option AFAICT to disable either DNS or IPv6.

Q: Since the host is supplying DNS - how come it doesn't supply IPv6 versions thereof?

I do not understand your question.

Which host are you referring to?
In general, hosts wouldn't supply DNS services - they would use them.

With IPv6, it is your router's job to advertise an IPv6 DNS server address periodically, and also on explicit solicitation requests.
Your debug log demonstrates that your router is propagating IPv6 DNS server addresses (unless you manually added those lines to your resolv.conf), but not those of your Pi-hole machine.

Apologies, by host I meant the PiHole host. I naively assumed that the PiHole would always be involved in all such traffic. However, the PiHole documentation is clear on needing to set up the PiHole as the router's DNS entry.
The summary that I have taken is that the devices claiming no internet access were correct, I had a setup issue. The other devices get their DHCP address from the PiHole DHCP but otherwise directed requests to the router and thus had no such issue.
I also clearly have a gap in my understanding of how all this works on my LAN.

I'm re-reading your question as follows then:
"Why doesn't Pi-hole supply IPv6 versions of its DNS services?"

Well, yours already does, as your Pi-hole host has public as well as link-local IPv6 connectivity:

*** [ DIAGNOSING ]: Network interfaces and addresses
(...)
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
       inet 192.168.1.158/24 brd 192.168.1.255 scope global noprefixroute eth0
          valid_lft forever preferred_lft forever
       inet6 2a00:<redacted>e5/64 scope global mngtmpaddr noprefixroute 
          valid_lft forever preferred_lft forever
       inet6 fe80::<redacted>78/64 scope link 
          valid_lft forever preferred_lft forever

But your router is telling your clients to use a different set of IPv6 DNS addresses.

Pi-hole could be configured to advertise its own IPv6 addresses - but that wouldn't stop your router from advertising its own set, so clients could still pick those offered by your router (and they'd also be more likely to prefer the router's over Pi-hole's).
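
Added example, not part of any post in this thread: the three checks the diagnosis above relies on (a default route exists, the share of REFUSED replies, and nameservers in resolv.conf that are not the Pi-hole), as shell functions. The function names and the `PIHOLE_V6` value are assumptions; the sample inputs are copied from the outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.
# Samples below are copied from the outputs posted in this thread.

# True if `ip route` text on stdin contains a default route.
has_default_route() {
    grep -Eq '^[[:space:]]*default[[:space:]]'
}

# Percentage of replies that were REFUSED, from FTL ">stats" text on stdin.
refused_percent() {
    awk '$1 == "reply_REFUSED"           { r = $2 }
         $1 == "dns_queries_all_replies" { t = $2 }
         END { if (t > 0) printf "%d\n", r * 100 / t; else print 0 }'
}

# resolv.conf text on stdin; prints nameservers other than the address in $1.
foreign_nameservers() {
    awk -v self="$1" '$1 == "nameserver" && $2 != self { print $2 }'
}

# $1 = routing table text, $2 = stats text; prints one finding per line.
diagnose() {
    if ! printf '%s\n' "$1" | has_default_route; then
        echo "no default route: upstream DNS servers are unreachable"
    fi
    pct=$(printf '%s\n' "$2" | refused_percent)
    if [ "$pct" -ge 90 ]; then
        echo "${pct}% of replies REFUSED: nothing is being forwarded"
    fi
    return 0
}

ROUTES='   10.52.241.0/24 dev tun0 proto kernel scope link src 10.52.241.1
   192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.158 metric 202'
STATS='queries_forwarded 0
reply_REFUSED 2870
dns_queries_all_replies 2870'
RESOLV='nameserver 2a00:23ee:0:8000::5
nameserver 2a00:23ee:0:8000::6'

diagnose "$ROUTES" "$STATS"
# PIHOLE_V6 is a constructed placeholder for the Pi-hole host's own IPv6 address.
PIHOLE_V6='2001:db8::53'
printf '%s\n' "$RESOLV" | foreign_nameservers "$PIHOLE_V6"
# Live use: ip route | has_default_route
#           echo ">stats >quit" | nc localhost 4711 | refused_percent
```

Any address printed by `foreign_nameservers` is a resolver that clients or the host can use without passing through Pi-hole.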
