Static public IP behind Fritz!Box, PiHole unreachable

The issue I am facing:

For years I was able to use PiHole on my server with a static IPv4. Unfortunately, PiHole is unreachable now after the modem can no longer run in bridge mode and the router is now connected as an Exposed Host. I have not been able to find a solution online and I am asking for help.

Details about my system:

The Fritz!Box 6490 Cable used to have a static public IPv4 (78.94.18#.##4) from Vodafone West (formerly Unitymedia). The FRITZ!Box was in bridge mode, and behind it was an Apple AirPort Extreme with the public IPv4 78.94.18#.##5. This acted as a router, had the private address 10.0.1.1, and used PiHole on the server 10.0.1.4. All devices connected to the AirPort Extreme and receiving IP addresses and DNS info from it used PiHole, and everything worked fine.

Now Vodafone West has made some technical changes, and in the FRITZ!Box’s still selectable bridge mode, the AirPort Extreme would no longer be online with the static IPv4. Therefore, behind the FRITZ!Box with the public IPv4 78.94.18#.##4, the router with the public IPv4 78.94.18#.##5 now needs to be configured as an Exposed Host. The router still has the private IPv4 10.0.1.1 and assigns private IPs from that range to all connected devices. As long as I specify common DNS servers like 8.8.8.8 in the router, everything works.

But: No matter whether I configure PiHole with 10.0.1.4 in the router or in the modem (FRITZ!Box), the router and connected devices have no DNS and practically complain about a missing internet connection.

What’s strange is that everything works if I manually set PiHole with 10.0.1.4 as the DNS server on the individual end devices behind the routers. But for several reasons, this is not a good solution.

So how can I centrally distribute 10.0.1.4 and thus PiHole from the router automatically as the DNS to the end devices?

My debug token is https://tricorder.pi-hole.net/3GcD5r3k/

Many thanks!

Exposing Pi-hole's DNS server via a public IP will turn your Pi-hole into an open resolver, thus posing a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

The recommended way to remotely access a home-based Pi-hole would be to also run a VPN server in your network, exclusively allowing VPN clients via authenticated, secure VPN connections.

Another option would be to run your Pi-hole behind a DNS-over-TLS (853) or DNS-over-HTTPS (443) proxy, where only that proxy would be publicly exposed.
Using DoT would also allow you to use certain smartphones' Private DNS feature to connect to your Pi-hole remotely.

Thx! I fully agree and I actually use StrongSwan to access my system externally. Only Apache2 is exposed to the internet.

But my problem is that I cannot access my server with PiHole from the Fritz!Box. Hence, this is an internal access I want - but do not have.

Hi Manni,

I created a VPN user in the Fritzbox and can access Pi-Hole from outside without any issues, even with my Google phone.

Is this a solution you have considered yet?

Thx all!

Settings → DNS → Expert → Conditional Forwarding → “true,10.0.1.0/24,10.0.1.1” did the trick for me.
