Struggling with pihole-FTL

The admin gui is working properly.

I'll do some more testing; some of the commands we deleted are needed to stop it issuing DHCP offers to the dummy interfaces etc. Need to work on the blocklist as well, it's empty at the moment.

But thanks for the help and the systematic guidance.

Goodnight.

PS the only thing I did differently before that last test was to issue a systemctl daemon-reload.

No warning it was required, just a feeling.
Don't you just love systemd.

Harry

netadmin@namepi:~/dnsmasq_rubbish $ sudo systemctl  daemon-reload
netadmin@namepi:~/dnsmasq_rubbish $ sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d/,*.conf
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=192.168.55.9#53
/etc/dnsmasq.d/10-mypiholesetup.conf:bind-dynamic
/etc/dnsmasq.d/10-mypiholesetup.conf:listen-address=172.25.25.146,127.0.0.1
netadmin@namepi:~/dnsmasq_rubbish $ sudo service dnsmasq stop
netadmin@namepi:~/dnsmasq_rubbish $ sudo service pihole-FTL start
netadmin@namepi:~/dnsmasq_rubbish $ sudo service pihole-FTL status
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated; vendor preset: enabled)
   Active: active (exited) since Fri 2020-01-03 22:28:42 GMT; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2557 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Jan 03 22:28:42 namepi systemd[1]: Starting LSB: pihole-FTL daemon...
Jan 03 22:28:42 namepi pihole-FTL[2557]: Not running
Jan 03 22:28:42 namepi su[2586]: Successful su for pihole by root
Jan 03 22:28:42 namepi su[2586]: + ??? root:pihole
Jan 03 22:28:42 namepi su[2586]: pam_unix(su:session): session opened for user pihole by (uid=0)
Jan 03 22:28:42 namepi pihole-FTL[2557]: FTL started!
Jan 03 22:28:42 namepi systemd[1]: Started LSB: pihole-FTL daemon.
netadmin@namepi:~/dnsmasq_rubbish $ sudo netstat -ltunp | grep ":53 "
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2601/pihole-FTL     
tcp        0      0 172.25.25.146:53        0.0.0.0:*               LISTEN      2601/pihole-FTL     
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd             
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2601/pihole-FTL     
udp        0      0 172.25.25.146:53        0.0.0.0:*                           2601/pihole-FTL     
udp        0      0 192.168.55.9:53         0.0.0.0:*                           26553/unbound       
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol 
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd             
netadmin@namepi:~/dnsmasq_rubbish $

pihole-FTL (dnsmasq) is not a network manager or DHCP client.
For Raspbian + Pi-hole default, dhcpcd5 does the assigning of IP addresses to interfaces:

pi@noads:~ $ apt policy dhcpcd5
dhcpcd5:
  Installed: 1:6.11.5-1+rpt7

pi@noads:~ $ man dhcpcd5
[..]
DESCRIPTION
     dhcpcd is an implementation of the DHCP client specified in RFC
     2131.  dhcpcd gets the host information (IP address, routes, etc)
     from a DHCP server and configures the network interface of the
     machine on which it is running.  dhcpcd then runs the configura‐
     tion script which writes DNS information to resolvconf(8), if
     available, otherwise directly to /etc/resolv.conf.  If the host‐
     name is currently blank, (null) or localhost, or force_hostname
     is YES or TRUE or 1 then dhcpcd sets the hostname to the one sup‐
     plied by the DHCP server.  dhcpcd then daemonises and waits for
     the lease renewal time to lapse.  It will then attempt to renew
     its lease and reconfigure if the new lease changes when the lease
     beings to expire or the DHCP server sends message to renew early.

     If any interface reports a working carrier then dhcpcd will try
     and obtain a lease before forking to the background, otherwise it
     will fork right away.  This behaviour can be modified with the
     -b, --background and -w, --waitip options.
[..]

pi@noads:~ $ tail /etc/dhcpcd.conf
interface eth0
  static ip_address=10.0.0.2/24
  static routers=10.0.0.1
  static domain_name_servers=127.0.0.1

pi@noads:~ $ service dhcpcd status
[..]
   Active: active (running) since Tue 2019-12-03 23:04:20 CET; 1 months
[..]

EDIT: Or do you mean it's running its own DHCP service?
Currently, pihole-FTL is not configured to serve DHCP.

@shoka. This has been quite a long thread, and it appears that your problem is resolved? If so, can you post a short summary of the problem you originally noted and what steps fixed the problem?

Wish I could be definitive about the problem. When the dust settles a little, I'll undo some of the changes to see what breaks it again.

The overall problem is that I'm building a dedicated name server for my local network. That name server will talk via a VPN to the internet. The name server is built by using pihole-FTL as the internal network facing name server, (and address filter), with the outside facing name server being an instance of unbound, and an authoritative nameserver for the local network domains implemented by NSD.

All three nameservers are running on the Pi, the pihole-FTL server running on the eth0 interface, and the two other name servers running on virtual interfaces in the pi.

Internal name service requests are directed to the pihole-FTL server, which forwards unmatched names to the unbound server, which does a recursive name lookup on the internet. If that name lookup is for the "private" namespace for my network, that recursion reaches the name server that hosts the public DNS configuration for my network, which returns the ns record for the local domain, which is the IP address of the NSD instance, which responds with an authoritative response for the local name.

Since that returned ns record contains a private address, only valid within my network, only local systems can resolve names in that name domain.

The fundamental issue I've been struggling with is that dnsmasq/pihole-FTL is not really aimed at that sort of installation; by default it assumes that it's alone, and possibly directly internet connected. In that scenario open name server ports are a security issue, so as a security measure dnsmasq/pihole-FTL attempts to bind to all interfaces in the box, and actively discards name server queries from interfaces other than the one it is intentionally servicing.

So the game has been to find a configuration for pihole-FTL that respects the other two name servers on their virtual interfaces, but also avoids pihole-FTL detecting the interfaces already configured, spitting out its dummy and refusing to bind any interface at all.

I managed to get a config for an unmodified version of dnsmasq that did as required fairly early in this saga, but the battle has been to get a config for pihole-FTL that functioned the same.

I've still more testing to do as I want to be able to start and stop any of the three name servers, and be able to restart them, i.e. not have pihole-FTL see the open DNS ports on those interfaces (when the appropriate name server is stopped) as a hazard and bind them itself.

After much help from deHakkelaar, I've found at least a config that meets my minimal requirement to use pihole-FTL.

Two commands that have proved invaluable are

sudo netstat -ltunp | grep ":53 "

That lists all the interfaces on the box, UDP and TCP, that have port 53 active, and which process is holding that port.

And a deHakkelaar special

sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort

that finds all the commands in all the active pihole-FTL/dnsmasq config files. I'm still not sure I understand how it works completely, but it certainly does work, and well.

With the set up described above, I can now use the server command in nslookup, to route name requests to any of the three name servers, and see what each returns.

The pihole admin web interface now works mostly as expected, and I'm definitely filtering out adverts.

Harry
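As an added example (not from any post in this thread), the netstat check Harry describes can be turned into a small audit script. It runs over a constructed copy of the listing shown earlier with one hypothetical extra line appended (a second dnsmasq bound to 0.0.0.0:53, which is not on this system) so that the check has something to fire on: a whole-host bind on port 53 is exactly what the per-address split of pihole-FTL, unbound and nsd is meant to avoid, and a stopped server's address being picked up by another process is the failure mode Harry still wants to test for.

```shell
#!/bin/sh
# Constructed sample: the "netstat -ltunp | grep ':53 '" listing from the thread,
# plus one hypothetical line (PID 4242, a dnsmasq on 0.0.0.0:53) that is NOT on
# the real system and exists only so the wildcard check has something to report.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2601/pihole-FTL
tcp        0      0 172.25.25.146:53        0.0.0.0:*               LISTEN      2601/pihole-FTL
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      26553/unbound
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2601/pihole-FTL
udp        0      0 172.25.25.146:53        0.0.0.0:*                           2601/pihole-FTL
udp        0      0 192.168.55.9:53         0.0.0.0:*                           26553/unbound
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4242/dnsmasq'

# Print "proto local-address program" for every socket on port 53.
# netstat prints a State column for tcp but not udp, so the PID/program
# is always taken from the last field rather than a fixed column.
port53_owners() {
  printf '%s\n' "$1" | awk '$4 ~ /:53$/ { split($NF, p, "/"); print $1, $4, p[2] }'
}

# Sockets bound to every address (0.0.0.0 or ::). A resolver doing this takes
# port 53 away from any per-address server that is restarted later.
wildcard_port53() {
  port53_owners "$1" | awk '$2 == "0.0.0.0:53" || $2 == ":::53"'
}

# Succeed only when every :53 socket on ADDR (tcp and udp) belongs to PROGRAM
# and at least one such socket exists. Usage: check_owner "$listing" ADDR PROGRAM
check_owner() {
  addr=$2
  prog=$3
  port53_owners "$1" | awk -v a="$addr:53" -v p="$prog" '
    $2 == a { seen++; if ($3 != p) bad++ }
    END { exit !(seen > 0 && bad == 0) }'
}

# Human-readable pass: list the owners, then warn about whole-host binds.
audit_port53() {
  port53_owners "$1"
  wild=$(wildcard_port53 "$1")
  if [ -n "$wild" ]; then
    printf 'WARNING: whole-host bind on port 53 -> %s\n' "$wild"
    return 1
  fi
  return 0
}

# Stand-alone run on the constructed sample. On a live box you would feed it
# "$(sudo netstat -ltunp)" instead.
if audit_port53 "$SAMPLE_NETSTAT"; then
  echo "port 53 split looks as intended"
else
  echo "one listener covers all addresses; the per-IP servers cannot coexist with it"
fi
```

The expected mapping from the thread (pihole-FTL on 172.25.25.146 and 127.0.0.1, unbound on 192.168.55.9, nsd on 192.168.55.1) can be asserted with `check_owner`, so the same script doubles as a post-restart check that a stopped server's address was not grabbed by pihole-FTL in the meantime.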

I wonder how three individual ports for the three services instead of three (partially virtual) interfaces with the same port would have worked. Reading this again, only pihole-FTL has to be visible on port 53 within your network, right?

If this is true, unbound could have been bound to 127.0.0.1:5311 and nsd to 127.0.0.1:5312 (or similar).

Lots of possible ways to set it up. My reason for setting it like this is those loopback addresses are visible from my network (static route to them via 172.25.25.146), and can be set as target servers in nslookup. Thus I can use nslookup and examine the returns from each name server, without having to remember what port I set them up on.

Harry

This is a recursive search of the /etc/dnsmasq directory and subdirectories, looking for all non-commented lines and sorting the output. Very handy Linux command.

:grin: I know what it does. It's the grep magic that does it that I have not yet got my head around.

OK, I understand: the ^# is a line beginning with #, the | is presumably an or, and the ^$ is presumably lines beginning with $. The -R foxed me until I looked up the man page: it searches recursively through subdirectories, including following symbolic links.

Harry

I also have a Pi on this network acting as a VPN router. The plan is to tunnel traffic out from the unbound instance to that vpn router, so dns lookups are sent via the VPN to the internet. That is easier to achieve if the unbound instance has its own IP.

Yeah, grep recursively ("-R") through all files matching the pattern "/etc/dnsmasq.*".
Grep for lines starting with a hash ("^#") or ("\|") empty lines ("^$") and invert ("-v") the results.
And sort the lot.
If you had changed the directive below in dnsmasq.conf:

conf-dir=/dnsmasq.d/,*.conf

I would have had to change the grep into:

sudo grep -v '^#\|^$' -R /etc/dnsmasq.* --include=*.conf | sort

:wink:

Further on this, as you only need extra IPs to listen/bind to, you could have done without the dummy interfaces and used IP aliasing on one interface instead:

deHakkelaar

Respectfully disagree :grin:

My dnsmasq.conf file

netadmin@namepi:~ $ cat /etc/dnsmasq.conf 
# Configuration file for dnsmasq.
#
conf-dir=/etc/dnsmasq.d/,*.conf
netadmin@namepi:~ $

Files in my /etc/dnsmasq.d/

netadmin@namepi:/etc/dnsmasq.d $ ls 
01-pihole.conf  10-mypiholesetup.conf  README
netadmin@namepi:/etc/dnsmasq.d $
netadmin@namepi:~ $ sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d/,*.conf
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=192.168.55.9#53
/etc/dnsmasq.d/10-mypiholesetup.conf:bind-dynamic
/etc/dnsmasq.d/10-mypiholesetup.conf:listen-address=172.25.25.146,127.0.0.1
netadmin@namepi
netadmin@namepi:~ $ sudo grep -v '^#\|^$' -R /etc/dnsmasq.* --include=*.conf | sort
/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d/,*.conf
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:except-interface=nonexisting
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=192.168.55.9#53
/etc/dnsmasq.d/10-mypiholesetup.conf:bind-dynamic
/etc/dnsmasq.d/10-mypiholesetup.conf:listen-address=172.25.25.146,127.0.0.1
netadmin@namepi:~ $

Both commands list the content of /dnsmasq.conf and the contents of /dnsmasq.d/*.

Looks like the /etc/dnsmasq.* matches dnsmasq.conf and dnsmasq.d

and the -R recurses into /dnsmasq.d/ and all the files in there.

Importantly to me, as I've been bitten by dnsmasq's default habit of viewing everything in /etc/dnsmasq.d/ as config files except for some very odd limitations, that config line restricts dnsmasq, and presumably pihole-FTL, to read only *.conf files as config files.

Harry

If you have the directive below:

conf-dir=/etc/dnsmasq.d/,*.conf

The dnsmasq part in pihole-FTL would only load config files with the suffix *.conf.
So grepping for other files not ending in *.conf would make no sense, would it?

Unless you are worried that the shorter command can misleadingly find command lines in non *.conf files, that are in files that will not be processed by dnsmasq with that config command.

That is true as far as I can see.

Does that --include=*.conf help? Does that exclude any file not matching *.conf?

pi@noads:~ $ sudo grep '^#' -R /etc/dnsmasq.* --include=README | sort
/etc/dnsmasq.d/README:#
/etc/dnsmasq.d/README:# All files in this directory will be read by dnsmasq as
/etc/dnsmasq.d/README:# configuration files, except if their names end in
/etc/dnsmasq.d/README:# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
/etc/dnsmasq.d/README:# This can be changed by editing /etc/default/dnsmasq

Yep it does exclude...

       --include=GLOB
              Search only files whose base name matches GLOB (using wildcard matching as described under --exclude).
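To make the two grep variants concrete, here is an added example (not deHakkelaar's or Harry's own commands) that builds a constructed copy of the layout shown in this thread under a temporary directory and compares the broad search with the --include=*.conf one, then lists the lines the broad search reports that dnsmasq never loads under conf-dir=...,*.conf. The file 01-pihole.conf.dpkg-old and its server line are hypothetical, standing in for the kind of leftover non-.conf file the README mentions; the alternation is written as -E '^(#|$)' rather than the BRE '\|' so it also runs on non-GNU grep.

```shell
#!/bin/sh
# Build a constructed copy of the thread's layout under $1 (never touches /etc).
make_sample_tree() {
  root=$1
  mkdir -p "$root/dnsmasq.d"
  printf '# Configuration file for dnsmasq.\n#\nconf-dir=%s/dnsmasq.d/,*.conf\n' "$root" \
    > "$root/dnsmasq.conf"
  printf 'no-resolv\nserver=192.168.55.9#53\nexcept-interface=nonexisting\n' \
    > "$root/dnsmasq.d/01-pihole.conf"
  printf 'bind-dynamic\nlisten-address=172.25.25.146,127.0.0.1\n' \
    > "$root/dnsmasq.d/10-mypiholesetup.conf"
  printf '#\n# All files in this directory will be read by dnsmasq as\n# configuration files\n' \
    > "$root/dnsmasq.d/README"
  # Hypothetical leftover from a package upgrade: a real-looking directive in a
  # file that conf-dir=...,*.conf never loads, so dnsmasq never sees this server.
  printf 'server=10.9.9.9#53\n' > "$root/dnsmasq.d/01-pihole.conf.dpkg-old"
}

# The thread's command: every non-comment, non-blank line in anything matching
# dnsmasq.* under the tree. -E '^(#|$)' is the portable form of '^#\|^$'.
all_directives() {
  grep -Ev '^(#|$)' -R "$1"/dnsmasq.* | sort
}

# The same search limited to the files dnsmasq actually loads with
# conf-dir=.../dnsmasq.d/,*.conf (the main dnsmasq.conf also ends in .conf).
effective_directives() {
  grep -Ev '^(#|$)' -R "$1"/dnsmasq.* --include='*.conf' | sort
}

# Directives the broad search shows but dnsmasq never reads: the misleading
# finds the thread worries about. Implemented as a set difference with -Fxv.
stale_directives() {
  eff=$(mktemp)
  effective_directives "$1" > "$eff"
  all_directives "$1" | grep -Fxv -f "$eff"
  rm -f "$eff"
}

# Stand-alone demo on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "== directives dnsmasq will load =="
effective_directives "$demo_root"
echo "== shown by the broad grep but never loaded =="
stale_directives "$demo_root"
rm -rf "$demo_root"
```

Run on a real box the functions take /etc as the root (`effective_directives /etc`), and `stale_directives /etc` is the quick way to spot a directive that is present in the directory but silently ignored because its file name does not end in .conf.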

grep is my favorite and most used bash command ... besides nc and dd :wink:
