Unable to connect to the internet

Expected Behaviour:

All my devices on my network being routed through my pihole. My pihole is running as a docker container on 10.0.50.50 on a Linux Ubuntu machine.

Actual Behaviour:

My PC (10.0.50.25) is unable to connect to the internet at all. Queries are being accepted by some devices but not all. The debug log shows that no ipv4 or ipv6 is configured, I am unsure why.

Debug Token:

https://tricorder.pi-hole.net/0X6a8Mmv/

My docker compose:

version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: "host"
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'EXPUNGED'
      #DNSMASQ_LISTENING: 'local' #pihole only listens to local/non-internet subnets. Deactivated because otherwise VPN Queries are not accepted.
      WEB_PORT: '8050'
    volumes:
      - '/docker/pihole/etc-pihole:/etc/pihole:rw'
      - '/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d:rw'
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped

I believe my interface is named enp2s0.
I am trying to change the interface name the pihole is using to this value. I am trying to follow this topic. But when trying to exec into the pihole container and entering pihole -r I receive Function not supported in docker images.

How can I reconfigure the pihole using docker? The web interface doesn't seem to offer it and the command is not supported when using the pihole docker image.

That expectation is off.
Pi-hole isn't a router.

Unlike a router, its DNS resolver will only ever see your clients' DNS traffic, provided your clients have been configured to use Pi-hole for DNS.

More precisely, it shows that no IP addresses are attached to eth0.
This shouldn't surprise you, since your Pi-hole host is lacking a NIC of that name, sporting an enp2s0 instead.

And as you run your Pi-hole container in host mode, you should consider configuring its INTERFACE advanced variable accordingly.

I updated my docker compose to include INTERFACE: enp2s0.
The interface seems to be correctly bound now, but my pc can still not connect.

Debug-token: https://tricorder.pi-hole.net/HLaom7Lh/

When using nslookup pi.hole on my PC the output is:
DNS Request timed out. timeout was 2 seconds. Server: UnKnown Address: 10.0.50.50.
The output is the same for other inputs like

  • nslookup flurry.com 10.0.50.50
  • nslookup flurry.com.

IPv6 is disabled on my pc. This is the output of ipconfig /all | findstr "DNS/ Servers":

DNS Servers . . . . . . . . . . : 10.0.50.50
DNS Servers . . . . . . . . . . : fec0:0:0:ffff::1%1
DNS Servers . . . . . . . . . . : fec0:0:0:ffff::1%1

Your debug log shows that your Fritzbox router is advertising a set of its own IPv6 addresses as DNS resolver:

*** [ DIAGNOSING ]: contents of /etc

-rw-r--r-- 1 root root 998 Nov 28 13:11 /etc/resolv.conf
   nameserver 10.0.50.50
   nameserver fd00::<redacted>70
   nameserver 2003:<redacted>70
   nameserver 2003:<redacted>87
   search fritz.box

I'd recommend disabling propagation of IPv6 DNS server addresses altogether.
See Unresolved ipv6 adress in my top list - #4 by Bucking_Horn for suggestions on how to achieve that with a Fritzbox.

In addition (and unrelated to your DNS observations), your webserver seems to be configured for a different IP (from the default range of your Fritzbox):

*** [ DIAGNOSING ]: contents of /etc/pihole
(...)
-rw-rw-r-- 1 1000 pihole 203 Nov 28 13:11 /etc/pihole/pihole-FTL.conf
   REPLY_ADDR4=192.168.178.50

You should adjust your container's FTLCONF_LOCAL_IPV4 for your new address.

In case your Fritzbox is still using a 192.168.178.0/24 network, your 10.0.50.50 would not be reachable from that network, unless routing is configured accordingly.

Your above nslookup may suggest that you are using separate subnets, which could explain your observation.

If you are indeed on a single 10.0.50.0/24 subnet, something on the client issuing that nslookup may interfere with DNS operations.
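The resolver lists quoted above (the host's /etc/resolv.conf and the PC's ipconfig output) can be checked for any DNS server other than Pi-hole, since a client is free to send queries to those and skip Pi-hole's filtering. The following is an added example, not part of the original thread; the sample inputs are constructed, with 2001:db8:: and fd00::1870 standing in for the redacted router addresses, and the function names are hypothetical.

```python
import ipaddress
import re

PIHOLE = "10.0.50.50"  # Pi-hole address used in the thread

# Constructed samples modelled on the thread's output (addresses are placeholders).
RESOLV_CONF = """\
search fritz.box
nameserver 10.0.50.50
nameserver fd00::1870
nameserver 2001:db8::1870
"""
IPCONFIG = """\
DNS Servers . . . . . . . . . . : 10.0.50.50
DNS Servers . . . . . . . . . . : fec0:0:0:ffff::1%1
"""

SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # deprecated IPv6 site-local range


def resolvers(text):
    """Return resolver addresses from resolv.conf or ipconfig-style lines."""
    found = []
    for line in text.splitlines():
        m = (re.match(r"\s*nameserver\s+(\S+)", line)
             or re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line))
        if m:
            found.append(m.group(1))
    return found


def classify(addr, pihole=PIHOLE):
    """Label one resolver: 'pihole', 'site-local' or 'bypass'."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %1
    if ip == ipaddress.ip_address(pihole):
        return "pihole"
    if ip.version == 6 and ip in SITE_LOCAL:
        return "site-local"
    return "bypass"


def audit(text, pihole=PIHOLE):
    """Pair every configured resolver with its label."""
    return [(a, classify(a, pihole)) for a in resolvers(text)]


if __name__ == "__main__":
    for name, sample in (("resolv.conf", RESOLV_CONF), ("ipconfig", IPCONFIG)):
        for addr, label in audit(sample):
            print(f"{name}: {addr} -> {label}")
```

Any entry labelled `bypass` is a resolver the machine learned from somewhere other than the Pi-hole setting, which is what stopping the router's IPv6 DNS propagation is meant to remove.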

Yes. What I'm confused about, I thought this wouldn't matter if IPv6 is disabled on my PC?
I thought my PC would ignore the IPv6 addresses and only use 10.0.50.50 as the DNS Server.

I also tried to input the top two of the four ipv6 addresses shown on my fritz box for my 10.0.50.50 machine, but it didn't seem to change anything. When using ipconfig it always still showed a different ipv6 server, presumably the default one from the fritz box. I assume I'm overlooking an option that is overwriting that custom DNS field. The screenshots are to show how I tried this, it is not how my settings currently look, after this I tried disabling IPv6.

The Webserver address must be a remnant of before I switched to the 10.0.50.0/24 subnet, which is over a year ago. I added FTLCONF_LOCAL_IPV4: 10.0.50.50 and FTLCONF_REPLY_ADDR4: 10.0.50.50 to my docker compose and the address is now correctly set:

REPLY_ADDR4=10.0.50.50
LOCAL_IPV4=10.0.50.50

Every single device in my network is using 10.0.50.0/24. I have 3 devices that use 192.168.179.0/24. They are smart devices which use my Guest-Wifi. This IP-range is fixed by FritzBox and cannot be changed. I doubt this has anything to do with it. So yes, I should be using a single subnet.

Lastly, I followed your guide and disabled IPv6. I unticked the DNSv6 Router advertisement and activated the "There are no other DHCPv6 servers in the home network" option. Sadly no change.

Debug-log: https://tricorder.pi-hole.net/akD3yOMU/

I also tried disabling IPv6 support under Account like in the last screenshot. This is the debug-token after doing so: https://tricorder.pi-hole.net/VkU28XJ0/

Edit: I also tried adding "10.0.50.50" and "pi.hole" to the DNS rebind protection exception field, if it matters. Additionally, my Ethernet adapter settings on my PC for the IPv4 protocol has all settings on the default, like "Obtain DNS-Server automatically" etc. IPv6 protocol is still disabled.



On that Windows client, you wouldn't run any local firewall or antivirus package, e.g. AVG Secure DNS or AVAST Real-Site?
You'd have to disable those features in your antivirus package to have Pi-hole do its filtering.

I am not using any firewall other than windows defender on my PC. I have a Synology NAS on the IP 10.0.50.55 that used to run the pihole until a week ago. The NAS of course had a firewall, but after moving the pihole over and everything seemed to work correctly, I haven't yet made a sweep over its firewall rules, as it's only local anyways. Not that it matters, but I thought knowing that I moved the pihole from one machine to another a while ago might be relevant and give you ideas. The NAS used to have the 10.0.50.50 address.

What name (and by inference, device) is your Fritzbox associating with those IPs?

nslookup 10.0.50.50 10.0.50.1
nslookup 10.0.50.55 10.0.50.1

Interesting.

nslookup 10.0.50.50 10.0.50.1 returns *** fritz.box cant find 10.0.50.50: non-existent domain.

nslookup 10.0.50.55 10.0.50.1 returns Name: NAS-Server.fritz.box Address: 10.0.50.55.

So my fritz box can connect to my NAS but not my K-Server? Curious.

Edit: I checked that all my cables are correctly plugged in. My router, Synology and K-Server are connected using a simple 5 port switch. All cables seemed to sit correctly but I nonetheless plugged them out and back in. I tried it again and this time it correctly recognizes it. Name: K-Server.fritz.box Address: 10.0.50.50

Internet is still non-accessible tho.

Did this perhaps affect the results of your nslookups for pi.hole as well?

nslookup pi.hole still returns a timeout for the address 10.0.50.50

Could you share the complete output, including the command itself?

nslookup pi.hole returns DNS Request timed out. timeout was 2 seconds. Server UnKnown. Address: 10.0.50.50. ***Request to UnKnown timed-out. Sry, I have to type out the output.

Do those requests register in Pi-hole's Query Log?

Also and probably related, your debug log suggests that you have ticked 'Permit all origins' in your Pi-hole's Interface Settings under Settings | DNS.

Now that you've configured your container for the correct interface, could you try to switch to Respond only on interface... to see if that would make a difference?

It doesn't seem like they do. Here is a screenshot, refreshed around 5 seconds after the command finished.

Changing the Interface setting to "Respond only on interface" hasn't seemingly changed anything either. I ran nslookup again and same result. I will leave the setting on that though. I also reset my PC's network configuration and rebooted, I will leave the IPv6 protocol on for now, unless you say I should deactivate it again. DNS Server are still shown as 10.0.50.50 and two IPv6 addresses.

Wait, now many domains can't be reached. See the debug log: https://tricorder.pi-hole.net/aRhLAnsg/.

Fritzbox sometimes messes up hostnames and IP addresses if devices of the same name have been assigned different IP addresses over time, and it could also be confused if additional routing equipment would be active in your network (your switch wouldn't be of a smart/managed variant that would have limited routing/layer-3-switching capabilities?).

If that happens, you could end up speaking to a different device than you want if you access a device by name.

It cannot explain why nslookups to Pi-hole's IP address time out, though.

This would reinforce that something is interfering with DNS, preventing DNS requests to reach your Pi-hole.

As mentioned, the usual suspects here would be firewalls or antivirus DNS features.

Not quite - the debug log shows that DNS resolution via Docker's internal virtual network interfaces fails.

This is expected and shouldn't be harmful, unless other containers under the same Docker daemon's control would require to send DNS requests to Pi-hole via Docker's internal network.

Just to clarify:
The linked configuration does not disable IPv6 - it just stops your router from propagating an IPv6 address as DNS server.

This should at least have resulted in no global scope IPv6 addresses on your Pi-hole host machine's enp2s0 interface.
However, your debug log shows the exact same set of IPv6 addresses as before, including GUAs:

*** [ DIAGNOSING ]: Networking

[✓] IPv6 address(es) bound to the enp2s0 interface:
    2003:<redacted>87/64
    2003:<redacted>fb/64
    2003:<redacted>52/64
    fe80::<redacted>ca/64

Also, the IPv6 DNS servers learned by your host machine did not change at all

*** [ DIAGNOSING ]: contents of /etc

-rw-r--r-- 1 root root 998 Nov 28 13:11 /etc/resolv.conf
   nameserver 10.0.50.50
   nameserver fd00::<redacted>70
   nameserver 2003:<redacted>70
   nameserver 2003:<redacted>87
   search fritz.box

I'm not sure what you refer to here.
I did not recommend to disable IPv6, and there's no reason to do so in your case.
Your FB supports stopping propagation of IPv6 DNS server addresses, and I'd still recommend configuring it in that way.

However, your Pi-hole host seems to be slow in picking up your Fritzbox IPv6 configuration changes, or perhaps to ignore them altogether.

Did you perhaps manually apply a static IPv6 address configuration on the machine hosting Pi-hole?

Does your Pi-hole host pick up IPv6 changes if you reboot it?

So maybe I should just reset all my Network devices in my fritz box to make sure this is not happening?

No, it's an unmanaged switch. Something like this.

On my Ubuntu machine I don't have any firewall application installed. I'm no linux expert, but I think it shouldn't be blocked on my Linux machine's end. And my PC just has the standard windows defender, not sure what could be blocking it there. The only restrictive firewall is on my NAS, every port has to be manually opened to be used but that shouldn't have anything to do with this either right?

I'm referring to the IPv6 protocol of my PC's ethernet adapter, not the host machine or fritz box. I remember I had to deactivate this back when I first installed pihole so that it works. I do not remember why, you're probably gonna tell me that I shouldn't have to do that in the first place.
So I will leave the IPv6 propagation off, IPv6 as a whole enabled in my FB. I will also leave the IPv6 protocol active on my PC.

I will test this and get back to you.

Edit:
I do not remember making any static IPv6 changes. I did follow the guide on the pihole docker github regarding Ubuntu systems and changing resolved.conf.
Here is the content of the two files mentioned:

firefly@K-Server:~$ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
DNSStubListener=no
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
firefly@K-Server:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search fritz.box
nameserver 10.0.50.1
nameserver fd00::b2f2:8ff:fe6e:1870
nameserver 2003:d0:bf0d:dc00:b2f2:8ff:fe6e:1870
firefly@K-Server:~$ 

I disabled IPv6 propagation 10 minutes ago, but did not restart the host machine yet, so I'm not sure whether anything regarding the IPv6 addresses should have changed. I do notice that the DNS= of /etc/systemd/resolved.conf is empty though. Is that supposed to be?
Currently IPv6 propagation is disabled, and I do NOT have my piholes set as the DNS in my fritz box. I did that yesterday and to restore my internet connection for my PC. I would try to set my pihole as static DNS, restart my host machine and see if these files change?

Edit2:
This changed, /etc/systemd/resolved.conf stayed the same.

firefly@K-Server:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search fritz.box
nameserver 10.0.50.50

Edit3:
Rebooting my PC made the DNS-Servers change from DNS Servers: 3 ipv6 addresses to DNS Servers 10.0.50.50, 2 IPv6 addresses. If IPv6 propagation is off, shouldn't it only be 10.0.50.50?
Oh wait, the IPv6 addresses after the change are something like fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1. I read here that this is unusual.

Here is a fresh debug log if it matters: https://tricorder.pi-hole.net/LN7SFoJN/
I notice that there is now a dashboard header error, not sure whether it's relevant.

Should I try to reset my FB network and reassign the IP addresses and hostnames?

Also, I am confused about something. What is the difference between these two settings:


Can I leave the one with the account information as is? Do I only need to change the DNS under Network>IPv4?

Edit: I see ufw is installed on my host machine. Might I need to allow the ports? sudo ufw status returns Status: inactive though, so I assume not.