Update: DNS server doesn't work anymore

Hi there.

Let me explain my setup.

I’ve been using Pi-Hole for a few years on my Syno NAS without any trouble. I used to run it through Docker this way.

Creation of a docker VLAN network

docker network create -d macvlan --subnet=192.168.0.0/24  --gateway=192.168.0.254 --ip-range 192.168.0.250/32 -o parent=eth3 public-network

And the pi-hole container is set up to run on this “public-network” network, with the 192.168.0.250 local IP.

This container plays the role of my DNS server, also when I’m out of my home. On my router, I redirect all incoming queries to the 53 ports (on both TCP and UDP) to the 192.168.0.250 local address.

And again, this has worked for years…until yesterday night. I had to re-create the container, and upgrade to the new version. It works…locally. No way to get the DNS queries from outside to work, I see log messages like this:


2025-09-29 06:38:54.063 CEST [282/F52] WARNING: dnsmasq: ignoring query from non-local network 141.22.28.202

Here is the container command.


docker run -d --name pihole-2025-08-0 \
  --network public-network \
  --ip=192.168.0.250 \
  -p 53:53/tcp \
  -p 53:53/udp \
  -e DNSMASQ_USER="root" \
  -e TZ="Europe/Paris" \
  -v pihole-etc:/etc/pihole/ \
  -v pihole-dnsmasq:/etc/dnsmasq.d/ \
  --dns=127.0.0.1 \
  --dns=1.1.1.1 \
  --restart=unless-stopped \
  --hostname pi.hole \
  -e VIRTUAL_HOST="pi.hole" \
  -e PROXY_LOCATION="pi.hole" \
  -e FTLCONF_webserver_api_password="blablabla" \
  -e DNSSEC=true \
  -e FTLCONF_dns_upstreams="1.1.1.1;9.9.9.9" pihole/pihole:2025.08.0

In the pi-hole documentation, there is something related to accepting requests from the outside: Interfaces - Pi-hole documentation

But I don’t have this kind of UI on my pi-hole instance.

What am I doing wrong, or what did I forget?

Thanks.

Your Pi-hole is receiving traffic from public IPs.

You are about to turn your Pi-hole into an open resolver, thus posing a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

The recommended way to remotely access a home-based Pi-hole would be to also run a VPN server, exclusively allowing VPN clients via authenticated, secure VPN connections.

Another option would be to run your Pi-hole behind a DNS-over-TLS (853) or DNS-over-HTTPS (443) proxy, where only that proxy would be publicly exposed.
Using DoT would also allow you to use certain smartphones' Private DNS feature to connect to your Pi-hole remotely.


Crystal clear.

It has run this way for a few years, and I didn’t think about the potential threat this could cause.
So, thanks a lot, really.
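
A way to check from the FTL log whether the refused queries discussed above come from the Internet or from an internal subnet, as an added example that is not part of the original thread or of Pi-hole's own code. It assumes the log format of the warning quoted in the first post; the function names and every sample line except the first are constructed.

```python
import ipaddress
import re
from collections import Counter

# The FTL/dnsmasq warning quoted in the thread: timestamp first, source address last.
WARNING = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r".*ignoring query from non-local network (?P<src>\S+)\s*$"
)

def summarize(lines):
    """Count refused queries per source, split into public and internal senders."""
    report = {"public": Counter(), "internal": Counter(), "first": None, "last": None}
    for line in lines:
        match = WARNING.match(line)
        if not match:
            continue  # unrelated log line
        try:
            source = ipaddress.ip_address(match["src"])
        except ValueError:
            continue  # truncated or malformed address
        # Globally routable source: port 53 is reachable from the Internet.
        # Anything else: a routed internal subnet such as VPN clients.
        bucket = "public" if source.is_global else "internal"
        report[bucket][str(source)] += 1
        report["first"] = report["first"] or match["ts"]
        report["last"] = match["ts"]
    return report

def exposed_to_internet(report):
    """True when at least one refused query came from a public address."""
    return bool(report["public"])

# Constructed sample: the first line is the one from the post, the rest are
# made up in the same format (10.8.0.2 stands for a hypothetical VPN client).
SAMPLE_LOG = """\
2025-09-29 06:38:54.063 CEST [282/F52] WARNING: dnsmasq: ignoring query from non-local network 141.22.28.202
2025-09-29 06:38:55.410 CEST [282/F52] WARNING: dnsmasq: ignoring query from non-local network 141.22.28.202
2025-09-29 06:39:02.118 CEST [282/F52] WARNING: dnsmasq: ignoring query from non-local network 10.8.0.2
2025-09-29 06:39:03.000 CEST [282/T301] INFO: some unrelated message
2025-09-29 06:39:04.500 CEST [282/F52] WARNING: dnsmasq: ignoring query from non-local network 141.22.
""".splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for kind in ("public", "internal"):
        for address, count in result[kind].most_common():
            print(f"{kind:8} {address:15} {count} refused queries")
    print("resolver reachable from the Internet:", exposed_to_internet(result))
```

Public sources in the report mean the router's port 53 forwarding rule is exposing the resolver; internal sources point to a routed subnet, such as the VPN clients recommended in the reply.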