While using Pi-hole as only DNS, nothing is loading

Hi all!

First post, please be forgiving, I'm trying to do things right. :slight_smile: Excuse my poor English: French guy over here.

Expected Behaviour:

Just showing Internet pages normally.

I should mention that I'm a computing engineer (more developer than network specialist, I admit). So I hope I can understand your advice.

Actual Behaviour:

First of all: IPv6 is disabled everywhere in my LAN. DHCPv6 on the router is turned off. Pihole IPv6 is disabled too (I think. It doesn't let me tick any of the DNS IPv6 upstream servers).

After setting up my Raspberry Pi 3B+, I installed Pihole normally and applied the setup I was running previously in a Docker container on my QNAP NAS.
Everything went well for two weeks, but lately webpages don't load at all or take years. And very often when the browser times out.

My Raspberry has a static IP (192.168.1.253) outside of the DHCP range of my router (192.168.1.2 - 192.168.1.252/24). The strange thing is that if I disable Wifi on my Raspi, I can no longer ping it nor SSH to the eth0 static IP (this began at the same time Pihole or whatever started doing sh*t.).

Here is /etc/dhcpcd.conf

interface eth0
static ip_address=192.168.1.253/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

/etc/resolv.conf gives 127.0.0.1 on the Raspi and the Raspi LAN address (so the Pihole one) is used as the only DNS server in my DHCP settings (on the router) and it does apply to clients as expected.

My router is a ZTE F670. As an extra, I've added the Pihole IP address in Applications > DNS Service > Hosts of my router but I'm not sure what it actually does... (but not adding it in this section gives the exact same result).

I've noticed that "dig" does pass through Pihole and answers correctly but the command takes a lot of time to return control to me (but the DNS response from Pihole takes less than 200ms).

dig +trace [@192.168.1.253] facebook.com

I've also noticed that the number of DNS queries running through Pihole explodes as soon as it has been defined as the primary DNS server of my LAN (loop ??).

Lastly, I've noticed that my iPhone gets my Pihole address as DNS but alongside an IPv6 (fe80::1) out of nowhere (I don't understand...).

I've disabled all DNS upstream servers from Pihole config and set a custom DNS IPv4: 192.168.1.1 (my router's IP, translated in 192.168.1.1#53).

Two days of googling have given me no idea of what's going on...

Debug Token:

https://tricorder.pi-hole.net/ynhqmhc34a
https://pastebin.com/0gC4LKwa

Any help would be greatly appreciated! For now, I've switched back to Google's DNS... My bad! :frowning:

Thank you so much. :blush:

That is your IPV6 gateway (your Router).

Not according to the debug log.

You have a GUA IPV6 address enabled/used on your RaspberryPi that does not match the IPV6 IP that was configured during initial setup.

[✓] IPv6 address(es) bound to the eth0 interface:
   fe80::1b9a:168:61ef:879 does not match the IP found in /etc/pihole/setupVars.conf

See

in order to get a more stable IPV6 IP address.

On the other hand, it seems that your gateway does not want to respond to pings on both IPV6 and IPV4 IP either.

[i] Default IPv4 gateway: 192.168.1.1
192.168.1.1
   * Pinging 192.168.1.1
192.168.1.1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
 
[i] Default IPv6 gateway: fe80::1
fe80::1
   * Pinging fe80::1
fe80::1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)

That's (as seen above) your IPV6 IP of your gateway.

You are right about the loop here but it's a little more tangled than what you think.

According to your config, you are pointing and using Pi-hole with the upstream DNS as the gateway (192.168.1.1).

I don't know how that gateway is set-up or what/how it works when it comes to DNS (remember it doesn't respond to pings, could be that it's not allowing/responding to DNS queries either).

IF your DNS server within the gateway points to 253 then you definitely threw the requests in a loop and the only way it will work is when the request is bounced/tried via the IPV6 DNS server that the router uses.

Between your request and the moment it's tried via the IPV6 resolver (as a fallback at router level), there is a noticeable delay, never the same though. So probably that's why you see the slow response time.

What I recommend doing is setting it up like this:

Pi-hole set up to use a different upstream server (any of the available there or even a custom one, maybe a local Unbound instance).

Raspberry Pi set up with ULA IPV6.

Gateway set up with IPV4 IP of Pi-hole as its (sole) WAN DNS.

One thing to keep in mind. If the gateway is your DHCP server, then it will propagate via the DHCP packet itself as the default gateway to all clients.
Because of that, Pi-hole will see all the requests originate from the gateway's IP (see logic):

Client1 <--->
Client2 <---> Gateway <--> Pi-Hole
ClientN <--->

If your gateway allows you, you should specify the default DNS server as your Pi-hole IP at DHCP server level (setting).
Otherwise you have 2 options:

1. Disable DHCP within the Router and enable it on Pi-hole.
2. Manually specify the IPV4 IP of Pi-hole on each and every client.

Oh and one more thing:

If IPV4 and IPV6 are both present and enabled within a network, IPV6 is preferred and, unless you have your IPV6 settings correct, you might sometimes see ads (that get resolved via IPV6 and, because of erroneous settings, bypass Pi-hole).

1 Like
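
The forwarding loop described in the reply above, as an added example that is not part of any post in this thread: it reads Pi-hole's upstreams from `setupVars.conf` and follows the forwarding chain to see whether queries come back to Pi-hole. The file excerpt is constructed, and the router's own DNS setting (`router_upstreams`) is an assumption that has to be read off the router's admin page.

```python
import re

# Constructed /etc/pihole/setupVars.conf excerpt matching the setup in this
# thread (custom upstream 192.168.1.1#53); not copied from the debug log.
SETUPVARS = """\
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.1.253/24
PIHOLE_DNS_1=192.168.1.1#53
"""

def pihole_address(text):
    """Pi-hole's own IPv4 address, without the /prefix."""
    m = re.search(r"^IPV4_ADDRESS=([^/\s]+)", text, re.M)
    return m.group(1) if m else None

def pihole_upstreams(text):
    """Upstream resolvers from PIHOLE_DNS_n lines, with any '#port' removed."""
    found = re.findall(r"^PIHOLE_DNS_\d+=(\S+)", text, re.M)
    return [u.split("#", 1)[0] for u in found]

def find_loops(forwarders, start):
    """Follow every forwarding path from `start`; return each cycle as a hop list."""
    loops = []
    def walk(node, path):
        for nxt in forwarders.get(node, []):
            if nxt in path:
                loops.append(path[path.index(nxt):] + [nxt])
            else:
                walk(nxt, path + [nxt])
    walk(start, [start])
    return loops

def check(setupvars, router_ip, router_upstreams):
    """router_upstreams is an assumption: the DNS servers set on the router itself."""
    pihole = pihole_address(setupvars)
    graph = {pihole: pihole_upstreams(setupvars), router_ip: router_upstreams}
    return find_loops(graph, pihole)

if __name__ == "__main__":
    # Router forwards to the Pi-hole while the Pi-hole forwards to the router.
    print(check(SETUPVARS, "192.168.1.1", ["192.168.1.253"]))
    # Same router setting, but Pi-hole uses an outside upstream: no cycle.
    fixed = SETUPVARS.replace("192.168.1.1#53", "8.8.8.8")
    print(check(fixed, "192.168.1.1", ["192.168.1.253"]))
```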

Hi!

Thanks for your complete answer.

We were right for the DNS loop on the LAN but I've already figured it out and solved it.

DHCPv6 was never enabled on the router so how is it possible for the Raspberry to have an IPv6 address knowing that I've configured its static IPv4 manually (maybe Router Advertisement?) ?! I will have a look at the link you provided: thanks. Or I will try to disable IPv6 altogether on the router to prevent Router Advertisement.

For settings application concerns through DHCP, yes I'm fully aware of it but I do flush DHCP leases and renew DHCPREQUESTs from clients when necessary, or I manually update clients' settings. Moreover, I do confirm that my router supports specifying primary and secondary DNS within the DHCP configuration, so I don't need (and actually don't want) Pihole to act as my DHCP server.

To refine my current setup (which is finally working pretty well after removing some blocklists and solving my loop issue), I will assign a correct ULA IPv6 to my Raspi.

Thanks again for your help. :blush:

1 Like

After searching in my router's settings, it doesn't seem to provide a way to define an IPv6 ULA address.

So I've set a static IPv6 in /etc/dhcpcd.conf, the same way I did for IPv4 (but this static IPv4 is outside my DHCPv4 range, that is not made for the IPv6 as DHCPv6 is disabled on my router). Then I've set up the same address in /etc/pihole/setupVars.conf.

Is that ok or should I rather disable Router Advertisement in my router's configuration (seems to be possible on an interface basis)?

Let me specify that my ISP doesn't provide IPv6 connectivity on the WAN.

Thanks again. :slight_smile:

See if you can access ipv6.google.com ...

Already tried: can't! And no WAN connection is set up for IPv6 on the router: disabled.

From my laptop: http://tinyurl.com/y5ndqckm

Well then, you are set.

All queries will go through IPV4.

Make sure that your clients will use ONLY the IP of Pi-hole as the DNS server.

Thanks!! :slight_smile:

Make sure that your clients will use ONLY the IP of Pi-hole as the DNS server.
They do except iDevices, plz read below.

But what if my router assigns fe80::1 as DNS (can see that on iPhone for example, even if DHCPv6 is disabled, as explained at first) alongside my Pihole IPv4 (via DHCPv4 config)? Seems to be due to Router Advertisement (I may be wrong).

Here's a brand new debug token:
https://tricorder.pi-hole.net/cftjjpif7t
https://pastebin.com/P9WDueah

fe80::1 is not a valid address really. It's the IPv6 equivalent of 127.0.0.1 or localhost. If you tell a client that they should use fe80::1 as a DNS server then the client will try to query itself.

Yep! I understand. That's the loopback address.

Can you confirm that it is not a problem if my iDevices have 192.168.1.253 (Pihole) AND fe80::1 as DNS addresses at the same time (alongside)? Do they forward their DNS requests to Pihole as expected after falling back to themselves?

Excuse my ignorance, I try to understand every single detail. :slight_smile:

There is no such thing as a fallback DNS server, every server you list will be used. Having loopback as an address for a client that doesn't have a DNS server on it will cause problems as well.
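
An added example (not part of any post in this thread) for the point that every listed DNS server will be used: it takes the resolver list a client received, names each entry's address scope with Python's `ipaddress` module, and flags every entry that is not the Pi-hole. The resolver list and the `%en0` zone suffix are constructed from the addresses mentioned in the thread.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses

def _parse(addr):
    """Parse an address, ignoring a '%zone' suffix such as fe80::1%en0."""
    return ipaddress.ip_address(addr.split("%", 1)[0])

def scope(addr):
    """Name the scope of an IPv4 or IPv6 address."""
    ip = _parse(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 6 and ip in ULA:
        return "unique-local"
    if ip.is_private:
        return "private"
    return "global"

def audit_resolvers(resolvers, pihole_addrs):
    """Return (address, scope, verdict) for every resolver a client was given."""
    allowed = {_parse(a) for a in pihole_addrs}
    report = []
    for r in resolvers:
        verdict = "pi-hole" if _parse(r) in allowed else "not pi-hole"
        report.append((r, scope(r), verdict))
    return report

def bypass_paths(resolvers, pihole_addrs):
    """Resolvers that can answer a client without the query reaching Pi-hole."""
    return [r for r, _, v in audit_resolvers(resolvers, pihole_addrs)
            if v != "pi-hole"]

if __name__ == "__main__":
    # Constructed: what the iPhone in the thread is described as receiving.
    iphone = ["192.168.1.253", "fe80::1%en0"]
    for row in audit_resolvers(iphone, ["192.168.1.253"]):
        print(row)
    print("bypass:", bypass_paths(iphone, ["192.168.1.253"]))
```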

Ok thanks! So I’m good for now, I think.

But, last question: what does « IPv6 will be tried first », as said previously, actually mean? Doesn’t it mean that DNS through IPv6 will be tried first, then fall back to IPv4 if no answer?

Thanks a lot guys!

It depends on the client and the client OS. Some prefer IPv6 over IPv4, some don't. If it does prefer IPv6 then it may try the IPv6 DNS server and wait for things to timeout, could be up to 30 seconds or so, and then try IPv4 resolvers. But an IPv4 DNS server can give out AAAA records along with A records, the IP protocol doesn't determine what record types are returned.

1 Like

I see that there is no IPv6 on the WAN interface, why is it that you want to have IPv6 enabled on the local network? Just disable the protocol and save yourself from dealing with the complexity and hassle for no real gain.

2 Likes

Wasn't aware about that! Thanks! Very helpful information.

Yep, that was what I said previously.

To do so, I think I have to:

  • Disable DHCPv6 (already done)
  • Disable Router Advertisement for all interfaces (so the clients don't get fe80::1 as DNS alongside my Pihole's IPv4)
  • Turn off IPv6 switch

Please see attached screenshots, corresponding to aforementioned points.

What do you think? Is there any advantage to having my LAN addressed with both IPv4 and IPv6 (despite the fact I have no WAN IPv6 address)?

Thanks a lot! :slight_smile:



Your LAN IP Address for IPv6 is wrong. If you want to give your clients an IPv6 address, which is pretty much useless for your network, then you would need to use a ULA range for the addresses. You are trying to assign the loopback address to all of your clients and that is bad.

Just disable IPv6 on your network. Set IPv6 Function to off and be done with it all.

I'm not trying to assign anything, that's the default router's settings. xD

Ok, so you confirm my expectations: no need to have my LAN addressed with IPv6... (I don't have many billions of devices)

Thanks for your help, will give it a try.

Then I may remove my static IPv6 address from my Raspi (/etc/dhcpcd.conf), right?

Yes, if the address is not of use then it should be removed.