Disabling only DNS server and use Pi-hole instead?

dirk · September 28, 2023, 9:04am

Hello,

I've set up Pi-hole as a docker on a raspberry pi, but I still have to disable the dns server in OpenWrt, as far as I understood, to make Pi-hole being used.

In Luci, when I navigate to DHCP and DNS, I read the following below the headline:

"Dnsmasq is a combined DHCP-Server and DNS-Forwarder for NAT firewalls"

This confuses me a little bit. Does it mean, I cannot deactivate OpenWrt's DNS server without also disabling OpenWrt's DHCP server, which I'm still using and want to use in the future?

In the "Interfaces" -> "LAN" -> "General Settings" tab I saw a "Use Custom DNS" and there I added my raspberry pi's ip.

Running a nslookup from my CMD, the server requested is still my OpenWrt router. Also when I execute the following commands before:

ipconfig /release & ipconfig /renew
ipconfig /release6 & ipconfig /renew6
ipconfig /flushdns

Can you please help me, what I exactly have to do to get Pi-hole running in my LAN? The best way for me would be the following:

Ask Pi-hole to resolve DNS
When Pi-hole is not available, ask OpenWrt - because I'm almost sure it's running always.

Thanks and kind regards,

Dirk

frollic · September 28, 2023, 10:28am

not really, you could set openwrts dnsmasq to use the pihole as upstream resolver.

or you need to use option 6 from https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options, to tell your clients to use the pi's IP as DNS.

dirk · September 30, 2023, 7:20pm

Thank you, I'll look into that.

dirk · October 1, 2023, 4:57pm

I looked into the DHCP Options you've linked. I made the following config from the shell

uci add_list dhcp.lan.dhcp_option="6,192.168.0.2"
uci commit dhcp
/etc/init.d/dnsmasq restart

Afterwards I rebooted the router, reconnected my wifi device to the router, ran the ipconfig release and renew and flushdns commands I mentioned in the first post.

Nevertheless Pi-hole doesn't seem to be used.

On my windows client a

ipconfig /all

IPv6-Adresse. . . . . . . . . . . : 1234:5678:9101::bb1(Bevorzugt)
Lease erhalten. . . . . . . . . . : Donnerstag, 28. September 2023 11:01:17
Lease läuft ab. . . . . . . . . . : Donnerstag, 8. November 2159 01:15:00
IPv6-Adresse. . . . . . . . . . . : 1234:5678:9101:0:74ee:ac3c:39fe:be1(Bevorzugt)
Temporäre IPv6-Adresse. . . . . . : 1234:5678:9101:0:5172:9ac0:d29c:d081(Bevorzugt)
Verbindungslokale IPv6-Adresse . : fe80::7d25:be67:ec64:d0d5%2(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.0.40(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.0.1
DHCPv6-IAID . . . . . . . . . . . : 45896751
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-26-99-41-69-00-2B-67-8C-EE-0C
DNS-Server . . . . . . . . . . . : 1234:5678:9101::1
192.168.0.2
NetBIOS über TCP/IP . . . . . . . : Aktiviert

So in general it knows the Pi-hole, but only on second position. Does this mean, it prefers the IPv6 dns?

A nslookup 1234:5678:9101::1 shows my router as name.

On my raspberry pi running Pi-hole in a docker, my ifconfig looks like:

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 0512::34:9837:1234:bad5 prefixlen 64 scopeid 0x20
ether 00:00:00:00:00:00 txqueuelen 0 (Ethernet)
RX packets 2146165 bytes 2765469903 (2.5 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4239566 bytes 5554702478 (5.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 1234:5678:9101::ae6 prefixlen 128 scopeid 0x0
inet6 1234:5678:9101::2d6 prefixlen 128 scopeid 0x0
inet6 :::::**** prefixlen 64 scopeid 0x20
inet6 1234:5678:9101:0:74c9:a3e6:8f0f:d8f9 prefixlen 64 scopeid 0x0<gl

Any ideas what's going wrong?

Thanks and kind regards,

Dirk

frollic · October 1, 2023, 5:35pm

Does nslookup google.com 192.168.0.2 from a client work ?

dave14305 · October 1, 2023, 7:33pm

Does the Pi-Hole have a static ULA address you can advertise via IPv6 on the LAN?

dirk · October 2, 2023, 4:51pm

Thanks for your responses.

Sadly I get the following message:

nslookup google.com 192.168.0.2
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.2

No, there's no static IPv6 address for my raspberry pi running Pi-hole as docker. Only a static IPv4 address configured as follows:

IPv4

auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
dns-nameservers 192.168.0.2

Testwise I extended my IPv4 static config on the raspberry pi by

IPv6

iface eth0 inet6 static
pre-up modprobe ipv6
address fe80::1
netmask 64

and set the Pi-hole docker env variable FTLCONF_LOCAL_IPV6 to fe80::1, restarted the raspberry pi, but nothing changed.

Something I remembered was: I have an iphone and can manually set the DNS to 192.168.0.2. In this case, webpages in Safari cannot be loaded anymore on the smartphone. No idea why it cannot reach the webpages.

The Pi-hole itself seems to work, at least the admin page tells me in some cases that queries, probably directly from the raspberry pi, were routed over Pi-hole.

frollic · October 2, 2023, 5:07pm

then you need to figure out why your dockered pi-hole isn't reachable.

dirk · October 2, 2023, 9:24pm

Any ideas why this could be the case? I can e.g. call via the browser http://192.168.0.2/admin and see the config page. So in general it's reachable and port "forwarding" for port 53 on TCP and UDP is also made (this is, how it's shown in portainer):

0.0.0.0:53 53/tcp
:::53 53/tcp
0.0.0.0:53 53/udp
:::53 53/udp

At least for everything going on on the raspberry pi, it seems to work. E.g. when I open phpmyadmin running on another docker container on the same pi, it calculates the queries made.

Executing the command for open tcp and open upd ports on the raspberry pi

netstat -lnt | grep LISTEN | awk '{ print ( $4 ) }' | awk 'BEGIN{FS=":"} { print $(NF) }' | sort -n | uniq

and

netstat -lnu | grep udp | awk '{ print ( $4 ) }' | awk 'BEGIN{FS=":"} { print $(NF) }' | sort -n | uniq

show me port 53 to be open.

frollic · October 3, 2023, 12:58am

Incoming or outgoing?

Add google.com to the list of local DNS names, then redo the nslookup.

If it works, then it's an issue with the outgoing queries.

dirk · October 3, 2023, 7:14am

Thanks a lot for your help. I managed to get it work in the morning. The problem was: The Pi-hole dns config was restricted to "Allow only local requests".

I want to let everybody with potentially the same problem know how I found the problem and how I fixed it.

In the Pi-hole admin mask navigate to Tools-> Pi-hole diagnosis.
There I found the dnsmasq warning "ignoring query from non-local network 192.168.0.40
Navigate to Settings -> tab DNS
Find the Potentially dangerous options section
Check Respons only on interface eth0 -> or any other of the potentially unsafe options that make sense for you (read the warning message below these options)
Save

When I now call some websites with lots of ads I see the queries counter increasing and also the blogged queries counter.

Thanks once again to both of you. I'm happy it's now working.

cantenna · October 3, 2023, 8:46am

Curious to know motivation of using docker to deploy pihole on a raspberry pi...

dirk · October 3, 2023, 9:43am

I wanted to try it out and get cleanly rid of it again, in case it don't like it. Since I'm not a networking expert, I would be interested, why this is curious for you and/or why it shouldn't be installed in docker.

For me, from my current experiences (some hours surfing) using Pi-hole on my Raspberry Pi 4 with 4 GB is really performant and I don't remember any performance issues while surfing.