Internal PiHole resolves the query but the gateway doesn't forward it?

lostinbits · March 17, 2025, 12:15pm

I’m new to OpenWrt. I just setup a Flint 2 router two days ago. It installed the latest OpenWrt image onto it (it is not using the one that came with it.)

I’ve set my router up using LuCI and not the uci. I can find my way around Linux as a developer but not as network engineer

This will be a long message since I’m trying to describe as much as possible the setup and problem.

I guess the bottom line is that when the query comes from the gateway, even though they get resolved, they are not forwarded to the device making the query even if the query is resolved by the router itself when the DNS Records are added to it. (I added this paragraph up here in my post to describe what the problem seems to be. You’ll find the same at the bottom of the post.)

My basic setup would be really simple if I didn’t have the internal DNS server (PiHoles.) The PiHoles are not just used for ad blocking. They also contains the entries to all my internal servers, of which there are many.

I setup my wireless for both radios. I pointed them both to the “lan” interface.

The LAN interface is setup under the DHCP Server → Advanced Settings tabs to send the addresses of the PiHoles (I have two for redundancy) to the clients. This is done by adding this 6,10.10.10.184,10.10.10.182,1.1.1.1 to the DHCP-Options. BTW, I tried it with out the 1.1.1.1 too.

Under the WANs interfaces (both 4 and 6) I’ve unchecked the “Use DNS severs advertised by peer” and added the addresses of the PiHoles and 1.1.1.1. I didn’t change the DNS weight since I’m not sure what that does.

On the network I have the following:

Fedora desktop ethernet wired
Two Fedora laptops WiFi connected
Two PopOs laptops WiFi connected
Two Graphene OS mobile devices
Two Graphene OS tables (no mobile connection only WiFi)
Many LXC containers running on a Proxmox hypervisor
No Windows, MacOS, iOS, nor stock Android devices in this network as those are separated from the internal LAN.

Finally to the problem.

On the ethernet wired Fedora computer and the PopOS laptops I can access the internal network servers with no problems. When I look at the logs in the PiHoles I can see the request coming from the IP addresses of those devices.

On the two WiFi attached Fedora laptops, I can still access the internal network servers. They get resolved by the PiHoles and I see the queries coming from the laptops IP addresses. However, the first time, after connection to the WiFi, it takes a long time for the browser to load the pages. Now this could be a Fedora issue, but I mention it just for completeness. The PiHoles returns the result of the query in less than 30ms.

Now for the Graphene OS devices. These never get a resolution. Looking at the WiFi settings for those devices I can see that the DHCP did send the DNS addresses as described above. But when I look at the PiHoles queries logs, the queries are coming from the gateway 10.10.10.1. Even though the PiHole does resolve the queries, the devices never get the resolution.

If I ssh into one of the servers on the Proxmox the only DNS server for those is the gateway. So those never get a resolution for the internal network domain names.

Finally what happens when I use the Diagnostics in the router itself? None of the internal domains get the address even though the PiHoles do resolve the entries. I made sure that I tried the Ping and Traceroute for both IPv4 and IPv6 with no success.

The final thing I tried is to add the a couple of the DNS records to the DHCP and DNS section in the DNS Records tab. When I did that, the Diagnostics from the router worked, but none of the devices were able to get the resolution.

Thoughts I’ve had:

The PiHoles are not resolving queries from IPv6. The Diagnostics showed that it didn’t matter if I query IPv4 or IPv6.
It is a problem with Graphene OS. The Diagnostics and nslookup from the LXC severs showed that not to be the problem.

I guess the bottom line is that when the query comes from the gateway, even though they get resolved, they are not forwarded to the device making the query even if the query is resolved by the router itself when the DNS Records are added to it.

Thank you for any help you can provide.

lostinbits · March 19, 2025, 5:54pm

Ok. this was not a problem with anything except me...

Because I couldn't figure this out, I decided that I would use AdGuard Home instead of PiHole and install it on the router itself. However, before I did that I thought, why if I just install AGH on my Proxmox and see if PiHole is the problem.

Doing that yielded the same result. But while looking at the documentation to install AGH on the router, I noticed the demotion of dnsmasq to port 54 for the DNS and the forwards. That was my problem. Doing that made it work for me. I did that, again in LuCI.
In my Proxmox, I also had to set the DNS server to the IP address of the AGH.

Of course having AGH running on Proxmox is not a good idea in case of updates to the AGH or Proxmox itself. So I'm in the process of setting up a second AGH on a Pi.

I'm staying with AGH instead of PiHole for two reasons:

The wildcard DNS Rewrites for all my internal servers. Makes it a lot easier
The much easier way to sync both AGH servers.

LilRedDog · March 19, 2025, 6:19pm

I missed this; we'll figure it out.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

lostinbits · March 19, 2025, 7:09pm

Hi @LilRedDog I got the problem resolved as mentioned above. However, I could still post my settings if you think that will help others. Let me know.

LilRedDog · March 19, 2025, 8:09pm

I was just responding to this part.
If you're satisfied just mark your post as the solution for others.