Pi-hole in LAN. How to use it from guest network?

Hi all,
I have a lan network (192.168.1.0/24) and a guest network (192.168.3.0/24). My pi-hole is on the lan network and I populate the pi-hole address using DHCP option (6,<ip address of pihole>). Everything works fine for clients on the lan network. I can see that the guest network clients have pi-hole configured as dns server, but still I cannot see any guest network client in the pi-hole query log, and nslookup on a guest network client seems to query the router as dns server, not pi-hole.

I configured a firewall rule "accept" from guest network to lan network with ip address of pi-hole and port 53 tcp/udp, but that doesn't help.
In Pi-hole DNS settings I have configured "Permit all origins", but that doesn't solve the issue either.

Any idea how to force guest network clients to use the pi-hole on the lan network as DNS server and that I see the guest network clients in the query log?

Check your configuration one more time.

https://forum.openwrt.org/t/use-pi-hole-in-different-subnet/60385/ - #2 by trendy

Make sure that masquerading on the lan zone is not enabled or there is no SNAT rule rewriting the source addresses of the requests to the lan IP address of the router.


thanks, but the configuration of the firewall rule is identical to my configuration.
Regarding NAT, I have a rule for "automatic rewrite source IP" from any zone to WAN zone. But that should not apply for forwarding between lan and guest network, right?

Maybe the reason is IPv6, because nslookup on the client says that it uses the ipv6 address of the router as DNS server. How can I prevent that the client gets the ipv6 address of the router as DNS server?

Add option ra_dns '0' to the corresponding dhcp section.

https://openwrt.org/docs/techref/odhcpd?s=ra_dns#dhcp_section

I had already configured "RA-Service disabled" in IPv6 settings on interface "guest". That did not help

Do you need a DHCPv6 server?
If not, disable the odhcpd service or at least stop it temporarily to see if that fixes the problem.
Make sure to update the DHCP configuration and clear the DNS cache on the client device.

thanks, I disabled dhcpv6 and now nslookup on the guest network client reports that it uses my pi-hole as dns server. That's good!

But still I don't see the queries of the client in the query log?!

I already added name and ip of the client in /etc/hosts...

The only remaining explanation (at least to me) is some kind of SNAT-ing.
Can we see the firewall configuration?

uci export firewall

the only NAT rules are

config nat
        option target 'MASQUERADE'
        option name 'vpnnat'
        option src_ip '192.168.200.0/24'
        option src 'wan'

config redirect
        option name 'Divert DNS'
        option proto 'udp tcp'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'

the firewall rule for pi-hole is

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'guest dns pihole'
        option dest 'lan'
        option dest_port '53'
        list dest_ip '192.168.1.x'

Not exactly what was requested.

This rule intercepts all DNS traffic originating from the lan zone and redirects it to the router's local (lan) interface. The router then forwards the query to the upstream DNS server (Pi-hole or whatever) on its behalf, so it's not clear to me how you can see the real originator of the request.

My mistake. You have option 6 set, so the DNS query should be sent directly to the Pi-hole

Hmm, it seems that even on lan network not all clients show up in the query log. I just tested on a lan client and it didn't show up. Other clients in the lan network show up constantly in the query log.

If I disable the divert dns rule, then dns lookups on lan still work, but nslookup on guest network returns dns request timed out.

Without seeing the whole configuration it's hard for me to guess what's wrong, but you can try the following workaround.

config redirect
        option target 'DNAT'
        option src 'guest'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '53'
        option name 'DNS-guest'
        option dest_ip '192.168.1.x' # Pi-hole IP

config redirect
        option target 'DNAT'
        option src 'lan'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '53'
        option name 'DNS-lan'
        option dest_ip '192.168.1.x' # Pi-hole IP

what are your misbehaving clients? smart phones, tablets, smart TVs maybe? because they tend to use a hardwired DNS server (DHCP-offered DNS is not mandatory for clients to use), and not traditional DNS but DNS-over-HTTPS, so your redirect rule on port 53 will not catch them. also modern browsers use DoH by default nowadays. it is not so easy to force use of your preferred DNS server.

thanks, but unfortunately the workaround also didn't solve the issue.
I hesitate to post my whole network configuration incl. ip addresses and names in the internet.

The clients I'm currently testing are windows pcs using nslookup and firefox.
I also tested iphone using safari. Same behaviour.

To me it seems that the client sends the dns requests to pi-hole ip address, but they do not end up at the pi-hole due to the above posted divert dns rule, because when I disable this rule, I get a "dns request timed out" on the client.

firefox by default uses Cloudflare over DoH. pls verify whether you disabled it to make sure all dns requests are targeting pi-hole. you stated "not all clients show up in the query log", which means some requests do reach pihole, so it is not a routing/firewall problem, but it can be the aforementioned hard-coded / DoH problem.

try to run tcpdump to monitor what is going on exactly. maybe you receive the request but cannot reply: how are your lan/guest firewall zones configured? I assume you only have problems on the guest clients, but from your previous answer it is not clear to me.

I tried to monitor the traffic by using tcpdump on the router.
The client definitely sends requests towards pi-hole and it seems that the dns requests actually reach the pi-hole and pi-hole (rasp2hmlangw) replies to the client (192.168.3.172), but still I don't see the corresponding entries in the query log. I'm confused.

20:55:13.522982 IP 192.168.3.172.52409 > rasp2hmlangw.lan.53: 12102+ Type65? cm.everesttech.net. (36)
20:55:13.523499 IP 192.168.3.172.53325 > rasp2hmlangw.lan.53: 39950+ A? cm.everesttech.net. (36)
20:55:13.529277 IP 192.168.3.172.62885 > rasp2hmlangw.lan.53: 50923+ Type65? as.bild.de. (28)
20:55:13.529756 IP 192.168.3.172.54621 > rasp2hmlangw.lan.53: 60793+ A? as.bild.de. (28)
20:55:13.533182 IP 192.168.3.172.57200 > rasp2hmlangw.lan.53: 13945+ Type65? www.google.com. (32)
20:55:13.533659 IP 192.168.3.172.51315 > rasp2hmlangw.lan.53: 20818+ A? www.google.com. (32)
20:55:13.534193 IP 192.168.3.172.54311 > rasp2hmlangw.lan.53: 35277+ Type65? www.google.de. (31)
20:55:13.534798 IP 192.168.3.172.63362 > rasp2hmlangw.lan.53: 13030+ A? www.google.de. (31)
20:55:13.535575 IP rasp2hmlangw.lan.53 > 192.168.3.172.52409: 12102 1/1/0 CNAME cm.everesttech.net.akadns.net. (142)
20:55:13.537146 IP rasp2hmlangw.lan.53 > 192.168.3.172.53325: 39950 4/0/0 CNAME cm.everesttech.net.akadns.net., A 18.201.4.185, A 18.203.152.154, A 54.229.62.148 (124)
20:55:13.537803 IP 192.168.3.172.64157 > rasp2hmlangw.lan.53: 10243+ Type65? cm.everesttech.net.akadns.net. (47)
20:55:13.543894 IP rasp2hmlangw.lan.53 > 192.168.3.172.62885: 50923 1/1/0 CNAME bild.de.ssl.sc.omtrdc.net. (136)
20:55:13.546444 IP 192.168.3.172.60805 > rasp2hmlangw.lan.53: 40975+ Type65? bild.de.ssl.sc.omtrdc.net. (43)
20:55:13.551583 IP rasp2hmlangw.lan.53 > 192.168.3.172.54621: 60793 4/0/0 CNAME bild.de.ssl.sc.omtrdc.net., A 15.236.117.205, A 13.37.25.97, A 15.236.125.10 (115)
20:55:13.558991 IP rasp2hmlangw.lan.53 > 192.168.3.172.57200: 13945 1/0/0 Type65 (57)
20:55:13.560671 IP rasp2hmlangw.lan.53 > 192.168.3.172.64157: 10243 0/1/0 (113)
20:55:13.561114 IP rasp2hmlangw.lan.53 > 192.168.3.172.51315: 20818 1/0/0 A 142.251.209.132 (48)
20:55:13.562598 IP rasp2hmlangw.lan.53 > 192.168.3.172.54311: 35277 1/0/0 Type65 (56)
20:55:13.563061 IP rasp2hmlangw.lan.53 > 192.168.3.172.63362: 13030 1/0/0 A 172.217.16.67 (47)
20:55:13.567956 IP rasp2hmlangw.lan.53 > 192.168.3.172.60805: 40975 0/1/0 (112)

I guess this is due to the "Divert DNS" redirect rule (see above). If I disable this rule, dns requests are still sent towards pi-hole, but they don't reach the pi-hole anymore. It seems the firewall rule that is intended to forward traffic between lan and guest network somehow does not work.

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'guest dns pihole'
        option dest 'lan'
        option dest_port '53'
        list dest_ip '192.168.1.x'

So how can I ensure that the dns requests sent from a guest network client actually reach the pi-hole in the lan network?

Maybe it is a mistake in the firewall zone and forwarding configuration? Here is my config:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option dest 'wan'
        option src 'guest'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpnserver'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

Additionally, in pi-hole diagnosis I get a dnsmasq warning "Maximum number of concurrent DNS queries reached (max: 150)". Not sure if this is related to the problem.
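As an added example (not code from the thread), here is a small Python parser for tcpdump DNS lines in the format shown above. It pairs every query with its reply by client address, client port and transaction id, counts queries per client, lists queries that never got an answer, and flags queries whose source address is the router's own, which is the SNAT symptom mentioned earlier in the thread (a Pi-hole only logs the originator it sees). The sample lines are copied from the capture above plus one constructed line; the router address 192.168.1.1 is an assumed placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shape of a tcpdump DNS line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>[flags] <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) ?(?P<rest>.*)$"
)

# Assumed placeholder for the router's lan address (not given in the thread).
ROUTER_IPS = {"192.168.1.1"}

# Sample input: lines from the capture in the thread, plus one constructed line
# (the last one) that shows a query arriving from the router address instead of the client.
SAMPLE_LINES = [
    "20:55:13.522982 IP 192.168.3.172.52409 > rasp2hmlangw.lan.53: 12102+ Type65? cm.everesttech.net. (36)",
    "20:55:13.523499 IP 192.168.3.172.53325 > rasp2hmlangw.lan.53: 39950+ A? cm.everesttech.net. (36)",
    "20:55:13.533659 IP 192.168.3.172.51315 > rasp2hmlangw.lan.53: 20818+ A? www.google.com. (32)",
    "20:55:13.535575 IP rasp2hmlangw.lan.53 > 192.168.3.172.52409: 12102 1/1/0 CNAME cm.everesttech.net.akadns.net. (142)",
    "20:55:13.537146 IP rasp2hmlangw.lan.53 > 192.168.3.172.53325: 39950 4/0/0 CNAME cm.everesttech.net.akadns.net., A 18.201.4.185, A 18.203.152.154, A 54.229.62.148 (124)",
    "20:55:13.537803 IP 192.168.3.172.64157 > rasp2hmlangw.lan.53: 10243+ Type65? cm.everesttech.net.akadns.net. (47)",
    "20:55:13.561114 IP rasp2hmlangw.lan.53 > 192.168.3.172.51315: 20818 1/0/0 A 142.251.209.132 (48)",
    "20:55:14.000000 IP 192.168.1.1.40001 > rasp2hmlangw.lan.53: 11111+ A? example.com. (29)",  # constructed
]


@dataclass
class DnsPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    rest: str

    @property
    def is_query(self) -> bool:
        # Traffic towards port 53 is a query; traffic from port 53 is a reply.
        return self.dport == 53

    @property
    def key(self):
        # (client address, client port, transaction id) identifies one exchange.
        if self.is_query:
            return (self.src, self.sport, self.txid)
        return (self.dst, self.dport, self.txid)


def parse_line(line: str) -> Optional[DnsPacket]:
    """Parse one tcpdump DNS line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DnsPacket(m["ts"], m["src"], int(m["sport"]), m["dst"],
                     int(m["dport"]), int(m["txid"]), m["rest"])


def analyse(lines, router_ips):
    """Pair queries with replies and summarise who asked and who went unanswered."""
    pending = {}          # exchanges still waiting for a reply
    answered = []         # (query, reply) pairs
    clients = Counter()   # queries per source address
    snat_suspects = []    # queries that appear to come from the router itself
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.is_query:
            pending[pkt.key] = pkt
            clients[pkt.src] += 1
            if pkt.src in router_ips:
                snat_suspects.append(pkt)
        else:
            query = pending.pop(pkt.key, None)
            if query is not None:
                answered.append((query, pkt))
    return {
        "queries": sum(clients.values()),
        "answered": len(answered),
        "unanswered": list(pending.values()),
        "clients": dict(clients),
        "snat_suspects": snat_suspects,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LINES, ROUTER_IPS)
    print(f"{report['queries']} queries, {report['answered']} answered, per client: {report['clients']}")
    for q in report["unanswered"]:
        print(f"unanswered: {q.src}:{q.sport} txid {q.txid} {q.rest}")
    for q in report["snat_suspects"]:
        print(f"query sourced from router address (SNAT?): {q.src}:{q.sport} {q.rest}")
```

Feed it real output with something like `tcpdump -ni br-lan port 53` piped into the script; if the source addresses of guest queries show up as the router's lan address rather than 192.168.3.x, the queries are being rewritten before they reach the Pi-hole.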

allow zone forward from lan to guest.

Thanks, but can you explain why this could solve the problem? As far as I understand, the problem is that forwarding from a client in the guest network to the pi-hole in the lan network does not work. Forwarding from lan to guest would be the opposite direction.

I don't want to allow forwarding from guest to lan in general for the security reasons, but only for the pi-hole and I have a firewall rule for that (see above).

i said no such thing. the total opposite: from lan to guest allowing reply from pihole to reach guest client. the firewall rule you have allows guest clients to send traffic to specific lan host (i.e. pihole). but that's only unidirectional. zone forwarding is not bi-directional, you need reply traffic from pihole to be allowed from lan to guest direction too.

when you disable the fw rule it means no traffic allowed from guest to lan host (pihole) at all, as you say

which is working as it should.

Actually I have another firewall rule for the opposite direction, but that also doesn't solve the problem.

config rule
        option name 'guest pihole zurück'
        option src 'lan'
        option dest 'guest'
        option target 'ACCEPT'
        list src_ip '192.168.1.x'

My understanding was that if the request would reach the pi-hole, but the reply does not reach the client, I at least should see an entry in the query log, since the query would have reached the pi-hole...
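Added example, not code from the thread: a Python checker that parses `uci export firewall` output like the configuration posted above and flags the conditions discussed in this thread: masquerading enabled on a zone other than wan, a MASQUERADE nat rule whose source zone is not wan (both rewrite the originator address the Pi-hole sees), a port-53 DNAT redirect without dest_ip (which sends queries to the router itself, so the Pi-hole logs the router instead of the client), and the absence of any accepted path from the guest zone to the Pi-hole on port 53. The sample config is assembled from the snippets in this thread; 192.168.1.10 is a constructed placeholder for the Pi-hole address.

```python
import shlex

# Sample input assembled from the snippets posted in the thread.
# 192.168.1.10 is a constructed placeholder for the Pi-hole address.
SAMPLE_CONFIG = """
config defaults
        option forward 'REJECT'

config zone
        option name 'lan'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wan'
        option masq '1'
        list network 'wan'

config zone
        option name 'guest'
        option forward 'REJECT'
        list network 'guest'

config nat
        option target 'MASQUERADE'
        option name 'vpnnat'
        option src_ip '192.168.200.0/24'
        option src 'wan'

config redirect
        option name 'Divert DNS'
        option proto 'udp tcp'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'guest dns pihole'
        option dest 'lan'
        option dest_port '53'
        list dest_ip '192.168.1.10'   # Pi-hole IP (placeholder)
"""


def parse_uci(text):
    """Parse 'config/option/list' lines into a list of section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quotes and trailing '#' comments
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def check_firewall(sections, pihole_ip, client_zone="guest", pihole_zone="lan"):
    """Return (code, detail) findings for the misconfigurations discussed in the thread."""
    findings = []
    path_found = False
    for s in sections:
        o, lists = s["options"], s["lists"]
        if s["type"] == "zone" and o.get("masq") == "1" and o.get("name") != "wan":
            findings.append(("MASQ_ON_INTERNAL_ZONE", o.get("name")))
        if s["type"] == "nat" and o.get("target") == "MASQUERADE" and o.get("src") != "wan":
            findings.append(("SNAT_NOT_ON_WAN", o.get("name")))
        if s["type"] == "redirect" and o.get("target") == "DNAT" and o.get("src_dport") == "53":
            if not o.get("dest_ip"):
                # No dest_ip: the redirect lands on the router's own address.
                findings.append(("DNS_REDIRECT_TO_ROUTER", o.get("name")))
            elif o.get("src") == client_zone and o.get("dest_ip") == pihole_ip:
                path_found = True  # assumption: the redirect's own accept covers the forward
        if (s["type"] == "rule" and o.get("target") == "ACCEPT" and o.get("src") == client_zone
                and o.get("dest") == pihole_zone and o.get("dest_port") == "53"):
            dest_ips = lists.get("dest_ip", []) + ([o["dest_ip"]] if "dest_ip" in o else [])
            if not dest_ips or pihole_ip in dest_ips:
                path_found = True
        if s["type"] == "forwarding" and o.get("src") == client_zone and o.get("dest") == pihole_zone:
            path_found = True  # whole-zone forwarding, broader than the thread wants but a path
    if not path_found:
        findings.append(("NO_PATH_TO_PIHOLE", client_zone))
    return findings


if __name__ == "__main__":
    for code, detail in check_firewall(parse_uci(SAMPLE_CONFIG), "192.168.1.10"):
        print(f"{code}: {detail}")
```

On the sample above the only finding is the "Divert DNS" redirect without dest_ip; removing the guest rule from the input adds NO_PATH_TO_PIHOLE, which matches the "dns request timed out" seen when that rule was disabled.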