Unfortunately I am running into a problem since yesterday. I did not change anything in my setup (well, I thought so). My router seems to be unable to resolve any DNS requests, which are needed by OpenWRT itself, for example updating the system time or the dynamic IP. All DNS requests are sent to a Pi-Hole in my network, which is supposed to take all requests, filter them, then send them to the Mullvad DNS server (193.138.218.74), a server which is reachable from inside and outside the Mullvad VPN tunnel (so it does not make a difference if I am connected to Mullvad or not).
The OpenWRT router is configured so that all DHCP clients are using the Pi-Hole. For that I set under "DHCP and DNS" -> "DNS forwardings" the static IP of my Pi-Hole (192.168.100.2), and in the interface settings I disabled "Use DNS servers advertised by peer" for WAN and added the Pi-Hole as the first custom DNS and the Mullvad one as fallback.
I see ALL requests in the Pi-Hole log, and surfing works, also with blocking (checked by blacklisting facebook and trying to open it). I also see the "dynupdate.no-ip.com" query in the Pi-Hole log. But the Pi-Hole seems not to answer. This is weird, but it is also weird that obviously the fallback is not working either.
I tried setting "DHCP and DNS" -> "DNS forwardings" to 8.8.8.8 and the router seems to resolve the DNS queries (at least it connected to Mullvad then, which was also not possible since mullvad was not resolved), but I do not really want to use another DNS server than the Pi-Hole.
Could someone please explain to me what I am doing wrong? And what is the difference between the two options for setting the DNS server? Thank you a lot!
Please find attached the syslog entries (I enabled "Write received DNS requests to syslog").
Best regards!
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18407 127.0.0.1/58847 query[A] dynupdate.no-ip.com from 127.0.0.1
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18407 127.0.0.1/58847 forwarded dynupdate.no-ip.com to 192.168.100.2
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18407 127.0.0.1/58847 forwarded dynupdate.no-ip.com to 192.168.100.2
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18407 127.0.0.1/58847 forwarded dynupdate.no-ip.com to 192.168.100.2
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18407 127.0.0.1/58847 forwarded dynupdate.no-ip.com to 192.168.100.2
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18407 127.0.0.1/58847 forwarded dynupdate.no-ip.com to 193.138.218.74
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18408 127.0.0.1/58847 query[AAAA] dynupdate.no-ip.com from 127.0.0.1
Mon Jan 13 19:10:25 2020 daemon.info dnsmasq[6208]: 18408 127.0.0.1/58847 forwarded dynupdate.no-ip.com to 192.168.100.2
Mon Jan 13 19:10:25 2020 user.err ddns-scripts[2778]: myddns_ipv4: cURL Error: '6'
Mon Jan 13 19:10:26 2020 user.warn ddns-scripts[2778]: myddns_ipv4: Transfer failed - retry 1425/0 in 60 seconds
Hi, thanks for helping! Unfortunately this did not work. I cleared the field and restarted. Again, no Mullvad connection possible. Switched to 8.8.8.8, Mullvad is connected. Switching back to pihole, same as before... More ideas?
Yes, the clients are always happy, it is only the router. Just checked the two lan interfaces, both also have the pi-hole as DNS. I just did not mention it. The router still allows me to surf but seems not to get answers from the pihole. Can this be something about security options, like a feature that forbids answers going back to the router?
This also did not help. Same behaviour. But it seems to be something about the pihole. I tried to choose the Mullvad DNS directly at "DHCP and DNS" -> "DNS forwardings" and after rebooting, the router managed to connect to mullvad and update the dyn IP. Nevertheless, now I do not know which DNS is used for what. Looking at the syslog, sometimes Pihole is used (also for requests from the router), sometimes directly Mullvad DNS. I do not get what is happening here. I just want control over my DNS!
Could someone explain what the difference between all the ways to set the DNS in OpenWRT is?
I can set it in:
DHCP and DNS
for interface WAN
for interface LAN
Is there an option that allows specifying one used only by the router? This would be a compromise if I can be sure that all clients only use the Pi-Hole, and the router still works.
Thank you, tried it out! It looks good, but I still see log entries that show me that the pihole is not exclusive: Mullvad DNS is asked by the router, not by the pihole, and even before the pihole was asked.
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 193.138.218.74
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 192.168.100.2
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 192.168.100.2
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 192.168.100.2
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 193.138.218.74
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 reply mail.tutanota.com is 81.3.6.164
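As an added example (not from any post in this thread), a small shell check that runs over dnsmasq syslog lines like the ones above and reports whether any forward bypassed the Pi-hole; it assumes "Write received DNS requests to syslog" is enabled and uses the thread's Pi-hole address.

```shell
#!/bin/sh
# Added example (not from the thread): read dnsmasq "forwarded <name> to <ip>"
# syslog lines and report whether every forward went to the Pi-hole.
# Assumes "Write received DNS requests to syslog" (dnsmasq log-queries) is on.

PIHOLE_IP="192.168.100.2"   # the Pi-hole address used in the thread

# Constructed sample, shaped like the router's syslog lines in the thread.
SAMPLE_LOG='Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 193.138.218.74
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 192.168.100.2
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 192.168.100.2
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 forwarded mail.tutanota.com to 193.138.218.74
Tue Jan 14 20:23:57 2020 daemon.info dnsmasq[2275]: 2776 10.14.0.3/8385 reply mail.tutanota.com is 81.3.6.164'

# Print "<count> <upstream>" for every upstream dnsmasq forwarded to (log on stdin).
# "query" and "reply" lines carry no upstream and are skipped.
upstream_counts() {
    awk '/ forwarded / { n[$NF]++ } END { for (u in n) print n[u], u }' | sort -k2
}

# Return 0 if every forward went to $1; otherwise list the other upstreams and return 1.
check_pihole_exclusive() {
    others=$(upstream_counts | awk -v ok="$1" '$2 != ok { print $2 " (" $1 " forwards)" }')
    if [ -n "$others" ]; then
        printf 'dnsmasq bypassed the Pi-hole via: %s\n' "$others"
        return 1
    fi
    echo "all forwards went to $1"
}

# On the router: logread | check_pihole_exclusive 192.168.100.2
# Stand-alone demo on the constructed sample (reports the 193.138.218.74 forwards):
status=0
printf '%s\n' "$SAMPLE_LOG" | check_pihole_exclusive "$PIHOLE_IP" || status=$?
echo "exit status: $status"
```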
Okay, I checked again with blocking facebook and the Pi-Hole is NOT used.
Basically I still do not get which of the options I really need. In theory it is simple: every DNS request shall be sent to the Pi-Hole, all clients shall use the Pi-Hole. The Pi-Hole shall use Mullvad DNS. The Pi-Hole is reachable from all VLANs. Let's say we start from scratch and I remove all DNS changes in OpenWRT. Which option do I need now?
The forwarding in "DHCP and DNS"?
DHCP option No. 6?
The option in WAN/WAN6?
The option in LAN/LAN2?
I guess by mixing all of them up I have built a crazy forwarding loop between router, pi-hole and mullvad or something similar.
The one single change you need is disabling peerdns on your WAN interface and adding the PiHole as DNS server.
If the PiHole replies with private IP addresses to DNS queries (I do not know how it works) then you need to disable dnsmasq's rebind protection as well.
Okay, I tried it. Back to scratch: I removed the forwarding in DHCP and DNS, in lan, in lan2 and in the DHCP options for lan and lan2. The only DNS is the pihole in the wan options, and I removed peerdns. I also removed the Mullvad DNS fallback in the wan DNS. wan6 has no DNS at all. Reboot. Result: router can not connect to Mullvad. Disabling rebind protection, reboot. Same. So nothing new here.
But I found out some things nevertheless. I can bring the router (and the Mullvad VPN interface) to life when I CHANGE the forward DNS option in "DHCP and DNS" after booting. It does not matter then if I choose the Mullvad one or 8.8.8.8 (BUT NOT PIHOLE), it will resolve the mullvad wireguard server instantly. After the connection to mullvad I can remove the forward DNS option and use the router normally, and all clients seem to use the pihole as well (facebook still blocked, rest working).
This brings me to a point where I think about the question what happens when booting. Is it possible that some interfaces can not use the pihole, which I did not experience when the router was already connected (only checking the clients)?
And could it furthermore be that CHANGING the forward DNS server just restarts some services, while the start order results in different DNS server usage?
I am really confused here...
Maybe for your information: the pihole is in lan1, all members which use mullvad are in lan2. Nevertheless these members seem to work fine with the pihole.... More ideas?!
UPDATE: when I choose 8.8.8.8 for DNS forwarding and reboot it also works. What is the difference between Mullvad DNS there and Google? But even if I accepted that I need something chosen in there, I can not accept that clients then also start to use 8.8.8.8... It is really frustrating.
UPDATE2: I loaded the complete working OpenWRT config from September. Same behaviour. I get the feeling the pi-hole is broken/misbehaving. I tried nslookup on the router, but it can't resolve anything. Also interesting: when calling my nextcloud over its dyndns name in my network I get "Rejected request from RFC1918 IP to public server address". This was never a thing since I added an entry in /etc/config/dhcp which is still there. Trying to disable rebind protection again did not do the trick either.
I asked in the Pihole forum. They think it is a question of port forwarding / firewall. Ideas for that? Here is my network config:
192.168.100.1: router
192.168.100.2: pihole
192.168.100.4: nextcloud
To summarize: the router can not resolve domains with any of the mentioned settings. The pihole itself works for the clients. The router has problems with resolving at all, since even its own dhcp.conf entries (nextcloud) seem to be broken. Also the internal package manager can not connect. The only thing known to work: using Google DNS (8.8.8.8) in "DHCP and DNS" as the forwarding option.
Rebind protection has NO influence.
I did not really understand the problem, but it really seems to be a question of wrongly combining DNS options in OpenWRT as mentioned in the previous post.
I have now reset everything (also using the ISP default DNS in the WAN interfaces) and only told all lan clients via DHCP option 6 to use the pihole. This works. The Wireguard clients are using the pihole directly via the DNS option in the Android Wireguard app. This made it work for me. I can live with the fact that the initial Mullvad connection, time sync and updates do not run via the pihole, since these are connections directly from the router. But maybe I can fix this too in the future. Thanks for helping nevertheless!
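The two settings this thread ends up contrasting, the answer's peerdns change for the router itself and DHCP option 6 for the clients, as uci commands. This is an added example, not code from any post here; it assumes the default interface names wan, wan6 and lan and uses the thread's Pi-hole address.

```shell
#!/bin/sh
# Added example, not from the thread: the two ways to point DNS at the Pi-hole,
# expressed as uci commands on OpenWrt. Assumes interfaces wan, wan6 and lan.

PIHOLE="${PIHOLE:-192.168.100.2}"   # Pi-hole address from the thread

# The answer's "one single change": stop taking the ISP resolvers from the WAN
# peer and give the router itself the Pi-hole as its only upstream. dnsmasq on
# the router reads these into its upstream list, so the router's own lookups
# (ntp, ddns, opkg, the WireGuard endpoint) also go through the Pi-hole.
router_use_pihole() {
    for iface in wan wan6; do
        uci set "network.$iface.peerdns=0"
        uci -q delete "network.$iface.dns"
    done
    uci add_list "network.wan.dns=$PIHOLE"
    # "DHCP and DNS -> DNS forwardings" is dhcp.@dnsmasq[0].server; clear it so
    # no other upstream (8.8.8.8, 193.138.218.74) is mixed in with the Pi-hole.
    uci -q delete 'dhcp.@dnsmasq[0].server'
    uci commit network
    uci commit dhcp
}

# If the Pi-hole answers with RFC1918 addresses for local names, dnsmasq's
# rebind protection drops those answers; the answer suggests turning it off.
allow_private_answers() {
    uci set 'dhcp.@dnsmasq[0].rebind_protection=0'
    uci commit dhcp
}

# The thread's final working setup: leave the router on its WAN resolvers and
# only tell DHCP clients (DHCP option 6) to use the Pi-hole. This changes what
# clients resolve through, not what the router itself resolves through.
clients_use_pihole() {
    lan="${1:-lan}"
    uci -q delete "dhcp.$lan.dhcp_option"
    uci add_list "dhcp.$lan.dhcp_option=6,$PIHOLE"
    uci commit dhcp
}

apply_changes() {
    /etc/init.d/network reload
    /etc/init.d/dnsmasq restart
}

# Run as "sh script.sh apply" on the router; does nothing elsewhere.
if command -v uci >/dev/null 2>&1 && [ "${1:-}" = "apply" ]; then
    router_use_pihole
    clients_use_pihole lan
    apply_changes
fi
```

Pick router_use_pihole or clients_use_pihole depending on whether the router's own queries should go through the Pi-hole too; after either, check logread to confirm which upstream dnsmasq is actually forwarding to.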
I don’t know if you ever resolved this but I had the exact same problem. I followed the guide to the letter but when I tried to poly update at the end everything failed. No domains could be resolved in putty but all network was working fine.
The solution for me was to disable Adblock and suspend the service.