VLAN devices not getting DNS served by pihole

jeshuranpaul · November 21, 2023, 7:17pm

Related post: No wireless internet for VLAN

Since above topic is marked solved, starting a new one.

I've realized the pihole setup is not working correctly. Previously, I was using multiple DNS servers in addition to pihole IP. When I switched it back to just using the pihole IP (192.168.1.5), DNS queries are not being served.

For now I'm just trying to get this work on my Guest network as I need my other devices to work. I added the traffic rule as @psherman pointed out (also as suggested in OneMarkFifty's firewall video)

No luck. I tried just forwarding guest zone to the pihole IP on port 53 to lan, but it still didn't work

When I'm connected to the Guest network, I'm able to ping the 192.168.1.5 and also access the pihole web interface. There is internet connectivity but no dns resolution i.e. I can ping 8.8.8.8 but not google.com

Attaching relevant details from

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.5,94.140.14.14,94.140.14.15,1.1.1.1'    

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'guest_interface'
        option interface 'guest_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.5'

Relevant Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'

config rule
        option name 'Allow-DHCP-DNS-Guest'
        option src 'guest_zone'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest_zone'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.1.5'

config forwarding
        option src 'guest_zone'
        option dest 'wan'

AndrewZ · November 21, 2023, 7:37pm

What is configured in Pi-hole Settings - DNS - Interface Settings ?

jeshuranpaul · November 21, 2023, 7:45pm

Its set to 'Allow only local requests'. Does that mean it will only respond to 192.168.1.0/24?

If so, what would be the correct option?

Respond only on interface eth0
Bind only to interface eth0
Permit all origins (this sounds scary lol)

AndrewZ · November 21, 2023, 7:48pm

Yes. Please refer to the Pi-hole documentation linked on that page. They have all the options explained.

jeshuranpaul · November 21, 2023, 9:58pm

I tried changing these settings but still could get this to work. I had unbound installed the server as well. Removed the package and stopped the service but still no dns on vlan

AndrewZ · November 21, 2023, 10:20pm

I would try to separate possible problems. Assuming OpenWrt is configured properly, you should see the DNS requests on the server when you run sudo tcpdump -v port 53 there.

psherman · November 22, 2023, 12:22am

jeshuranpaul:

config rule
        option name 'Allow-DHCP-DNS-Guest'
        option src 'guest_zone'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option family 'ipv4'

Try removing port 53 from this rule.

jeshuranpaul · November 22, 2023, 1:05am

I tried doing that earlier but that didn't work either. Restarted the router for good measure, but no luck

psherman · November 22, 2023, 4:56am

As a test, add forwarding from the guest zone to the lan zone. Then, from a host on the guest network:

ping your pihole
ssh to the pi hole
connect to the pihole admin
perform dns lookups