AC68u, RPi pihole and DNS loop?


Tensor

New Around Here
Hello all. For the last few months I've been experimenting a bit with my network setup and I've noticed a few odd things that bug me.
Here's my setup:
I use an RT-AC68U as a router, with the newest Merlin. The WAN DNS servers are my ISP's, DHCP is enabled, Forward local domain queries is set to off, and my local DNS
points to the RPi, running Pi-hole with Cloudflare's DoH service.

The first thing I noticed was that even if newly connected clients have Cloudflare's DNS, after a few minutes it is changed to Google's DNS or my ISP's DNS. So I set DNSFilter
to force the use of Pi-hole, and I also set the RPi's MAC to No Filtering.

Now I notice two new things.
First, once a day clients suddenly cannot access the internet. It's not Pi-hole's problem but the router's (in the LAN DHCP or DNSFilter settings I just re-enter the IP of Pi-hole, click Apply, and everything works again... for a day).

Second, I noticed a lot of the router's queries going through Pi-hole. It looks like, for instance, if a webpage is on Pi-hole's blacklist and a client wants to access it, the page is blocked by Pi-hole, but then
the same query is made again by the router. Therefore all queries from the router are red (blocked).
Can someone explain whether it's just a bug or am I missing something?
TY!
 

bbunge

Very Senior Member
In DNS Filter, set the global mode to Router and make the Pi-hole unfiltered.
Consider not using DoH with Cloudflared. DoH does use DNS on port 53 to locate the DoH server and may not be best.
Set WAN DNS to something other than your ISP, with DNSSEC.
You can use DoT on the router and Pi-hole, but you may have the periodic glitch. Yes, you can install Stubby on the Pi-hole. See the Pi-hole forum.
 

Tensor

New Around Here
Thank you for your prompt answer. For DNS I use a custom port. DNS Filter is already set that way. What bugs me the most is why my router is doubling the queries of other clients... No DNS settings are pointing to the router...

P.S.: Another bug is that almost every time the router reboots, I have to manually start the VPN server...
 

dave14305

Part of the Furniture
Please post screenshots of the LAN DHCP Server DNS page and the DNS Filter page. Ensure "Advertise router's IP in addition to user-specified DNS" is set to No. A screenshot of the Pi-Hole upstream DNS settings would be useful.

Also a screenshot of this "double query" log would help explain to us what you're seeing.
 

Tensor

New Around Here
Please post screenshots of the LAN DHCP Server DNS page and the DNS Filter page. Ensure "Advertise router's IP in addition to user-specified DNS" is set to No. A screenshot of the Pi-Hole upstream DNS settings would be useful.

Also a screenshot of this "double query" log would help explain to us what you're seeing.
Here it goes...
 


dave14305

Part of the Furniture
Here it goes...
Remove the duplicate entry in DNS 2 on the router's LAN DHCP Server page. On the DNS Filter page, set global mode to Router, which will enforce the LAN DHCP DNS 1 server IP.
 

Tensor

New Around Here
Remove the duplicate entry in DNS 2 on the router's LAN DHCP Server page. On the DNS Filter page, set global mode to Router, which will enforce the LAN DHCP DNS 1 server IP.
Thanks, I changed the settings. Still have unexplainable queries by the router...
 

dave14305

Part of the Furniture
Thanks, I changed the settings. Still have unexplainable queries by the router...
With DNS Filter enabled, router queries represent queries from LAN clients that do not respect the Pi-hole DNS IP being sent by DHCP (e.g. Google or Amazon devices with hardcoded DNS). Are they still duplicated?
 

Tensor

New Around Here
With DNS Filter enabled, router queries represent queries from LAN clients that do not respect the Pi-hole DNS IP being sent by DHCP (e.g. Google or Amazon devices with hardcoded DNS). Are they still duplicated?
Thanks. Yes, they're still duplicated. For instance, my Huawei Mate 20... It uses Pi-hole's DNS (checked on 1.1.1.1/help), has a static IP, but the same blocked queries are shown from the router and from the client (Mate 20).
 

dave14305

Part of the Furniture
Is the Raspberry Pi connected to the router by Ethernet or Wireless? Hopefully not both. Or you might need 2 MAC entries in DNS Filter for No Filtering since wired and wireless would have separate MACs.

What DNS settings can you see in the Wireless details on the Mate 20?
 

Tensor

New Around Here
Is the Raspberry Pi connected to the router by Ethernet or Wireless? Hopefully not both. Or you might need 2 MAC entries in DNS Filter for No Filtering since wired and wireless would have separate MACs.

What DNS settings can you see in the Wireless details on the Mate 20?
It's connected only through Ethernet; it doesn't have wireless on it. Wireless details... Static IP, IP of the router as gateway, IP of the RPi as DNS. Everything seems ok...
 

ShagBark

Occasional Visitor
Looks like dave14305 may have answered this. Running 2 wired Pi-holes with no duplicates.

 

N/A

Occasional Visitor
Hello all. For the last few months I've been experimenting a bit with my network setup and I've noticed a few odd things that bug me.
Here's my setup:
I use an RT-AC68U as a router, with the newest Merlin. The WAN DNS servers are my ISP's, DHCP is enabled, Forward local domain queries is set to off, and my local DNS
points to the RPi, running Pi-hole with Cloudflare's DoH service.

The first thing I noticed was that even if newly connected clients have Cloudflare's DNS, after a few minutes it is changed to Google's DNS or my ISP's DNS. So I set DNSFilter
to force the use of Pi-hole, and I also set the RPi's MAC to No Filtering.

Now I notice two new things.
First, once a day clients suddenly cannot access the internet. It's not Pi-hole's problem but the router's (in the LAN DHCP or DNSFilter settings I just re-enter the IP of Pi-hole, click Apply, and everything works again... for a day).

Second, I noticed a lot of the router's queries going through Pi-hole. It looks like, for instance, if a webpage is on Pi-hole's blacklist and a client wants to access it, the page is blocked by Pi-hole, but then
the same query is made again by the router. Therefore all queries from the router are red (blocked).
Can someone explain whether it's just a bug or am I missing something?
TY!
Do you have IPv6 enabled on your router? If so, the router will always push its own IPv6 address to clients as one of the DNS servers even though you specified not to advertise the router's IP.
In my case I just set Pi-hole's IP on the DHCP Server page and modified the IPv6 equivalent setting through a script. I never have to touch DNS Filter.
 

dave14305

Part of the Furniture
I see someone else had a similar problem, but without a solution...

https://www.reddit.com/r/pihole/comments/dml9i9
Maybe your second LAN DNS entry for PiHole was necessary to prevent Android from keeping 8.8.8.8 as a secondary DNS (which would get redirected by the router to the Pihole). I don't have any modern Android devices to test with, but it would be useful to install and run tcpdump on the router to capture DNS traffic on the br0 interface from the Android phone to see where it's trying to go.
Bash:
tcpdump -n -i br0 dst port 53 and ! dst 192.168.77.44 and src 192.168.77.xx
Use the IP of the phone to replace the xx.

Similar thread at https://forums.oneplus.com/threads/secondary-dns-forced-to-8-8-8-8.999920/page-2#post-21723550
 

Tensor

New Around Here
Do you have IPv6 enabled on your router? If so, the router will always push its own IPv6 address to clients as one of the DNS servers even though you specified not to advertise the router's IP.
In my case I just set Pi-hole's IP on the DHCP Server page and modified the IPv6 equivalent setting through a script. I never have to touch DNS Filter.
No, I have disabled IPv6... I know that the secondary queries could be from it, but it is disabled in the IPv6 settings...
 

MaziahBebop

Regular Contributor
AX88U + Pi-hole with unbound. I see the dual requests from one connected client, my LG TV. I had not noticed it until reading this thread, which prompted me to search the Pi-hole logs for requests from the router, and sure enough, there were a whole bunch of requests from the router matching the timestamps and URLs of the LG TV client requests.
Will watch this thread and post a solution if I find one.

[edit]
I think this post from @dave14305 explains the source of the problem somewhat. Is it not acceptable to have duplicated DNS requests from such clients? I mean, should a request only come from the client OR the router, but never from both?
 

SomeWhereOverTheRainBow

Very Senior Member
AX88U + Pi-hole with unbound. I see the dual requests from one connected client, my LG TV. I had not noticed it until reading this thread, which prompted me to search the Pi-hole logs for requests from the router, and sure enough, there were a whole bunch of requests from the router matching the timestamps and URLs of the LG TV client requests.
Will watch this thread and post a solution if I find one.

[edit]
I think this post from @dave14305 explains the source of the problem somewhat. Is it not acceptable to have duplicated DNS requests from such clients? I mean, should a request only come from the client OR the router, but never from both?
You're probably seeing that because the television has a hard-coded DNS and is trying to send requests via that hard-coded DNS; DNS Filter is forcing it to send those requests via Pi-hole. The requests show up as coming from the router because the router is preventing the smart TV from using an outside DNS server.
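
An added example, not posted by anyone in this thread: a small Python script that applies the explanation given by dave14305 and SomeWhereOverTheRainBow above to Pi-hole's query log. It reads lines in the dnsmasq "query[TYPE] name from client" format that Pi-hole writes to /var/log/pihole.log and splits router-sourced queries into two groups: those that have a twin from a LAN client within a couple of seconds (the client asked the Pi-hole itself AND sent the same query to a second, hard-coded resolver that DNS Filter redirected, which is the "double query" Tensor and MaziahBebop describe), and those with no twin (a device that only ever uses a hard-coded resolver). The log lines are constructed for the example; the Pi-hole address 192.168.77.44 is taken from the tcpdump filter earlier in the thread, and the router address 192.168.77.1 is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed addresses (hypothetical): the Pi-hole IP matches the one used in the
# tcpdump filter posted in this thread; the router's LAN IP is an assumption.
ROUTER_IP = "192.168.77.1"
PIHOLE_IP = "192.168.77.44"

# Constructed sample lines in the dnsmasq "query[TYPE] name from client" format
# that Pi-hole writes to /var/log/pihole.log. Not captured from a real network.
SAMPLE_LOG = """\
Oct 10 12:00:01 dnsmasq[512]: query[A] ads.example.com from 192.168.77.20
Oct 10 12:00:01 dnsmasq[512]: query[A] ads.example.com from 192.168.77.1
Oct 10 12:00:02 dnsmasq[512]: query[A] www.example.org from 192.168.77.30
Oct 10 12:00:05 dnsmasq[512]: query[AAAA] metrics.example.net from 192.168.77.1
Oct 10 12:00:40 dnsmasq[512]: query[A] news.example.com from 192.168.77.20
Oct 10 12:00:41 dnsmasq[512]: query[A] news.example.com from 192.168.77.1
Oct 10 12:00:50 dnsmasq[512]: forwarded www.example.org to 127.0.0.1#5053
"""

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(\w+)\] (\S+) from (\S+)$"
)


def parse_queries(log_text, year=2020):
    """Return (timestamp, qtype, name, client_ip) for every query line.

    Syslog timestamps carry no year, so one is supplied. Non-query lines
    (forwarded, reply, gravity blocked, ...) are skipped.
    """
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        queries.append((ts, m.group(2), m.group(3), m.group(4)))
    return queries


def correlate(queries, router_ip=ROUTER_IP, pihole_ip=PIHOLE_IP, window=2.0):
    """Split router-sourced queries into two buckets.

    matched:   {client_ip: [name, ...]} for router queries that have a twin
               (same name and type) from a LAN client within `window` seconds,
               i.e. the client queried the Pi-hole directly and also sent the
               same query to a hard-coded resolver that DNS Filter redirected.
    unmatched: router queries with no client twin, i.e. a device that only
               uses a hard-coded resolver and never talks to the Pi-hole itself.
    """
    router_qs = [q for q in queries if q[3] == router_ip]
    client_qs = [q for q in queries if q[3] not in (router_ip, pihole_ip)]
    matched = defaultdict(list)
    unmatched = []
    for r_ts, r_type, r_name, _ in router_qs:
        best = None
        for c_ts, c_type, c_name, c_ip in client_qs:
            if (c_type, c_name) != (r_type, r_name):
                continue
            delta = abs((r_ts - c_ts).total_seconds())
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, c_ip)
        if best is None:
            unmatched.append((r_ts, r_type, r_name))
        else:
            matched[best[1]].append(r_name)
    return dict(matched), unmatched


if __name__ == "__main__":
    matched, unmatched = correlate(parse_queries(SAMPLE_LOG))
    for client, names in matched.items():
        print(f"{client}: {len(names)} queries also seen from the router: {', '.join(names)}")
    for ts, qtype, name in unmatched:
        print(f"{ts:%H:%M:%S} router-only {qtype} {name} (client never queried Pi-hole directly)")
```

On a real Pi-hole, feed it the contents of /var/log/pihole.log (or the output of `pihole -t` collected for a while) and set ROUTER_IP to the Merlin router's LAN address. Clients that show up in `matched` are the ones to inspect with dave14305's tcpdump filter, since they are still sending DNS somewhere other than the Pi-hole; entries in `unmatched` are the expected effect of DNS Filter on devices with hard-coded resolvers.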
 
