Wireguard DNS issues

Martin

New Around Here
Hello everyone,

I have been having some odd issues with my Wireguard setup, that seem to be specific to how I use my router.
The clients can reach the DNS server just fine, and get responses. However, the DNS Server seems to be failing in forwarding the answers it gets upstream in specific cases.

Situation:
  • GT-AX6000 running 3004.388.8_4
  • DNS External server setup:
    • 192.168.0.10 (Internal PiHole)
  • Wireguard server setup with
    • Allow DNS: Yes
    • Enable NAT - ipv6: No
    • IP Range used: 10.12.0.0/24
    • etc.
  • Client settings:
    • DNS: 10.12.0.1

With this, any local system can have either the router IP (192.168.0.1) or the PiHole IP (192.168.0.10) set up as DNS, and both are processed through the PiHole. The PiHole is set up to also issue local DNS responses (for example www.mydomain.com) pointing to internal IP addresses. This works.

Remote systems (through Wireguard) can access the world wide web, and even internal clients that have their hostname known at the router. However, the local DNS responses from PiHole do not work (so www.mydomain.com times out).

Now the weird thing:
nslookup www.nu.nl
Server: 10.12.0.1
Address: 10.12.0.1#53

Non-authoritative answer:
www.nu.nl canonical name = www.nu.nl.edgekey.net.
www.nu.nl.edgekey.net canonical name = e67691.b.akamaiedge.net.
Name: e67691.b.akamaiedge.net
Address: 2.16.6.10
Name: e67691.b.akamaiedge.net
Address: 2.16.6.16
nslookup hostname.local
Server: 10.12.0.1
Address: 10.12.0.1#53

Name: hostname.local
Address: 192.168.0.80
nslookup www.mydomain.com
;; communications error to 10.12.0.1#53: timed out
;; communications error to 10.12.0.1#53: timed out
;; communications error to 10.12.0.1#53: timed out
;; no servers could be reached

It is also visible in the PiHole that all 3 queries arrive and are answered positively. It just seems to be the case that the Asus does not return the response to the client (even though it is answered by the PiHole).

Any thoughts? Or is this a known thing?
 
Looks like you do not have the Pi-Hole set up correctly. In WAN/DNS Server you should have only external IP addresses for DNS Servers. One good reason for this is that the router, when booting, needs to get to a DNS server to set its time. Sure, you may be able to use your Pi-Hole but don't. Might be a good idea to set up Diversion and use the same block lists you use on your Pi-Hole. Use the router as the main DNS server for the LAN and put the Pi-Hole IP address in LAN/DHCP Server/DNS Server 1. Also use DNS Director and set it to Router but remember to allow the Pi-Hole to access its upstream DNS servers in the DNS Director exceptions.
As for the Wireguard clients, just replace the 10.12.0.1 DNS setting in the client config with the IP address of the Pi-Hole and allow the Pi-Hole to service DNS queries from anywhere.
But, if you use Diversion you do not need the Pi-Hole, so use the RPI for another project. And while you are at it install Skynet, as Diversion and Pi-Hole only block some of the DNS bad guys some of the time...
 
I am aware, however: PiHole (and dnsmasq) also recommends to only allow local IPs. Which is the local network, not the VPN Network. Which is why the VPN setup points to the router, which uses the PiHole as an upstream. This allows all queries to come from the local network, and this works for all queries except for the local IP queries it seems.

Saying it like that sounds as if the router is not returning responses in the private IP range, so I tested it with a public IP that gets returned.

Direct to PiHole:
nslookup hostname.remote
Server: 192.168.0.10
Address: 192.168.0.10#53

Name: hostname.remote
Address: 85.56.xxx.xxx

And from Wireguard to the Router:
nslookup hostname.remote
;; communications error to 10.12.0.1#53: timed out
;; communications error to 10.12.0.1#53: timed out
;; communications error to 10.12.0.1#53: timed out
;; no servers could be reached

The behaviour is off, as it does do the request at PiHole but it just doesn't return the response.


Where do you have the Pi-Hole IP address set on the router? On the WAN > DNS? Or on the LAN > DHCP Server?
See the following link for one example of how to setup Pi-Hole on an Asus router running Asus-Merlin.
https://www.snbforums.com/threads/pihole-dns.74646/page-3#post-712319
Pi-Hole does not recommend inputting the Pi-Hole IP address in the WAN DNS settings.
When I did this before the redirect did not work for Wireguard clients, but it won't hurt to try again.


Yes to both, I am aware it is not ideal but with the situation above it feels like the best option (for now).


I might have a look at https://www.snbforums.com/threads/pi-hole-directly-on-the-router-yes.90719/ instead, to solve all these issues at once if the GT-AX6000 is supported.
 
No idea if this is an issue but how is the Pi-Hole's Interface Setting configured? For the Recommended setting > Allow only local requests? Or one of the options under Potentially dangerous options? If the Pi-Hole is properly firewalled, perhaps try Potentially dangerous options that matched how your Pi-Hole is connected to the router. Could be, if using the recommended setting, the Pi-Hole isn't responding to client requests that are more than one hop away (i.e. clients on the 10.12.0.0/24 subnet).
PS: Don't remember, off hand, having an issue with DNS requests when using a WireGuard Server and connected VPN clients on my Pi-Hole setup when using the Asus-Merlin firmware (3004.388.8_4) on my RT-AX86U Pro. But in my setup at the time I was using YazFi which necessitated (if I remember right) using the Respond only on interface eth0 (that Pi was connected via Ethernet) setting under potentially dangerous options due to YazFi using alternate IP address subnets than the main LAN IP subnet.
 
This is the odd thing, indeed if I set PiHole to accept "All" it responds to direct requests to clients that have the dns set to 192.168.0.10. Which I have done for now, but is not an ideal situation.
But even though the requests come from the 192.168.0.1 IP, and PiHole responds to them with valid answers, the ASUS does not seem to return the response to the Wireguard client when using 10.12.0.1 as DNS.

This is the behaviour that is off.
But perhaps this is in the "older" ASUS firmware as you previously shared it is not recommended to use WAN, but for the newer it is.
Maybe they fixed this in the newer firmware, which merlin is not yet using (waiting for that, to also add VLAN support).
 
But even though the requests come from the 192.168.0.1 IP, and PiHole responds to them with valid answers, the ASUS does not seem to return the response to the Wireguard client when using 10.12.0.1 as DNS.
Perhaps you should post your full wireguard server settings, redacting the sensitive information.
And perhaps post any VPN Director and DNS Director settings you have created or enabled.

If I remember right, if you use Pi-Hole's IP address in the router WAN DNS section and not the LAN DHCP Server DNS section, the Pi-Hole only shows LAN requests as the router's IP address. But using the LAN DHCP DNS, the Pi-Hole shows the requests coming from the individual LAN client.
 
I'll have a look (once I am back home) if there is anything useful to add that I didn't share in the original post.

But indeed what you say is correct, which is why also the DHCP server is broadcasting the PiHole IP as DNS server instead of its own on LAN. The only requests coming from the router should be the routers and the ones from the VPN connections. And to clarify, when I say I can see them come in and get responses this is also with a packet inspection with Wireshark.
 
Does your Pi-Hole have a static IP address or a manually assigned address via the router DHCP? It should have a static IP address and the router DHCP pool should start at a point above 192.168.0.11.
Is the Pi-Hole set up to use Conditional Forwarding? If not I recommend you try it. Conditional Forwarding is at the bottom of the DNS Settings in both Pi-Hole 5 and 6.
If you are using Pi-Hole 5 it is a good idea to upgrade to version 6. I've found it is better to start with a fresh RPI OS and do an install of Pi-Hole 6.
I am running Pi-Hole on a RPI 3B+ and in a container on a Synology NAS. I have zero problems with DNS and my Wireguard clients use the Pi-Hole DNS successfully.
 
This is the odd thing, indeed if I set PiHole to accept "All" it responds to direct requests to clients that have the dns set to 192.168.0.10. Which I have done for now, but is not an ideal situation.

Just thinking out loud here, it sounds like your pi-hole is set to respond to requests from the internal network only. Thus when a WG client makes a request, pi-hole sees the request coming from your WG subnet and gets ignored. If so, you need to make changes to your WG server. Possibly a masquerade problem?? I never liked, nor do I use, the GUI wireguard interface. Not enough configuration control.
 
Another thought here. What is the Pi-Hole installed on? A Raspberry Pi, or something else like a NAS, Linux server, PC, Docker, etc.? Wonder if the device the Pi-Hole is installed on is somehow playing a part with the issue. Maybe its firewall (or, if a Docker container, the container) doesn't respond, or reply back, to non-local IP address subnets.

PS: In my case I have Pi-Hole (+ Unbound) installed on two headless Raspberry Pi's running OS 11 (bullseye). Both Pi's have manual IP addresses reserved in the RT-AX86U Pro's DHCP Server manual reservation list. The two Pi-Hole instances are configured for Respond only on interface eth0 and Respond only on interface wlan0 respectively. The Pi-Holes are running: Core v6.0.5 FTL v6.0.4 Web interface v6.0.2. The Asus router runs the DHCP Server.

One thing I did, when I set the manual IP reservation for the Pi's on the Asus router's DHCP Server, was on the Pi-Hole installer screen that asks; "Do you want to use your current network settings as a static address?" I selected "Skip I will set the Static IP later, or have already done so" instead of selecting "Yes Set static IP to current values".
 
Many folks do not set a static IP address on their Pi-Hole. And also run Debian 11. Well, Debian 12 is the latest and nmtui makes it easy to set a real static IP address on a minimal Raspios install: https://www.jeffgeerling.com/blog/2024/set-static-ip-address-nmtui-on-raspberry-pi-os-12-bookworm
 
Forwarding local ips dns could be a dns rebind attack. Have you tested turning off dns rebind protection on the router? Just a thought...
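One way to check that hypothesis from a client, as an added example that is not from this thread or from the Asus-Merlin or Pi-hole projects: ask the router (10.12.0.1) and the Pi-hole (192.168.0.10) directly for the same name and flag any answer in the ranges a rebind-protecting forwarder (dnsmasq's stop-dns-rebind) refuses to pass on. The resolver addresses and names are the ones from the thread; the sample reply is constructed so the parser can be exercised offline.

```python
import ipaddress
import socket
import struct

# Ranges a rebind-protecting forwarder (dnsmasq's stop-dns-rebind) refuses to hand to clients.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
def build_query(name, qid=0x1234):
    """Minimal DNS query for an A record, recursion desired."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)
def _skip_name(msg, off):
    """Offset just past a wire-format name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1
def parse_a_records(msg):
    """IPv4 addresses in the answer section of a response (CNAME records are skipped)."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs
def rebind_filtered(addrs):
    """Subset of addrs that rebind protection would drop before answering the client."""
    return [a for a in addrs if any(ipaddress.ip_address(a) in n for n in REBIND_BLOCKED)]
def sample_response(name, addrs, qid=0x1234):
    """Constructed reply (not captured traffic): echo the question, then one A record per address."""
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
                   for a in addrs)
    return struct.pack(">HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0) + build_query(name, qid)[12:] + rrs
def query_resolver(name, server, timeout=2.0):
    """Ask `server` over UDP; returns (answers, would_be_filtered), or None if it times out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            addrs = parse_a_records(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
    return addrs, rebind_filtered(addrs)
```

Run `query_resolver("www.mydomain.com", "192.168.0.10")` and the same name against `"10.12.0.1"` from a connected WireGuard client: a Pi-hole answer that lands in the filtered list while the router gives no reply is the rebind case the post above describes, whereas a public answer that still times out points elsewhere.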
This sounds like the most sensible so far :)

Sadly it made no difference. Meaning either the setting does not apply, or something else is still wrong (also tested without DNSSEC of course).
Oddly enough when on the local network and using the router it does forward the addresses, even with DNS rebind protection on.

I think, I might just switch over the DHCP for the local network to the PiHole. That way I can enable "Forward local domain queries to upstream DNS" on the Router. My assumption would be that this could make it accept local addresses. (and still preserve Hostname resolving)


Although... thinking about that. Running in a rootless Podman registers all IPv4 requests with the same MAC. Might cause issues with a DHCP server...
 
Sadly it made no difference. Meaning either the setting does not apply, or something else is still wrong (also tested without DNSSEC of course).
Well, it was worth a shot. Although I realized it should not lead to "connection timeout" but something more proper.

Oddly enough when on the local network and using the router it does forward the addresses, even with DNS rebind protection on.
Which would suggest that maybe dnsmasq is not forwarding these and communication is direct between lan client and pi-hole.
 
Well, it was worth a shot. Although I realized it should not lead to "connection timeout" but something more proper.


Which would suggest that maybe dnsmasq is not forwarding these and communication is direct between lan client and pi-hole.
That would be what it suggests, however that seems to be "impossible". As when I use the WAN address it won't route it through the port forward to the appropriate server, nor are all addresses available on public DNS servers.
But clients with the router set as DNS (manually) still resolve without issue. Unless the IPv6 DNS setting is overriding the return of IPv4 of course... I'll have to test with a non-existent IPv6 DNS server.
 
