AC68u, RPi pihole and DNS loop?

[Tensor]

Hello all. Last few months i've been experimenting a bit with my network setup and i've noticed a few odd things, that bugs me.
Here's my setup:
I use RT-AC68u as a router, with the newest Merlin. WAN DNSs are DNSs of my ISP, DHCP is enabled, Forward local domain queries is set to off, and my local DNS
points to Rpi, with Pihole and with Cloudflare DOH service.

First thing that i noticed was, that even if newely connected clients have Cloudflare's DNS, after a few minutes, it is changed to Googles DNS or DNS of my ISP. So i set DNSFilter,
that forces the use of Pihole, also i set the RPi's MAC to no-filtering.

Now i notice two new things.
First is, that once a day, clients suddently cannot acces internet. It's not the PIholes problem, but Routers (on LAN's DHCP or DNSfilter settings i just reenter IP of PIhole, click Apply, and everything works again...for a day).

Second is, that i noticed a lot of Router's queries through Pihole. It looks like, that, for instance, if a webpage is on a PIhole's blacklist and a client wants to access it, the page is blocked by Pihole, but then
another same query is made by Router. Therefore, all queries from a Router are red - blocked.
Can someone explain if it's just a bug or am i missing something?
TY!

 

[bbunge]

In DNS Filter, set to router, make the Pi-hole unfiltered.
Consider not using DoH with Cloudflared. DoH does use DNS on port 53 to locate the DoH server and may not be best.
Set WAN DNS to other than your ISP with DNSSEC.
You can use DoT on the router and Pi-hole but you may have the periodic glitch. Yes, you can install Stubby on the Pi-hole. See the Pi-hole forum.

 

[Tensor]

Thank you for your prompt answer. For DNS, i use custom port. DNS filter is already set that way. What bugs me the most is, why my Router is doubling queries of other clients... No settings of DNS are pointing to Router...

P. S. : Another bug is, that almost every time when the router reboots, i have to manually start VPN server...

 

[dave14305]

Please post screenshots of the LAN DHCP Server DNS page and the DNS Filter page. Ensure "Advertise router's IP in addition to user-specified DNS" is set to No. A screenshot of the Pi-Hole upstream DNS settings would be useful.

Also a screenshot of this "double query" log would help explain to us what you're seeing.

 

[Tensor]

Please post screenshots of the LAN DHCP Server DNS page and the DNS Filter page. Ensure "Advertise router's IP in addition to user-specified DNS" is set to No. A screenshot of the Pi-Hole upstream DNS settings would be useful.

Also a screenshot of this "double query" log would help explain to us what you're seeing.

Here it goes...

 

[dave14305]

Here it goes...

Remove the duplicate entry in DNS 2 on the router's LAN DHCP Server page. On the DNS Filter page, set global mode to Router, which will enforce the LAN DHCP DNS 1 server IP.

 

[Tensor]

Remove the duplicate entry in DNS 2 on the router's LAN DHCP Server page. On the DNS Filter page, set global mode to Router, which will enforce the LAN DHCP DNS 1 server IP.

Thanks, i changed the settings. Still have unexplainable queries by router...

 

[dave14305]

Thanks, i changed the settings. Still have unexplainable queries by router...

With DNS Filter enabled, router queries represent queries from LAN clients who do not respect the PIHole DNS IP being sent by DHCP (e.g. Google or amazon devices with hardcoded DNS). Are they still duplicated?

 

[Tensor]

With DNS Filter enabled, router queries represent queries from LAN clients who do not respect the PIHole DNS IP being sent by DHCP (e.g. Google or amazon devices with hardcoded DNS). Are they still duplicated?

Thanks. Yes, they're still duplicated. For instance, my Huawei Mate 20... It uses Pihole's DNS (checked on 1.1.1.1/help ) , has a static IP, but same blocked queries are shown from Router and from client (Mate 20).

 

[dave14305]

Is the Raspberry Pi connected to the router by Ethernet or Wireless? Hopefully not both. Or you might need 2 MAC entries in DNS Filter for No Filtering since wired and wireless would have separate MACs.

What DNS settings can you see in the Wireless details on the Mate 20?

 

[Tensor]

Is the Raspberry Pi connected to the router by Ethernet or Wireless? Hopefully not both. Or you might need 2 MAC entries in DNS Filter for No Filtering since wired and wireless would have separate MACs.

What DNS settings can you see in the Wireless details on the Mate 20?

It's connected only through ethernet, don't have wireless on it. Wireless details.... Static IP, IP of router as a gateway, IP of RPI as DNS,. Everything seems ok...

 

[Tensor]

I see someone else had a similar problem, but without solution...

https://www.reddit.com/r/pihole/comments/dml9i9

 

[ShagBark]

Looks like Dave14305 may have answered this. Running 2 wired PiHoles with no duplicates.

 

[N/A]

Hello all. Last few months i've been experimenting a bit with my network setup and i've noticed a few odd things, that bugs me.
Here's my setup:
I use RT-AC68u as a router, with the newest Merlin. WAN DNSs are DNSs of my ISP, DHCP is enabled, Forward local domain queries is set to off, and my local DNS
points to Rpi, with Pihole and with Cloudflare DOH service.

First thing that i noticed was, that even if newely connected clients have Cloudflare's DNS, after a few minutes, it is changed to Googles DNS or DNS of my ISP. So i set DNSFilter,
that forces the use of Pihole, also i set the RPi's MAC to no-filtering.

Now i notice two new things.
First is, that once a day, clients suddently cannot acces internet. It's not the PIholes problem, but Routers (on LAN's DHCP or DNSfilter settings i just reenter IP of PIhole, click Apply, and everything works again...for a day).

Second is, that i noticed a lot of Router's queries through Pihole. It looks like, that, for instance, if a webpage is on a PIhole's blacklist and a client wants to access it, the page is blocked by Pihole, but then
another same query is made by Router. Therefore, all queries from a Router are red - blocked.
Can someone explain if it's just a bug or am i missing something?
TY!

Do you enable IPv6 on your router? If so, the router will always push its own IPv6 IP to clients as one of the DNS even though you specified not advertise router's IP.
In my case I just set pihole's IP on DHCP Server page and modified the IPv6 equivalent setting through script. I never have to touch DNS filter.

 

[dave14305]

I see someone else had a similar problem, but without solution...

https://www.reddit.com/r/pihole/comments/dml9i9

Maybe your second LAN DNS entry for PiHole was necessary to prevent Android from keeping 8.8.8.8 as a secondary DNS (which would get redirected by the router to the Pihole). I don't have any modern Android devices to test with, but it would be useful to install and run tcpdump on the router to capture DNS traffic on the br0 interface from the Android phone to see where it's trying to go.

tcpdump -n -i br0 dst port 53 and ! dst 192.168.77.44 and src 192.168.77.xx

Use the IP of the phone to replace the xx.

Similar thread at https://forums.oneplus.com/threads/secondary-dns-forced-to-8-8-8-8.999920/page-2#post-21723550

 

[Tensor]

Do you enable IPv6 on your router? If so, the router will always push its own IPv6 IP to clients as one of the DNS even though you specified not advertise router's IP.
In my case I just set pihole's IP on DHCP Server page and modified the IPv6 equivalent setting through script. I never have to touch DNS filter.

No, i have disabled IPv6... I know, that secondary queries could be from it, but it is disabled in IPv6 settings...

 

[SomeWhereOverTheRainBow]

No, i have disabled IPv6... I know, that secondary queries could be from it, but it is disabled in IPv6 settings...

What is the dns of your pihole settings pointed at

 

[Tensor]

It's custom at 127.0.0.1:5877 ... Which points to Cloudflare

 

[MaziahBebop]

Ax88u + pi-hole with unbound. I see the dual requests from one connected client, my LG TV. I had not noticed it until reading this thread, which prompted me to search the pi-hole logs for requests from the router, and sure enough, a whole bunch of requests from the router matching the timestamps and URLs of the LG TV client requests.
Will watch this thread and post a solution if I find one.

[edit]
I think this post from @dave14305 explains the source of the problem somewhat. Is it not acceptable to have the duplicated DNS request from such clients? I mean, should a request only come from the client OR router but never from both?

 

[SomeWhereOverTheRainBow]

Ax88u + pi-hole with unbound. I see the dual requests from one connected client, my LG TV. I had not noticed it until reading this thread, which prompted me to search the pi-hole logs for requests from the router, and sure enough, a whole bunch of requests from the router matching the timestamps and URLs of the LG TV client requests.
Will watch this thread and post a solution if I find one.

[edit]
I think this post from @dave14305 explains the source of the problem somewhat. Is it not acceptable to have the duplicated DNS request from such clients? I mean, should a request only come from the client OR router but never from both?

Your probably seeing that because the television has a hard coded dns and is trying to send request via hard-coded dns, dns filter is forcing it to send those request via pihole. The request show up as coming from the router because the router is preventing the smart TV from using an outside dns server.