Gargoyle and Pi-Hole (ad-blocking)
Hi,
As I cannot install the ad-blocking plugin (not enough memory in my WR841 V10), I am giving Pi-Hole a try (https://github.com/pi-hole/pi-hole).
I have a 192.168.0.* network
I have a 192.168.0.1 Gargoyle router connected to ADSL modem.
I have the Pi-Hole setup (static IP) at 192.168.0.88
Before (it was working well):
I put the DNS server of my ISP
After (all clients were not able to access internet anymore):
I put 192.168.0.88 as DNS server and I checked "Force Clients To Use Router DNS Servers".
I have no idea why it is failing.
Pi-Hole setup is quite straightforward and I don't think I made a mistake there.
I am wondering if I can have a DNS server in my network with Gargoyle as a router?
Any hint welcome!
A happy, yet new, user of Gargoyle
Re: Gargoyle and Pi-Hole (ad-blocking)
Have you tried manually pointing a single device's DNS to the Pi-Hole to rule that out as a point of failure?
If that doesn't work, you've got a problem there.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: Gargoyle and Pi-Hole (ad-blocking)
No... will give it a try!
Re: Gargoyle and Pi-Hole (ad-blocking)
So on one computer (connected through LAN to the router), I manually set the DNS to 192.168.0.88 and it works flawlessly.
Then I tried again to update the Gargoyle router DNS field and put back 192.168.0.88, and then all connected equipment stopped working (except the one whose DNS was manually set)...
So fail
But I have also seen something else:
The number of queries through Pi-Hole exploded (several thousand) during the time I set 192.168.0.88 as DNS in the Gargoyle config.
Looking at the log, it shows a sort of infinite loop in DNS queries. Extract below (212.27.40.240/241 being my ISP DNS servers set in the Pi-Hole config):
Code:
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Re: Gargoyle and Pi-Hole (ad-blocking)
It sounds like dnsmasq is protecting you from a "DNS rebind attack". Which is nice, but not helpful in this situation.
See the configuration options here: https://wiki.openwrt.org/doc/uci/dhcp
Kind of looks like you'll want to disable rebind protection or add in a whitelisted domain that is allowed to serve DNS requests locally.
Re: Gargoyle and Pi-Hole (ad-blocking)
Sounds promising, thanks!
How can I allow my local server to resolve DNS instead of stopping the full rebind protection?
I don't really understand the rebind-localhost-ok option.
Re: Gargoyle and Pi-Hole (ad-blocking)
So in dhcp.conf I changed rebind_protection to 0 and rebooted the Gargoyle router... unfortunately it doesn't change anything.

Re: Gargoyle and Pi-Hole (ad-blocking)
If it helps, when I changed the DNS in Gargoyle, here is what was going on in the log. Extract:
Code:
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain micro
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain micro
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain micro
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain oss
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain oss
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain oss
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain null
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain null
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain null
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain ing
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain ing
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain ing
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain indy
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain indy
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain indy
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain gopher
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain gopher
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain gopher
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain geek
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain geek
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain geek
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain fur
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain fur
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain fur
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain free
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain free
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain free
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain bbs
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain bbs
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain bbs
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain dyn
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain dyn
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain dyn
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain parody
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain parody
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain parody
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain glue
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain glue
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain glue
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 176.58.118.172#53 for domain bit
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 106.187.47.17#53 for domain bit
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 178.32.31.41#53 for domain bit
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using local addresses only for domain lan
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 192.168.0.88#53
Sun Jan 1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 192.168.0.88#53
Code:
Sun Jan 1 19:14:11 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Jan 1 19:14:17 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Jan 1 19:14:24 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Re: Gargoyle and Pi-Hole (ad-blocking)
There's an option "dnsforwardmax" which you could try raising to 300-500 to try and stabilise the network. However that is more of a bandaid than a solution.
It kind of sounds like you have a DNS loop?
E.g.
Computer asks router where google is
Router forwards the request to Pi hole
Pi hole forwards request to router
Etc.
May not be the case, but 150 requests seems excessive
Re: Gargoyle and Pi-Hole (ad-blocking)
I do agree that it seems like a loop... need to understand where and why
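Added example, not part of any post in this thread: a small parser for the Pi-Hole dnsmasq query log format quoted above that flags a client asking for the same name many times within one second, and reports whether that client is also one of the upstreams the query was forwarded to (the two-node loop suggested above). The threshold of 5 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One dnsmasq log line: timestamp, action, queried name, peer address.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) dnsmasq\[\d+\]: "
    r"(query\[\w+\]|forwarded) (\S+) (?:from|to) (\S+)$"
)

# Constructed sample in the format of the Pi-Hole log quoted in the thread:
# one name asked six times in one second by the router, plus one ordinary lookup.
SAMPLE_LOG = (
    "Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1\n"
    "Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241\n"
    "Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240\n"
) * 6 + (
    "Dec 22 21:38:44 dnsmasq[5981]: query[A] example.org from 192.168.0.23\n"
    "Dec 22 21:38:44 dnsmasq[5981]: forwarded example.org to 212.27.40.241\n"
)


def find_repeats(log_text, threshold=5):
    """Return one finding per (second, client, name) seen >= threshold times."""
    counts = defaultdict(int)     # (timestamp, client, name) -> queries
    upstreams = defaultdict(set)  # name -> servers the query was forwarded to
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts, action, name, peer = m.groups()
        if action == "forwarded":
            upstreams[name].add(peer)
        else:
            counts[(ts, peer, name)] += 1
    findings = []
    for (ts, client, name), n in sorted(counts.items()):
        if n >= threshold:
            findings.append({
                "time": ts, "client": client, "name": name, "queries": n,
                "upstreams": sorted(upstreams[name]),
                # True when the resolver forwards back to the client that asked.
                "direct_loop": client in upstreams[name],
            })
    return findings


if __name__ == "__main__":
    for f in find_repeats(SAMPLE_LOG):
        print(f)
```

On the constructed sample the router is flagged as the repeating client while `direct_loop` stays false, because the forwards go to the ISP servers and not back to 192.168.0.1.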