Gargoyle and Pi-Hole (ad-blocking)

Posted: Thu Dec 22, 2016 6:12 am
by darrepac
Hi,

As I cannot install the ad-blocking plugin (not enough memory on my WR841 V10), I am giving Pi-Hole a try (https://github.com/pi-hole/pi-hole).
I have a 192.168.0.* network
I have a 192.168.0.1 Gargoyle router connected to ADSL modem.
I have the Pi-Hole setup (static IP) at 192.168.0.88

Before (it was working well):
I put DNS server of my ISP

After (none of the clients were able to access the internet anymore):
I put 192.168.0.88 as DNS server and I checked "Force Clients To Use Router DNS Servers".

I have no idea why it is failing.
Pi-Hole setup is quite straightforward and I don't think I made a mistake there.
I am wondering if I can have a DNS server in my network with Gargoyle as the router?

any hint welcome!
A happy, yet new, user of Gargoyle

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Thu Dec 22, 2016 6:20 am
by Lantis
Have you tried manually pointing a single device's DNS to the Pi-Hole to rule that out as a point of failure?
If that doesn't work, you've got a problem there.

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Thu Dec 22, 2016 6:24 am
by darrepac
No... will give it a try!

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Thu Dec 22, 2016 4:55 pm
by darrepac
So on one computer (connected through LAN to the router), I manually set the DNS to 192.168.0.88 and it works flawlessly.
Then I tried again to update the Gargoyle router's DNS field, putting back 192.168.0.88, and all connected equipment stopped working again (except the one whose DNS was set manually)...
So, fail.
But I have seen something else as well:
The number of queries through Pi-Hole exploded (several thousand) during the time I had 192.168.0.88 set as DNS in the Gargoyle config.
Looking at the log shows a sort of infinite loop in DNS queries. Extract below (212.27.40.240/241 being my ISP's DNS servers, set in the Pi-Hole config):

Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241
Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240
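The burst in the log above has a shape that can be checked for mechanically: the same name, from the same source, queried many times within one second and forwarded each time without a reply ever being logged. The following is an added example for this thread, not code from the Pi-hole or Gargoyle projects. It parses the `query[...] ... from ...` and `forwarded ... to ...` lines dnsmasq writes with query logging enabled and flags any (name, source) pair that exceeds a per-second threshold. The sample log it runs on is constructed to mirror the extract above; the threshold and window are assumptions a practitioner would tune.

```python
"""Spot a DNS forwarding loop in dnsmasq query-log output.

Added example for this thread, not code from the Pi-hole or Gargoyle
projects. It parses the `query[TYPE] name from source` and
`forwarded name to upstream` lines that dnsmasq writes when log-queries is
on, then flags any (name, source) pair asked about MIN_QUERIES or more
times inside WINDOW_SECONDS. A single client does not hammer one name that
fast; two forwarders handing the same query back and forth do.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style prefix as in the thread: "Dec 22 21:38:43 dnsmasq[5981]: ..."
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
QUERY_RE = re.compile(_PREFIX + r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)$")
FORWARD_RE = re.compile(_PREFIX + r"forwarded (?P<name>\S+) to (?P<upstream>\S+)$")

WINDOW_SECONDS = 1.0   # assumed window; tune to the log's timestamp resolution
MIN_QUERIES = 5        # assumed threshold for "no real client does this"


def _parse_ts(text):
    # dnsmasq's syslog timestamps carry no year; strptime fills in 1900,
    # which does not matter because only differences between stamps are used.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_loops(lines, window_seconds=WINDOW_SECONDS, min_queries=MIN_QUERIES):
    """Return {(name, source): peak queries seen inside one window}."""
    recent = defaultdict(deque)  # (name, src) -> timestamps still in the window
    flagged = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        key = (m["name"], m["src"])
        ts = _parse_ts(m["ts"])
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= min_queries:
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def count_forwards(lines):
    """Return {name: number of 'forwarded ... to' lines} for each name."""
    counts = defaultdict(int)
    for line in lines:
        m = FORWARD_RE.match(line)
        if m:
            counts[m["name"]] += 1
    return dict(counts)


def build_sample_log():
    """Constructed sample, not a real capture: a burst modelled on the log
    posted in the thread (seven identical queries in one second, each
    forwarded to two upstreams and never answered) plus one ordinary lookup."""
    burst = [
        "Dec 22 21:38:43 dnsmasq[5981]: query[A] guzzoni.apple.com from 192.168.0.1",
        "Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.241",
        "Dec 22 21:38:43 dnsmasq[5981]: forwarded guzzoni.apple.com to 212.27.40.240",
    ] * 7
    normal = [
        "Dec 22 21:38:44 dnsmasq[5981]: query[A] example.com from 192.168.0.1",
        "Dec 22 21:38:44 dnsmasq[5981]: forwarded example.com to 212.27.40.241",
        "Dec 22 21:38:44 dnsmasq[5981]: reply example.com is 93.184.216.34",
    ]
    return burst + normal


if __name__ == "__main__":
    log = build_sample_log()
    for (name, src), peak in find_loops(log).items():
        print(f"loop suspect: {name} from {src}: {peak} queries within {WINDOW_SECONDS}s")
    print("forwards per name:", count_forwards(log))
```

Note that every query in the extract comes from 192.168.0.1 rather than from individual clients, which is expected once the router is the only thing talking to the Pi-Hole; the signal is the per-second rate for one name, not the source address.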

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Thu Dec 22, 2016 5:27 pm
by Lantis
It sounds like dnsmasq is protecting you from a "DNS rebind attack". Which is nice, but not helpful in this situation.

See the configuration options here: https://wiki.openwrt.org/doc/uci/dhcp
It kind of looks like you'll want to disable rebind protection or add a whitelisted domain that is allowed to serve DNS requests locally.

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Thu Dec 22, 2016 7:21 pm
by darrepac
Sounds promising, thanks!
How can I allow my local server to resolve DNS instead of stopping the full rebind protection?
I don't really understand the rebind-localhost-ok option.

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Sat Dec 31, 2016 1:06 pm
by darrepac
So in dhcp.conf I changed rebind_protection to 0 and rebooted the Gargoyle router... unfortunately it doesn't change anything :cry:

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Sun Jan 01, 2017 2:37 pm
by darrepac
If it helps, when I changed the DNS in Gargoyle, here is what was going on in the log. Extract:

Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain micro
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain micro
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain micro
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain oss
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain oss
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain oss
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain null
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain null
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain null
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain ing
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain ing
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain ing
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain indy
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain indy
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain indy
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain gopher
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain gopher
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain gopher
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain geek
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain geek
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain geek
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain fur
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain fur
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain fur
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain free
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain free
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain free
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain bbs
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain bbs
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain bbs
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain dyn
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain dyn
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain dyn
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain parody
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain parody
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain parody
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.142.171.235#53 for domain glue
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 95.211.32.162#53 for domain glue
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 66.244.95.20#53 for domain glue
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 176.58.118.172#53 for domain bit
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 106.187.47.17#53 for domain bit
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 178.32.31.41#53 for domain bit
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using local addresses only for domain lan
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 192.168.0.88#53
Sun Jan  1 19:14:03 2017 daemon.info dnsmasq[20633]: using nameserver 192.168.0.88#53

Sun Jan  1 19:14:11 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Jan  1 19:14:17 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Jan  1 19:14:24 2017 daemon.warn dnsmasq[20633]: Maximum number of concurrent DNS queries reached (max: 150)

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Sun Jan 01, 2017 5:31 pm
by Lantis
There's an option "dnsforwardmax" which you could try raising to 300-500 to try and stabilise the network. However, that is more of a band-aid than a solution.

It kind of sounds like you have a DNS loop?
E.g.
Computer asks router where google is
Router forwards the request to Pi hole
Pi hole forwards request to router
Etc.

May not be the case, but 150 requests seems excessive
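The loop Lantis sketches is a property of the forwarding topology, so it can be checked before a config is deployed rather than discovered from a flood of log lines. Below is an added example, not Gargoyle or Pi-hole code, that models each resolver with its list of upstreams and walks the chain from a client looking for a cycle. It goes one step beyond the thread: an optional `redirects` map models a hypothetical rule that delivers a box's outbound port-53 traffic to some other resolver regardless of the address it was sent to, which produces the same loop even when no resolver lists the other as upstream. Whether such a redirect exists in the poster's setup is an assumption of this example; the node names "router" and "pihole" are stand-ins for 192.168.0.1 and 192.168.0.88.

```python
"""Check a DNS forwarding topology for loops before deploying it.

Added example for this thread, not Gargoyle or Pi-hole code. Each resolver
is listed with its upstreams; anything not listed (an ISP or public
resolver) is treated as the end of the chain. The optional `redirects` map
models a hypothetical port-53 redirect: a box's outbound DNS lands on some
other resolver regardless of the address it was sent to. Whether the
poster's router does this is an assumption, not something the thread states.
"""


def find_cycles(upstreams, start="client", redirects=None):
    """Return the distinct forwarding cycles reachable from `start`.

    upstreams: {resolver: [upstream, ...]}; nodes absent from the dict are
    external resolvers and terminate the walk.
    redirects: {resolver: forced_destination}; queries leaving `resolver`
    land on `forced_destination` whatever upstream they were addressed to.
    """
    redirects = redirects or {}
    cycles = []

    def walk(node, path):
        for target in upstreams.get(node, ()):
            dest = redirects.get(node, target)
            if dest in path:
                cycle = path[path.index(dest):] + [dest]
                if cycle not in cycles:
                    cycles.append(cycle)
            elif dest in upstreams:
                walk(dest, path + [dest])
            # else: external resolver, the query gets a real answer

    walk(start, [start])
    return cycles


# Hypothetical node names standing in for the thread's hosts:
# "router" = 192.168.0.1 (Gargoyle dnsmasq), "pihole" = 192.168.0.88.
ISP_DNS = ["212.27.40.240", "212.27.40.241"]

# What Lantis describes: router forwards to Pi-hole, Pi-hole forwards to router.
LOOPED = {
    "client": ["router"],
    "router": ["pihole"],
    "pihole": ["router"],
}

# Pi-hole forwarding straight to the ISP resolvers: the chain terminates.
STRAIGHT = {
    "client": ["router"],
    "router": ["pihole"],
    "pihole": ISP_DNS,
}

# Same correct config, plus a hypothetical rule that sends all LAN port-53
# traffic, Pi-hole's included, back to the router: the loop returns even
# though no resolver lists the other as an upstream.
FORCE_ALL_LAN_TO_ROUTER = {"pihole": "router"}


def check(name, upstreams, redirects=None):
    """Print and return the cycles found for one topology."""
    cycles = find_cycles(upstreams, redirects=redirects)
    verdict = "LOOP " + " -> ".join(cycles[0]) if cycles else "ok"
    print(f"{name}: {verdict}")
    return cycles


if __name__ == "__main__":
    check("looped", LOOPED)
    check("straight", STRAIGHT)
    check("straight + redirect", STRAIGHT, FORCE_ALL_LAN_TO_ROUTER)
```

The practical reading: a loop is only fixed when the Pi-Hole's queries actually reach an external resolver, so both its configured upstreams and anything on the router that could rewrite their destination have to be checked.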

Re: Gargoyle and Pi-Hole (ad-blocking)

Posted: Sun Jan 01, 2017 5:40 pm
by darrepac
I do agree that it seems like a loop... I need to understand where and why.