Pihole ruins my connection (I think)

My YunoHost server

Hardware: old Lenovo ThinkCentre with two Ethernet ports (PCI Ethernet board added)
YunoHost version: 3.6.5.3
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | NO ACCESS to the user interface
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hello there, so here I am again with my noob problems, this time in both languages.

Here is the situation: I cannot access my user interface when I am home, aka on the same LAN that the server is on. If I understand correctly it is because my Dlink DSL320b modem/router does not support hairpinning, and during those troubled confinement times, it is quite a bummer… To correct that issue, I forced my DNS queries to go through pihole, gently installed on my yunohost.

Problem is: it f*cks up my connection aaaall the time. Working fine for 2 hours, then all kinds of DNS_PROBE errors show up (no internet, bad config, whatever) and I have to reset my router to factory, reconfigure it, wait for everyone to know each other and it’s alright again. For a few hours, 2 days if I’m lucky. I don’t know if it’s a pihole issue or a conflict somewhere (could dnsmasq and pihole conflict or loop somehow?). Of course I cannot force any route on my router admin interface to counter (or allow, couldn’t figure out which way it works) hairpinning. I asked the guys over at FDN (my provider) if it could be a problem with my DSL line but it’s all fine and healthy so it must be a problem on my side.

The only solutions I’ve thought of so far are:

  • deactivating pihole, letting the router do the DNS stuff and not accessing my server :frowning:
  • buy a serious router (don’t know which one, don’t know if it would cure anything, don’t have the money)
  • using my modem in bridge mode, letting the server do the PPP and routing business, since it has a second unused Ethernet port (and I have an Ethernet switch), that would be the ultimate solution but I couldn’t find any info on the matter, and I’m a dirty noob so here is the last solution:
  • ask for help to get the third solution working :smiley:

Currently I forced my router to query DNS through 1.1.1.1 and everything is fine, except I have no access to my server.

Any idea what to do?

Thanks


My YunoHost server

Hardware: old Lenovo ThinkCentre with two network cards
YunoHost version: 3.6.5.3
I have access to my server: Through SSH | through the webadmin | direct access via keyboard / screen | NO ACCESS to the user interface
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Description of my issue

Hello hello, here I am again with my noob problems, this time in two languages!

Here is the situation (which I had already described in a previous thread, since closed): I cannot access the user interface of my yunohost when I am at home, i.e. on the same LAN as the server (if I understand correctly it is because my Dlink DSL320b modem/router does not support hairpinning). In these lockdown times, having no access at all is a bit of a pain… To fix the problem, I installed pihole and redirected all DNS queries to it.

Problem: it systematically ruins my connection. It works for 2 hours, then I get all kinds of DNS_PROBE errors (no internet, bad config, whatever) and I have to reset the router, reconfigure it, wait for everyone to sync up and talk to each other, and it starts working again. For 2 more hours, 2 days if I’m lucky. I don’t know whether it is a pihole problem or a conflict somewhere (dnsmasq and pihole looping or something?). Of course there is no way to force a route in the router’s admin interface to work around this hairpinning problem. I asked FDN support whether it could come from my line, but everything is fine on their side, so it is a problem in my config.

So here are the solutions I have thought of:

  • deactivate pihole, let the router handle the DNS stuff, and not access my server when I am at home :frowning:
  • buy a serious router (but I don’t know which one, I don’t know whether it would fix anything, and above all I have no money)
  • use my modem in bridge mode and let the server do the PPP and routing, since I have a second Ethernet port (and a switch to plug in behind it); that would be great, but I can’t find any documentation on the subject and I am far too bad at this to manage it on my own, which brings us to the last solution:
  • ask for help to get the third solution working :smiley:

For now I have set 1.1.1.1 as the DNS server in the router and everything runs fine, but no access to my server.

Any ideas?

Thanks!

Hello

2 questions,

  • How do you “force your DNS queries to go through pihole”?
  • Did you enable the DHCP server on pihole?

1: by that I mean putting the server’s local IP in the “dns server” field in the router’s admin panel
2: nope, the router handles DHCP and it is disabled in pihole, no conflict here…

Could you have a look at your pihole logs, especially to see what’s going on when you have this issue.
By the way, is port 53 open on your router?

Just opened port 53, which was indeed closed, and reconfigured everything like it is when it crashes (pihole as DNS server and so on, as described). Everything is fine for now, I’ll keep you updated…

Quite the opposite, keep it closed.
I was asking before we noticed that dnsmasq crashes often when the port is open, because it’s overloaded by requests from outside of your network.

Alright then, closed it again.
Well, it didn’t take long: everything is falling apart again: NXDOMAIN everywhere.
Which pihole logs are relevant?

You can have a look at both /var/log/pihole.log and /var/log/pihole-FTL.log
The first one will show all your DNS requests, so keep it to yourself. But it can be interesting to see if there’s strange activity.

I have no idea what strange activities could be, so here are the last few lines of the FTL one:

```
[2020-03-19 00:00:08.668] New forward server: 89.233.43.71 unicast.censurfridns.dk (17/20)
[2020-03-19 00:00:08.734] New forward server: 85.214.20.141 h1768020.stratoserver.net (18/20)
[2020-03-19 00:00:08.898] New forward server: 195.160.173.53 c3a0ad35.ip.berlin.ccc.de (19/20)
[2020-03-19 00:00:08.898] Notice: Increasing forwarded struct size from 20 to 24 (10.92 KB)
[2020-03-19 00:00:08.952] New forward server: 80.67.169.12 ns0.fdn.fr (20/24)
[2020-03-19 00:00:08.994] New forward server: 80.67.190.200 log.bzh (21/24)
[2020-03-19 00:00:09.043] New forward server: 89.234.141.66 recursif.arn-fai.net (22/24)
[2020-03-19 00:00:09.097] New forward server: 185.233.100.100 gaia-dns.aquilenet.fr (23/24)
[2020-03-19 00:00:09.097] Notice: Increasing forwarded struct size from 24 to 28 (11.14 KB)
[2020-03-19 00:00:09.098] Notice: Increasing queries struct size from 0 to 10000 (331.14 KB)
[2020-03-19 00:00:09.098] Notice: Increasing domains struct size from 0 to 1000 (363.14 KB)
[2020-03-19 00:00:09.098] Notice: Increasing clients struct size from 0 to 10 (363.40 KB)
[2020-03-19 00:00:09.098] New client: 192.168.1.2 (0/10)
[2020-03-19 00:00:09.098] New client: 127.0.0.1 localhost (1/10)
[2020-03-19 00:00:10.879] Notice: Increasing queries struct size from 10000 to 20000 (688.96 KB)
[2020-03-19 00:00:12.684] Notice: Increasing queries struct size from 20000 to 30000 (1.01 MB)
[2020-03-19 00:00:14.423] Notice: Increasing queries struct size from 30000 to 40000 (1.33 MB)
[2020-03-19 00:00:15.812] New client: 192.168.1.5 centonze.noho.st (2/10)
[2020-03-19 00:00:15.813] New client: 192.168.1.1 gateway (3/10)
[2020-03-19 00:00:16.051] Notice: Increasing queries struct size from 40000 to 50000 (1.66 MB)
[2020-03-19 00:00:18.035] Notice: Increasing queries struct size from 50000 to 60000 (1.98 MB)
[2020-03-19 00:00:18.329] Notice: Increasing overTime struct size from 100 to 200 (1.99 MB)
[2020-03-19 00:00:18.913] Reading from /var/log/pihole.log (rw-r--r--)
[2020-03-19 00:19:38.802] Notice: Increasing queries struct size from 60000 to 70000 (2.31 MB)
[2020-03-19 10:00:02.241] Notice: Increasing overTime struct size from 200 to 300 (2.32 MB)
[2020-03-19 11:58:11.881] Notice: Increasing queries struct size from 70000 to 80000 (2.64 MB)
[2020-03-19 12:52:59.127] New client: 199.247.28.206 199.247.28.206.vultr.com (4/10)
```
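One thing worth pulling out of an FTL log like the one above is which addresses show up as clients. Four of the five are the LAN (192.168.1.x) or loopback; the fifth, 199.247.28.206 (a vultr.com host), is a public address. FTL registers a client the first time dnsmasq logs a query from that source, so a public address there means a query from the Internet reached the resolver, which is the situation the earlier reply warned about when port 53 is open on the router. The script below is an added example, not part of the thread or of Pi-hole itself: it parses the `New client:` lines from a constructed sample made of the five lines quoted above and lists every client whose address is outside the RFC 1918, loopback and link-local ranges.

```python
import ipaddress
import re

# Constructed sample: the five "New client" lines quoted in the thread's
# pihole-FTL.log excerpt, reproduced here so the script runs offline.
SAMPLE_FTL_LOG = """\
[2020-03-19 00:00:09.098] New client: 192.168.1.2 (0/10)
[2020-03-19 00:00:09.098] New client: 127.0.0.1 localhost (1/10)
[2020-03-19 00:00:15.812] New client: 192.168.1.5 centonze.noho.st (2/10)
[2020-03-19 00:00:15.813] New client: 192.168.1.1 gateway (3/10)
[2020-03-19 12:52:59.127] New client: 199.247.28.206 199.247.28.206.vultr.com (4/10)
"""

# FTL writes "[timestamp] New client: <ip> [<reverse-name>] (<n>/<capacity>)"
# the first time it sees a query from that address; the reverse name is optional.
NEW_CLIENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] New client: (?P<ip>\S+)(?: (?P<name>\S+))? \(\d+/\d+\)$"
)


def parse_new_clients(text):
    """Yield (timestamp, ip, reverse_name_or_None) for every 'New client' line."""
    for line in text.splitlines():
        m = NEW_CLIENT_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name")


def is_lan_or_local(ip):
    """True for RFC 1918 / ULA, loopback and link-local addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def external_clients(text):
    """Clients whose source address is outside the LAN. A query from such an
    address can only have reached dnsmasq if port 53 was reachable from the
    Internet (or the source address was spoofed, which is how DNS amplification
    abuse of an open resolver looks)."""
    return [(ts, ip, name) for ts, ip, name in parse_new_clients(text)
            if not is_lan_or_local(ip)]


if __name__ == "__main__":
    import sys
    # Usage: python3 ftl_clients.py /var/log/pihole-FTL.log   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FTL_LOG
    for ts, ip, name in external_clients(text):
        print(f"{ts} external client {ip} {name or ''}".rstrip())
```

If the script prints anything on a real log, check the router's port-forwarding table and the Pi-hole interface-listening setting before anything else; the FTL log alone does not say whether the query was answered, only that dnsmasq saw it.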

Nothing particular in this log.
Does the other log continue to log requests when you have issues?
From localhost only? From other devices in your network?

You said you had to restart the router, looks like an error from your router. But I don’t know why and what.

Everything is logged from localhost and my laptop, even when DSL is broken…

So if it is the current modem/router, is there a proper way to only use it as a modem and instead use the yunohost server as router, and for PPP as well?

If only localhost and your laptop, and nothing from your router, that means indeed that your router itself doesn’t support using your server as DNS. Which is strange… unless it does use a domain blocked by pihole (which you can probably check from the last request logged from the router in pihole’s log).

By the way, looking for this router, I find a small modem with only one port. If that’s it, how did you plug in all your devices? Don’t you have another router behind the modem to handle your local network?
If so, that second router should handle your DNS requests.
Otherwise, a solution is to set the DNS for each device in your network, quite annoying though…

But, if you have only that modem, I really think that the idea about a domain blocked by pihole is a good way to investigate. Don’t forget that PiHole is above all an ad-blocker.

That’s right, no other requests than localhost and my laptop, nothing from the DSL320b. This small modem can also handle the routing job (does NAT and DHCP and some basic stuff) but I plugged a 5 port switch behind it and then Ethernet cables through the walls.

Anyway, what I don’t understand in your answer is that blocked domain stuff: the router is supposed to ask 192.168.1.5 (my yunohost local IP) for DNS resolution, through OpenDNS that I chose in the pihole admin panel; how could a blocked domain interfere with that?

I know pihole is mainly an ad-blocking solution, but I also used it as a workaround to my hairpinning problem… Which gets me back to the bottom line: would my problems go away if I were to use my yunohost server as a router, and is there a way to do it?

I suspect your modem tries to resolve a domain to work correctly, and that domain may be blocked by PiHole. Which could explain why your modem breaks down.
A look at your logs could give you some clues about it.
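A way to do the check the reply suggests, as an added example (not the poster’s code and not Pi-hole’s own tooling): parse /var/log/pihole.log, pair every `query[...]` line with the outcome dnsmasq logs next for that domain, and report what the gateway asked for and whether Pi-hole answered it from a blocklist. The sample lines and the router-vendor domain names in them are constructed; 208.67.222.222 is OpenDNS, which the poster says is the chosen upstream. The format assumed is the dnsmasq log Pi-hole 4.x writes (a block shows as `/etc/pihole/gravity.list <domain> is <address>`; the `gravity blocked` form of later versions is accepted too), and the query-to-outcome pairing is by domain order, which is how these logs read but is not a hard guarantee when two clients ask for the same name in the same instant.

```python
import re
import sys

# Constructed sample in the dnsmasq format Pi-hole 4.x writes to /var/log/pihole.log.
# Client 192.168.1.1 plays the gateway; the router-vendor domains and answers are made up.
SAMPLE_PIHOLE_LOG = """\
Mar 19 12:40:01 dnsmasq[812]: query[A] fdn.fr from 192.168.1.2
Mar 19 12:40:01 dnsmasq[812]: forwarded fdn.fr to 208.67.222.222
Mar 19 12:40:01 dnsmasq[812]: reply fdn.fr is 203.0.113.10
Mar 19 12:40:07 dnsmasq[812]: query[A] time.router-vendor.example from 192.168.1.1
Mar 19 12:40:07 dnsmasq[812]: /etc/pihole/gravity.list time.router-vendor.example is 0.0.0.0
Mar 19 12:40:09 dnsmasq[812]: query[A] www.router-vendor.example from 192.168.1.1
Mar 19 12:40:09 dnsmasq[812]: forwarded www.router-vendor.example to 208.67.222.222
Mar 19 12:40:09 dnsmasq[812]: reply www.router-vendor.example is 198.51.100.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<domain>\S+) from (?P<client>\S+)$")
# Pi-hole 4 logs a block as "<blocklist path> <domain> is <sinkhole address>";
# Pi-hole 5 changed this to "gravity blocked <domain> is <address>", so accept both.
BLOCKED_RE = re.compile(r"(?:/etc/pihole/\S+|gravity blocked) (?P<domain>\S+) is (?P<answer>\S+)$")
FORWARD_RE = re.compile(r"forwarded (?P<domain>\S+) to (?P<upstream>\S+)$")
ANSWER_RE = re.compile(r"(?:reply|cached|config) (?P<domain>\S+) is (?P<answer>\S+)$")


def parse_queries(text):
    """One record per query line, with the outcome dnsmasq logged next for that
    domain attached: status is blocked / forwarded / answered / pending."""
    records, latest = [], {}
    for line in text.splitlines():
        ts, _, msg = line.partition("]: ")   # "Mar 19 12:40:07 dnsmasq[812" | message
        m = QUERY_RE.match(msg)
        if m:
            rec = {"ts": ts[:15], "client": m["client"], "qtype": m["qtype"],
                   "domain": m["domain"], "status": "pending", "answer": None}
            records.append(rec)
            latest[m["domain"]] = rec      # outcome lines carry no client, only the domain
            continue
        m = BLOCKED_RE.match(msg)
        if m and m["domain"] in latest:
            latest[m["domain"]].update(status="blocked", answer=m["answer"])
            continue
        m = FORWARD_RE.match(msg)
        if m and m["domain"] in latest:
            latest[m["domain"]].update(status="forwarded", answer=m["upstream"])
            continue
        m = ANSWER_RE.match(msg)
        if m and m["domain"] in latest and latest[m["domain"]]["status"] != "blocked":
            latest[m["domain"]].update(status="answered", answer=m["answer"])
    return records


def queries_from(text, client):
    """All query records issued by one client address, in log order."""
    return [r for r in parse_queries(text) if r["client"] == client]


def blocked_for(text, client):
    """Domains the client asked for that Pi-hole answered from a blocklist."""
    return [r["domain"] for r in queries_from(text, client) if r["status"] == "blocked"]


def last_query_from(text, client):
    """The most recent query record from the client, or None if it never asked."""
    qs = queries_from(text, client)
    return qs[-1] if qs else None


if __name__ == "__main__":
    # Usage: python3 pihole_client_queries.py [/var/log/pihole.log] [client-ip]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PIHOLE_LOG
    client = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.1"
    for r in queries_from(text, client):
        print(f"{r['ts']} {r['client']} {r['qtype']:5} {r['domain']} -> {r['status']} {r['answer'] or ''}")
    print("blocked for", client, ":", blocked_for(text, client))
```

Run it against the real log with the gateway’s address; a blocked entry just before the failures start is the evidence the reply is asking for, and whitelisting that one domain is a cheaper test than turning every list off.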

Aside from using your server as a router, you can simply use PiHole as your DHCP server, which will give all your devices the correct DNS address to use. And would keep your modem working.
Have a look here about that configuration https://github.com/YunoHost-Apps/pihole_ynh/blob/master/dhcp.md#faire-de-pi-hole-votre-serveur-dhcp

Router’s DHCP is off, pihole DHCP is on, everything worked fine for 8h and the DNS errors came back. Currently no internet connection. I have unchecked every filtering list in pihole to see if it had any impact, it has none… The modem is still connected and synchronised but I cannot ping anything outside of my LAN.

I begin to suspect the modem itself. Upon some research, it is known to do a far better job in bridge mode, when the router behind it does all the PPP authentication stuff. Is there anything that would prevent me from installing pppd and pppoeconf on my yunohost instance to do so? I’d like to try it so I can rule it out (if not working) before trying to get a new modem :expressionless:

Fun fact I just tried right now: I can access my yunohost user interface through another internet source (4G for instance) even when the wired WAN (to which yunohost is connected) is down.

When your connection is down, can you ping a domain? And ping an IP address?

Nothing passes through.

Not even a ping to an IP address!?
If not, then that’s not an issue with your DNS resolution but indeed with your modem locking down your connection for whatever reason.

Nothing ever passes, except my public IP.

So for testing purposes, is there a problem with installing pppd and ppp on yunohost ?