PiHole - Devices?
Discussion
I want to see which devices are firing what DNS lookups at my PiHole thingy, I feel like I've got something slightly wrong in the setup.
The dashboard shows 3 Active Clients, they are my WAN address with the hostname that relates to my ISP, there's the IP address of my router and then there's localhost which looks like the PiHole itself.
It's ages since I messed around with this, how do I check a particular device is using PiHole and how do I get proper device-level info in the dashboard?
Ta.
The dashboard shows 3 Active Clients, they are my WAN address with the hostname that relates to my ISP, there's the IP address of my router and then there's localhost which looks like the PiHole itself.
It's ages since I messed around with this, how do I check a particular device is using PiHole and how do I get proper device-level info in the dashboard?
Ta.
There should be a logfile in /var/log/pihole.log - according to this site said logfile should contain all queries. I'm not sure of the format - but suspect the client IP addresses performing the queries should be stored in the logfile too.
If you see any external IP addresses performing queries then you have a problem!
EDIT: This site explains how to interpret the logfile. So you are looking for 'query' statements.
Like this: Nov 4 07:28:53 dnsmasq[1045]: query[A] ntp.ubuntu.com from 192.168.1.52
So if the "from" field contains anything but your own network addresses you have a problem.
If you see any external IP addresses performing queries then you have a problem!
EDIT: This site explains how to interpret the logfile. So you are looking for 'query' statements.
Like this: Nov 4 07:28:53 dnsmasq[1045]: query[A] ntp.ubuntu.com from 192.168.1.52
So if the "from" field contains anything but your own network addresses you have a problem.
Edited by TonyRPH on Monday 6th February 10:27
Only showing your router address could be normal if you have a router configured to host it's own DNS cache and push out its own IP as the DNS server to DHCP clients. I think that is the most common setup for a home network these days.
No idea why your wan address would be in there but is suspect it is a red herring.
No idea why your wan address would be in there but is suspect it is a red herring.
Great, I think I can see the log now, everything is coming from the router IP address. It's Google WiFi and the setup options are fairly limited, so I don't know if there's anything I can do with that to get the correct IP Addresses to come through.
A scroll of the log shows it's picking up a range of devices, but I'd like to check that everything is using Pi Hole correctly.
In my router config I set a second DNS address as the Google one, am I right in thinking if my Pi Hole goes offline that that will keep my devices working, but devices won't use that in normal circumstances?
A scroll of the log shows it's picking up a range of devices, but I'd like to check that everything is using Pi Hole correctly.
In my router config I set a second DNS address as the Google one, am I right in thinking if my Pi Hole goes offline that that will keep my devices working, but devices won't use that in normal circumstances?
paulrockliffe said:
Great, I think I can see the log now, everything is coming from the router IP address. It's Google WiFi and the setup options are fairly limited, so I don't know if there's anything I can do with that to get the correct IP Addresses to come through.
A scroll of the log shows it's picking up a range of devices, but I'd like to check that everything is using Pi Hole correctly.
You say 'router IP address' - do you mean addresses assigned by the router, or the actual IP of the router itself?A scroll of the log shows it's picking up a range of devices, but I'd like to check that everything is using Pi Hole correctly.
Depending on your router configuration, it's possible that the requests could be originating from the internal IP address of the router, which although fine is not the ideal way for it work.
paulrockliffe said:
In my router config I set a second DNS address as the Google one, am I right in thinking if my Pi Hole goes offline that that will keep my devices working, but devices won't use that in normal circumstances?
DNS works in a 'round robin' fashion - if you have two IP addresses set in DNS, the clients will use whichever responds first.If you want redundancy, the solution would be to setup a second PiHole, and assign both the PiHoles as primary and secondary DNS servers in your router config.
OK, I can see how I would setup DHCP on the PI, my concern is that with that setup if my server is off, which happens if there's a power-cut as it doesn't boot itself automatically. I would be away, the power would go off and my wife wouldn't be able to work and the kids couldn't watch cartoons. Nightmare.
Is there anyway to configure this so that it rolls back to the Router automatically, I guess not.
Perhaps I should setup Pi Hole on a spare Raspberry Pi instead, it would be a bit more resilient to power failure then I guess. Is it possible to run Pi Hole on both devices and have one fall-over to the other?
Is there anyway to configure this so that it rolls back to the Router automatically, I guess not.
Perhaps I should setup Pi Hole on a spare Raspberry Pi instead, it would be a bit more resilient to power failure then I guess. Is it possible to run Pi Hole on both devices and have one fall-over to the other?
As I said in my post up there ^^^^ - DNS works in a 'round robin' fashion.
So yes, you could setup 2 PiHole devices, and they would then share the DNS queries. If one stopped working, the other would simply handle all queries.
You assign them in your router as primary and secondary.
DHCP failover is another subject in itself, and non trivial.
The power failure case is a nuisance, as if the power does fail you'll lose both PiHoles anyway.
Surely you could leave instructions on how to power them up again? Are power failures a common issue in your area?
So yes, you could setup 2 PiHole devices, and they would then share the DNS queries. If one stopped working, the other would simply handle all queries.
You assign them in your router as primary and secondary.
DHCP failover is another subject in itself, and non trivial.
The power failure case is a nuisance, as if the power does fail you'll lose both PiHoles anyway.
Surely you could leave instructions on how to power them up again? Are power failures a common issue in your area?
No, power cuts are fairly unusual, but the consequences of the internet going down are unimaginable, if it's my fault anyway! Probably a bigger risk that something else on the server goes wrong and takes down everything else. To be fair, it's been pretty solid for a long time, it just needs to be self-healing in a way that I don't get the blame if stuff stops working.
Instructions won't really work without some more messing around, the server is outside in my workshop and the power switch is behind a grill on the front and the last thing I want is people poking around out there, you never know what they'll find.
So it sounds like I should put Pi Hole on a spare Pi and take it from there I think.
Instructions won't really work without some more messing around, the server is outside in my workshop and the power switch is behind a grill on the front and the last thing I want is people poking around out there, you never know what they'll find.
So it sounds like I should put Pi Hole on a spare Pi and take it from there I think.
In the event of a power cut you stand a good chance of corruption to the SD card the Pi is (probably) using.
To my mind there are two things to do:
1: Get the Pi using a proper hard disk as they're much hardier. Just the logging from PiHole will kill an SD card relatively quickly (log2ram is another option, but less good as a solution - won't stop power cuts killing your SD card).
2: Get the whole shebang running on a UPS so that you don't have issues after a power cut.
To my mind there are two things to do:
1: Get the Pi using a proper hard disk as they're much hardier. Just the logging from PiHole will kill an SD card relatively quickly (log2ram is another option, but less good as a solution - won't stop power cuts killing your SD card).
2: Get the whole shebang running on a UPS so that you don't have issues after a power cut.
There we go, got a message in the middle of the morning complaining nothing was working. Luckily my router settings are accessible, so I was able to swap DNS back over to Google.
As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
I guess that's an easy fix, but this is what i was trying to avoid!
As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
I guess that's an easy fix, but this is what i was trying to avoid!
paulrockliffe said:
There we go, got a message in the middle of the morning complaining nothing was working. Luckily my router settings are accessible, so I was able to swap DNS back over to Google.
As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
I guess that's an easy fix, but this is what i was trying to avoid!
Do you not have a secondary dns setup for it to fall back on?As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
I guess that's an easy fix, but this is what i was trying to avoid!
paulrockliffe said:
<sip>
As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
<snip>
This is of greater concern than anything else. It would seem to me that your PiHole is exposed to the outside world somehow - otherwise how else would it exceed 1,000 queries per minute?As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
<snip>
OP - PM me your external IP address and I'll do a quick scan.
If you don't want to do that, then go to the excellent Shields UP website and carry out a scan from there.
thebraketester said:
As I explained previously in this topic - DNS works in a 'round robin' fashion - so if the primary DNS is set to the PiHole, and the secondary DNS is set to Google, some DNS responses will be served by Google and some by the PiHole - totally negating the point of having a PiHole!!!I run bind9 on my Linux boxes (primary and secondary) with DNS blacklists (similar to the PiHole) so I have some built in redundancy.
The OP mentioned he had another server - this could be setup as a secondary DNS server - however it's unlikely to be able to use the PiHole (unless he sets up a virtual machine to run it).
TonyRPH said:
paulrockliffe said:
<sip>
As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
<snip>
This is of greater concern than anything else. It would seem to me that your PiHole is exposed to the outside world somehow - otherwise how else would it exceed 1,000 queries per minute?As far as I can see all traffic to PiHole disappeared at 00:40 this morning, due to the router IP address being rate-limited to 1,000 queries a minute.
<snip>
OP - PM me your external IP address and I'll do a quick scan.
If you don't want to do that, then go to the excellent Shields UP website and carry out a scan from there.
paulrockliffe said:
Will PM you later when I can find it. The PiHole sees every request as coming from the router IP address, so I assumed it was something on my network getting in a mess and asking for stuff.
This (bold above) doesn't seem right - the router should not be intercepting internal queries at all - it should simply be 'telling' network clients where to find the DNS server address, and the client(s) should query the PiHole server directly.For example - if the PiHole is 192.168.1.2 and the router is 192.168.1.1 and a client (192.168.1.6) the query should be thus;
(client) 192.168.1.6 -> (dns request) -> 192.168.1.2
(PiHole) 192.168.1.2 -> (dns request) -> (router) 192.168.1.1 -> external DNS server(s).
In the above ^^^ the router should be transparent (i.e. not answering the query - but simply performing NAT on the traffic and passing it to the outside world).
Based on what you've said, (and assuming you have a 'normal' router!) - it sounds as though you might have mapped an inbound port to the PiHole - which would explain the query limit being imposed (likely due to external exploitation) and would also explain why all queries are sourced from the router.
This is also likely why your setup is rather unstable.
It sounds like you’ve got your router giving out its own address in DHCP to clients (usually the default behaviour), then the routers DNS server is forwarding queries to the pihole. If you want the pihole to see the client IPs directly then need to change the DHCP settings on your router to direct clients straight to the pihole for DNS and not query the router at all. It’s not always easy on home routers.
It may well be using is WAN interface as the source which is why you’re seeing that in the pihole logs. what it’d do for the majority of cases where the ISP or something else on the internet is the upstream DNS.
Possibly you’ve also enabled it to resolve queries from the WAN while changing settings and someone has found that and used it as a reflector for dos attacks, so try find that and turn it off ASAP. That could be why it’s hit the pihole flood protection.
If you set multiple DNS servers in windows, then it just sends queries to them all and accepts the first valid response. So that won’t work if one server is blocking malicious domains but the other resolved them as the clients will still get a valid lookup and be able to connect.
It may well be using is WAN interface as the source which is why you’re seeing that in the pihole logs. what it’d do for the majority of cases where the ISP or something else on the internet is the upstream DNS.
Possibly you’ve also enabled it to resolve queries from the WAN while changing settings and someone has found that and used it as a reflector for dos attacks, so try find that and turn it off ASAP. That could be why it’s hit the pihole flood protection.
If you set multiple DNS servers in windows, then it just sends queries to them all and accepts the first valid response. So that won’t work if one server is blocking malicious domains but the other resolved them as the clients will still get a valid lookup and be able to connect.
Edited by wombleh on Wednesday 8th February 20:01
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff