HOWTO: Using pi-hole as LAN DNS server

Since you’re on a DMZ, make sure that you’ve protected port 53 (don’t let someone on the internet use it!).

Can your LAN devices access the DMZ devices, since they’re on a different subnet?

(The character to use in the markdown formatting I posted is located above the TAB key on a US keyboard, not a single quote :wink: )

Yeah, 53 inbound is blocked and 53 outbound is only open to upstream servers.
Ahh yes, ticks. Oops, lol.

Also, yes my LAN has an allow all to DMZ, but the DMZ cannot initiate a connection to the LAN. Typical ingress/egress rules.

What do the queries look like in the log?

Run pihole -d for a debug token.

The upload is failing for some reason. I thought it might be a firewall rule at first, but I'm getting a lookup error.
I uploaded the diagnostics to a shared folder. You can get them here:

:::  ---= pihole.log
::: Logging will automatically teminate in 60 seconds
::: Finshed debugging!.
::: The debug log can be uploaded to for sharing with developers only.
::: Would you like to upload the log? [y/N] y forward host lookup failed: Host name lookup failure : Resource temporarily unavailable
::: There was an error uploading your debug log.
::: Please try again or contact the Pi-hole team for assistance.
::: A local copy of the Debug log can be found at : /var/log/pihole_debug.log

Ok I figured it out. This was a local cache issue as you suspected. Evidently I was clearing the local cache incorrectly on my Mac. Sorry for wasting your time and thank you for your assistance!


I tried to set up DNS on my pi-hole using your instructions above.

My lan.list file is setup as following on the pihole:

pi@raspberrypi:~ $ cat /etc/pihole/lan.list
isy.mylan isy
lutron.mylan lutron

My wi-fi router uses pi-hole as its DNS server.

On a Windows client that's connected to my wi-fi network, I tried to connect to the device using the DNS name entry.

C:\Users\xxxx>nslookup lutron.mylan
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2600:8802:6400:(masked for privacy):27ff:fe4d:7752

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

My Pihole seems to be randomly choosing not to read from the LAN configuration I set up per this thread. Every time I open my laptop, my personal domain as well as some internal-only hostnames I configured resolve incorrectly, and after some time will correct themselves to what I've configured. nslookup confirms that the DNS server (pihole) is resolving the hosts to the wrong addresses, across multiple reboots. I've also confirmed it's not a local DNS cache issue. Any thoughts? Not sure where to start.

Check that you only have the Pi-hole as your DNS server. It could be switching between two different servers.

It’s not that. I do have configured as my secondary on my DHCP server, but that wouldn’t affect nslookups using the pi-hole’s IP. Sometimes it will return the correct IP for a lookup, sometimes it won’t. As far as I can tell it’s the pi-hole that is just randomly deciding to resolve badly.

What’s the log look like when you request the domains? /var/log/pihole.log

It appears that only the times that the domains are resolved correctly are logged. I just performed multiple nslookups which were resolved to the domain’s external address, and none were logged, yet the log is full of entries resolving the domain to the correct internal address. I did however see this logged while I was testing, at the point where it started resolving correctly:

Dec 6 22:02:08 dnsmasq[140838]: query[AAAA] my.domain from
Dec 6 22:02:08 dnsmasq[140838]: forwarded my.domain to
Dec 6 22:02:08 dnsmasq[140838]: validation result is INSECURE
Dec 6 22:02:08 dnsmasq[140838]: reply my.domain is NODATA-IPv6
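The check the previous two posts are doing by hand, as an added example that is not part of this thread: a small parser for /var/log/pihole.log lines that records, per queried name, whether dnsmasq answered it from a hosts file such as lan.list, from a DHCP lease, or sent it upstream, and then lists names under a local domain that were forwarded anyway (those are the ones that come back with the external or NXDOMAIN answer). The log lines and addresses are constructed for the example; the local domain names passed in are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format dnsmasq writes to /var/log/pihole.log
# (addresses are made up for the example).
SAMPLE_LOG = """\
Dec  6 22:02:08 dnsmasq[140838]: query[A] lutron.mylan from 192.168.1.50
Dec  6 22:02:08 dnsmasq[140838]: /etc/pihole/lan.list lutron.mylan is 192.168.1.20
Dec  6 22:02:09 dnsmasq[140838]: query[A] bose-lounge.local from 192.168.1.50
Dec  6 22:02:09 dnsmasq[140838]: DHCP 192.168.1.31 is bose-lounge.local
Dec  6 22:02:10 dnsmasq[140838]: query[AAAA] my.domain from 192.168.1.50
Dec  6 22:02:10 dnsmasq[140838]: forwarded my.domain to 1.1.1.1
Dec  6 22:02:10 dnsmasq[140838]: reply my.domain is NODATA-IPv6
Dec  6 22:02:11 dnsmasq[140838]: query[A] isy.mylan from 192.168.1.50
Dec  6 22:02:11 dnsmasq[140838]: forwarded isy.mylan to 1.1.1.1
Dec  6 22:02:11 dnsmasq[140838]: reply isy.mylan is NXDOMAIN
"""

# Everything after "dnsmasq[pid]: " is "<kind> <rest>", e.g. "forwarded name to ip".
LINE = re.compile(r"dnsmasq\[\d+\]: (?P<kind>\S+) (?P<rest>.*)")

def classify(log_text):
    """Map each queried name to the set of ways dnsmasq answered it."""
    answers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind.startswith("query["):
            answers[rest.split()[0]]          # record the name even if never answered
        elif kind == "forwarded":             # "forwarded <name> to <upstream>"
            answers[rest.split()[0]].add("forwarded")
        elif kind == "DHCP":                  # "DHCP <ip> is <name>": from a lease
            answers[rest.split()[-1]].add("dhcp")
        elif kind.startswith("/"):            # "<hosts-file> <name> is <ip>"
            answers[rest.split()[0]].add(kind)
        elif kind == "cached":                # "cached <name> is <ip>"
            answers[rest.split()[0]].add("cached")
    return dict(answers)

def leaked_local_names(log_text, local_domains):
    """Names under one of local_domains that dnsmasq sent to an upstream server."""
    return sorted(
        name for name, how in classify(log_text).items()
        if "forwarded" in how and any(name.endswith("." + d) for d in local_domains)
    )
```

Run it over the real log with the domains you expect to be answered locally; any name it reports is one the hosts file or lease table did not cover at that moment.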

That sounds like your device is using more than just Pi-hole as the DNS server (or further upstream in the router it’s using something else)

I’m having exactly the same issue as @koolmon10. Installed Pi-Hole. Set up Pi-Hole. DHCP server enabled. Added a bunch of static DHCP leases. On the Pi-Hole itself (and other devices) half the local hostnames resolve and half don’t.

If I ping bose-lounge.local the IP resolves, and the following goes into /var/log/pihole.log

Dec 20 17:13:28 dnsmasq[28202]: DHCP is bose-lounge.local

If I ping bose-kitchen.local however, it fails to resolve and I see the following:

Dec 20 00:19:15 dnsmasq-dhcp[28202]: DHCPREQUEST(eth0) 88:4a:ea:78:37:2e
Dec 20 00:19:15 dnsmasq-dhcp[28202]: DHCPACK(eth0) 88:4a:ea:78:37:2e bose-kitchen

The odd thing is is correct for bose-kitchen.local but it never actually resolves.

Edit: actually the bose-kitchen mention in pihole.log doesn’t happen when I try to resolve the hostname, nothing gets printed in the log. Just happened to be there from earlier.

Edit 2: This gets weirder. If I ping bose-kitchen.local it does not work. If I remove the local it works fine but shows as .local!

pi@pi-hole:~ $ ping bose-kitchen.local
ping: bose-kitchen.local: Name or service not known

pi@pi-hole:~ $ ping bose-kitchen
PING bose-kitchen ( 56(84) bytes of data.
64 bytes from bose-kitchen.local ( icmp_seq=1 ttl=64 time=107 ms

Thought I’d start a new reply rather than make a third edit!! :slight_smile:

So I’ve discovered that (certainly on my LAN) it’s a crapshoot with the .local domain:

  • Some hosts can be resolved with .local and without .local on the end
  • Some hosts can only be resolved with .local on the end
  • Some hosts can only be resolved without .local on the end

All have just been configured via the DHCP leases setting via the web front end…

I have found a fix though. Change the “Pi-hole domain name” to something other than .local (I just tried .home) and now everything works both with and without .home on the end!

Hmm, maybe your router or your upstream DNS server doesn’t like .local as there is nothing specific about this TLD in our DNS server that would make me expect such a thing.

Is that really appearing when you ping? This should be there as a request to establish, verify or extend an existing lease, hence it should be totally independent of you pinging the kitchen system.

It’s possible your issues may be related to mDNS, which I believe uses .local as the default domain name. mDNS is what most devices use to discover others on the network. It’s what lets your phone find your Chromecast, etc.

I already posted this on reddit but will do so here again, since it completely resolved my DNS resolution issues with Pi-Hole in Windows (7, 8.1 and 10).

tl;dr: disable IPv6 in Network Adapter settings AND disable the IP Helper service!

If you have any issues with local DNS resolution on Windows, although everything is set up correctly as explained in the article below, then try the following:

  1. Disable IPv6 in your network adapter settings.
  2. (Important!) Stop and disable the "IP Helper" service.
  3. Run "ipconfig -flushdns" from an elevated command prompt.

I had been struggling with local DNS resolution issues for a long time and discovered this by accident. Since I had disabled IPv6 in my network adapter settings, I was foolishly under the assumption that IPv6 was disabled on my Windows 10, but apparently Microsoft thought otherwise.

After trying to optimize my setup a bit, I stumbled upon an article that suggested disabling the "IP Helper" service since it's not needed in most scenarios anyway, and it also mentioned IPv6. The moment I stopped the service and flushed the DNS cache, all issues with local DNS resolution were gone.

Not sure why Windows still tries to do DNS resolution via IPv6 although it is disabled in the network adapter settings (I only have one), but I'm glad I finally figured that out (after almost a year of frustration and editing "hosts" files).

Please spread the word to all that have the same issue so they won't have to struggle as long as I did :smiley:

Pi-Hole for local DNS resolution setup: HOWTO: Using pi-hole as LAN DNS server

A minor problem is that the Chrome/Opera browser treats the address as a search (unless you put http:// in front). How to change this, if possible?