I don't know if someone did already mention this (a quick issue and faq search showed no results), but my Pi-Hole stopped working because my router had DNS Rebind Protection turned on. This means DNS queries cannot be answered with a local IP address, so maybe this could be included in the FAQs or somewhere else.
I don't know if it happens really often, but OpenWrt has it turned on as default.
Is there any way to turn it off? That would be a nice addition to the wiki/FAQ, etc.
It's going to depend greatly on the router, or router firmware I would have thought..
Running OpenWrt on the router, I disabled rebind protection by changing
option rebind_protection 1
to
option rebind_protection 0
in /etc/config/dhcp (source). Afterwards I reloaded the dnsmasq service on the router.
Yes, it depends on the router firmware, but I think a note somewhere in the FAQs may help?
Yeah, absolutely. We can add it to the wiki, here, and @jacobsalmela can add it to the FAQs on pi-hole.net
DD-WRT also has a "No DNS Rebind" option -- when enabled, I can't see my custom html file I placed in /var/www/html/pihole but when I disable the option, my custom image does show. In my situation, with the "No DNS rebind" option either on or off, pi-hole still seems to be blocking ads properly, it's just not showing my special image I set up.
Is there a way to still keep the No DNS Rebind enabled yet allow full pihole functionality (I like my little image placeholder so I can see some of the places ads are blocked)? Currently, I do have an option in DDWRT for Plex to work properly:
rebind-domain-ok=/plex.direct/
Is there something similar to do with pi-hole? My pi-hole has a static address of 192.168.1.2 if it helps.
Or, is there a significant security downside to disabling the "No DNS Rebind" option?
When the "No DNS Rebind" option is enabled, are you seeing entries in the /var/log/pihole.log that list gravity.list as the source with your Pi's IP address? And how about the /var/log/lighttpd/access.log? Are there changes in the behaviors of the logs when you turn the rebind on and off? I'm running OpenWRT on a WNDR3700v2 so I don't think I can load the DD-WRT firmware for that router. If need be I'll see if I can find a cheap eBay router that can do DD-WRT to add to the testbed. (I'm the one on the team that tries to break things whenever possible before it gets out to public use :smile: )
I'll have to retry this over the weekend. There are lots of entries for both of these. What's the best way to clear them and retry a webpage before and after enabling/disabling the rebind option?
BTW I'm using OSXdaily.com as my test site to see or not see the little GIF I have set up. I've found that other sites (like the http://ads-blocker.com/testing/ site) show blanks (eg. no ad but no GIF either) regardless of the DNS rebind option setting.
Yeah, a lot of ads are served by javascript.. see #264 for a bit more info.
If you have a Windows client that you can use to test, then an ipconfig /flushdns at the CMD will give you a clean slate and have the Win box do a fresh lookup. You'd need to restart but not reload dnsmasq because we have it set to cache for 300 seconds... (sudo systemctl restart dnsmasq should do it...)
@dschaper : I'm on a Mac. Any suggestions how to do this on a Mac?
Or, I can SSH into the pi -- is there a command I can use there to clear the logs, then I can browse to the OSXdaily site with DNS rebind protection on, then off, clearing the logs in between?
I still don't know how to clear the Pi-hole log, etc. to test how DNS rebind protection via DD-WRT behaves, from a Mac or via SSH.
I do have a desktop VNC setup on the Pi and could do it all via VNC on the Pi -- can anyone give me directions on how to test using this method?
Edit: nevermind: it appears that on the Pi, the GIF placeholder shows up with or without the DNS rebind protection on -- it must be getting it locally somehow?
Apologies for the lack of reply..!
Thanks for the reply. That looks like it will clear the computer's DNS cache, but any tip on how to fully clear the Pi-hole logs so it's easier to see what's happening before and after? I don't think resetting dnsmasq clears the relevant Pi-hole logs.
ah, sure.. on the pi just run piholeLogFlush.sh :)
This is tagged Documentation Needed. I can move this over to the wiki but I am not sure what the exact issue is. If the router has a 'DNS Rebind Protection' feature you must disable it or it will not accept the (local range) ip address of your pi in your network. Right?
Providing more info on where that can be found is undoable due to the amount of different routers/brands/firmware versions. I doubt this is in normal consumer grade routers. If it is a DD-WRT/Open-WRT feature that should/can be mentioned, however I own a DD-WRT router, there are tons of options in there. There are probably others that disable the pi or give unexpected behavior. It has its own dnsmasq (option) that might (or not) interfere. Suggestions?
dnsmasq has the option to whitelist certain domains if you run it with this argument:
--rebind-domain-ok=example.com
It also has:
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network
But I'm not sure if you can apply this option in the config file or not.
I think the problem would manifest itself if rebind was enabled on the router itself. I don't know if there is a configuration we can change on dnsmasq that would override the router/DHCP server config... If the router is rejecting localhost responses then it needs to be fixed router side? (Or I'm missing something, and just coming in on the tail end of the conversation, lol...)
You're probably right that the router would take precedence even if we could change it. It would be nice to have a router to test this out on.
I was also just reading more about DNS rebind since I wasn't really too familiar with it.
I'm running OpenWRT on my WNDR3700v2 so I can enable and disable Rebind, but also allow 127/8 through...
@dschaper your entry looks promising: on DD-WRT we can include options in the "Additional DNSMasq options" box. In my screenshot, I have rebind-domain-ok=/plex.direct/ because if DNS rebind protection is enabled, Plex clients can't seem to connect securely to the server.
I found an option for rebind-localhost-ok but when I enable it and enable "No DNS Rebind" I once again lose my pi-hole served GIF placeholder (and get a sadfaced webpage icon). If I disable "No DNS Rebind" the placeholder reappears.
Regardless, it feels like this might be fixable in a DNSMasq option of some sort....
Yeah I get this from the manpage
Exempt 127.0.0.0/8 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.
When you get the sad face, can you check /var/log/lighttpd/access.log and see if it's trying to pull anything (Maybe an https?)...
Also, are you clearing both the browsers cache and the clients DNS cache between configuration changes so we're sure we're not pulling stale data accidentally?
I've cleared the caches and I'm getting the sad face.
I'm trying to look at /var/log/lighttpd/access.log but there's tons of entries and I don't know what I'm looking for. I tried the piholeLogFlush.sh but it didn't clear the access.log
I'm a total noob at this stuff so bear with me...
No problem, a good way to do this is to open a terminal window for the pi and run sudo tail -f /var/log/lighttpd/access.log and that will stream in real time the urls that are being redirected to the lighttpd process. Then while you can see the entries streaming go ahead and visit the website. It's going to be a little difficult to tell, but you're looking for entries that either have https in them, or entries that come up with one configuration but not with the other... I'll try to build a similar setup to yours and play with my router entries to see if I can duplicate the issue and find where the mixup is.
The fact that you are getting a sad face does tell me that at least the domain is not being resolved, so Pi-hole is in fact working, we're assuming (hopefully correctly) that the sad face is because the localhost address that Pi-hole is sending is causing the rebind protection to start up...
Are you able to view any logs on the router itself, to see if it's telling us that it's detecting a rebind condition? (I don't know DD, but I know OpenWRT has the logread command to pull system logs)
Thanks. I'll try more likely tomorrow night.
I'm on a Mac and I'm using the terminal command sudo killall -HUP mDNSResponder to clear the DNS cache on the Mac, and also clearing the browser history in the web browser. Chrome I realize does some of its own caching, if I recall, so I'll see if I can figure out a way to purge everything between trials.
Right now, I'm getting this output from the tail command, line after line looking like:
1456813180|192.168.1.2|GET /admin/api.php?summary HTTP/1.1|200|130
I'll play more and see what I can figure out....
Okay, I don't have any Macs here so I can't emulate that particular portion of the setup. But keep us updated and on Chrome a CTRL-F5 should force a fresh reload...
I'm not sure if this helps much, but here goes:
Using the tail command you suggested above, here's what I can see on the terminal output if I go to OSXDaily.com or astalavista.box.sk. My placeholder gif is called r2d2bzzt.gif, and I can see it when "No DNS Rebind" is Disabled.
"No DNS Rebind" DISABLED:
astalavista.box.sk
1456813965|astalavista.box.sk|GET / HTTP/1.1|304|0
1456813965|astalavista.box.sk|GET /pihole/r2d2bzzt.gif HTTP/1.1|304|0
1456813965|astalavista.box.sk|GET /favicon.ico HTTP/1.1|200|91
1456813973|192.168.1.2|GET /admin/api.php?summary HTTP/1.1|200|130
OSXdaily.com:
1456898741|w.sharethis.com|GET /button/buttons.js HTTP/1.1|304|0
1456898741|tags.expo9.exponential.com|GET /tags/OSXDailycom/ROS/tags.js HTTP/1.1|304|0
1456898741|stats.wordpress.com|GET /e-201609.js HTTP/1.1|304|0
1456898741|www.google-analytics.com|GET /urchin.js HTTP/1.1|304|0
1456898741|s3.buysellads.com|GET /ac/bsa.js HTTP/1.1|304|0
1456898741|rcm-na.amazon-adsystem.com|GET /e/cm?t=oxd-20&o=1&p=12&l=st1&mode=electronics&search=Apple&fc1=000000<1=_blank&lc1=3366FF&bg1=FFFFFF&f=ifr HTTP/1.1|304|0
1456898741|rcm-na.amazon-adsystem.com|GET /pihole/r2d2bzzt.gif HTTP/1.1|304|0
If I enable "No DNS Rebind", even with rebind-localhost-ok in the options box, watching the tail output, there is often nothing posted: no new lines added or scrolling by, except perhaps something like:
1456898754|192.168.1.2|GET /admin/api.php?summary HTTP/1.1|200|132
which I suspect is just the admin webinterface updating its stats (I had it open on a tab). In this situation, the pages load, and there are no ads in the placeholder spot, just the sad page. Thus, I know the ad is being blocked but the placeholder gif isn't getting through.
Not sure if this helps much at all...
What that tells me is that with No DNS Rebind enabled then the Pi-hole dnsmasq response address is being dropped altogether, and the lookup isn't even making it to lighttpd for replacement with your .gif. So your conclusions are correct. The problem now is how to get the dnsmasq process on the router to accept the rebind-localhost-ok flag. I'd still like to see if there is some way to look at the logs on the DD-WRT router itself, and see if it's rejecting the localhost-ok flag for some reason. Can you SSH into the DD-WRT box and get a shell?
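To see why rebind-localhost-ok does not rescue a Pi-hole answer of 192.168.1.2 while rebind-domain-ok=/plex.direct/ does rescue Plex, here is an added Python model of the dnsmasq rebind check (example code written for this thread, not Pi-hole's or dnsmasq's own; the list of blocked ranges is an assumption modelled on dnsmasq's documented behaviour, IPv4 only):

```python
"""Model of the dnsmasq rebind check ("DNS Rebind Protection" on OpenWrt,
"No DNS Rebind" on DD-WRT). Added example, not Pi-hole or dnsmasq code:
it reproduces the IPv4 logic of stop-dns-rebind, rebind-localhost-ok and
rebind-domain-ok. Addresses and domains below are constructed samples."""
import ipaddress
from dataclasses import dataclass, field

# Ranges treated as "private" once stop-dns-rebind is on (assumed list:
# RFC 1918, link-local and the 0.0.0.0/8 "this" network).
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # blocked unless rebind-localhost-ok


@dataclass
class RebindPolicy:
    stop_dns_rebind: bool = False                  # protection switched on?
    localhost_ok: bool = False                     # rebind-localhost-ok
    domain_ok: list = field(default_factory=list)  # rebind-domain-ok entries


def parse_dnsmasq_options(text: str) -> RebindPolicy:
    """Parse the rebind-related subset of dnsmasq options, e.g. the text
    pasted into DD-WRT's 'Additional DNSMasq options' box."""
    policy = RebindPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-")  # accept 'opt' and command-line '--opt'
        if key == "stop-dns-rebind":
            policy.stop_dns_rebind = True
        elif key == "rebind-localhost-ok":
            policy.localhost_ok = True
        elif key == "rebind-domain-ok":
            # Accepts 'example.com' as well as the '/dom1/dom2/' list form.
            for dom in value.strip().strip("/").split("/"):
                if dom:
                    policy.domain_ok.append(dom.lower().strip("."))
    return policy


def domain_exempt(name: str, policy: RebindPolicy) -> bool:
    """True if name, or a parent of it, is listed in rebind-domain-ok."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in policy.domain_ok)


def is_dropped(name: str, answer_ip: str, policy: RebindPolicy) -> bool:
    """Would a forwarder with this policy discard an A record of answer_ip for
    name? The client then sees a failed lookup (the 'sad face' in the thread)."""
    if not policy.stop_dns_rebind or domain_exempt(name, policy):
        return False
    ip = ipaddress.ip_address(answer_ip)
    if ip in LOOPBACK:
        return not policy.localhost_ok
    return any(ip in net for net in BLOCKED_RANGES)


if __name__ == "__main__":
    # Constructed: router with protection on plus the thread's two options.
    policy = parse_dnsmasq_options(
        "stop-dns-rebind\nrebind-localhost-ok\nrebind-domain-ok=/plex.direct/")
    for name, ip in [("s3.buysellads.com", "192.168.1.2"),   # Pi-hole answer: dropped
                     ("abc.plex.direct", "192.168.1.2"),     # exempt domain: passes
                     ("s3.buysellads.com", "127.0.0.1"),     # loopback, localhost-ok: passes
                     ("stats.wordpress.com", "203.0.113.10")]:  # public address: passes
        print(f"{name:22} {ip:13} dropped={is_dropped(name, ip, policy)}")
```

The model shows that rebind-localhost-ok only exempts 127/8, so a Pi-hole answering with its LAN address stays blocked unless the ad domain itself is listed in rebind-domain-ok or protection is switched off on the router.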
I can get into the shell for the dd-wrt. Not sure how to go from there for the log
The first place I'd look is in /var/log but I don't know the layout. I know that OpenWRT has logread as a command for pulling the logs. I'll see if I can find an old router that is supported by DD-WRT and flash it, but that may take a few days.
Here's what I get. Can't figure out if the rebind-localhost-ok flag is being rejected or not. I tried systemctl status dnsmasq.service but get a -sh: systemctl: not found error.
Here's my terminal output for looking into logs:
root@DD-WRT:/# logread
logread: can't find syslogd buffer: No such file or directory
root@DD-WRT:/# cd /var/log
root@DD-WRT:/tmp/var/log# ls
**cores** log.nmbd log.smbd messages
I doubt DD-WRT is running SystemD as it's init system. They are probably running a custom init system so systemctl would not exist. You could check and see if there are files in /etc/init.d/.
Can you do a cat /var/log/messages or a cat /var/log/messages |grep dnsmasq?
Also check and see if there is a /tmp/var/log/messages file...
And cat /etc/dnsmasq.conf
tried each of those and all 3 just return to prompt (eg no output).
Hmmm, you might have to check on the DD-WRT forum and see if anyone there has an answer. I'll see if I can dig up a router to testbed on, but that may be a bit...
Did anything new come up with this issue?
nothing new on my end: I can't find any new answers for how to get local rebind working on DDWRT. For now I've shut off No DNS Rebind functionality since I like my placeholder to explain when pages load blank.
This is old, but I just installed OpenWRT on my router and due to the built in dnsmasq all queries in the log came from the router instead of the client. I fixed it this way:
Add this info to /etc/config/dhcp
config 'dhcp' 'lan'
list 'dhcp_option' '6,ipaddress1,ipaddress2'
That's interesting. I'm trying to implement this on my DDWRT but even though I'm logged in as root, it won't let me create a file in /etc/config/dhcp -- it responds with a 'read only filesystem' error. Not sure if DDWRT is different in this regard vs OpenWRT.
I'll see if there's another way to specify DNSMasq options...
Not sure, openwrt and dd-wrt are different (user interface wise), however I have a dd-wrt router running as well and I was able to set the DNS options somewhere in the web interface without any problems.
In my FritzBox I can set exception for the rebind protection. But what IP do I have to enter? The static IP of the pihole?
General Problem on FRITZ!Box (in my case FRITZ!Box 7490):
_"To guarantee the security of the computers in the FRITZ!Box home network, the FRITZ!Box suppresses DNS responses that point to IP addresses in the home network. This is a security function of the FRITZ!Box to protect against what are known as "DNS rebinding attacks"."_
Result:
Inserting RPi IP as DNS blocks Ads, but many pages (web.de, heise.de, spiegel.de etc.) load very slowly and a lot of pictures are shown as broken Links.
Since latest Firmware Update (06.50 and 06.60) you can add a "Local DNS".
Result:
Ad-Blocking not working.
As TylonHH mentioned above, an exception for the rebind protection can be set (a list of domains/IPs). Tried to enter RPi IP here.
Result:
Didn't help.
So, currently pi-hole seems not working with the (in Germany widespread) FRITZ!Box.
Any Ideas? Thanks!
I have the similar FritzBox 7390 and here it's working.
I'll describe how I set up my box, but I don't know the exact English menu words because I'm German:
internet - login data (Zugangsdaten) - DNS Server - set DNSv4 to RPi IP and alternate DNS to e.g. 8.8.8.8 (Google)
Home network - (Heimnetz) - overview (Heimnetzübersicht) - network setting (Netzwerkeinstellung) - IPv4 Address - set local DNS server to RPi IP
Reconnect your WLAN devices. With the Android app network info II (https://play.google.com/store/apps/details?id=aws.apps.networkInfoIi) you can check whether your devices have recognized the new DNS (WiFi tab).
I have no IP addresses in the rebind protection.
Feedback welcome.
I have a FritzBox 6490 from a German Cable Provider (formerly KabelBW, now Unitymedia). What seems to be working for me is to:
This allows me to resolve local names that the FritzBox assigns under its fritz.box domain, and PiHole works fine, too.
Hi there, @asmod3us and @TylonHH, another fellow Fritzbox user here. I've opened another ticket yesterday, but it seems this is the exact same problem. So far, it seems like your solutions don't work for me, I'm afraid.
@TylonHH As long as the Fritzbox has anything other than the pihole available (e.g. 8.8.8.8 as secondary DNS like you mentioned), that would simply circumvent pihole for problematic domains, wouldn't it? As in: Maybe not waiting for timeout, but also no blocked ads. Plus a slight delay until it notices that the primary DNS doesn't work and it tries the secondary DNS? I have to admit, I don't know exactly how this works in practice – is the secondary DNS used as a fallback in the way I imagine? Or would it just be used in case the primary DNS is not reachable at all? @dschaper, do you know this?
@asmod3us You don't have any upstream DNS servers set on your pihole other than the Fritzbox? And the Fritzbox has set the pihole as DNS? But then… how does that setup actually resolve names that need to be resolved? From which device does your setup query an actual upstream DNS? Where in your setup is e.g. 8.8.8.8 or your ISPs DNS server defined?
_Edit:_ Well, all it took was a renewal of the DHCP lease. Working fine, and now I understand the distinction between the two places where one can enter DNS servers in the latest Fritzbox firmware. The new way (setting it under the second location mentioned by @TylonHH, which is also what you mean with your second bullet point I presume, @asmod3us) modifies the Fritzbox's DHCP replies to contain the IP of the pihole as the DNS to use instead of the IP of the Fritzbox itself. So this is an "automated" way of setting the pihole directly on all devices in your network. Pretty neat. I can't resolve fritz.box right now and only access the web interface via IP, but I suppose that's what @asmod3us' third bullet point solves.
To make sure I understand everything correctly: When using this new method of distributing a local DNS, the values entered in the previous location (Internetzugangsdaten) are not actually in use for anything (besides possibly the Fritzbox itself checking for updates), right?
@TylonHH your solution works, but I have made the following settings in pihole
My Workflow:
FritzBox Settings:
pihole Settings:
_Note:_ if the Adblock doesn't work with the Android Device - try to restart it. And check with the Page www.ads-blocker.com/testing/
@matrixagent I run with the settings as described by @mr-bolle, i.e. the FritzBox itself still uses the DNS server assigned to it by my cable provider, but it only distributes the PiHole as DNS server via DHCP. DHCP clients use the PiHole, which does its magic first and uses the FritzBox as upstream DNS. Makes sense?
@asmod3us as I understand, the DNS upstream is used only when I open an unblocked domain. And pihole does not know the IP behind the domain.
@mr-bolle not sure if I understand what you mean. PiHole produces a hosts file that dnsmasq uses to block ads. I believe PiHole does not need the IP a domain resolves to for blocking. In my case all of the blocked domains point to the IP address of the PiHole. Unblocked domain requests are sent to the upstream DNS server. But maybe I'm confused, or my understanding is wrong. The setup I described seems to work ok for me: it blocks ads and resolves local domain names.
FAQ for Discourse.
Documentation added here: https://discourse.pi-hole.net/t/why-wont-pi-hole-work-with-dns-rebind-protection-enabled/3142
Feedback welcome as it's a complex and encompassing topic.
@jacobsalmela Hope this is the right place for feedback: In the very first key sentence it says "answered by a local IP address". While probably correct (not a native speaker), to me personally it seems that "answered _with_ a local IP address" would be a little less ambiguous. The query is answered by my PiHole which is on a local IP address which is not the root of the problem, but my PiHole answers the query with a local IP address and that is what causes the problem. (Just stating that again to make sure I'm not mistaken about the whole thing again, it's such a complex topic and it's still pretty early over here…)
dnsmasq actually describes it well:
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.
I think this also explains it well:
Internet DNS responses should never come back with a private IP, hence it's safest to block this
As far as turning that into a one-sentence explainer for the FAQ...it might need some more word-smithing. I'll mull it over some more, but in the meantime, I agree with what you have said and I changed the word _by_ to _with_ in the FAQ.