Forum Discussion
Southpaw32
Feb 19, 2021 Guide
Orbi doesn't fall over to 2nd or 3rd DNS
I have a couple of Raspberry Pis running PiHole for my DNS. The setup works great, but the other day the first PiHole machine got unplugged, and my devices weren't able to reach the network, despite...
- Mar 05, 2021
So I think I figured things out.
One of my RPis is set up as my DHCP server, and when I looked at the DNSMasq .conf file it was only passing on the IP address of the DNS servers for that RPi, not the addresses for the RPi PiHole servers.
I edited the .conf file, and replaced 8.8.8.8, etc. with the local PiHole IPs, and for the first time ever I have all three of my RPis showing blocked traffic!
Southpaw32
Feb 19, 2021 Guide
Yes, I can see live stats on the query numbers, and for sure it doesn't move on to the next DNS.
I've had this happen on a few occasions now. (I was testing some overclocking for a while.)
CrimpOn
Feb 19, 2021 Guru - Experienced User
Makes a person wonder if the Orbi DNS code came from (a) the OpenWRT that Orbi is based on, or (b) was ported from the Nighthawk line. Would be a hoot to see if the Nighthawk line has the same 'disappointment'. Will take me the weekend to set up a second Pihole and dig out a Nighthawk to compare with Orbi.
- Southpaw32 Feb 19, 2021 Guide
Anything I can do to help test?
- CrimpOn Feb 20, 2021 Guru - Experienced User
Have two Pi-holes running now. Am hoping that "pihole disable 10m" means to turn off everything, rather than "quit blocking and resolve everything." Validating your results on Orbi will be quick. Have to dig in my "Big Box of Stuff" to find my Nighthawk R7000 and Archer (might as well test it, too.)
- Southpaw32 Feb 20, 2021 Guide
My understanding is the “disable for X mins” is simply to turn off the content blocking.
- CrimpOn Feb 20, 2021 Guru - Experienced User
Well, this is not working out as I anticipated. I have two Raspberry Pis running Pi-hole.
My "test" Orbi is connected to my regular Orbi and configured as a router.
It is set to use the two Pi's as DNS servers. (192.168.1.27 and 192.168.1.30).
I have a Windows PC connected to the test Orbi (ethernet). When I open a web browser, what seems to happen is that all DNS requests are sent by the Orbi to both Pi-holes. What appears to be happening is that the Orbi behaves as Windows 10 seems to behave. If DNS requests cannot be satisfied from the Pi-hole cache, they are sent to all DNS resolvers.
I will perform another test tomorrow where DNS server #1 is taken off-line to see if DNS requests still go to DNS server #2.
Not sure what to make of all this. So far, it is not confirming your experience.
More tomorrow.....
- CrimpOn Feb 20, 2021 Guru - Experienced User
There is another way to verify Orbi DNS behavior: capture WAN traffic.
If Orbi has two defined DNS servers (perhaps Google and Open DNS), a WAN traffic capture should show whether Orbi queries one or both of them. Will try that tomorrow as well.
- CrimpOn Feb 20, 2021 Guru - Experienced User
Another puzzle. Used the debug feature to capture WAN/LAN traffic while I opened a series of web pages that had not been opened in a while (avoid Windows and Orbi cache). Test Orbi set to use 1.1.1.1 and two Pi-holes. The WAN packet capture shows the Orbi sending queries to all three up-stream DNS servers at the same time, with all three responding.
i.e.
DNS 1.1.1.1
Internet
Production Orbi Router (LAN 192.168.1.1)
Pi-hole1 (192.168.1.27)
Pi-hole2 (192.168.1.30)
Test Orbi Server (192.168.1.81) (LAN side 10.0.0.1, configured to use 3 DNS servers)
Test Windows PC (10.0.0.2) Set to use DHCP provided DNS server, which is 10.0.0.1
The goal was to reproduce and document the Orbi DNS failure. These results are not encouraging. There seem to be two additional avenues to explore, but I am not certain how to go about it:
- I had thought that "losing" one of the DNS servers would cause it to be "marked" somehow and forgotten (no longer used). I shut off one of the Pi's, waited a few minutes, and then turned it back on. New debug log shows the Orbi continuing to query all three servers.
- Perhaps the Orbi treats DNS servers attached to the LAN side differently than on the WAN side. Exploring this is much more complicated as it involves several production Orbi restarts, which the family will not enjoy.
This exercise has made me realize that using Pi-hole to filter DNS queries works only if every DNS server the Orbi uses is a Pi-hole. Servers are not primary, failover1, failover2. They are all equal and all used every time.
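
The check described in the posts above (does the router fan queries out to every upstream, and is every upstream a filter?) can be scripted against a capture. This is an added example, not code from the thread: it assumes the router's debug capture has been turned into text with `tcpdump -nn -r <capture> udp port 53`, uses constructed sample lines built from the addresses mentioned above, and treats queries for the same name within 50 ms as one burst (an assumed threshold).

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text form (not the thread's real capture).
SAMPLE = """\
12:00:01.000100 IP 192.168.1.81.40001 > 1.1.1.1.53: 4660+ A? example.com. (29)
12:00:01.000150 IP 192.168.1.81.40001 > 192.168.1.27.53: 4660+ A? example.com. (29)
12:00:01.000190 IP 192.168.1.81.40001 > 192.168.1.30.53: 4660+ A? example.com. (29)
12:00:02.500000 IP 192.168.1.81.40002 > 1.1.1.1.53: 4661+ A? ads.example.net. (33)
12:00:02.500040 IP 192.168.1.81.40002 > 192.168.1.27.53: 4661+ A? ads.example.net. (33)
12:00:02.500090 IP 192.168.1.81.40002 > 192.168.1.30.53: 4661+ A? ads.example.net. (33)
"""

# Matches outbound queries only: destination port 53 and a "TYPE? name." question.
QUERY = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP \S+ > (\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%]* (?:\[\S+\] )?\w+\? (\S+) ")

def parse(text):
    """Yield (seconds, upstream_ip, qname) for each outbound DNS query line."""
    for line in text.splitlines():
        m = QUERY.match(line)
        if m:
            h, mi, s, dst, name = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), dst, name

def classify(text, filters, window=0.05):
    """Return (mode, unfiltered): how upstreams are used, and which bypass the filters."""
    by_name = defaultdict(list)
    for t, dst, name in parse(text):
        by_name[name].append((t, dst))
    modes, upstreams = set(), set()
    for hits in by_name.values():
        hits.sort()
        first = hits[0][0]
        burst = {dst for t, dst in hits if t - first <= window}
        later = {dst for t, dst in hits if t - first > window} - burst
        upstreams |= burst | later
        modes.add("parallel" if len(burst) > 1 else "failover" if later else "single")
    if not modes:
        return "none", []
    mode = modes.pop() if len(modes) == 1 else "mixed"
    return mode, sorted(upstreams - set(filters))

if __name__ == "__main__":
    print(classify(SAMPLE, ["192.168.1.27", "192.168.1.30"]))
```

A non-empty second element means at least one upstream answers without filtering, so blocked names can still resolve through it.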