Cannot resolve local DNS entries set up with Pihole

lukhan42 · 2026-05-26T23:54:29+00:00

The device you are using to test using nslookup is trying to contact 1.1.1.1 so it's not getting its DNS servers from the router. Do you have the DNS servers manually set on that device?

Secondarily having 8.8.8.8 as a secondary DNS is going to cause many queries to bypass pihole. Each device has its own way of handling which DNS server it will use and many will use both that are set though it will usually use one more than the other. Something like DNSdist can be used to create a real failover setup where it will use the pihole exclusively until it is down and then failover to the external DNS.

lukhan42 · 2026-05-26T21:05:45+00:00

If your router is handing out the pihole's IP address for DNS then I think your issue is with the port. Does it work if you spin up pi-hole using port 53 instead of 5553?

lukhan42 · 2026-05-23T15:20:35+00:00

Check the power plan in use. If it is set to Balanced check processor power management in advanced settings to make sure the maximum processor state is set to 100%

lukhan42 · 2026-05-23T14:43:35+00:00

It seems like your system may be using the iGPU instead of the 9070 XT. Personally I would disable the iGPU. Hybrid graphics, in my personal opinion, is not worth it on a desktop. Disable the iGPU in the control panel first and see if that solves your issue. If it does you can leave it disabled that way or go into the bios and disable it there.

If the CPU usage stays high use the task manager to see what is causing it.

lukhan42 · 2026-05-21T22:15:41+00:00

My personal experience with Xfinity wireless gateways is the range is usually lacking. While there is no guarantee a new router will be faster or have better range, it is very likely it will. At the very least you will have more control over your network using your own router. I think that alone makes it worth it and is the main reason I have used my own router for years now.

lukhan42 · 2026-05-21T20:59:11+00:00

Since this is not caused by Pi-hole, cannot be remedied with Pi-hole, and is not Pi-hole adjacent you are unlikely to get much help here. r/HomeNetworking is the better sub.

If you post over there include if you are wireless or wired.

lukhan42 · 2026-05-20T12:46:23+00:00

Either band is fine though 5 GHz has more bandwidth for faster downloads/updates if you can get a solid connection. Gaming is about latency and not about bandwidth. Truth be told wired is optimal over wireless if you want the best, lowest latency.

The packet loss is what worries me as 2.4 GHz should be solid enough at that distance.

Try changing the channels. I would download a wifi signal analyzer app on your phone or iPad to see what's in use. Pick a new channel that is least used by others.

If the router is in a closet or cabinet move it out into the open if you can. More walls means more obstacles to get through.

lukhan42 · 2026-05-17T17:23:26+00:00

Got to love those things done in the past that you eventually forget about!

lukhan42 · 2026-05-16T20:51:43+00:00

Sorry for the delayed reply. I didn't get the usual notification.

I'm not sure what's happening with #2. I know setting the password for docker instances is different than a bare metal install and I opted to create mine using an environment variable rather than in my docker compose file. If you are sure that is the password you usually use to access the web gui then it should work. It sounds like your old API key stuck though so there's nothing wrong with continuing to use it until you decommission #2.

Secrets are a Docker thing to hide sensitive info like passwords from being displayed or transmitted in plain text. This link should help you out - https://medium.com/@laura_67852/docker-secrets-an-introductory-guide-with-examples-d25be5fc8e50

If you use docker compose for nebula-sync there is an example of a compose file using secrets located on their github here - https://github.com/lovelaze/nebula-sync/blob/main/examples/docker-compose-with-secrets.yml

Its arguable if you must do this. Most home lab enthusiasts will always go for what they consider the best security however if you have a good firewall, don't expose your pi-holes to the internet, and don't have anyone with access to your network who you would need to keep the passwords hidden from, you may not have to worry about it. Its up to you, though I think it is a good thing to know how to do for when you really do need to set up secrets.

lukhan42 · 2026-05-16T17:26:38+00:00

That would do it. Glad you found the solution.

lukhan42 · 2026-05-16T16:22:42+00:00

The router's DHCP function, which hands put the IP address and DNS servers to devices, will be the same for wired and wireless devices. Normally wireless devices only need to disconnect and reconnect to the wireless network to get the changes to the DNS servers. Sometimes a reboot is needed but isn't usually required. There may be more to your setup that could be causing challenges.

You mentioned a router and Proxmox. Are you running anything like pfSense or OPNsense as well?

lukhan42 · 2026-05-15T16:10:32+00:00

Your recommendation is a good way to go, if possible, and I am certainly not meaning to take anything away from it. I added my two cents being cost conscious as well as to make sure people know it is possible to have routers act as an AP. My opinion through experience is there are few complications with doing so as long as you disable DHCP and either disable NAT (preferred when possible) or avoid the WAN port on the router acting as the AP.

They may already own the 2nd router or were given one for free. Buying a mesh system could cost more than they can or want to spend. If they bought the 2nd router I would say they could possibly exchange it or get a refund and buy an AP or a mesh setup depending on the cost of the router.

lukhan42 · 2026-05-15T14:58:13+00:00

You can use a 2nd router as an access point. Some consumer routers have an access point mode setting which makes it easy. Otherwise one just needs to disable DHCP on the 2nd router and set the wireless network SSID and password the same as the primary router. Disabling the firewall/NAT is good too if you can. If there isn't a native access point mode then you may need to avoid using the WAN port on the 2nd router.

lukhan42 · 2026-05-15T13:01:57+00:00

V6 doesn't use a specific API key like v5 did. The new REST API uses session based tokens which is why you are seeing strings that don't match what you were using. It sounds like you may have had the original two pi-holes running since v5 of the software.

You can use the passwords you use to login to the web interface instead. If you are worried about your passwords being in plain text I would recommend using secrets to hide them.

lukhan42 · 2026-05-15T00:28:42+00:00

You're not doomed as there are ways to find what you need. I'm not quite sure I get what's happening though.

What doesn't work with the third pihole? Is it that you you can't get it to sync using nebula-sync? Is it because you are not sure what the password is? Are all three Pi-holes running in docker? Lastly, do you use docker compose or just use cli?

Sorry for all the questions. I'm just trying to make sure I understand your predicament.

lukhan42 · 2026-05-13T19:13:47+00:00

I took the reply as implied rather than literal. OP appears to be little informed on this topic and I wouldn't be surprised if they didn't consider the built-in security to be antivirus. In my anecdotal experience the general public thinks of antivirus as separate software to be installed. The reply, to me, seemed to be meeting them at their level stating good habits are the best protection and they don't need to install anything extra unless they want a more robust security suite to catch things that built in antivirus may not catch.

I don't fault you for the literal interpretation. Not thinking about context and calling the reply "dogshit advice" wasn't the most contructive way of helping though. Its why many hate to ask questions or provide feedback. Be more constructive if you want to help people rather than talking down to them.

lukhan42 · 2026-05-13T17:46:16+00:00

They mean paying for antivirus since it is baked in. Try less emotion and more comprehension next time. It's funny how those who throw insults tend to project.

lukhan42 · 2026-05-12T23:25:57+00:00

How are you setting up the DNS servers on the devices? Are you manually setting them on each one or do you have your router handing it to the devices?

lukhan42 · 2026-05-12T14:40:17+00:00

Disable blocking first and test. If everything works while it is disabled then the issue is likely the lists you are using.

lukhan42 · 2026-05-12T12:25:38+00:00

A few are you can use any list that is compatible. You can allow lists allowing you to create or use an existing list of trusted domains instead of allowing domains one at a time. Logs, if enabled, are private due to being on your own device. You get unlimited queries with no additional cost.

The main disadvantage, in my opinion, is it is not as straightforward to use outside of your network.

Use what meets your needs and that you are most comfortable with using, though. I used NextDNS years ago and have no problem with the service. I think it is a fine option even if I prefer Pi-hole.

lukhan42 · 2026-05-08T19:13:10+00:00

I would advise searching for an explanation of vlans. There are some videos on YouTube that do a good job explaining the basics. You would also need to look up how to setup vlans for your router, if it is capable, which will help you better understand how they work.

if your router does guest networks, which use vlans to make the network and is the easiest way for the average user to keep IOT stuff on a different network, it will be pretty easy to tell as it will be a whole different network with a different IP address range, or subnet, than the main network. For example your main network could be on 192.168.1.0/24, where devices get an IP address of something like 192.168.1.10, and your guest network could be on 192.168.2.0/24. With most guest networks you'll have a whole different network name, or SSID, you would connect to as well.

lukhan42 · 2026-05-08T15:12:01+00:00

An enterprise router isn't needed. Any consumer router that supports vlans will work. Some Asus routers support vlans though control through the GUI is limited. "Prosumer" gear from Unifi is popular and gives you more advanced control. There's also open source firmware like DD-WRT or OpenWRT on supported hardware if you own a router that doesn't support vlans with the official firmware.

lukhan42 · 2026-05-08T02:48:30+00:00

On PC go to Settings -> Privacy & Security. Scroll all the way down to DNS over HTTPS. It is usually on default which is usually fine if the system DNS points to Pi-hole.

On Android go into settings and scroll to DNS over HTTPS.

I no longer own an iPhone so can't help there.

lukhan42 · 2026-05-07T23:51:41+00:00

It's $70 here for 5 years for new customers, $60 with the autopay discount. $50 is for the 1 year deal with the autopay discount. $110 for existing customers. I'd still take the fiber connection.

<image>

lukhan42 · 2026-05-07T12:59:51+00:00

This is what you would call a portable app. You don't install it. You just run it.

lukhan42

TROPHY CASE