Windows 10 Ignoring Local DNS Server



I set up a PiHole at my mom's house for her a year or two ago, and I noticed this evening after updating Windows 10 on her desktop to 21H2, it seems the entire OS is just ignoring the local DNS server (PiHole) and going straight to the internet through some other hard-coded DNS server.  I know that the PiHole is working properly because my own laptop (Debian) that was connected via VPN, and another Linux machine I have running there as a backup server, were able to properly resolve local DNS names and ads were being blocked.  Her Windows 10 PC however could neither resolve local DNS names, nor was it having ads blocked.  It could access local IP addresses directly, but could not resolve those IPs from the names I have configured in the PiHole "Local DNS" area.

 

Here are some things I've tried and checked:

 

- Verified that the router was configured to hand out the PiHole as the only DNS server and there were no secondary servers configured.

- Flushed the local DNS cache with ipconfig /flushdns to try and force the desktop to reach out to the PiHole whenever fresh attempts to access local DNS names were made.

- I noticed a couple of IPv6 addresses listed under "DNS Servers" when I ran ipconfig /all, so I manually assigned the IPv4 settings in Windows and left IPv6 disabled altogether so that when running ipconfig, the only DNS server listed is the IPv4 address of the PiHole.

- Tried disabling/enabling the affected WiFi network interface after making these configuration changes (Old Windows control panel method).

- Tried rebooting the machine after making these configuration changes.

- Disabled all the "secure DNS" features in Firefox and Brave that might make them use DNS over HTTPS in lieu of the PiHole.

 

Despite all this, I cannot ping local DNS names in the command line with the Windows machines, but I can with my Linux laptop.  I can visit websites via the Windows machine that should be getting blocked by the PiHole.  Those sites are being blocked by the PiHole when I try to visit them from my Linux machine.

 

The only thing I can figure is that after updating, Windows has some sort of hard-coded DNS server or DNS over HTTPS that is taking precedence, despite what the output of ipconfig /all is telling me.

 

Any ideas on how to get Windows to stop doing its own thing and get back behind her PiHole?


and what does a simple output of ipconfig /all show?

 

It would show you what is set as your dns, example..

 


 

What does simple nslookup for something show?  It would show you what is being asked for dns..

 


On 12/04/2022 at 21:02, Gerowen said:

Windows has some sort of hard-coded DNS server or DNS over HTTPS that is taking precedence

And what update would that have been... While they are supposed to start supporting DoH, I have not heard or seen anything about them changing to it by default, or forcing it..  From my understanding, to get Windows 10/11 to use DoH, you have to set a static IP and actually set it..  And I do believe you have to set a registry key, since I do not see it as an option to set as of yet.

 

I run the latest windows 10, I show no updates available - and my local dns works just fine on windows 10, you can see in my first image what version of windows 10 I am running

 

What specific version of windows 10 are you running? Is it a preview build or something, insider? etc..  From what I can make out on my version, it can not even be enabled yet..

 

 


On 12/04/2022 at 22:39, BudMan said:

and what does a simple output of ipconfig /all show?

 

It would show you what is set as your dns, example..

 

Snipped

 

What does simple nslookup for something show?  It would show you what is being asked for dns..

 

Snipped

 

 

And what update would that have been... While they are supposed to start supporting DoH, I have not heard or seen anything about them changing to it by default, or forcing it..

 

I run the latest windows 10, I show no updates available - and my local dns works just fine on windows 10, you can see in my first image what version of windows 10 I am running

 

 

I don't know what happened, but when I logged back in to take a screenshot for you, everything is just working exactly as it's supposed to work, despite multiple restarts and all the steps I listed in my OP.  Some kind of cached values that weren't cleared when I did ipconfig /flushdns?  Weird thing is, it worked before and no changes were made to any of the settings until after it stopped working post-update.  The update that was just installed was 21H2.  Sorry to waste your time I guess.

 


Well, not really sure how kitt would resolve; that is not actually a FQDN... it would be like kitt.something.tld

 

But that sure looks like it resolved..  But it shouldn't

 


On 12/04/2022 at 23:51, BudMan said:

Well, not really sure how kitt would resolve; that is not actually a FQDN... it would be like kitt.something.tld

 

But that sure looks like it resolved..  But it shouldn't

 

It's just a Linux backup server on her same network.  I guess technically the FQDN would be kitt.local since that's set as the "domain name" in the PiHole DNS settings, but I don't think it really cares since they're both connected to the same router together.  I could have lived with it not resolving those local names, but when it started bypassing it altogether and letting ads and such through, I got aggravated.


On 12/04/2022 at 22:58, Gerowen said:

they're both connected to the same router together

Yeah, that has nothing to do with it..  I don't use pihole to resolve my local domain, it forwards to my pfsense which has the entries in unbound..   It's possible the setup in pihole allows for non fully qualified hosts - but it's not good practice to not use a FQDN, and .local is a horrible choice for a local domain.

You really should set up a domain to use locally.  home.arpa is what should really be used, if you don't have something specific you want to use.

 

https://datatracker.ietf.org/doc/html/rfc8375

Special-Use Domain 'home.arpa.'

 

 


On 13/04/2022 at 07:47, BudMan said:

Yeah, that has nothing to do with it..  I don't use pihole to resolve my local domain, it forwards to my pfsense which has the entries in unbound..   It's possible the setup in pihole allows for non fully qualified hosts - but it's not good practice to not use a FQDN, and .local is a horrible choice for a local domain.

You really should set up a domain to use locally.  home.arpa is what should really be used, if you don't have something specific you want to use.

 

https://datatracker.ietf.org/doc/html/rfc8375

Special-Use Domain 'home.arpa.'

 

 

I'll definitely read up on it.  My biggest goal was for her, a lay-person, when re-adding her printer or something without me around, wouldn't have to remember much except that when it asks for a domain name or IP, all she has to do is enter the word "printer" and it'll find her printer for her.  If she loses track of the network share on her backup server all she has to remember is "\\kitt".  I was trying to keep things as simple as possible so I've never bothered explicitly specifying or setting up a local network domain name for her and have just left that part of it at default settings and added local DNS names in the PiHole for things like her backup server and printer.


Windows would auto add your local domain, this is how it's normally set up... So if you did a nslookup for say printer.

 

It would ask for printer.yourlocaldomain automatically.

 


On 13/04/2022 at 15:17, BudMan said:

Windows would auto add your local domain, this is how it's normally set up... So if you did a nslookup for say printer.

 

It would ask for printer.yourlocaldomain automatically.

 

I just got to checking, and both of our PiHoles are picking up ".lan" as our default domain name, and even though her Netgear router with stock firmware doesn't have an option to change that, I did notice that since I've flashed my own router with OpenWRT, it "does" have an option to change that.  I guess in the future it might be a good idea to specify the FQDN even for local devices, i.e. printer.lan (or better yet, change it to home.arpa to match the RFC) and such in order to keep DNS queries intended to be local only from somehow leaking onto the internet.

 

Router screenshot


 

PiHole screenshot


On 13/04/2022 at 15:17, BudMan said:

Windows would auto add your local domain, this is how it's normally set up... So if you did a nslookup for say printer.

 

It would ask for printer.yourlocaldomain automatically.

 

Not sure how familiar you are with the PiHole software, but I just remembered I had checked these boxes when I set mine up, so I went back and re-read what they state.  It seems like between these and the router setting I posted earlier that auto-appends .lan, this accomplishes the goal of not leaking local DNS queries, and is the reason simply pinging "kitt" instead of "kitt.lan" worked in my earlier comment.  Still though, it's always good to educate myself and do things properly in the first place.

 


I'm very familiar with it - been running it for quite some time.   And yeah, it should never forward non-FQDN.  But how it resolved in the first place is my question.  It shouldn't resolve just a host name, because it's not fully qualified.

 

Resolving just a host via DNS is BORKED, because it is not fully qualified... It is not a sane setup to be able to just resolve a host... There needs to be a domain, be it domain.tld or just host.tld, etc.

 

A single label like that is also bad practice... So your query should have been kitt.lan, not just kitt.
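The checks raised across this thread (the ipconfig /all and nslookup questions, the stray IPv6 resolvers, the DoH suspicion, and the suffix that turns a bare "kitt" into "kitt.lan") collected into one PowerShell run, as an added example that is not from either poster; the Pi-hole address and the "lan" suffix are assumed placeholders, and "kitt" is the host name from the thread.

```powershell
# Added diagnostic, not code from the thread. Assumed values below are placeholders.
$PiHole    = '192.168.1.2'   # placeholder: replace with the real Pi-hole IPv4 address
$Suffix    = 'lan'           # placeholder: the search suffix the router/Pi-hole hands out
$LocalName = 'kitt'          # single-label host name from the thread

# 1. Can this machine even reach the Pi-hole on port 53?
Test-NetConnection -ComputerName $PiHole -Port 53 | Select-Object ComputerName, TcpTestSucceeded

# 2. Which resolvers is each interface really using (what ipconfig /all reports)?
#    An unexpected IPv6 resolver here is enough to bypass an IPv4-only Pi-hole.
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# 3. Suffix search list: this is what qualifies "kitt" to "kitt.lan" before the query
#    leaves the box, so a single-label lookup can still be answered by the Pi-hole.
(Get-DnsClientGlobalSetting).SuffixSearchList
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, ConnectionSpecificSuffixSearchList

# 4. Encrypted DNS: the cmdlet only exists on builds with DoH support. Its output is the
#    set of servers Windows has DoH templates for, not proof that DoH is active; DoH is
#    used only when a configured resolver matches one of them and encryption is enabled.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    Get-DnsClientDohServerAddress | Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp
} else {
    'This build exposes no DoH client cmdlet.'
}

# 5. Resolve the bare name and the FQDN, first by asking the Pi-hole directly and then via
#    the normal client path. -DnsOnly skips the hosts file, LLMNR and NetBIOS, so only a
#    real DNS answer counts; a name that answers only via the Pi-hole but not via the
#    configured path points at the client configuration, not at the Pi-hole.
foreach ($name in @($LocalName, "$LocalName.$Suffix")) {
    "--- $name asked directly of Pi-hole $PiHole"
    Resolve-DnsName -Name $name -Type A -Server $PiHole -DnsOnly -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
    "--- $name via the configured resolvers"
    Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
}

# 6. What the client cached after those lookups (the ipconfig /displaydns equivalent);
#    stale entries here survive until ipconfig /flushdns or a reboot.
Get-DnsClientCache | Where-Object { $_.Name -like "$LocalName*" } | Select-Object Entry, Name, Data
```

Run it in an elevated PowerShell on the affected machine and compare step 2 against what the router is supposed to hand out; a second resolver there, or a DoH template matching one of them, explains traffic that never reaches the Pi-hole.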
