Self signed certificate for PiHole v6 does not work after Bookworm upgrade

Joulinar · 21 March 2025 08:16

You mean inside PiHole or where does this caused an issue?

jetspeed · 21 March 2025 11:30

Not PiHole. To see a list of LAN clients using my NTP server (running on the same machine as PiHole) I run the command chronyc clients. At the moment it returns just the IP addresses of all connected clients. Previously it would have resolved the IP addresses to host names. I assume that is because chrony is using the OS configured name servers for DNS resolution now?

Jappe · 21 March 2025 13:12

This is a bit tricky, some time when Pihole used the dnsmasq of your system, you could config it to resolve local IPs with Pihole and only public IPs with quad9 or whatever. But since dnsmasq is now baked into PiHole, this will not work anymore. Another solution would be resolved-systemd, but you would need to config this by yourself since DietPi does not use it by default.

Maybe @trendy has some idea how to fix this?

trendy · 21 March 2025 13:40

As far as I remember ( I am not using Pihole anymore), Pihole is using dnsmasq for the local DNS and DHCP. If Pihole is used as DHCP, then it should work out of the box. But if you are using the router or another device as DHCP, it will need a reverse zone forwarding to know where to ask for the PTR records.
rev-server=192.168.0.0/24,192.168.0.1

Jappe · 21 March 2025 17:07

~~by default pihol-FTL will not read dnsmasq config from /etc/dnsmasq.d, but this behaviour can be changed, see: https://discourse.pi-hole.net/t/dnsmasq-custom-configurations-in-v6/68469~~

~~So would be maybe a forwarding via dnsmasq be possible, like:~~

server=/168.192.in-addr.arpa/127.0.0.1
server=9.9.9.9

So everything for 192.168.X.X gets forwarded to the pihole device, anything else goes to 9.9.9.9
?!

Edit: Ok since the device itself does not use pihole for DNS, my idea makes no sense

jetspeed · 22 March 2025 05:10

I’m using PiHole for DHCP, but it does not work out of the box.

Maybe there is something wrong with my config. I have previously upgrade from PiHole v5 → v6, then Bullseye → Bookworm.

Joulinar · 22 March 2025 07:54

If this is necessary for this specific use case, you can of course also use PiHole, AGH or Unbound as upstream DNS server in DietPi. My recommendation above is simply based on experience and is our best practice recommendation for most users. If you use PiHole, AGH or Unbound as an upstream DNS server, you just need to be aware of the risks and what to do if the upstream DNS server does not work.

trendy · 23 March 2025 16:19

What is the output of cat /etc/resolv.conf ?

jetspeed · 24 March 2025 05:10

See my response at Self signed certificate for PiHole v6 does not work after Bookworm upgrade - #16 by jetspeed

trendy · 25 March 2025 05:57

Change it to 127.0.0.1