Apologies if I'm abusing some terminology, this (clearly) isn't my area of expertise...

But I've set up Blocky on my Raspberry Pi, on a static IP 192.168.1.4. I then set up my router to configure that as the DNS server, and I see it being used on my laptop. However, requests don't resolve:

```
$ curl https://0xerr0r.github.io/blocky
curl: (6) Could not resolve host: 0xerr0r.github.io
```

Requests in Firefox don't ever seem to complete. That is from my laptop, which has picked up the correct IP for the DNS server, as far as I can see:

Also from my laptop:

```
$ dig @192.168.1.4 https://0xerr0r.github.io
;; communications error to 192.168.1.4#53: timed out
;; communications error to 192.168.1.4#53: timed out
;; communications error to 192.168.1.4#53: timed out
; <<>> DiG 9.18.30 <<>> @192.168.1.4 https://0xerr0r.github.io
; (1 server found)
;; global options: +cmd
;; no servers could be reached
```

However, running the same from the Pi itself (through SSH - note that the Pi runs NixOS):

```
$ nix-shell --packages dig --run "dig @192.168.1.4 https://0xerr0r.github.io"
; <<>> DiG 9.18.28 <<>> @192.168.1.4 https://0xerr0r.github.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31507
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;https://0xerr0r.github.io. IN A
;; ANSWER SECTION:
https://0xerr0r.github.io. 3600 IN A 185.199.109.153
https://0xerr0r.github.io. 3600 IN A 185.199.108.153
https://0xerr0r.github.io. 3600 IN A 185.199.111.153
https://0xerr0r.github.io. 3600 IN A 185.199.110.153
;; Query time: 335 msec
;; SERVER: 192.168.1.4#53(192.168.1.4) (UDP)
;; WHEN: Sun Feb 16 13:44:31 CET 2025
;; MSG SIZE rcvd: 118
```

These are my Blocky settings (in my Nix config, so not YAML, but otherwise the usual settings):

```nix
settings = {
  ports.dns = 53; # Port for incoming DNS Queries.
  ports.http = 4000;
  upstreams.groups.default = [
    "https://one.one.one.one/dns-query" # Using Cloudflare's DNS over HTTPS server for resolving queries.
  ];
  # For initially solving DoH/DoT Requests when no system Resolver is available.
  bootstrapDns = {
    upstream = "https://one.one.one.one/dns-query";
    ips = [ "1.1.1.1" "1.0.0.1" ];
  };
  #Enable Blocking of certain domains.
  blocking = {
    denylists = {
      #Adblocking
      ads = ["https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"];
      #Another filter for blocking adult sites
      adult = ["https://blocklistproject.github.io/Lists/porn.txt"];
      #You can add additional categories
    };
    #Configure what block categories are used
    clientGroupsBlock = {
      default = [ "ads" ];
      kids-ipad = ["ads" "adult"];
    };
  };
};
```

It also appears to be running fine:

```
$ blocky blocking status
[2025-02-16 13:55:27] INFO blocking enabled
```

I'm not sure if the problem is in my Blocky config, or potentially in my router, so some potentially relevant settings from my router follow.

Setting the static IP for my Pi:

Setting the DNS server to that IP address:

I thought that would have been sufficient, but I also had to add this

Anyone have any idea what could be wrong? Thanks in advance!
Replies: 1 comment
Found an answer through StackExchange:

So I had to add the following to my Nix configuration:

```nix
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
```
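
The symptom in this thread (queries answered on the Pi itself, timeouts from the laptop) can be checked from any LAN client by probing port 53 over both UDP and TCP and separating silence from an active refusal. The script below is an added example, not part of the original post or of Blocky; the function names `build_query` and `probe` and the name `example.com` are assumptions made for illustration.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a minimal DNS A-record query (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def probe(server, name, proto="udp", port=53, timeout=2.0):
    """Classify the path to a DNS server as 'answered', 'filtered' (silence,
    typical of a firewall dropping packets), 'closed' (actively refused:
    host reachable but nothing listening) or 'malformed'."""
    query = build_query(name)
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            if proto == "udp":
                s.send(query)
                reply = s.recv(4096)
            else:  # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                reply = _recv_exact(s, length)
        except socket.timeout:
            return "filtered"
        except ConnectionError:
            return "closed"
    # A valid reply echoes the query ID and has the QR (response) bit set.
    ok = len(reply) >= 12 and reply[:2] == query[:2] and reply[2] & 0x80
    return "answered" if ok else "malformed"

if __name__ == "__main__":
    # 192.168.1.4 is the Pi's address from the post; example.com is a constructed name.
    for proto in ("udp", "tcp"):
        print(proto, probe("192.168.1.4", "example.com", proto))
```

A result of `filtered` from a LAN client while the same probe returns `answered` on the server itself points at a host firewall rather than at the resolver configuration.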