All external queries return status: Blocked (external, NXRA)

The issue I am facing: Since somewhere last night my Pi-hole has stopped working. All queries not in cache are returning Blocked (external, NXRA). This would indicate that the upstream DNS server is blocking the domain. I find it hard to believe that common domains such as google.com, pool.ntp.org, etc would be blocked by my upstream DNS dns0.net. Gravity lists also won’t update.

Troubleshooting steps: I’ve switched my upstream DNS to Quad9 in case the DNS provider had issues. I restarted the pi-hole DNS resolver. I’ve restarted the entire system. I’ve now bypassed the pi-hole while still using dns0.net and DNS is working normally.

Details about my system: Raspberry Pi 4 - Core v6.1.4 | FTL v6.2.3 | Web interface v6.2.1

What I have changed since installing Pi-hole: No changes since it has stopped working. There are 2 custom DNS upstream servers, a few local DNS records for accessing machines on the local network, DNS interface is set to “allow all origins”, pi-hole is not a DHCP server.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

Apologies for the delay, here the link to the log: https://tricorder.pi-hole.net/WhFkcQOn/

Please, while using Pi-hole as DNS server, execute the commands below and post the output:

dig google.com

dig google.com @192.168.1.10

dig google.com @8.8.8.8

Note:

Your router is configured to advertise itself as DNS server, so your devices won't use Pi-hole, unless you set Pi-hole IP as DNS server directly on each device.

    dns-server: 192.168.1.1
    dns-server: 192.168.1.1
    router: 192.168.1.1

I changed the dns-server to my router to bypass the pi-hole because of name resolution issues. Here’s the results, it seems to be working again now.

dig google.com

; <<>> DiG 9.20.11-4-Debian <<>> google.com;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37653;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232;; QUESTION SECTION:;google.com.                    IN      A

;; ANSWER SECTION:google.com.             125     IN      A       142.251.36.14

;; Query time: 0 msec;; SERVER: 192.168.1.10#53(192.168.1.10) (UDP);; WHEN: Wed Oct 01 10:23:30 CEST 2025;; MSG SIZE  rcvd: 55

dig google.com @192.168.1.10

; <<>> DiG 9.20.11-4-Debian <<>> google.com @192.168.1.10;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27502;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232;; QUESTION SECTION:;google.com.                    IN      A

;; ANSWER SECTION:google.com.             73      IN      A       142.251.36.14

;; Query time: 4 msec;; SERVER: 192.168.1.10#53(192.168.1.10) (UDP);; WHEN: Wed Oct 01 10:24:22 CEST 2025;; MSG SIZE  rcvd: 55

dig google.com @8.8.8.8

; <<>> DiG 9.20.11-4-Debian <<>> google.com @8.8.8.8;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65185;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 1e8c707913083caa (echoed);; QUESTION SECTION:;google.com.                    IN      A

;; ANSWER SECTION:google.com.             52      IN      A       142.251.36.14

;; Query time: 0 msec;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP);; WHEN: Wed Oct 01 10:24:43 CEST 2025;; MSG SIZE  rcvd: 77

Your debug log shows your Pi-hole to be configured to use four upstreams:

   [dns]
     upstreams = [
       "208.67.222.222",
       "208.67.220.220",
       "193.110.81.0",
       "185.253.5.0"
     ] ### CHANGED, default = []

The first two are OpenDNS, the latter two are dns0.eu.

dns0.eu is known for accidentally blocking legit domains (e.g. salsa.debian.org), so I would not preclude it as causing your observation.

However, it would seem that dns0.eu answers blocked domains without clearing the ra flag:

~$ dig 123.ywxww.net @185.253.5.0

; <<>> DiG 9.16.50-Debian <<>> 123.ywxww.net @185.253.5.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49388
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;123.ywxww.net.			IN	A

;; AUTHORITY SECTION:
123.ywxww.net.		300	IN	SOA	negative-caching.dns0.eu. hostmaster.123.ywxww.net. 0 1200 300 1209600 300

;; Query time: 19 msec
;; SERVER: 185.253.5.0#53(185.253.5.0)
;; WHEN: Wed Oct 01 10:29:28 CEST 2025
;; MSG SIZE  rcvd: 102

As the ra flag is present, such a reply would appear in Pi-hole as NXDOMAIN, rather then Blocked (external, NXRA).

From your Pi-hole's log files, could you verify which of your upstreams actually blocked that reply?

I only had dns0.eu configured initially, I added openDNS after I was experiencing issues. I’ve checked the log on the day that it occurred, it looks like some queries aren’t being forwarded or resolved from cache, but immediate get the blocked response:

Sep 28 00:47:27 dnsmasq[145067]: query[A] www.youtube.com from 192.168.1.123
Sep 28 00:47:27 dnsmasq[145067]: blocked upstream with NXRA address www.youtube.com is 0.0.0.0
Sep 28 00:47:28 dnsmasq[145067]: query[A] www.google.com from 192.168.1.123
Sep 28 00:47:28 dnsmasq[145067]: blocked upstream with NXRA address www.google.com is 0.0.0.0
Sep 28 00:47:41 dnsmasq[145067]: query[A] homegraph.googleapis.com from 192.168.1.140
Sep 28 00:47:41 dnsmasq[145067]: blocked upstream with NXRA address homegraph.googleapis.com is 0.0.0.0
Sep 28 00:47:41 dnsmasq[145067]: query[AAAA] homegraph.googleapis.com from 192.168.1.140
Sep 28 00:47:41 dnsmasq[145067]: blocked upstream with NXRA address homegraph.googleapis.com is ::
Sep 28 00:48:12 dnsmasq[145067]: query[A] clients3.google.com from 192.168.1.123
Sep 28 00:48:12 dnsmasq[145067]: blocked upstream with NXRA address clients3.google.com is 0.0.0.0

I will stop using dns0.eu as my primary resolver and see if the issue re-occurs.

I haven't seen such a line before.
It's usually either NXRA or 0.0.0.0, and the latter would show up as Blocked (external, NULL):

Oct  1 11:48:33 dnsmasq[53]: query[A] 123.ywxww.net from 192.168.1.201
Oct  1 11:48:33 dnsmasq[53]: forwarded 123.ywxww.net to 116.203.32.217
Oct  1 11:48:33 dnsmasq[53]: reply 123.ywxww.net is blocked due to upstream response (answer)
Oct  1 11:48:33 dnsmasq[53]: <not set> 123.ywxww.net is 0.0.0.0

Oct  1 12:01:12 dnsmasq[53]: query[A] 123.ywxww.net from 192.168.1.201
Oct  1 12:01:12 dnsmasq[53]: forwarded 123.ywxww.net to 9.9.9.9
Oct  1 12:01:12 dnsmasq[53]: reply 123.ywxww.net is blocked due to upstream response (header)
Oct  1 12:01:12 dnsmasq[53]: blocked upstream with NXDOMAIN + no RA 123.ywxww.net is 0.0.0.0`

I'd also expected to see a forward in your logs.

Are your quoted log lines complete, or did you omit some lines?

The block I quoted is complete, no edits. Here’s another set where some queries are forwarded and the rest aren’t:

Sep 28 03:01:09 dnsmasq[145067]: query[A] checkipv6.synology.com from 192.168.1.11
Sep 28 03:01:09 dnsmasq[145067]: cached-stale checkipv6.synology.com is NODATA-IPv4
Sep 28 03:01:09 dnsmasq[145067]: forwarded checkipv6.synology.com to 185.253.5.0
Sep 28 03:01:09 dnsmasq[145067]: query[AAAA] checkipv6.synology.com from 192.168.1.11
Sep 28 03:01:09 dnsmasq[145067]: cached-stale checkipv6.synology.com is NODATA-IPv6
Sep 28 03:01:09 dnsmasq[145067]: forwarded checkipv6.synology.com to 185.253.5.0
Sep 28 03:01:09 dnsmasq[145067]: query[A] connectivitycheck.gstatic.com from 192.168.1.66
Sep 28 03:01:09 dnsmasq[145067]: cached-stale connectivitycheck.gstatic.com is NODATA-IPv4
Sep 28 03:01:09 dnsmasq[145067]: forwarded connectivitycheck.gstatic.com to 185.253.5.0
Sep 28 03:01:09 dnsmasq[145067]: query[A] connectivitycheck.gstatic.com from 192.168.1.123
Sep 28 03:01:09 dnsmasq[145067]: cached-stale connectivitycheck.gstatic.com is NODATA-IPv4
Sep 28 03:01:09 dnsmasq[145067]: query[A] app.tado.com from 192.168.1.94
Sep 28 03:01:09 dnsmasq[145067]: blocked upstream with NXRA address app.tado.com is 0.0.0.0
Sep 28 03:01:09 dnsmasq[145067]: query[A] google.com from 192.168.1.94
Sep 28 03:01:09 dnsmasq[145067]: blocked upstream with NXRA address google.com is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] 2.android.pool.ntp.org from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address 2.android.pool.ntp.org is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] g.whatsapp.net from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address g.whatsapp.net is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] g.whatsapp.net from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address g.whatsapp.net is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] g-fallback.whatsapp.net from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address g-fallback.whatsapp.net is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] g-fallback.whatsapp.net from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address g-fallback.whatsapp.net is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] media-ams2-1.cdn.whatsapp.net from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address media-ams2-1.cdn.whatsapp.net is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] media-ams2-1.cdn.whatsapp.net from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address media-ams2-1.cdn.whatsapp.net is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] z-m-gateway.facebook.com from 192.168.1.94
Sep 28 03:01:10 dnsmasq[145067]: blocked upstream with NXRA address z-m-gateway.facebook.com is 0.0.0.0
Sep 28 03:01:10 dnsmasq[145067]: query[A] connectivitycheck.gstatic.com from 192.168.1.123
Sep 28 03:01:10 dnsmasq[145067]: cached-stale connectivitycheck.gstatic.com is NODATA-IPv4
Sep 28 03:01:11 dnsmasq[145067]: reply checkip.synology.com is NODATA-IPv4
Sep 28 03:01:11 dnsmasq[145067]: reply checkip.synology.com is NODATA-IPv6
Sep 28 03:01:11 dnsmasq[145067]: reply checkipv6.synology.com is NODATA-IPv4
Sep 28 03:01:11 dnsmasq[145067]: reply checkipv6.synology.com is NODATA-IPv6
Sep 28 03:01:11 dnsmasq[145067]: reply connectivitycheck.gstatic.com is NODATA-IPv4

Ok, it appears that line shows up for successive DNS requests for externally blocked domains:

Oct  1 12:01:12 dnsmasq[53]: query[A] 123.ywxww.net from 192.168.1.201
Oct  1 12:01:12 dnsmasq[53]: forwarded 123.ywxww.net to 9.9.9.9
Oct  1 12:01:12 dnsmasq[53]: reply 123.ywxww.net is blocked due to upstream response (header)
Oct  1 12:01:12 dnsmasq[53]: blocked upstream with NXDOMAIN + no RA 123.ywxww.net is 0.0.0.0

Oct  1 12:02:28 dnsmasq[53]: query[A] 123.ywxww.net from 192.168.1.201
Oct  1 12:02:28 dnsmasq[53]: blocked upstream with NXRA address 123.ywxww.net is 0.0.0.0

That would indicate that Pi-hole is caching that blocked reply, so it has blocked it without forwarding.
To find the upstream that originally blocked the domain, you'd had to look for the first requests. I guess it's that upstream that would have blocked the original first request, and Pi-hole may still be caching that blocked reply.

This is still surprising, as my Pi-hole has answered the inital request with a TTL of 2 seconds - even if its cached, Pi-hole's cache optimiser should have forwarded it upstream while providing a cached-stale reply.
While the block would be caused by your upstream, it looks like Pi-hole may artificially prolong that block by caching it longer than expected.

Could you take a look here, @DL6ER ?
EDIT: It seems like Pi-hole's cache optimiser may not be treating replies that are blocked by upstreams in the same way as regular upstream replies.

Ok, so I looked up resolution for app.tado.com and it is dns0.eu which blocks it initially:

Sep 28 01:12:45 dnsmasq[145067]: query[A] app.tado.com from 192.168.1.94
Sep 28 01:12:45 dnsmasq[145067]: forwarded app.tado.com to 193.110.81.0
Sep 28 01:12:47 dnsmasq[145067]: reply app.tado.com is blocked due to upstream response (header)
Sep 28 01:12:47 dnsmasq[145067]: blocked upstream with NXDOMAIN + no RA app.tado.com is 0.0.0.0

After that subsequent queries are no longer forwarded.

Sorry, I entirely missed this question...

Usually, upstream servers shouldn't reply with NXDOMAIN and no RA (= recursion available) bit set. I am not sure which RFC to quote for this right now, however, recursive DNS server replying that they cannot offer recursion doesn't make sense.

The issue is that the upstream is replying with NXDOMAIN where it shouldn't and, thus, seems severely broken. If it replies to NXDOMAIN to any domain, Pi-hole will cache this (configurable through dns.cache.upstreamBlockedTTL, defaulting to 24 hours). The problem is made even larger due to the fact that NXDOMAIN does not only mean this domain does not exist but also none of its subdomains exist. This means that your Pi-hole will not even try to resolve them as the upstream says that this all does not exist.