Can't reach upstream DNS servers

I recently moved and in the process changed ISPs and routers. Everything else about my network is the same. It took me quite some time to find the setting on my router to disable DHCP, but it's done now. The trouble is that I can no longer resolve non-local names.

Expected Behavior:

  • Raspberry Pi 3B running Raspbian
  • Upstream DNS servers configured via the web interface. Was Cloudflare; changed in turn to DNS.WATCH and Google, but the issue persists.

I expect to be able to resolve all domain names, and for other machines on my network that use Pi Hole's DHCP server to also be able to resolve domain names.

Actual Behavior:

I'm able to resolve names that I've configured on my local network, but I'm unable to resolve anything that Pi Hole needs to contact an upstream DNS server for. Here are a couple of dig requests, issued from the Raspberry Pi (192.168.1.254):

pi@pi-dns ~> dig  versions.pi-hole.net

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> versions.pi-hole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33383
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; OPT=15: 00 08 ("..")
;; QUESTION SECTION:
;versions.pi-hole.net.		IN	A

;; Query time: 56 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Feb 13 19:59:45 CST 2023
;; MSG SIZE  rcvd: 55

pi@pi-dns ~> dig @8.8.8.8 versions.pi-hole.net

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> @8.8.8.8 versions.pi-hole.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14356
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;versions.pi-hole.net.		IN	A

;; AUTHORITY SECTION:
pi-hole.net.		1800	IN	SOA	ns1.pi-hole.net. hostmaster.pi-hole.net. 2022011805 7200 900 1209600 900

;; Query time: 30 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 13 20:03:17 CST 2023
;; MSG SIZE  rcvd: 100

As you can see, dig fails when using Pi Hole, but succeeds when I tell it to use 8.8.8.8.

Debug Token:

Because I'm unable to resolve upstream domain names, I was unable to create a debug token. However, here's a link to the debug log, lightly redacted. Note also that I ran it several times and in some runs had more DNS resolution failures than the log below records.

Is that debug log from today?

What is the date on the Pi-hole server? Your log shows a lot of BOGUS responses, which means DNSSEC is not configured correctly. The number one issue for DNSSEC failures is bad system time. The log you provided has Feb 13 as the most recent date.

The commands below might be helpful:

timedatectl status

timedatectl timesync-status

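Why a stale clock leads to BOGUS answers, as an added example that is not part of the original posts: a DNSSEC validator accepts a signature only while its own clock lies between the RRSIG inception and expiration times. The sample record, the `example.net` name, the key tag and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: one RRSIG line in the presentation format printed by
# `dig +dnssec`. Key tag and signature are placeholders, not real data.
SAMPLE_RRSIG = (
    "example.net. 300 IN RRSIG A 13 2 300 "
    "20230305000000 20230219000000 12345 example.net. c2lnbmF0dXJl"
)

def _ts(field):
    """Parse an RRSIG time: YYYYMMDDHHmmSS in UTC, or epoch seconds."""
    if len(field) == 14:
        parsed = datetime.strptime(field, "%Y%m%d%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_window(line):
    """Return (inception, expiration) from an RRSIG presentation line."""
    fields = line.split()
    i = fields.index("RRSIG")
    # After RRSIG: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    expiration, inception = fields[i + 5], fields[i + 6]
    return _ts(inception), _ts(expiration)

def check_clock(line, now):
    """Classify the signature as seen by a validator whose clock reads `now`.

    Returns (state, margin): how far `now` lies outside the window, or how
    much validity remains when it lies inside.
    """
    inception, expiration = rrsig_window(line)
    if now < inception:
        return "not-yet-valid", inception - now   # local clock is behind
    if now > expiration:
        return "expired", now - expiration        # local clock is ahead
    return "valid", expiration - now

if __name__ == "__main__":
    # Stale clock taken from the dig output above (Feb 13 19:59:45 CST).
    stale = datetime(2023, 2, 14, 1, 59, 45, tzinfo=timezone.utc)
    print("stale clock :", check_clock(SAMPLE_RRSIG, stale))
    print("system clock:", check_clock(SAMPLE_RRSIG, datetime.now(timezone.utc)))
```

To run it against a real record, pass a line from the output of `dig +dnssec` that contains `RRSIG` in place of `SAMPLE_RRSIG`.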

I hadn't expected the clock to drift that much when the Raspberry was powered down for about a week. Thanks! All is working now.

FYI, as the Raspi doesn't have an RTC, the one below saves/restores the clock to/from a file on boot/shutdown:

pi@ph5b:~ $ systemctl list-units '*fake*'
  UNIT                 LOAD   ACTIVE SUB    DESCRIPTION
  fake-hwclock.service loaded active exited Restore / save the current clock
pi@ph5b:~ $ systemctl cat fake-hwclock.service
# /lib/systemd/system/fake-hwclock.service
[Unit]
Description=Restore / save the current clock
Documentation=man:fake-hwclock(8)
DefaultDependencies=no
Before=sysinit.target shutdown.target
Conflicts=shutdown.target

[Service]
EnvironmentFile=-/etc/default/fake-hwclock
ExecStart=/sbin/fake-hwclock load $FORCE
ExecStop=/sbin/fake-hwclock save
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target

The one below updates that file every hour:

pi@ph5b:~ $ cat /etc/cron.hourly/fake-hwclock
#!/bin/sh
#
# Simple cron script - save the current clock periodically in case of
# a power failure or other crash

if (command -v fake-hwclock >/dev/null 2>&1) ; then
  fake-hwclock save
fi
pi@ph5b:~ $ man fake-hwclock
[..]
FILES
       /etc/fake-hwclock.data
              The file used to store the time