Communications error on Linux client

Expected Behaviour:

Pi-hole runs on docker image, Ubuntu Server, Raspberry Pi 4. DHCP disabled.

On a Linux Debian 12 PC, I get performance issues with DNS resolution.

  • Debian 12
  • laptop with 8GB memory

On a Windows 10 PC, it seems to be working.

Actual Behaviour:

Ad blocking works, but internet browsing is slow on Linux. When I revert to my default router, DNS resolving seems fine.

Linux client

As a test, I ran an nslookup command; it starts with timeouts, then works:

time nslookup fast.com
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
Server:		0000::0000:0000:0000:0000%3%3
Address:	0000::0000:0000:0000:0000%3#53

Non-authoritative answer:
Name:	fast.com
Address: 104.85.27.250
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
Name:	fast.com
Address: 2a02:26f0:2b00:39a::24fe
Name:	fast.com
Address: 2a02:26f0:2b00:395::24fe


real	0m30.180s
user	0m0.028s
sys	0m0.023s

Windows client

On a Windows 10 PC, I ran some nslookup commands:

powershell "Measure-Command { nslookup www.google.com }" | FINDSTR "^Milliseconds"
Non-authoritative answer:
Milliseconds      : 92

The values are between 78ms and 133ms.
With my router, values are between 42ms and 76ms.

It seems that it is a configuration issue on the Linux client, rather than a Pi-hole issue.

Debug Token:

UhatzKnM

Best regards

On the Linux machine, what's the output of

cat /etc/resolv.conf

Also, I'm assuming your Pi-hole is 192.168.1.20. Can you ping that IP?

Thanks for your reply.

Linux client

Sure, here is my resolv.conf file:

# Generated by NetworkManager
search home
nameserver 192.168.1.20
nameserver 0000::0000:0000:0000:8e66%wlo1

ping 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=3.06 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=3.55 ms
64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=4.12 ms
64 bytes from 192.168.1.20: icmp_seq=4 ttl=64 time=4.51 ms

ping 0000::0000:0000:0000:8e66
PING 0000::0000:0000:0000:8e66(0000::0000:0000:0000:8e66) 56 data bytes
64 bytes from 0000::0000:0000:0000:8e66%wlo1: icmp_seq=1 ttl=64 time=3.44 ms
64 bytes from 0000::0000:0000:0000:8e66%wlo1: icmp_seq=2 ttl=64 time=3.57 ms
64 bytes from 0000::0000:0000:0000:8e66%wlo1: icmp_seq=3 ttl=64 time=3.75 ms
64 bytes from 0000::0000:0000:0000:8e66%wlo1: icmp_seq=4 ttl=64 time=7.20 ms

I also configured local network resolution, and it seems very slow between each ping. It seems to resolve the full IPv6 address:

ping -6 pi4.home
PING pi4.home(00000000000000000000000000008e66.ipv6.my.isp.com (0000:0000:0000:0000:0000:0000:0000:8e66)) 56 data bytes
64 bytes from 00000000000000000000000000008e66.ipv6.my.isp.com (0000:0000:0000:0000:0000:0000:0000:8e66): icmp_seq=1 ttl=64 time=3.16 ms
64 bytes from 00000000000000000000000000008e66.ipv6.my.isp.com (0000:0000:0000:0000:0000:0000:0000:8e66): icmp_seq=2 ttl=64 time=3.09 ms
64 bytes from 00000000000000000000000000008e66.ipv6.my.isp.com (0000:0000:0000:0000:0000:0000:0000:8e66): icmp_seq=3 ttl=64 time=3.03 ms
64 bytes from 00000000000000000000000000008e66.ipv6.my.isp.com (0000:0000:0000:0000:0000:0000:0000:8e66): icmp_seq=4 ttl=64 time=3.07 ms

When disabling Conditional forwarding and adding Local DNS CNAME entries, it resolves the local IPv6 address, but it's very slow between each request:

ping -6 pi4.home
PING pi4.home(pi4.home (0000::0000:0000:0000:8e66)) 56 data bytes
64 bytes from pi4.home (0000::0000:0000:0000:8e66%wlo1): icmp_seq=1 ttl=64 time=2.82 ms
64 bytes from pi4.home (0000::0000:0000:0000:8e66%wlo1): icmp_seq=2 ttl=64 time=3.07 ms
64 bytes from pi4.home (0000::0000:0000:0000:8e66%wlo1): icmp_seq=3 ttl=64 time=2.99 ms
64 bytes from pi4.home (0000::0000:0000:0000:8e66%wlo1): icmp_seq=4 ttl=64 time=2.72 ms
^C64 bytes from 0000::0000:0000:0000:8e66%wlo1: icmp_seq=5 ttl=64 time=2.96 ms
--- pi4.home ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 20127ms
rtt min/avg/max/mdev = 2.718/2.910/3.070/0.124 ms

total 20s

Windows client

Same command with Local DNS CNAME entries

ping -6 pi4.home

Pinging pi4.home [0000::0000:0000:0000:8e66%7] with 32 bytes of data:
Reply from 0000::0000:0000:0000:8e66%7: time<1ms
Reply from 0000::0000:0000:0000:8e66%7: time<1ms
Reply from 0000::0000:0000:0000:8e66%7: time<1ms
Reply from 0000::0000:0000:0000:8e66%7: time<1ms

Ping statistics for 0000::0000:0000:0000:8e66%7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

From what I can tell, you can resolve IPv6 but it's failing on IPv4 (based on the initial nslookups). You can ping the interfaces OK.

On the Linux machine, see if you can resolve the Pi for both using dig. If you don't have it installed, it should be part of the dnsutils package.

dig pi4.home A
dig pi4.home AAAA

Also, is there a firewall set up on the Pi / container? I have no Docker experience, but it could be that your port 53 is not reachable, causing the timeouts and an eventual failover to IPv6, which resolves. This can also be tested with netcat (netcat-traditional is the package if not installed). The command would be

nc -zv 192.168.1.20 53

If the port is open, then it should respond with a succeeded message. If not, it will hang for a while and error with a connection timeout.

Your debug log suggests that your Pi-hole host has no IPv6 connectivity at all, as would be expected for a Pi-hole running as Docker container.

What device does that IPv6 belong to?
It's not from any of the common special use ranges (fe80:/10, fd00::/8; 2001::/3), making me wonder how your router is configuring IPv6 for your network.

If your router would be advertising its own IPv6 address as DNS server, that would allow your IPv6 clients to by-pass Pi-hole.

Please share your docker-compose or docker run script.

dig and netcat

$ dig pi4.home A
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> pi4.home A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16205
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pi4.home.			IN	A

;; ANSWER SECTION:
pi4.home.		0	IN	A	192.168.1.20

;; Query time: 4 msec
;; SERVER: 0000::0000:0000:0000:8e66%3#53(0000::0000:0000:0000:8e66%3%3) (UDP)
;; WHEN: Tue Mar 05 07:55:42 CET 2024
;; MSG SIZE  rcvd: 53

$ dig pi4.home AAAA
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> pi4.home AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64016
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pi4.home.			IN	AAAA

;; ANSWER SECTION:
pi4.home.		0	IN	AAAA	fe80::dea6:32ff:fef0:8e66

;; Query time: 0 msec
;; SERVER: 0000::0000:0000:0000:8e66%3#53(0000::0000:0000:0000:8e66%3%3) (UDP)
;; WHEN: Tue Mar 05 07:57:07 CET 2024
;; MSG SIZE  rcvd: 65


$ nc -zv 192.168.1.20 53
pi4.home [192.168.1.20] 53 (domain) open

docker compose

version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
   #  - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "12345:80/tcp"
    environment:
      TZ: 'Europe/Paris'
      WEBPASSWORD: 'MY-WEB-PASSWORD'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    #cap_add:
      #- NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: 'always'

From the Linux client, what do you get if you dig to the Pi-hole IP itself and to an external resolver?

dig @192.168.1.20 fast.com

dig @1.1.1.1 fast.com
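
Added example (not part of the original thread): a Python version of the per-server test suggested above. It sends one real UDP DNS query to each nameserver listed in /etc/resolv.conf with a short timeout, because an open port 53 in nc -zv (a TCP connect) does not show that queries are answered. The function names, the fixed transaction id and the 2-second timeout are choices of this example.

```python
import socket
import struct
import time

TXID = 0x1234  # fixed transaction id (example value), checked against the reply

def parse_nameservers(resolv_conf):
    """Return the nameserver entries in the order the stub resolver tries them."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def build_query(name, qtype=1):
    """Encode a minimal recursive query (qtype 1 = A, 28 = AAAA, class IN)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def probe(server, name="fast.com", port=53, timeout=2.0):
    """Send one UDP query to one server and report whether it answered."""
    # AI_NUMERICHOST: accept only IPv4, IPv6 and scoped link-local
    # (fe80::...%wlo1) literals, so the probe itself never does a DNS lookup.
    family, kind, proto, _, addr = socket.getaddrinfo(
        server, port, type=socket.SOCK_DGRAM, flags=socket.AI_NUMERICHOST)[0]
    result = {"server": server, "status": "timeout", "rcode": None, "answers": 0}
    start = time.monotonic()
    with socket.socket(family, kind, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), addr)
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = b""  # no DNS reply arrived within the timeout
        except OSError as exc:
            reply, result["status"] = b"", "error: %s" % exc
    result["ms"] = round((time.monotonic() - start) * 1000)
    if reply:
        result["status"] = "bad-reply"
        if len(reply) >= 12:
            txid, flags, _, ancount = struct.unpack("!HHHH", reply[:8])
            if txid == TXID and flags & 0x8000:  # our id, QR (response) bit set
                result.update(status="answered", rcode=flags & 0xF, answers=ancount)
    return result

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for ns in parse_nameservers(fh.read()):
            print(probe(ns))
```

A server that reports timeout here while still answering ping is reachable but is not replying to DNS queries from this client.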

dig test

# pi-hole
$ dig @192.168.1.20 fast.com
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out
;; communications error to 192.168.1.20#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.1.20 fast.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

# router
$ dig @192.168.1.1 fast.com

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.1.1 fast.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64186
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e0d7430a964542940100000065e756b59791c6763d055da6 (good)
;; QUESTION SECTION:
;fast.com.			IN	A

;; ANSWER SECTION:
fast.com.		20	IN	A	23.56.203.34

;; Query time: 24 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Tue Mar 05 18:30:08 CET 2024
;; MSG SIZE  rcvd: 81

# public dns
$ dig @1.1.1.1 fast.com

; <<>> DiG 9.18.24-1-Debian <<>> @1.1.1.1 fast.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15394
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fast.com.			IN	A

;; ANSWER SECTION:
fast.com.		8	IN	A	23.217.253.73

;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Mar 05 18:30:30 CET 2024
;; MSG SIZE  rcvd: 53

workaround

It seems that I found a workaround (without explaining it, though)

Configure only the local IPv6 address of pi-hole in network settings

cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver 0000::0000:0000:0000:8e66%wlo1

dig fast.com

; <<>> DiG 9.18.24-1-Debian <<>> fast.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;fast.com.			IN	A

;; ANSWER SECTION:
fast.com.		20	IN	A	104.85.27.250

;; Query time: 20 msec
;; SERVER: 0000::0000:0000:0000:8e66%3#53(0000::0000:0000:0000:8e66%3%3) (UDP)
;; WHEN: Tue Mar 05 18:37:13 CET 2024
;; MSG SIZE  rcvd: 53

Your docker-compose looks ok, but you may probably need to change Pi-hole's Interface listening via Settings | DNS to either Respond only on interface eth0 or Permit all origins.
Alternatively, you could set your Pi-hole container's DNSMASQ_LISTENING advanced environment variable accordingly.

You should also consider adding the FTLCONF_LOCAL_IPV4 recommended environment variable.
This is unrelated to your DNS issue, as it may only affect Pi-hole's web UI.

Let's have a closer look at your machine's network configuration.
Run from the machine hosting your Docker, what's the output of:

ip -4 address
ip -6 address
ip route
ip -6 route

$ ip -4 address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.20/24 metric 100 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 49804sec preferred_lft 49804sec
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-b6182d87b92e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    inet 172.26.0.1/16 brd 172.26.255.255 scope global br-b6182d87b92e
       valid_lft forever preferred_lft forever
# more interfaces br-something

$ ip -6 address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 0000:0000:0000:0000:0000:0000:0000:8e66/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86393sec preferred_lft 593sec
# same same

$ ip route
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.20 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
# interfaces br-something
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100 
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.20 metric 100 

$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a01:cb08:8f18:f000::/64 dev eth0 proto ra metric 100 expires 86363sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev vethf0b99e5 proto kernel metric 256 pref medium
fe80::/64 dev br-8f48a73fa194 proto kernel metric 256 pref medium
# interfaces veth/br-something
default via fe80::0000:0000:0000:5f90 dev eth0 proto ra metric 100 expires 563sec mtu 1500 pref high

Thanks for your reply. It works.
I configured "Permits all origins" and I have added FTLCONF_LOCAL_IPV4 with the host value.

$ cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver 192.168.1.20
nameserver 0000::0000:0000:0000:0000%wlo1

$ dig AAAA fast.com

; <<>> DiG 9.18.24-1-Debian <<>> AAAA fast.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55479
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;fast.com.			IN	AAAA

;; ANSWER SECTION:
fast.com.		20	IN	AAAA	2a02:26f0:2b00:f97::24fe
fast.com.		20	IN	AAAA	2a02:26f0:2b00:fa9::24fe

;; Query time: 31 msec
;; SERVER: 192.168.1.20#53(192.168.1.20) (UDP)
;; WHEN: Tue Mar 05 20:58:42 CET 2024
;; MSG SIZE  rcvd: 93

$ dig A fast.com

; <<>> DiG 9.18.24-1-Debian <<>> A fast.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8053
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;fast.com.			IN	A

;; ANSWER SECTION:
fast.com.		20	IN	A	23.217.253.73

;; Query time: 427 msec
;; SERVER: 192.168.1.20#53(192.168.1.20) (UDP)
;; WHEN: Tue Mar 05 20:58:48 CET 2024
;; MSG SIZE  rcvd: 53

Glad it's working for IPv4 now. :slight_smile:
And IPv4 is fully sufficient for DNS/Pi-hole.

Nevertheless, your ip -6 route results suggest that the Docker host machine running your Pi-hole container has IPv6 connectivity.
If your router advertises its own IPv6 as DNS server, IPv6 clients may by-pass Pi-hole.

As for the strange all-zero prefixed IPv6:

That isn't a link-local address, as it does not start with fe80:.
As mentioned before, it doesn't match any common IPv6 range, and your IPv6 routing table shows that there is no dedicated routing entry for it.

I wonder how you ended up with that address.
Did you perhaps statically define it?

I tried to mask some parts of my IPv6 with zeroes; my local address starts with fe80.

$ ip -6 address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:0000:0000:0000:0000:0000:0000:8e66/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86392sec preferred_lft 592sec
    inet6 fe80::0000:0000:0000:8e66/64 scope link 
       valid_lft forever preferred_lft forever

@Bucking_Horn
One more question, if it's ok.

And IPv4 is fully sufficient for DNS/Pi-hole.

When I add both IPv4/IPv6 pointing to the same Pi-hole host, is it bad practice? When a domain is blocked, does it try to use the second address as fallback?

Does that mean you redacted IPv6 addresses in all of your posts?
It would have been nice if you'd told us. :wink:
Consider explicitly marking them as redacted instead, e.g. fe80:<redacted>66%7, so they still carry some significance.

Could you elaborate on that?
Do you want to create DNS records for that host, or are you talking about your router's DNS configuration here?

I redacted IPv6 parts, I am sorry.

DNS question

I am thinking about the client configuration using one Pi-hole with both IPv4/IPv6: 192.168.1.20/fe80:::8e66
Current:

$ cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver 192.168.1.20
nameserver fe80::<redacted>:8e66%wlo1

Is this better?

$ cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver 192.168.1.20

or

$ cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver fe80::<redacted>:8e66%wlo1

Testing

For testing purposes, I only set the Pi-hole IPv6 address in Windows and Linux clients. It seems to be working, but surprises may happen. Like the damn printer or scanner for whatever printing protocol.

Just one of your Pi-hole host machine's would suffice.
There would be no advantage in using both of them.

I'd prefer to use the private range IPv4 address, as that is routable within your home network.
The IPv6 link-local isn't - it's restricted to the link/network segment its host is connecting to.


@CallMeCurious @Bucking_Horn

Thanks for your replies

Best regards
