DNS Lookup Fails sometimes

Operating system - DietPi
Hardware - Raspberry Pi 2

After struggling to run a fully recursive DNS on Raspbian, I finally ended up running Pi-hole on DietPi, using Google as my upstream provider. Now my network has two subnets. The first, 192.168.0.0/24, is where the Pi-hole is located, with IP address 192.168.0.5. The second subnet is 192.168.2.0/24, and this subnet contains all my user devices. The interface setting is set to permit all origins. What I have observed is that there are some queries which Pi-hole cannot answer, for reasons I don't yet know. In some cases DNS requests take two attempts before Pi-hole responds with a positive answer. My biggest problem is that some queries simply do not resolve on my second subnet.
Example from subnet 192.168.2.0:

*** pi.hole can't find reddit.com: Server failed
> reddit.com
Server:  pi.hole
Address:  192.168.0.5

*** pi.hole can't find reddit.com: Server failed
> reddit.com
Server:  pi.hole
Address:  192.168.0.5

*** pi.hole can't find reddit.com: Server failed
> reddit.com
Server:  pi.hole
Address:  192.168.0.5

*** pi.hole can't find reddit.com: Server failed

And on the first subnet, the query is successfully resolved:

C:\Users\zimbizih>nslookup reddit.com
Server:  pi.hole
Address:  192.168.0.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to pi.hole timed-out

Expected result

I expected all queries to be answered on first attempt.

I am not sure what I am missing. Everything works great when I bypass Pi-hole.


Debug Token: this is proving difficult to get. I run it and it seems to hang on diagnosing dashboard headers. I have manually copied the output generated:

*** [ INITIALIZING ]
[i] 2025-01-03:22:50:38 debug log has been initialized.
[i] System has been running for 0 days, 0 hours, 20 minutes

*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...

*** [ DIAGNOSING ]: Core version
[✓] Version: v5.18.4
[i] Remotes: origin     https://github.com/pi-hole/pi-hole.git (fetch)
             origin     https://github.com/pi-hole/pi-hole.git (push)
[i] Branch: master
[i] Commit: v5.18.4-0-g2cf046d

*** [ DIAGNOSING ]: Web version
[✓] Version: v5.21
[i] Remotes: origin     https://github.com/pi-hole/web.git (fetch)
             origin     https://github.com/pi-hole/web.git (push)
[i] Branch: master
[i] Commit: v5.21-0-gbe05b0f

*** [ DIAGNOSING ]: FTL version
[✓] Version: v5.25.2
[i] Branch: master
[i] Commit: 8943e260

*** [ DIAGNOSING ]: lighttpd version
[i] 1.4.69

*** [ DIAGNOSING ]: php version
[i] 8.2.7

*** [ DIAGNOSING ]: Operating system
[✓] Distro:  Raspbian
[✓] Version: 12
[✓] dig return code: 0
[i] dig response: "Raspbian=11,12 Ubuntu=20,22,23,24 Debian=11,12 Fedora=40,41 CentOS=9"
[✓] Distro and version supported

*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected

*** [ DIAGNOSING ]: FirewallD
[i] Firewalld service inactive

*** [ DIAGNOSING ]: Processor
[✓] armv6l

*** [ DIAGNOSING ]: Disk usage
   Filesystem      Size  Used Avail Use% Mounted on
   /dev/root        30G  2.5G   26G   9% /
   devtmpfs        207M     0  207M   0% /dev
   tmpfs           239M  8.8M  230M   4% /dev/shm
   tmpfs            96M  3.0M   93M   4% /run
   tmpfs           5.0M     0  5.0M   0% /run/lock
   tmpfs           1.0G   16K  1.0G   1% /tmp
   tmpfs            50M   64K   50M   1% /var/log
   /dev/mmcblk0p1  127M   52M   76M  41% /boot

*** [ DIAGNOSING ]: Network interfaces and addresses
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host noprefixroute
          valid_lft forever preferred_lft forever
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
       link/ether b8:27:eb:50:29:33 brd ff:ff:ff:ff:ff:ff
       inet 192.168.0.5/24 brd 192.168.0.255 scope global eth0
          valid_lft forever preferred_lft forever
       inet6 fd01::ba27:ebff:fe50:2933/64 scope global dynamic mngtmpaddr
          valid_lft 276sec preferred_lft 276sec
       inet6 fe80::ba27:ebff:fe50:2933/64 scope link
          valid_lft forever preferred_lft forever
   3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
       link/ether 0c:8c:24:d2:ae:8d brd ff:ff:ff:ff:ff:ff

*** [ DIAGNOSING ]: Network routing table
   default via 192.168.0.1 dev eth0 onlink
   192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.5

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
    192.168.0.5/24

[✓] IPv6 address(es) bound to the eth0 interface:
    fd01::ba27:ebff:fe50:2933/64
    fe80::ba27:ebff:fe50:2933/64

[i] Default IPv4 gateway(s):
     192.168.0.1
   * Pinging first gateway 192.168.0.1...
[✓] Gateway responded.
[i] Default IPv6 gateway(s):
     fe80::5ad5:6eff:feb2:b793
   * Pinging first gateway fe80::5ad5:6eff:feb2:b793...
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
ping6: Warning: source address might be selected on device other than: eth0
[✓] Gateway responded.

*** [ DIAGNOSING ]: Ports in use
    udp:127.0.0.1:5335 is in use by unbound
    udp:0.0.0.0:58340 is in use by pihole-FTL
    udp:0.0.0.0:54308 is in use by pihole-FTL
[✓] udp:0.0.0.0:53 is in use by pihole-FTL
[✓] udp:*:53 is in use by pihole-FTL
[✓] tcp:127.0.0.1:4711 is in use by pihole-FTL
    tcp:127.0.0.1:5335 is in use by unbound
[✓] tcp:0.0.0.0:53 is in use by pihole-FTL
    tcp:0.0.0.0:22 is in use by dropbear
[✓] tcp:0.0.0.0:80 is in use by lighttpd
[✓] tcp:[::1]:4711 is in use by pihole-FTL
[✓] tcp:[::]:53 is in use by pihole-FTL
    tcp:[::]:22 is in use by dropbear
[✓] tcp:[::]:80 is in use by lighttpd

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] p05.shemale.movie is 0.0.0.0 on lo (127.0.0.1)
[✓] p05.shemale.movie is 0.0.0.0 on eth0 (192.168.0.5)
[✓] doubleclick.com is 173.194.221.102 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] www.inpostd.cfd is :: on lo (::1)
[✓] www.inpostd.cfd is :: on eth0 (fd01::ba27:ebff:fe50:2933)
[✗] Failed to resolve www.inpostd.cfd on eth0 (fe80::ba27:ebff:fe50:2933)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds

   * Received 300 bytes from eth0:192.168.0.1
     Offered IP address: 192.168.0.150
     Server IP address: 192.168.0.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.0.1
      lease-time: 86400 ( 1d )
      renewal-time: 43200 ( 12h )
      rebinding-time: 75600 ( 21h )
      netmask: 255.255.255.0
      broadcast: 192.168.0.255
      dns-server: 192.168.0.5
      router: 192.168.0.1
      domain-name: "Dlink"
      --- end of options ---

   DHCP packets received on interface eth0: 1

*** [ DIAGNOSING ]: Pi-hole processes
[✓] lighttpd daemon is active
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Pi-hole-FTL full status
   ● pihole-FTL.service - Pi-hole FTL
     Loaded: loaded (/etc/systemd/system/pihole-FTL.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-01-03 22:46:54 SAST; 4min 17s ago
    Process: 2300 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh (code=exited, status=0/SUCCESS)
   Main PID: 2313 (pihole-FTL)
      Tasks: 20 (limit: 990)
        CPU: 53.742s
     CGroup: /system.slice/pihole-FTL.service
             ├─2313 /usr/bin/pihole-FTL -f
             └─2458 /usr/bin/pihole-FTL -f

Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:56.337 2313M] Resizing "FTL-queries" from 7569408 to (176128 * 44) == 7749632 (/dev/shm: 8.8MB used, 250.2MB total, FTL uses 8.8MB)
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:57.790 2313M] Resizing "FTL-queries" from 7749632 to (180224 * 44) == 7929856 (/dev/shm: 9.0MB used, 250.2MB total, FTL uses 9.0MB)
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.135 2313M] Imported 176864 queries from the long-term database
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.147 2313M]  -> Total DNS queries: 176864
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.147 2313M]  -> Cached DNS queries: 10350
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.147 2313M]  -> Forwarded DNS queries: 145637
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.148 2313M]  -> Blocked DNS queries: 8848
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.148 2313M]  -> Unknown DNS queries: 5816
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 22:47:58.148 2313M]  -> Unique domains: 3599
Jan 03 22:47:58 piHole pihole-FTL[2313]: [2025-01-03 2

*** [ DIAGNOSING ]: Lighttpd configuration test
[✓] No error in lighttpd configuration

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=eth0
    QUERY_LOGGING=false
    INSTALL_WEB_SERVER=false
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=true
    CACHE_SIZE=15000
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true
    DNSMASQ_LISTENING=all
    BLOCKING_ENABLED=true
    DNSSEC=true
    REV_SERVER=false
    PIHOLE_DNS_1=8.8.8.8
    PIHOLE_DNS_2=8.8.4.4
    WEBUIBOXEDLAYOUT=boxed
    WEBTHEME=default-auto

*** [ DIAGNOSING ]: Dashboard headers

Let's see if we can discover what is wrong.

What is the output of curl -I localhost/admin/ ?

At this point this URL will be unreachable because I ran pihole -d and it got stuck on the above. However, after restarting the service, I get this:

root@piHole:~# curl -I localhost/admin/
HTTP/1.1 302 Found
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=l9q9isu4u6qd5o8ljjun0kqtv7; path=/; HttpOnly; SameSite=Strict
Location: login.php
Content-type: text/html; charset=UTF-8
X-Pi-hole: The Pi-hole Web interface is working!
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 0
X-Robots-Tag: noindex, nofollow
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: same-origin
Content-Security-Policy: default-src 'self' 'unsafe-inline'
Date: Sat, 04 Jan 2025 07:03:41 GMT
Server: lighttpd/1.4.69

Can you generate and upload a debug log after restarting the service?

Finally, succeeded in uploading:

https://tricorder.pi-hole.net/HxXDG0an/

Hi all,

I am still suffering from random failures on DNS lookups, but I don't have a clue why Pi-hole fails randomly like this. I do not get this problem when I bypass Pi-hole and use my ISP or Google DNS directly on my PC.

Just now, when I tried Google:

Address:  192.168.0.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to pi.hole timed-out

Not sure if I found a breakthrough today. But I noticed that github.com was failing to open, and when I traced the domain I picked up DNSSEC validation errors. I had DNSSEC validation enabled and was using Google DNS servers. I disabled DNSSEC and github came to life. I will monitor in the next few days.
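
The thread shows two distinct failure modes, "Server failed" (SERVFAIL) and plain timeouts, and ends with DNSSEC validation as the suspect. The following is an added example, not part of the original posts or of Pi-hole's own code: it sends the same lookup twice, once normally and once with the DNS "Checking Disabled" (CD) bit set, and tells a validation failure apart from an unreachable resolver. All function names are hypothetical, the sample replies are constructed, and it assumes the resolver honours the CD bit.

```python
import socket
import struct

RD_BIT = 0x0100  # Recursion Desired
CD_BIT = 0x0010  # Checking Disabled (RFC 4035): resolver should skip DNSSEC validation
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Constructed sample replies (12-byte DNS headers only), not captured from the thread.
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")
SAMPLE_NOERROR_CD = bytes.fromhex("123481900001000100000000")

def build_query(name, qid, checking_disabled=False):
    """Encode an A-record query; checking_disabled=True sets the CD bit."""
    flags = RD_BIT | (CD_BIT if checking_disabled else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def rcode_of(reply):
    """RCODE name from a raw reply; None or a short packet counts as TIMEOUT."""
    if reply is None or len(reply) < 12:
        return "TIMEOUT"
    code = struct.unpack("!H", reply[2:4])[0] & 0x000F
    return RCODES.get(code, "RCODE%d" % code)

def classify(normal_reply, cd_reply):
    """Compare the validated lookup with the CD=1 lookup of the same name."""
    normal, cd = rcode_of(normal_reply), rcode_of(cd_reply)
    if normal == "TIMEOUT" and cd == "TIMEOUT":
        return "unreachable"  # no reply at all: routing, firewall or listening, not DNSSEC
    if normal == "SERVFAIL" and cd == "NOERROR":
        return "dnssec"       # only the validating path fails
    if normal == "SERVFAIL":
        return "upstream"     # SERVFAIL that CD=1 does not clear
    return "ok" if normal == "NOERROR" else normal.lower()

def ask(server, packet, timeout=2.0):
    """Send one UDP query; return the raw reply, or None on timeout or socket error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            return s.recv(4096)
        except OSError:
            return None

def probe(server, name):
    """Live check, e.g. probe("192.168.0.5", "github.com"), run from each subnet."""
    return classify(ask(server, build_query(name, 0x1234)),
                    ask(server, build_query(name, 0x1235, checking_disabled=True)))
```

A "dnssec" result on one name with "ok" on others points at validation of that zone, while "unreachable" from only the 192.168.2.0/24 side points at the path between the subnets rather than at the resolver's DNSSEC setting.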