I'm so happy with this update. And just before the holidays too, perfect time to do some heavy adminning among which this beauty.
Just a heads up; when updating from 4.0 to 4.1 in our test environment, since we are that eager to play with it, we ran into this problem:
Info to go with that: we run pihole on a dedicated machine. pihole forwards queries to 127.0.0.1#5353 where unbound runs which contacts root servers. Despite the error, everything is up to date and running. We haven't rebooted yet though
No error in either of the three logs. Just the usual log messages, nothing more than notices and information really. Oh, and some "insecure" messages (DNSSEC), but never a problem. So no evidence as of why. It even showed knowing about 127.0.0.1#5353 being the nameserver/forward server.
FTL may have just taken too long to start up (you have a lot of block lists), since you don't have any errors in your debug log. Try pihole -g now. If it works, try pihole -up again.
Just to be clear; everything is running normally. this above is going on, but meanwhile we can browse and stuff gets blocked as usual. no actual resolving issues, apart from Pi-hole saying so.
This server runs in a test environment, which is also used enough to be a situation comparable to a real life one. It has a gateway (router) which forwards DNS externally. It also has a server, on which Pi-hole and other services run.
The server itself uses the gateway to resolve DNS. The devices in the test-network use the server to resolve DNS. So the devices are protected by Pi-hole. But optionally can get direct access by setting the DNS server to the gateway.
The server with Pi-hole, as said, runs Unbound. This is used to query root servers from the server. Pi-hole is asked to forward to this local Unbound to resolve.
Edit: TLDR; commands were ran from the server CLI and bypass the Pi-hole/Unbound setup..
So the issue is that the getent hosts raw.githubusercontent.com command takes too long, where it should be taking about the same time as the dig command.
If the getent command fails, after the retry time it will make another check using:
timeout 1 dig +short raw.githubusercontent.com
Does this dig command run in less than one second? (it should, since the other dig one did, but just checking).