DNS service is NOT running

Expected Behaviour:

  • DNS Server should be running.
  • Raspbian GNU/Linux 10 (buster)
  • Raspberry pi 4
  • Initially was on 5.0 beta
  • Now on 5.1.1 post via pihole checkout master & pihole -up

Actual Behaviour:

  • Initial issue was "Lost Connection to API"

  • DNS Service is not running. It'll start after repair, but will stop shortly after. In addition, pihole-FTL.log shows "Resizing /FTL-queries from XXXXXX to XXXXX"

Debug Token:

[https://tricorder.pi-hole.net/1k3yquupye]

Steps Taken Already:

  • I've changed the IP address in the resolv.conf to '9.9.9.9'
  • performed pihole -r. Repair is successful. After a few minutes, dns service will turn off once again.
  • To troubleshoot, I've removed dnsmasq.d (& dnsmasq.conf) and pihole -r after. Same issues exist.
  • I have copied /etc/pihole to Desktop as means of back up

You are likely running out of memory. That's a lot of queries in 24 hours:

[2020-07-17 13:22:14.270 8464M] Resizing "/FTL-queries" from 1014300672 to 1014530048
[2020-07-17 13:22:14.324 8464M] Imported 18115634 queries from the long-term database
[2020-07-17 13:22:14.327 8464M]  -> Total DNS queries: 18115634
[2020-07-17 13:22:14.327 8464M]  -> Cached DNS queries: 5800
[2020-07-17 13:22:14.327 8464M]  -> Forwarded DNS queries: 18102727
[2020-07-17 13:22:14.328 8464M]  -> Blocked DNS queries: 7073
[2020-07-17 13:22:14.328 8464M]  -> Unknown DNS queries: 34
[2020-07-17 13:22:14.328 8464M]  -> Unique domains: 2305
[2020-07-17 13:22:14.328 8464M]  -> Unique clients: 33
[2020-07-17 13:22:14.328 8464M]  -> Known forward destinations: 3

Thanks @jfb.. that's interesting because I don't know how that would've happened. I realized that my router did jump to the top of the list, but I can't figure out what caused that extreme surge.

Only thing I enabled prior to this was DNSSEC.

As far as memory goes this is with DNS Service not running:

I ran pihole -r (now seeing an error that says pihole-FTL: no process found)
and it's taking some time on "Restart DNS Server..."

Please post the outputs of these commands from the Pi terminal - let's see what's going on with the high query volume.

echo ">top-clients >quit" | nc localhost 4711

echo ">top-domains >quit" | nc localhost 4711

echo ">top-ads >quit" | nc localhost 4711

Blank. Nothing echo'd.


pihole status:
DNS Service not running.

I saw that pihole-FTL wasn't running and started it. Still nothing.

It is likely that Pi-hole is unable to read and process the previous 24 hours of data from the long term database. Let's do a workaround to get this running and then figure out what's making all the requests. We'll move the long term database to a new file and then restart FTL with an empty database. After an hour or so, run those commands and we'll see what's causing the high query volume.

sudo service pihole-FTL stop

sudo mv /etc/pihole/pihole-FTL.db /etc/pihole/pihole-FTL-hold.db

sudo service pihole-FTL start

You may have configured a DNS loop by enabling Conditional Forwarding:

*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 pihole pihole 2325449592 Jul 17 13:24 /var/log/pihole.log
-----head of pihole.log------
Jul 17 00:01:25 dnsmasq[2192]: query[PTR] db._dns-sd._udp.kashirifi from 192.168.0.1
Jul 17 00:01:25 dnsmasq[2192]: forwarded db._dns-sd._udp.kashirifi to 192.168.0.1

Pi-hole forwards (certain) queries by your router back to your router for resolution, which would repeat endlessly, until they time out eventually.

Disable Conditional Forwarding and see if the issue persists.
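
The loop described above shows up in pihole.log as a query that is forwarded to the same address it arrived from. The following is an added example, not part of the original thread or of Pi-hole's own tooling, that counts such pairs; the function names, the threshold argument and every sample line after the first two are constructed for illustration.

```shell
#!/bin/sh
# Added example: count queries dnsmasq forwarded back to the address that sent them.

# find_forward_loops MIN [FILE...]   (hypothetical helper; reads stdin if no FILE)
# Prints "COUNT UPSTREAM NAME" for every name forwarded at least MIN times
# to the same address the query arrived from, highest count first.
# Only the most recent client per name is remembered, so counts are a lower bound.
find_forward_loops() {
    min=$1; shift
    awk -v min="$min" '
        # ... dnsmasq[pid]: query[TYPE] NAME from CLIENT
        $5 ~ /^query\[/ && $7 == "from" { asker[$6] = $8; next }
        # ... dnsmasq[pid]: forwarded NAME to UPSTREAM
        $5 == "forwarded" && $7 == "to" && ($6 in asker) && asker[$6] == $8 {
            loops[$8 " " $6]++
        }
        END { for (k in loops) if (loops[k] >= min) print loops[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Sample input: the first two lines are from the debug log above, the rest are constructed.
sample_log() {
    cat <<'EOF'
Jul 17 00:01:25 dnsmasq[2192]: query[PTR] db._dns-sd._udp.kashirifi from 192.168.0.1
Jul 17 00:01:25 dnsmasq[2192]: forwarded db._dns-sd._udp.kashirifi to 192.168.0.1
Jul 17 00:01:26 dnsmasq[2192]: query[PTR] 159.0.168.192.in-addr.arpa from 192.168.0.1
Jul 17 00:01:26 dnsmasq[2192]: forwarded 159.0.168.192.in-addr.arpa to 192.168.0.1
Jul 17 00:01:26 dnsmasq[2192]: query[PTR] 159.0.168.192.in-addr.arpa from 192.168.0.1
Jul 17 00:01:26 dnsmasq[2192]: forwarded 159.0.168.192.in-addr.arpa to 192.168.0.1
Jul 17 00:01:27 dnsmasq[2192]: query[A] ping.ubnt.com from 192.168.0.184
Jul 17 00:01:27 dnsmasq[2192]: forwarded ping.ubnt.com to 9.9.9.9
Jul 17 00:01:27 dnsmasq[2192]: reply ping.ubnt.com is 203.0.113.10
EOF
}

# Run over the sample; on the Pi, pass the real log file instead.
sample_log | find_forward_loops 1
```

On the Pi, `find_forward_loops 100 /var/log/pihole.log` limits the output to names that were sent back to their sender at least 100 times.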

echo ">top-ads >quit" | nc localhost 4711

0 13 settings-win.data.microsoft.com
1 4 data.cnn.com
2 1 csi.gstatic.com

echo ">top-domains >quit" | nc localhost 4711

1 378941 159.0.168.192.in-addr.arpa
2 362706 174.0.168.192.in-addr.arpa
3 306287 160.0.168.192.in-addr.arpa
4 75 mcs-spinnaker-283711814.us-east-1.elb.amazonaws.com
5 51 lh3.googleusercontent.com.kashirifi
6 42 ping.ubnt.com
--DELETED--
8 21 edgeapi.slack.com
9 17 tanosts1.homelab.com

echo ">top-clients >quit" | nc localhost 4711

0 1426990 192.168.0.1 homeoffice
1 358 192.168.0.184 macbook-pro.kashirifi
2 39 192.168.0.122 
3 39 192.168.210.10 tanosts1.homelab.com
4 30 192.168.0.174 
5 24 127.0.0.1 localhost
6 19 192.168.210.7 emrp-centos7.local
7 16 192.168.220.14 
8 2 192.168.0.159 
9 1 192.168.0.160 

@Bucking_Horn I've disabled Conditional Forwarding (as I was hoping to get my hostnames to show up).

It's up and running, however, it doesn't appear as if I can get out (without a secondary DNS entry on my Mac)

You may want to check your Pi-hole's IPv4 address, specifically its very restrictive netmask, which doesn't seem to match your network's normal /24:

*** [ DIAGNOSING ]: Setup variables
    IPV4_ADDRESS=192.168.0.100/32

Are you still seeing that mass of queries originating from your router's IP address, or is that down to normal levels after disabling CF?

I'm running v5.1.1 on a Rasp PI 4 2GB - It's maxed out my memory and then maxed out my Swap file. I did what "jfb" recommended and renamed my FTL.db - the system was too far locked up and I just rebooted - pi-hole is back up again, but I'm afraid this is going to be a short fix.

Yesterday, I had to completely factory reset all of my Ubiquiti equipment because I was too confident in the pi-hole reliability and only had 1 DNS server listed (my pi-hole). The problem is I have 2 factor authentication to my security gateway and it could get out to the internet to verify my code.

I actually reinstalled Raspbian 32-bit and freshly installed pi-hole last night. It took less than 24 hours for the "memory leak" to lock up the API services on the PI again. My wife's corporate laptop is a really chatty device - I have 100's of thousands of queries every day.

Everything had been running perfectly up until my v5.1 upgrade... or it may have been the 5.1.1 upgrade when this started.

I believe the DNS loop caused by conditional forwarding is causing this problem.


I wouldn't have realized pi-hole was offline until I started seeing ads popping up - the failover occurred again.

I'll be sure to turn that off... that makes sense. Thank you!

If you have access on that machine, put it on a DNS other than Pi-hole. Or, if you use Pi-hole as DHCP server, you can use dnsmasq settings to assign that client to a different DNS during the DHCP handshake process. If you can do this, you won't see any activity from that client in Pi-hole.


To get local IP's resolved by reverse DNS queries, map them in either /etc/hosts on the Pi or using the Local DNS records. Then Pi-hole can resolve these with no need for conditional forwarding.

Thank you, JFB. My pi-hole is back to the expected 351M of memory and everything is fully functional.

Yeah, I had just changed that today in testing (per diagnostic). I've changed the ipv4 back to a /24

After disabling CF, the queries have decreased, however, I'm still running into an issue where I can't get out without a secondary DNS server. DNS Loop definitely seemed to be the issue. Once turned off DNS Service has stayed up.
