DNS stop working without

Expected Behaviour:

Raspberry Pi
Debian Bullseye

Actual Behaviour:

I didn't touch my Raspberry for a while and yesterday the DNS stopped working correctly.
I can't ping anything from the Raspberry.
I have a lot ntp so I tried to put the time manually but nothing.

Debug Token:

Moderator edit: Explicit debug log removed.

(Just post the token, please. For your own privacy and security, do not post the full, unsanitised debug log output here. Also, your debug log seems to be shortened - it is missing parts of its usual contents, e.g. some gravity tables.)

Since you are using unbound as Pi-hole's upstream, DNS lookups may fail due to DNSSEC validation with an incorrect time, which may well explain your observation.

Please reverify your local time on your Pi-hole machine.

Run from your Pi-hole host machine, what's the result of the following command:

dig 2.debian.pool.ntp.org @192.168.1.144

This will temporarily reset the nameserver on the Pi to bypass Pi-Hole DNS.

sudo nano /etc/resolv.conf

Edit the nameserver line to nameserver 9.9.9.9 or your preferred third party DNS service, save and exit

Run

pihole -d

and upload the debug log.

I had to cut the adlist because of the number of characters restriction.
For the token, the curl instruction didn't work.
Bucking_Horn :

pi@raspberrypi:~ $ dig 2.debian.pool.ntp.org @192.168.1.144

; <<>> DiG 9.16.27-Debian <<>> 2.debian.pool.ntp.org @192.168.1.144
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;2.debian.pool.ntp.org.         IN      A

;; Query time: 4 msec
;; SERVER: 192.168.1.144#53(192.168.1.144)
;; WHEN: Sat Jun 18 14:38:04 CEST 2022
;; MSG SIZE  rcvd: 50

jfb :
https://tricorder.pi-hole.net/pjysuxYj/
The token works this time and I can ping from my Raspberry, but when I manually use my Raspberry as DNS on my PC, it can't solve requests.

Your debug log shows that your DHCP server is passing its own IP for DNS rather than the IP of Pi-hole. Other than that, your debug log is normal.

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   * Received 548 bytes from wlan0:192.168.1.254
     Offered IP address: 192.168.1.144
     Server IP address: N/A
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.254
      lease-time: 43200 ( 12h )
      --- end of options ---
    
   DHCP packets received on interface wlan0: 1
   DHCP packets received on interface lo: 0
   DHCP packets received on interface eth0: 0

The problem appears to lie in your upstream DNS resolver (Unbound) which is replying with SERVFAIL for every request shown in your debug log.

Edit - as a first troubleshooting step, change your upstream DNS server to something other than unbound. That should restore your Pi-hole to operation and you can troubleshoot the unbound problem.

Thanks, I have changed Unbound for Quad9 and it works.
Should I try to remake the Unbound configuration to repair Unbound?

No, for Pi-OS Bullseye and maybe even Debian, check if below file exists first:

cat /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

If exists, delete it with below so unbound becomes a true recursive resolver again:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

Make sure it doesn't get recreated at boot or network state change by hashing out # the unbound_conf= line in below file:

sudo sed -i 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf

Restart unbound to apply:

sudo service unbound restart

Also check if the unbound-resolvconf.service unit is active with below:

service unbound-resolvconf status

It populates /etc/resolv.conf with the (unwanted) loopback IP 127.0.0.1 nameserver instead of the one that's configured in /etc/dhcpcd.conf.
Can disable and stop that one with below:

sudo systemctl disable --now unbound-resolvconf.service

Restart the dhcpcd network manager to apply:

sudo service dhcpcd restart

And check if resolv.conf now contains the domain_name_servers= IPs from /etc/dhcpcd.conf:

pi@ph5b:~ $ tail /etc/dhcpcd.conf
[..]
interface eth0
  static ip_address=10.0.0.4/24
  static routers=10.0.0.1
  static domain_name=home.dehakkelaar.nl
  static domain_name_servers=10.0.0.1
pi@ph5b:~ $ cat /etc/resolv.conf
# Generated by resolvconf
domain home.dehakkelaar.nl
nameserver 10.0.0.1
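
The checks from the steps above can be gathered into one read-only audit. This is an added example, not part of the original post and not Pi-hole or unbound project code; the function names and the ROOT prefix argument are assumptions made for illustration, while the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Read-only audit of the state that the steps above change. Nothing is modified.
# ROOT is a hypothetical prefix (default: empty = live system) so the checks can
# also be run against a copied or constructed /etc tree.

# 0 if the resolvconf-generated forwarder file for unbound is present.
has_forwarder_file() {
    [ -e "$1/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf" ]
}

# 0 if resolvconf.conf has an uncommented unbound_conf= line, i.e. the
# forwarder file would be recreated at boot or on a network state change.
unbound_conf_active() {
    grep -q '^unbound_conf=' "$1/etc/resolvconf.conf" 2>/dev/null
}

# Print the nameserver addresses listed in resolv.conf, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1/etc/resolv.conf" 2>/dev/null
}

# Print one line per finding; return 0 when clean, 1 when anything was found.
audit_unbound_resolvconf() {
    root=${1:-} found=0
    if has_forwarder_file "$root"; then
        echo "forwarder file present: unbound is not a pure recursive resolver"
        found=1
    fi
    if unbound_conf_active "$root"; then
        echo "unbound_conf= active in resolvconf.conf: forwarder file will be regenerated"
        found=1
    fi
    if resolv_nameservers "$root" | grep -qx '127\.0\.0\.1'; then
        echo "resolv.conf lists 127.0.0.1 instead of the dhcpcd.conf nameserver"
        found=1
    fi
    return "$found"
}

# Audit the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_unbound_resolvconf ""
fi
```

The state of unbound-resolvconf.service is not covered here; check it with the service command shown above.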
