DNSMASQ_WARN reducing DNS packet size

Thanks, the theory is clear,

But I still have 2 questions,

  1. Can't this become a configuration in the "Upstream DNS Servers" part, where the preconfigured servers have the default values as mentioned above?
  2. Where can I see that DNS packet? I'm interested to know which request exceeds the maximum packet size.
2 Likes

You should find this in /var/log/pihole.log

1 Like

OK - your post convinced me to donate! I'm tech-able enough to make use of Pi-Hole and I love it.....so THANKS TO THE DEVELOPERS...ALL 3 OF YOU WHO MAINTAIN IT. The sinkholing of ads alone is worth it.

(Sorry...had to shout that out!!)

I have this same error, and with any luck, will manage to make 'em disappear following the instructions...not that I particularly care as they're really just "information".

3 Likes

It seems strange with the low packet size.. so what happens when you resolve DNSSEC? The standard for that is 4096.

/Frank

You'll retry over TCP where no limit exists (packets can be arbitrarily fragmented).

Just came across this as I updated my pi-hole and am now getting flooded with these alerts .
They are to the Cloudflare and Google DNS servers 1.1.1.1, 8.8.8.8, and 1.0.0.1 that I have set in PiHole.

What I don't understand is if you know what the maximum packet size to these addresses are, and we have those DNS servers specified in pihole, why in the world is it trying to send anything larger than the maximum packet size to start with let alone adding Warnings, like there is a serious issue, when it reduces the size to 1280?

Especially infuriating as there is a non-stop bouncing alert for something that is apparently 'normal' and no way to $#@%#$% select all and clear this list of what quickly becomes hundreds of items.

1 Like

There very much is an easy way to clear the items:
hit the trashcan from the bottom up.

Or...
You know...
Follow the thread and copy/paste?

Do you need help opening a terminal and creating the 99-edns.cfg file and how to navigate to it and edit it?

Having to hit the trash can on every single entry for what is looking to be around 500 entries a day, every day, is not reasonable nor is having to go to a config file to address something that should not be reported and should have a two click delete option as is standard with any UI with possibility for multiple times.
You need help understanding what usability is and perhaps how to be useful instead of patronizing.

And you obviously didn't bother to read the other posts that highlighted why that is not ideal and can potentially affect performance.
I didn't address my question to you, and you didn't even attempt to answer the question I asked (again, not to you). Your comments continue to be useless and patronizing.

And you did not read that it is somewhere in the configuration of your network that is causing the problem.

That it has always reduced the packet size, it just did not alert you before.

You can use Unbound, dive into your router; many reasons were given why it is not ideal but the microseconds your home network experiences is not a major issue.

And actually, you replied to a reply to me, practically asking the same question and, somehow, did not understand how much work went into a detailed answer.

Now, do you want the help or not?

My reply was expressly to DL6ER, not you.

The question I asked was "What I don't understand is if you know what the maximum packet size to these addresses are, and we have those DNS servers specified in pihole, why in the world is it trying to send anything larger than the maximum packet size to start with let alone adding Warnings, like there is a serious issue, when it reduces the size to 1280?"

You didn't answer this nor did you provide any useful information. So no, I did not request, nor do I desire another useless, edgelord response from you.

Because they did not know the packet size for each one until they spent the time, one packet by one, to find it out.
They spelled that out.
I DID answer the question and so did they. I am far from trying to get attention, or insult you.
Honestly, it seems like you are demanding it and insulting.

He did it in this thread, for us on 12-21.
Just make the .cfg and type.

Or,
Go choose a DNS with a packet size lower than 1280. That is the simplest answer. And who knows when a DNS will, arbitrarily, change the packet size.

You know he has a day job?

OFFS!

"Does your Pi-hole show individual clients in the Query Log or only your router? Also, this may still be true as your router may be truncating the responses because of a low MTU. I don't think it's possible to give a general recommendation for all types of networks. Setting it to 1232 (not 1280) will always work. This is the default dnsmasq will have as a lower bound in the next release."

They flat out say they are working on it...

Now I'm annoyed. >:(

Moderator here.

Enough. Both of you knock off the bashing, as this helps nobody.

2 Likes

Try

sudo pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "Delete from message;"


If you see this warning, reducing the packet size will actually increase your performance.

2 Likes

OP here, was there a change pushed? because I just got the following errors, even though I changed the file that should fix the issue.

Maybe it's a coincidence and your upstream reduced just now to 1232. As you reduced to 1280 it's still larger than 1232.

So what has changed? Was this changed on their end?

I just tried it and can confirm (at least for 9.9.9.9) that they changed it to 1232. I have no idea why you got it also for the other two, while I see

1.1.1.3 -> 1452
1.0.0.3 -> 1452
9.9.9.9 -> 1232

Maybe you should just change the config to

edns-packet-max=1232
3 Likes
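To make the numbers in this thread concrete, here is a small added example (not code from the thread, from Pi-hole or from dnsmasq): it builds a DNS query whose EDNS(0) OPT record advertises our receive buffer, and parses a reply to read back the UDP payload size the upstream advertises in its own OPT record, which is the value dnsmasq compares against before it logs "reducing DNS packet size". The upstream replies are constructed fixtures that use the sizes quoted in the post above (1452 for 1.1.1.3 and 1.0.0.3, 1232 for 9.9.9.9); `safe_edns_packet_max` is a hypothetical helper that simply takes the smallest advertised size, matching the advice to set `edns-packet-max=1232`.

```python
"""Minimal EDNS(0) helper: advertise a UDP buffer size in a query and read the
size an upstream advertises back (the number behind the dnsmasq warning)."""
import struct

OPT_TYPE = 41      # RFC 6891 OPT pseudo-RR type
DO_BIT = 0x8000    # "DNSSEC OK" flag, carried in the OPT TTL field
FLAG_QR = 0x8000   # header flag: this message is a response
FLAG_TC = 0x0200   # header flag: truncated, client should retry over TCP


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def opt_record(udp_size: int, dnssec: bool) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = sender's UDP payload size, TTL = flags, no RDATA."""
    ttl = DO_BIT if dnssec else 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def build_query(qname: str, udp_size: int = 1232, dnssec: bool = True, txid: int = 0x1234) -> bytes:
    """A-record query with one additional OPT RR advertising our receive buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    return header + question + opt_record(udp_size, dnssec)


def build_response(query: bytes, upstream_udp_size: int, truncated: bool = False) -> bytes:
    """Constructed upstream reply (test fixture, not a real server): echoes the question,
    answers with the documentation address 192.0.2.1 and advertises its own UDP size."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | 0x0100 | 0x0080 | (FLAG_TC if truncated else 0)   # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer + opt_record(upstream_udp_size, True)


def parse_response(msg: bytes) -> dict:
    """Walk every section and extract what matters for the packet-size warning."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    advertised = None
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            advertised = rclass                          # CLASS of OPT = UDP payload size
    return {"id": txid, "truncated": bool(flags & FLAG_TC),
            "udp_size": advertised, "wire_length": len(msg)}


def safe_edns_packet_max(advertised_sizes: dict) -> int:
    """One edns-packet-max that every listed upstream accepts: the smallest advertised size."""
    return min(advertised_sizes.values())


if __name__ == "__main__":
    upstreams = {"1.1.1.3": 1452, "1.0.0.3": 1452, "9.9.9.9": 1232}   # sizes quoted in the thread
    q = build_query("example.com")
    for server, size in upstreams.items():
        print(server, parse_response(build_response(q, size)))
    print("edns-packet-max=%d" % safe_edns_packet_max(upstreams))
```

Run as-is it only uses the constructed replies; to probe a real upstream you would send `build_query(...)` over UDP port 53 and feed the raw reply to `parse_response`, which also reports the TC bit that triggers the TCP retry mentioned earlier in the thread.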

The Cloudflare manual mentions this:

we end up with a maximum DNS message size of 1472 bytes for IPv4 and 1232 bytes in order for a message to fit within a single packet. If the message is any larger than that, it will have to be fragmented into more packets.
source: https://blog.cloudflare.com/dns-flag-day-2020/

Not sure if this has something to do with the probe and the actual size, but I still get the error if I don't bring it down to 1232. So maybe fragmentation is not supported?
Not sure if this also affects other DNS servers this way.
Also I'm not sure why DNS packets should be any larger than this.

3 Likes

Just putting this here in case it saves someone else a few mins...
I had about 1 of these warnings show up in my logs on average every couple of hours. Not alarming, but I wanted to investigate and this thread has been excellent, so my thanks to everyone!

In my particular case, I am using dnscrypt-proxy for an upstream provider, and these dnsmasq warnings only show up when I enable DNSSEC. Using this discussion here I came across this:

...which, if I summarize correctly, means that dnscrypt-proxy currently hard codes a limit of 1252 on EDNS packets. So the magic number to put in the dnsmasq configs is there if needed.

1 Like