Hello,
my server does not resolve any internal domain requests (e.g. apt-get update), only external ones.
Fehl:1 http://security.debian.org stretch/updates InRelease
Temporärer Fehlschlag beim Auflösen von »security.debian.org«
Fehl:2 Index of /debian stretch InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Fehl:3 Index of /debian stretch-updates InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Paketlisten werden gelesen... Fertig
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Fehlschlag beim Holen von http://security.debian.org/dists/stretch/updates/InRelease Temporärer Fehlschlag beim Auflösen von »security.debian.org«
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch-updates/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.
Any idea about this?
The debug token cannot be uploaded (error while uploading).
; <<>> DiG 9.10.3-P4-Debian <<>> deb.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15375
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deb.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
; <<>> DiG 9.10.3-P4-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19314
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
Resolution only works when I change the nameserver from 127.0.0.1 to e.g. 9.9.9.9 via sudo nano /etc/resolv.conf, which of course gets changed back after a reboot.
Were the dig commands run after changing the nameserver or while the nameserver was set to 127.0.0.1? It appears that the digs went to Pi-Hole for resolution, so this does not appear to be the case.
The dig commands properly resolved both addresses.
Edit - I missed this on first look. They did not return the correct addresses for the requested domains, but returned the addresses of the .org name servers.
Your debug log shows that Pi-Hole is functioning correctly:
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] bob537.web3000.com is 92.60.37.79 via localhost (127.0.0.1)
[✓] bob537.web3000.com is 92.60.37.79 via Pi-hole (92.60.37.79)
[✓] doubleclick.com is 172.217.22.78 via a remote, public DNS server (8.8.8.8)
[2019-03-05 01:02:58.714 11763] Imported 18810 queries from the long-term database
[2019-03-05 01:02:58.714 11763] -> Total DNS queries: 18810
[2019-03-05 01:02:58.714 11763] -> Cached DNS queries: 861
[2019-03-05 01:02:58.714 11763] -> Forwarded DNS queries: 17512
[2019-03-05 01:02:58.714 11763] -> Exactly blocked DNS queries: 433
[2019-03-05 01:02:58.714 11763] -> Unknown DNS queries: 4
[2019-03-05 01:02:58.714 11763] -> Unique domains: 758
[2019-03-05 01:02:58.714 11763] -> Unique clients: 10
[2019-03-05 01:02:58.714 11763] -> Known forward destinations: 7
I don't get it.
Nameserver changed to 127.0.0.1
apt-get update shows this:
Fehl:1 http://security.debian.org stretch/updates InRelease
Temporärer Fehlschlag beim Auflösen von »security.debian.org«
Fehl:2 Index of /debian stretch InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Fehl:3 Index of /debian stretch-updates InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Paketlisten werden gelesen... Fertig
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Fehlschlag beim Holen von http://security.debian.org/dists/stretch/updates/InRelease Temporärer Fehlschlag beim Auflösen von »security.debian.org«
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch-updates/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.
Nameserver changed to 9.9.9.9
apt-get update shows this:
Nameserver changed to 193.0.14.129 (which is also my upstream provider and one of the master root nameservers -> k.root-servers.net)
apt-get update shows this:
Ign:1 http://security.debian.org stretch/updates InRelease
Ign:2 Index of /debian stretch InRelease
Fehl:3 http://security.debian.org stretch/updates Release
Beim Auflösen von »security.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Ign:4 Index of /debian stretch-updates InRelease
Fehl:5 Index of /debian stretch Release
Beim Auflösen von »deb.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Fehl:6 Index of /debian stretch-updates Release
Beim Auflösen von »deb.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Paketlisten werden gelesen... Fertig
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'Index of /debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'Index of /debian stretch-updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
All of the above-mentioned nameservers are supporting DNSSEC.
Must be a problem with the upstream providers.
If I'm changing them back to dns.watch, everything is working fine, also with sudo nano /etc/resolv.conf set to 127.0.0.1.
Any ideas why this is happening?
I was mistaken in my earlier reply where I said the digs were returning correctly. They were not.
Why are you using the root servers for your upstream DNS? This is not a recursive DNS resolver; it is only able to tell you the domain name servers for the TLDs - .com, .org, etc... From there, a recursive resolver will in turn query the domain servers in descending order to find out the IP of the domain requested. Good description here:
dig security.debian.org to a recursive resolver shows:
dig security.debian.org
; <<>> DiG 9.10.3-P4-Raspbian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42155
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;security.debian.org. IN A
;; ANSWER SECTION:
security.debian.org. 3600 IN A 128.61.240.73
security.debian.org. 3600 IN A 149.20.4.14
security.debian.org. 3600 IN A 128.31.0.63
;; AUTHORITY SECTION:
security.debian.org. 28800 IN NS geo2.debian.org.
security.debian.org. 28800 IN NS geo3.debian.org.
security.debian.org. 28800 IN NS geo1.debian.org.
;; Query time: 633 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 04 18:57:04 CST 2019
;; MSG SIZE rcvd: 153
Same dig to the k root server shows a completely different answer; because the root server cannot resolve the entire domain name, it can only provide the addresses of the .org domain name servers, which are the IP addresses returned:
dig security.debian.org @192.36.148.17
; <<>> DiG 9.10.3-P4-Raspbian <<>> security.debian.org @192.36.148.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33425
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
;; Query time: 71 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Mon Mar 04 18:53:20 CST 2019
;; MSG SIZE rcvd: 450
So, get rid of any root servers as upstream resolvers. You must use recursive resolvers, not authoritative name servers.
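
The difference between the two dig replies above can be checked mechanically. The following is an added example, not part of the original thread: it reads the header lines of a dig reply and reports whether the server answered, or only delegated without offering recursion. The function names are hypothetical; the sample headers are copied from the dig output quoted in this thread.

```python
import re

# Header lines copied from the two dig replies quoted in this thread.
ROOT_SERVER_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33425
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
"""
RECURSIVE_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42155
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: (?P<status>\w+)")
FLAGS_RE = re.compile(
    r"flags: (?P<flags>[a-z ]*);.*?"
    r"ANSWER: (?P<answer>\d+), AUTHORITY: (?P<authority>\d+)"
)


def classify_dig_reply(text):
    """Return 'answer', 'referral', 'no-data' or 'error' for one dig reply."""
    status = STATUS_RE.search(text)
    counts = FLAGS_RE.search(text)
    if not status or not counts:
        raise ValueError("no dig header found in input")
    if status["status"] != "NOERROR":
        return "error"
    if int(counts["answer"]) > 0:
        return "answer"
    flags = counts["flags"].split()
    # NOERROR with zero answers, no 'ra' flag and NS records in AUTHORITY:
    # the server only pointed at the next zone's name servers.
    if "ra" not in flags and int(counts["authority"]) > 0:
        return "referral"
    return "no-data"


def usable_as_upstream(text):
    """A forwarder needs an upstream that sets the 'ra' (recursion available) flag."""
    counts = FLAGS_RE.search(text)
    return counts is not None and "ra" in counts["flags"].split()


if __name__ == "__main__":
    for name, reply in (("root server", ROOT_SERVER_REPLY),
                        ("recursive resolver", RECURSIVE_REPLY)):
        print(name, classify_dig_reply(reply), usable_as_upstream(reply))
```

A reply classified as `referral` means the queried server is authoritative-only for that path and cannot serve as a forwarder's upstream.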