Domains cannot be resolved

Hello,
my server does not resolve internal domain requests (e.g. apt-get update), only external ones.

Fehl:1 http://security.debian.org stretch/updates InRelease
Temporärer Fehlschlag beim Auflösen von »security.debian.org«
Fehl:2 http://deb.debian.org/debian stretch InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Fehl:3 http://deb.debian.org/debian stretch-updates InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Paketlisten werden gelesen... Fertig
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Fehlschlag beim Holen von http://security.debian.org/dists/stretch/updates/InRelease Temporärer Fehlschlag beim Auflösen von »security.debian.org«
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch-updates/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.

Any ideas?
The debug token cannot be uploaded (error while uploading).

Regards

Output of dig deb.debian.org and dig security.debian.org?

dig debian.org

; <<>> DiG 9.10.3-P4-Debian <<>> deb.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15375
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deb.debian.org. IN A

;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 3 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Tue Mar 05 00:50:16 CET 2019
;; MSG SIZE rcvd: 445

dig security.debian.org

; <<>> DiG 9.10.3-P4-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19314
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org. IN A

;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 3 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Tue Mar 05 00:51:46 CET 2019
;; MSG SIZE rcvd: 450

regards

Resolution only works if I change the nameserver from 127.0.0.1 to e.g. 9.9.9.9 using sudo nano /etc/resolv.conf, which of course is changed back again after a reboot.

Were the dig commands run after changing the nameserver or while the nameserver was set to 127.0.0.1? It appears that the digs went to Pi-Hole for resolution, so this does not appear to be the case.

The dig commands properly resolved both addresses.

Edit - I missed this on first look. They did not return the correct addresses for the requested domains, but returned the addresses of the .org name servers.

While the nameserver was set to 127.0.0.1.
Debug log AFTER I changed to 9.9.9.9:
https://tricorder.pi-hole.net/nagfzljbcm

Your debug log shows that Pi-Hole is functioning correctly:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] bob537.web3000.com is 92.60.37.79 via localhost (127.0.0.1)
[✓] bob537.web3000.com is 92.60.37.79 via Pi-hole (92.60.37.79)
[✓] doubleclick.com is 172.217.22.78 via a remote, public DNS server (8.8.8.8)

   [2019-03-05 01:02:58.714 11763] Imported 18810 queries from the long-term database
   [2019-03-05 01:02:58.714 11763]  -> Total DNS queries: 18810
   [2019-03-05 01:02:58.714 11763]  -> Cached DNS queries: 861
   [2019-03-05 01:02:58.714 11763]  -> Forwarded DNS queries: 17512
   [2019-03-05 01:02:58.714 11763]  -> Exactly blocked DNS queries: 433
   [2019-03-05 01:02:58.714 11763]  -> Unknown DNS queries: 4
   [2019-03-05 01:02:58.714 11763]  -> Unique domains: 758
   [2019-03-05 01:02:58.714 11763]  -> Unique clients: 10
   [2019-03-05 01:02:58.714 11763]  -> Known forward destinations: 7

I don't get it.
Nameserver changed to 127.0.0.1
apt-get update shows this:

Fehl:1 http://security.debian.org stretch/updates InRelease
Temporärer Fehlschlag beim Auflösen von »security.debian.org«
Fehl:2 http://deb.debian.org/debian stretch InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Fehl:3 http://deb.debian.org/debian stretch-updates InRelease
Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
Paketlisten werden gelesen... Fertig
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Fehlschlag beim Holen von http://security.debian.org/dists/stretch/updates/InRelease Temporärer Fehlschlag beim Auflösen von »security.debian.org«
W: Fehlschlag beim Holen von http://deb.debian.org/debian/dists/stretch-updates/InRelease Temporärer Fehlschlag beim Auflösen von »deb.debian.org«
W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.

Nameserver changed to 9.9.9.9
apt-get update shows this:

OK:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
OK:3 http://deb.debian.org/debian stretch-updates InRelease
OK:4 http://deb.debian.org/debian stretch Release
Paketlisten werden gelesen... Fertig

Nameserver changed to 193.0.14.129 (which is also my upstream provider and one of the master root nameservers -> k.root-servers.net)
apt-get update shows this:

Ign:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Fehl:3 http://security.debian.org stretch/updates Release
Beim Auflösen von »security.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Ign:4 http://deb.debian.org/debian stretch-updates InRelease
Fehl:5 http://deb.debian.org/debian stretch Release
Beim Auflösen von »deb.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Fehl:6 http://deb.debian.org/debian stretch-updates Release
Beim Auflösen von »deb.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Paketlisten werden gelesen... Fertig
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://deb.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://deb.debian.org/debian stretch-updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

All of the above-mentioned nameservers support DNSSEC.

regards

Must be a problem with the upstream providers.
If I'm changing them back to dns.watch, everything is working fine, also with sudo nano /etc/resolv.conf set to 127.0.0.1.
Any ideas why this is happening?

I was mistaken in my earlier reply where I said the digs were returning correctly. They were not.

Why are you using the root servers for your upstream DNS? This is not a recursive DNS resolver; it is only able to tell you the domain name servers for the TLDs - .com, .org, etc... From there, a recursive resolver will in turn query the domain servers in descending order to find out the IP of the domain requested. Good description here:

https://docs.pi-hole.net/guides/unbound/

dig security.debian.org to a recursive resolver shows:

dig security.debian.org

; <<>> DiG 9.10.3-P4-Raspbian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42155
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;security.debian.org.		IN	A

;; ANSWER SECTION:
security.debian.org.	3600	IN	A	128.61.240.73
security.debian.org.	3600	IN	A	149.20.4.14
security.debian.org.	3600	IN	A	128.31.0.63

;; AUTHORITY SECTION:
security.debian.org.	28800	IN	NS	geo2.debian.org.
security.debian.org.	28800	IN	NS	geo3.debian.org.
security.debian.org.	28800	IN	NS	geo1.debian.org.

;; Query time: 633 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 04 18:57:04 CST 2019
;; MSG SIZE  rcvd: 153

Same dig to the k root server shows a completely different answer; because the root server cannot resolve the entire domain name, it can only provide the addresses of the .org domain name servers, which are the IP addresses returned.

dig security.debian.org @192.36.148.17

; <<>> DiG 9.10.3-P4-Raspbian <<>> security.debian.org @192.36.148.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33425
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org.		IN	A

;; AUTHORITY SECTION:
org.			172800	IN	NS	c0.org.afilias-nst.info.
org.			172800	IN	NS	a2.org.afilias-nst.info.
org.			172800	IN	NS	b2.org.afilias-nst.org.
org.			172800	IN	NS	d0.org.afilias-nst.org.
org.			172800	IN	NS	b0.org.afilias-nst.org.
org.			172800	IN	NS	a0.org.afilias-nst.info.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800	IN	A	199.19.56.1
a0.org.afilias-nst.info. 172800	IN	AAAA	2001:500:e::1
a2.org.afilias-nst.info. 172800	IN	A	199.249.112.1
a2.org.afilias-nst.info. 172800	IN	AAAA	2001:500:40::1
b0.org.afilias-nst.org.	172800	IN	A	199.19.54.1
b0.org.afilias-nst.org.	172800	IN	AAAA	2001:500:c::1
b2.org.afilias-nst.org.	172800	IN	A	199.249.120.1
b2.org.afilias-nst.org.	172800	IN	AAAA	2001:500:48::1
c0.org.afilias-nst.info. 172800	IN	A	199.19.53.1
c0.org.afilias-nst.info. 172800	IN	AAAA	2001:500:b::1
d0.org.afilias-nst.org.	172800	IN	A	199.19.57.1
d0.org.afilias-nst.org.	172800	IN	AAAA	2001:500:f::1

;; Query time: 71 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Mon Mar 04 18:53:20 CST 2019
;; MSG SIZE  rcvd: 450

So, get rid of any root servers as upstream resolvers. You must use recursive resolvers, not authoritative name servers.
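The difference between the two dig outputs above is carried in the DNS header: the root server's reply has no `ra` flag and ANSWER: 0, while the recursive resolver's reply has `ra` set and answers present. The following is an added example, not part of the original thread or of Pi-hole's code, that classifies a reply from its header so a candidate upstream can be checked before it is configured; the function names are hypothetical and the two sample headers are constructed from the id, flags and counts shown in the dig output.

```python
import secrets
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid):
    """Build an A/IN query with RD (recursion desired) set, as dig does."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Classify a DNS response using only its 12-byte header."""
    if len(response) < 12:
        return "malformed"
    _qid, flags, _qd, an, ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & QR:
        return "malformed"  # QR clear: this is a query, not a response
    rcode = flags & 0x000F
    if rcode != 0:
        return "error rcode=%d" % rcode
    if not flags & RA:
        # dig prints "recursion requested but not available" for this case
        return "referral-only" if an == 0 and ns > 0 else "non-recursive"
    return "recursive-answer" if an > 0 else "recursive-nodata"

def check_upstream(server, name="security.debian.org", timeout=3.0):
    """Send one UDP query to `server` and classify the reply (needs network)."""
    qid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    if len(data) < 2 or struct.unpack("!H", data[:2])[0] != qid:
        return "malformed"  # reply does not match our query id
    return classify(data)

# Constructed sample headers, built from the dig header lines in the thread:
# root server: "flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13"
ROOT_REPLY = struct.pack("!6H", 33425, QR | RD, 1, 0, 6, 13)
# resolver: "flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1"
RESOLVER_REPLY = struct.pack("!6H", 42155, QR | RD | RA, 1, 3, 3, 1)

if __name__ == "__main__":
    print(classify(ROOT_REPLY), classify(RESOLVER_REPLY))
```

An upstream that comes back as `referral-only` is an authoritative or root server and will leave clients such as apt without addresses, which matches the failures shown earlier in the thread.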

Thank you very much.
I found out today on my own too; I was too sleepy yesterday.
Thanks @jfb
