; <<>> DiG 9.10.3-P4-Debian <<>> deb.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15375
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deb.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
; <<>> DiG 9.10.3-P4-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19314
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
The resolution only works if I use sudo nano /etc/resolv.conf to change the nameserver from 127.0.0.1 to, for example, 9.9.9.9, which of course gets changed back after a reboot.
Were the dig commands run after changing the nameserver or while the nameserver was set to 127.0.0.1? It appears that the digs went to Pi-Hole for resolution, so this does not appear to be the case.
The dig commands properly resolved both addresses.
Edit - I missed this on first look. They did not return the correct addresses for the requested domains, but returned the addresses of the .org name servers.
Your debug log shows that Pi-Hole is functioning correctly:
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] bob537.web3000.com is 92.60.37.79 via localhost (127.0.0.1)
[✓] bob537.web3000.com is 92.60.37.79 via Pi-hole (92.60.37.79)
[✓] doubleclick.com is 172.217.22.78 via a remote, public DNS server (8.8.8.8)
[2019-03-05 01:02:58.714 11763] Imported 18810 queries from the long-term database
[2019-03-05 01:02:58.714 11763] -> Total DNS queries: 18810
[2019-03-05 01:02:58.714 11763] -> Cached DNS queries: 861
[2019-03-05 01:02:58.714 11763] -> Forwarded DNS queries: 17512
[2019-03-05 01:02:58.714 11763] -> Exactly blocked DNS queries: 433
[2019-03-05 01:02:58.714 11763] -> Unknown DNS queries: 4
[2019-03-05 01:02:58.714 11763] -> Unique domains: 758
[2019-03-05 01:02:58.714 11763] -> Unique clients: 10
[2019-03-05 01:02:58.714 11763] -> Known forward destinations: 7
Nameserver changed to 193.0.14.129 (which is also my upstream provider and one of the master root nameservers -> k.root-servers.net)
apt-get update shows this:
Ign:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Fehl:3 http://security.debian.org stretch/updates Release
Beim Auflösen von »security.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Ign:4 http://deb.debian.org/debian stretch-updates InRelease
Fehl:5 http://deb.debian.org/debian stretch Release
Beim Auflösen von »deb.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Fehl:6 http://deb.debian.org/debian stretch-updates Release
Beim Auflösen von »deb.debian.org:http« ist etwas Schlimmes passiert (-5 - Zu diesem Hostnamen gehört keine Adresse).
Paketlisten werden gelesen... Fertig
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://deb.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://deb.debian.org/debian stretch-updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
All of the above mentioned nameservers are supporting DNSSEC.
Must be a problem with the upstream providers.
If I'm changing them back to dns.watch, everything is working fine, also with sudo nano /etc/resolv.conf set to 127.0.0.1.
Any ideas why this is happening?
I was mistaken in my earlier reply where I said the digs were returning correctly. They were not.
Why are you using the root servers for your upstream DNS? This is not a recursive DNS resolver; it is only able to tell you the domain name servers for the TLDs - .com, .org, etc... From there, a recursive resolver will in turn query the domain servers in descending order to find out the IP of the domain requested. Good description here:
dig security.debian.org to a recursive resolver shows:
dig security.debian.org
; <<>> DiG 9.10.3-P4-Raspbian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42155
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;security.debian.org. IN A
;; ANSWER SECTION:
security.debian.org. 3600 IN A 128.61.240.73
security.debian.org. 3600 IN A 149.20.4.14
security.debian.org. 3600 IN A 128.31.0.63
;; AUTHORITY SECTION:
security.debian.org. 28800 IN NS geo2.debian.org.
security.debian.org. 28800 IN NS geo3.debian.org.
security.debian.org. 28800 IN NS geo1.debian.org.
;; Query time: 633 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 04 18:57:04 CST 2019
;; MSG SIZE rcvd: 153
Same dig to the k root server shows a completely different answer; because the root server cannot resolve the entire domain name, it can only provide the addresses of the .org domain name servers, which are the IP addresses returned:
dig security.debian.org @192.36.148.17
; <<>> DiG 9.10.3-P4-Raspbian <<>> security.debian.org @192.36.148.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33425
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
;; Query time: 71 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Mon Mar 04 18:53:20 CST 2019
;; MSG SIZE rcvd: 450
So, get rid of any root servers as upstream resolvers. You must use recursive resolvers, not authoritative name servers.
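Added example, not part of the thread: a small Python check that reads dig output and tells a referral from a non-recursive server (no `ra` flag, ANSWER: 0, NS records for a parent zone) apart from a recursive answer. The name `classify_dig` and the sample strings are illustrative; the samples are abridged from the dig outputs quoted above.

```python
import re

# Header line printed by dig, e.g. ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ..."
HEADER = re.compile(r"flags:\s*([a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+),\s*AUTHORITY:\s*(\d+)")

def classify_dig(output):
    """Classify one dig reply as 'answer', 'referral' or 'other'."""
    m = HEADER.search(output)
    if m is None:
        raise ValueError("no dig header line found")
    flags = set(m.group(1).split())
    answers, authority = int(m.group(2)), int(m.group(3))
    zones, section = set(), None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]      # QUESTION / ANSWER / AUTHORITY / ...
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[3] == "NS":
                zones.add(fields[0])           # owner name = zone being delegated
    # Referral: server cannot recurse and only points at the next zone's name servers.
    referral = "ra" not in flags and answers == 0 and authority > 0 and bool(zones)
    verdict = "referral" if referral else "answer" if answers > 0 else "other"
    return {"verdict": verdict, "recursion_available": "ra" in flags, "zones": sorted(zones)}

# Sample input, abridged from the two dig outputs quoted in this thread.
ROOT_REPLY = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;security.debian.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
;; ADDITIONAL SECTION:
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
"""
RECURSIVE_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
;; ANSWER SECTION:
security.debian.org. 3600 IN A 128.61.240.73
;; AUTHORITY SECTION:
security.debian.org. 28800 IN NS geo2.debian.org.
"""

if __name__ == "__main__":
    for name, text in (("root", ROOT_REPLY), ("recursive", RECURSIVE_REPLY)):
        print(name, classify_dig(text))
```

A "referral" verdict for the configured upstream means that server is authoritative-only and cannot be used as a Pi-hole upstream.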