After following the instructions for setting up unbound in the Pi-hole as All-Around DNS Solution guide, Facebook, WhatsApp Web, Messenger Kids, and Hulu don't resolve reliably: requests for those domains resolve on some devices but not others.
Expected Behaviour:
Consistently resolve facebook.com, web.whatsapp.com, Messenger Kids, Hulu domains through unbound for all devices connected to the local network. (Local network is set to use Pi-hole as DNS. Pi-hole is set to use unbound as a recursive resolver.)
Actual Behaviour:
Most domains resolve fine, but not Hulu, Facebook, and those used by Messenger Kids, WhatsApp Web, and WhatsApp Desktop.
When those domains fail to resolve, folks on the network see "Can't connect to this site" errors in web browsers and "Not connected to the Internet" errors in mobile and desktop apps making requests to unresolved domains.
Per guidance in other threads, I've run dig from the Pi-hole to gather further information on how requests are resolving from the Pi-hole upstream.
"Vanilla" dig
> $ dig web.whatsapp.com
>
> ; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> web.whatsapp.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61257
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;web.whatsapp.com. IN A
>
> ;; ANSWER SECTION:
> web.whatsapp.com. 3390 IN CNAME mmx-ds.cdn.whatsapp.net.
> mmx-ds.cdn.whatsapp.net. 60 IN A 31.13.71.49
>
> ;; Query time: 12 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Oct 08 23:51:01 EDT 2019
> ;; MSG SIZE rcvd: 98
dig via port 5353
> $ dig web.whatsapp.com -p5353
> ;; Warning: Message parser reports malformed message packet.
>
> ; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> web.whatsapp.com -p5353
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21112
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1472
> ;; QUESTION SECTION:
> ;web.whatsapp.com. IN A
>
> ;; ANSWER SECTION:
> web.whatsapp.com. 53 IN CNAME mmx-ds.cdn.whatsapp.net.
> mmx-ds.cdn.whatsapp.net. 28731 RESERVED0 A \# 4 1F0D4731
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#5353(127.0.0.1)
> ;; WHEN: Tue Oct 08 23:51:08 EDT 2019
> ;; MSG SIZE rcvd: 98
dig to @1.1.1.1
> $ dig web.whatsapp.com @1.1.1.1
>
> ; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> web.whatsapp.com @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49098
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;web.whatsapp.com. IN A
>
> ;; ANSWER SECTION:
> web.whatsapp.com. 49 IN CNAME mmx-ds.cdn.whatsapp.net.
> mmx-ds.cdn.whatsapp.net. 49 IN A 31.13.71.49
>
> ;; Query time: 1 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Tue Oct 08 23:51:12 EDT 2019
> ;; MSG SIZE rcvd: 87
Current workaround (doesn't solve WhatsApp problems)
Activating the two OpenDNS IPv4 servers in the settings appears to address the issues accessing Facebook, Messenger Kids, and Hulu. (I'm continuing to watch results for those sites to verify the fix sticks.) Issues accessing WhatsApp Web and WhatsApp Desktop persist.
I chose to add the OpenDNS servers because OpenDNS is marked as supporting ECS, though I assume that this setup doesn't run the ECS requests through unbound, based on this reference to unbound & ECS on Reddit. While that's how I'd prefer to set things up, I don't understand the information on configuring ECS in the unbound man pages well enough to try that approach.
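
The port-5353 answer in the post prints its A record as `RESERVED0 A \# 4 1F0D4731`, which is the RFC 3597 generic rdata form (`\# <length> <hex>`) rather than a dotted address. The following is an added example, not part of the original post: a small Python checker that scans dig answer lines, flags records whose class is not IN, and decodes generic A/AAAA rdata so it can be compared with the other answers. The function names and the embedded sample (copied from the two answer lines above) are this example's own.

```python
import ipaddress
import re

# Sample input: the two ANSWER lines from the port-5353 dig output in the post.
SAMPLE = """\
web.whatsapp.com. 53 IN CNAME mmx-ds.cdn.whatsapp.net.
mmx-ds.cdn.whatsapp.net. 28731 RESERVED0 A \\# 4 1F0D4731
"""

# RFC 3597 generic rdata: a literal backslash-hash, a byte count, then hex.
GENERIC_RDATA = re.compile(r"^\\#\s+(\d+)\s*((?:[0-9A-Fa-f]+\s*)*)$")

def decode_generic(rtype, rdata):
    # Return the decoded value for generic rdata, or None if rdata is in normal form.
    m = GENERIC_RDATA.match(rdata)
    if not m:
        return None
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != int(m.group(1)):
        raise ValueError("rdata length does not match its declared byte count")
    if rtype == "A" and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if rtype == "AAAA" and len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    return raw.hex()

def check_answers(text):
    # Return (name, type, decoded, problems) for each suspicious answer record.
    findings = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()      # tolerate quoted dig output
        if not line or line.startswith(";"):  # skip dig comments and headers
            continue
        parts = line.split(None, 4)           # name ttl class type rdata
        if len(parts) < 5 or not parts[1].isdigit():
            continue
        name, _ttl, rclass, rtype, rdata = parts
        decoded = decode_generic(rtype, rdata)
        problems = []
        if rclass != "IN":
            problems.append(f"class {rclass} is not IN")
        if decoded is not None:
            problems.append(f"generic rdata decodes to {decoded}")
        if problems:
            findings.append((name, rtype, decoded, problems))
    return findings

if __name__ == "__main__":
    for finding in check_answers(SAMPLE):
        print(finding)
```

On the sample, the hex `1F0D4731` decodes to the same address the port-53 and 1.1.1.1 answers return, so the address bytes are intact and the difference is in the class and TTL fields of that record.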