Please follow the below template, it will help us to help you!
If you are Experiencing issues with a Pi-hole install that has non-standard elements (e.g. you are using nginx instead of lighttpd, or there is some other aspect of your install that is customised) - please use the Community Help category.
Expected Behaviour:
RPi 4b & for things to work
Actual Behaviour:
pi@PiNet:~ $ pihole status
[✗] DNS service is NOT running
Debug Token:
[?] Would you like to upload the log? [y/N] y
* Using curl for transmission.
* curl failed, falling back to netcat for transmission.
nc: getaddrinfo for host "tricorder.pi-hole.net" port 9999: Temporary failure in name resolution
[✗] There was an error uploading your debug log.
- Please try again or contact the Pi-hole team for assistance.
- A local copy of the debug log can be found at: /var/log/pihole_debug.log
Absolutely fresh install on a Raspberry Pi 4b. Here's every step I took, even listing a few that aren't required, just for completeness' sake, and I have replicated these results numerous times, trying things in various orders. I have realized that a temporary fix would be to open /etc/resolv.conf and modify that, but that only works until a restart, and I don't think I should have to do that every single time.
Step 1: Use balenaEtcher to burn "retropie-buster-4.6-rpi2_rpi3.img.gz". (The latest lite version from www.raspberrypi.org)
Step 2: Unplug and replug USB to create file "ssh" on boot drive of MicroSD Card, eject and boot RPi.
Step 3: PuTTY into RPi and run sudo raspi-config and setup as necessary.
Step 4: Reboot with sudo shutdown -r now.
Step 5: run command curl https://download.argon40.com/argon1.sh | bash as I have an Argon ONE case for my RPi.
Step 6: run command argonone-config to set my preferences (I know, totally unrelated to the issues, but just covering all bases and step-by-step of install).
Step 7: run command(s) sudo apt install -y unattended-upgrades && sudo apt update && sudo apt -y dist-upgrade && sudo apt -y full-upgrade
this might very well be excessive and repetitive, but oh well, I figured better safe than sorry on a fresh install, and well, I'm still sorry.
Step 8: Reboot with sudo shutdown -r now.
Now here I've tried a couple of variations, including trying to install PiVPN first and whatnot, so I figured I'd try and install that after Pi-Hole this time around, doesn't matter though, the end result is always the same.
Step 9: execute command curl -sSL https://install.pi-hole.net | bash with the following options:
Interface: eth0
Upstream DNS Provider: Cloudflare
Third Party Lists: default
Protocols: Default
Static IP Address: 192.168.0.111/24 Gateway: 192.168.0.1
Web admin interface, web server, log queries and privacy mode for FTL; all default
now here, it'll say supported OS Detected throughout the scrolling (I mean, why wouldn't it, this is the OS straight from the website?! But, we'll come back to this)
Step 10: execute pihole -a -p, set my preferred password
Step 11: execute curl -L https://install.pivpn.io | bash to install PiVPN with the following options:
IPv4 address: 192.168.0.111/24
Gateway: 192.168.0.1
User: pi
Installation mode: OpenVPN (I don't know enough about WireGuard, but have used OpenVPN for awhile now)
Installation mode: default (Don't really care, just mainly looking to VPN for Pi-Hole from mobile devices)
Port: 3763 (picked at random, but used in the past without issue)
We have detected a Pi-hole installation, do you want to use it as the DNS server for the VPN, so you get ad blocking on the go?: Yes
Public IP or DNS: DDNS address
unattended upgrades: no, already installed
allowed to reboot the RPi
Step 12: execute sudo apt -y install unbound
Got error message:
Created symlink /etc/systemd/system/unbound.service.wants/unbound-resolvconf.service → /lib/systemd/system/unbound-resolvconf.service.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
invoke-rc.d: initscript unbound, action "start" failed.
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Thu 2020-07-30 17:32:11 MDT; 25ms ago
Docs: man:unbound(8)
Process: 1107 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 1113 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 1117 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
Main PID: 1117 (code=exited, status=1/FAILURE)
Processing triggers for systemd (241-7~deb10u4+rpi1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...
Step 13: Reboot with sudo shutdown -r now.
Step 14: Repeat Step 12: execute sudo apt -y install unbound again
Get message:
pi@PiNet:~ $ sudo apt -y install unbound
Reading package lists... Done
Building dependency tree
Reading state information... Done
unbound is already the newest version (1.9.0-2+deb10u2).
The following package was automatically installed and is no longer required:
rpi-eeprom-images
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Must be installed... Whatever, guess the failure message was unrelated before. But, just for fun, also ran:
pi@PiNet:~ $ sudo systemctl status unbound.service
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-07-30 17:34:38 MDT; 3min 20s ago
Docs: man:unbound(8)
Process: 1135 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 1138 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 1142 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
Main PID: 1142 (code=exited, status=1/FAILURE)
Jul 30 17:34:38 PiNet systemd[1]: unbound.service: Failed with result 'exit-code'.
Jul 30 17:34:38 PiNet systemd[1]: Failed to start Unbound DNS server.
Jul 30 17:34:38 PiNet systemd[1]: unbound.service: Service RestartSec=100ms expired, scheduling restart.
Jul 30 17:34:38 PiNet systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Jul 30 17:34:38 PiNet systemd[1]: Stopped Unbound DNS server.
Jul 30 17:34:38 PiNet systemd[1]: unbound.service: Start request repeated too quickly.
Jul 30 17:34:38 PiNet systemd[1]: unbound.service: Failed with result 'exit-code'.
Jul 30 17:34:38 PiNet systemd[1]: Failed to start Unbound DNS server.
Guess everything isn't quite as it seems, don't know what any of this means though
Step 15: do the following (2) commands: wget -O root.hints https://www.internic.net/domain/named.root & sudo mv root.hints /var/lib/unbound/
Step 16: Attempt to do sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf just to find out it's empty so I paste the following into it:
server:
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# Location of root.hints
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Ignore very large queries.
harden-large-queries: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
# If you want to disable DNSSEC, set harden-dnssec-stripped: no
harden-dnssec-stripped: yes
# Use Capitalization randomization
# This is an experimental resilience method which uses upper and lower case letters in the question hostname to obtain randomness.
# Two names with the same spelling but different case should be treated as identical.
# Attackers hoping to poison a DNS cache must guess the mixed-case encoding of the query.
# This increases the difficulty of such an attack significantly
use-caps-for-id: yes
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Rotates RRSet order in response (the pseudo-random
# number is taken from Ensure privacy of local IP
# ranges the query ID, for speed and thread safety).
# private-address: 192.168.0.0/16
rrset-roundrobin: yes
# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data anymore
cache-min-ttl: 300
cache-max-ttl: 86400
msg-cache-size: 128m
rrset-cache-size: 256m
# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.
serve-expired: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes
# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes
# Refuse id.server and hostname.bind queries
hide-identity: yes
# Report this identity rather than the hostname of the server.
identity: "Server"
# Refuse version.server and version.bind queries
hide-version: yes
# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no
# Number of bytes size of the aggressive negative cache.
neg-cache-size: 4M
# Send minimum amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# Deny queries of type ANY with an empty response.
# Works only on version 1.8 and above
# deny-any: yes
# Do not insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup
minimal-responses: yes
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
# This flag updates the cached domains
prefetch: yes
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for
# most users running on small networks or on a single machine, it should be unnecessary
# to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# more cache memory. rrset-cache-size should be twice what msg-cache-size is.
msg-cache-size: 50m
rrset-cache-size: 100m
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 4m
so-sndbuf: 4m
# Set the total number of unwanted replies to keep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 10000
# Enable ratelimiting of queries (per second) sent to nameserver for
# performing recursion. More queries are turned away with an error
# (servfail). This stops recursive floods (e.g., random query names), but
# not spoofed reflection floods. Cached responses are not rate limited by
# this setting. Experimental option.
ratelimit: 1000
# Minimize logs
# Do not print one line per query to the log
log-queries: no
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
logfile: /dev/null
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
Step 17: run the following two commands from a previous automatic Pi-Hole update script I've used before so I have port 80 available for an Apache server also running on the RPi (to be added later): sudo sed -i.bak 's/80/8134/1' /etc/lighttpd/lighttpd.conf & sudo sed -i.bak 's/cache-size=10000/cache-size=0/1' /etc/dnsmasq.d/01-pihole.conf
Step 18: Reboot with sudo shutdown -r now.
Step 19: execute pihole status
[✗] DNS service is NOT running
Step 20: execute pihole -d
[✓] ** FINISHED DEBUGGING! **
* The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
* For more information, see: https://pi-hole.net/2016/11/07/crack-our-medical-tricorder-win-a-raspberry-pi-3/
* If available, we'll use openssl to upload the log, otherwise it will fall back to netcat.
[?] Would you like to upload the log? [y/N] y
* Using curl for transmission.
* curl failed, falling back to netcat for transmission.
nc: getaddrinfo for host "tricorder.pi-hole.net" port 9999: Temporary failure in name resolution
[✗] There was an error uploading your debug log.
* Please try again or contact the Pi-hole team for assistance.
* A local copy of the debug log can be found at: /var/log/pihole_debug.log
These were the only things marked in red that I saw during the debug:
*** [ DIAGNOSING ]: Operating system (I said we'd come back to this, and here we are)
[✗] Distro: Raspbian
[✗] Error: Raspbian is not a supported distro (https://discourse.pi-hole.net/t/hardware-software-requirements/273)
*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
192.168.0.111/24 matches the IP found in /etc/pihole/setupVars.conf
[✓] IPv6 address(es) bound to the eth0 interface:
fe80::xxxx:xxxx:xxxx:xxxx does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)
^ Please note that you may have more than one IP address listed.
As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.
The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.
[i] Default IPv4 gateway: 192.168.0.1
* Pinging 192.168.0.1...
[✓] Gateway responded.
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✗] Failed to resolve www.dziennikuprowadzono.online via localhost (127.0.0.1)
[✗] Failed to resolve www.dziennikuprowadzono.online via Pi-hole (192.168.0.111)
[✓] doubleclick.com is 172.217.9.46 via a remote, public DNS server (8.8.8.8)
*** [ DIAGNOSING ]: Dashboard and block page
[✗] Block page X-Header: X-Header does not match or could not be retrieved.
[✗] Web interface X-Header: X-Header does not match or could not be retrieved.
I'm positive I just did something wrong or something and I got head firmly inserted somewhere it shouldn't be. But, if someone could please help me see the sunlight again, I'd be rather grateful.
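The configuration pasted in Step 16 sets msg-cache-size and rrset-cache-size twice with different values. The check below is an added example, not part of the original post and not a Pi-hole or unbound tool; it lists options that are repeated in an unbound config. The function names, the list of options treated as legitimately repeatable, and the shortened sample config (constructed from the post) are assumptions.

```shell
#!/bin/sh
# Added example: report options given more than once in an unbound config.
# Reads the config on stdin and prints one line per repeated option.
find_duplicate_options() {
    awk '
        BEGIN {
            # Assumption: options that may legitimately appear several times.
            n = split("interface private-address private-domain access-control local-zone local-data include", r, " ")
            for (i = 1; i <= n; i++) repeatable[r[i]] = 1
        }
        {
            sub(/#.*/, "")                  # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "")     # trim surrounding whitespace
        }
        $0 == "" { next }                   # blank or comment-only line
        /:$/     { next }                   # clause header such as "server:"
        {
            idx = index($0, ":")
            if (idx == 0) next
            key = substr($0, 1, idx - 1)
            val = substr($0, idx + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key in repeatable) next
            if (key in seen)
                printf "%s: line %d (%s) and line %d (%s)\n", key, seen[key], value[key], NR, val
            else { seen[key] = NR; value[key] = val }
        }
    '
}

# Constructed sample: a shortened excerpt of the config pasted in Step 16.
sample_conf() {
    cat <<'EOF'
server:
    port: 5335
    cache-min-ttl: 300
    msg-cache-size: 128m
    rrset-cache-size: 256m
    # private-address: 192.168.0.0/16
    num-threads: 1
    msg-cache-size: 50m
    rrset-cache-size: 100m
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
EOF
}

sample_conf | find_duplicate_options
```

To check the real file, run `find_duplicate_options < /etc/unbound/unbound.conf.d/pi-hole.conf`.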