I have set up a server with Pi-hole and Unbound and I am not using any external DNS resolvers like Cloudflare, etc.
It's been working fine for quite some time now, but I've run into problems with some specific websites.
I noticed this in Aliexpress and Docker Hub.
For example:
Digging hub.docker.com using Quad9 enabled in the DNS options section of pihole
$ dig @9.9.9.9 hub.docker.com
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @9.9.9.9 hub.docker.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: **NOERROR**, id: 10227
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hub.docker.com. IN A
;; ANSWER SECTION:
hub.docker.com. 300 IN CNAME elb-default.us-east-1.aws.dckr.io.
elb-default.us-east-1.aws.dckr.io. 60 IN CNAME prodextdefblue-1cc5ls33lft-b42d79a68e9f190c.elb.us-east-1.amazonaws.com.
prodextdefblue-1cc5ls33lft-b42d79a68e9f190c.elb.us-east-1.amazonaws.com. 60 IN A 18.210.197.188
prodextdefblue-1cc5ls33lft-b42d79a68e9f190c.elb.us-east-1.amazonaws.com. 60 IN A 18.206.20.10
prodextdefblue-1cc5ls33lft-b42d79a68e9f190c.elb.us-east-1.amazonaws.com. 60 IN A 3.228.146.75
;; Query time: 199 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Mon Oct 17 16:15:45 UTC 2022
;; MSG SIZE rcvd: 220
Now if I disable any external DNS and use Unbound upstream:
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
I cannot recreate your observation: hub.docker.com resolves correctly with my Pi-hole/unbound configuration.
Your debug log shows you are using Pi-hole's default BLOCKINGMODE, which would return 0.0.0.0 for blocked domains.
This indeed confirms that it is not Pi-hole providing that NXDOMAIN answer by blocking hub.docker.com or any of its CNAMEs.
This would suggest that Pi-hole is using the reply as provided by unbound.
You could check that by running your dig directly through unbound:
dig -p 5335 @127.0.0.1 hub.docker.com
Some observations from your debug log, unrelated to your issue
Pi-hole is a DNS filter - it allows or blocks domains, not IPs.
If you want to allow or block access to some or all of Aliexpress sites, you have to use the respective domain names.
You should remove that 104.112.149.216 entry via Pi-hole's Domain Management.
Thank you @Bucking_Horn for your extra tips.
Well, that's awkward, but hub.docker.com is now working. The only thing I changed was the multiple IPs in the resolv.conf file as you pointed out. Now it has just my pihole IP address.
But aliexpress still won't resolve, so I used:
dig -p 5335 @127.0.0.1 www.aliexpress.com
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> -p 5335 @127.0.0.1 www.aliexpress.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30555
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.aliexpress.com. IN A
;; ANSWER SECTION:
www.aliexpress.com. 100 IN CNAME global.aliexpress.com.
global.aliexpress.com. 49 IN CNAME global.aliexpress.com.gds.alibabadns.com.
;; AUTHORITY SECTION:
gds.alibabadns.com. 143 IN SOA gdsns1.alibabadns.com. none. 2018122017 1800 600 3600 360
;; Query time: 3 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Oct 18 23:19:18 UTC 2022
;; MSG SIZE rcvd: 166
OK, I can buy my Chinese stuff somewhere else, but I couldn't live without Docker Hub.
Update
This WhatsApp media server also gets an NXDOMAIN: 'media.fldb5-1.fna.whatsapp.net'.
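To see exactly where a chain like the one above dies, here is an added example (my own code, not from Pi-hole or unbound) that parses saved `dig` output, follows the CNAME chain and reports the last name reached, any addresses found for it, and the zone whose SOA sits in the AUTHORITY section of an NXDOMAIN answer. The embedded sample is the unbound answer for www.aliexpress.com quoted in this thread, trimmed to the lines the parser reads.

```python
import re

# Constructed sample: the unbound reply for www.aliexpress.com quoted in this
# thread, reduced to the header, question, answer and authority lines.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30555
;; QUESTION SECTION:
;www.aliexpress.com. IN A
;; ANSWER SECTION:
www.aliexpress.com. 100 IN CNAME global.aliexpress.com.
global.aliexpress.com. 49 IN CNAME global.aliexpress.com.gds.alibabadns.com.
;; AUTHORITY SECTION:
gds.alibabadns.com. 143 IN SOA gdsns1.alibabadns.com. none. 2018122017 1800 600 3600 360
"""

# One resource record line as dig prints it: name TTL IN TYPE RDATA
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def norm(name):
    """Lower-case a name and drop the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")

def parse_dig(text):
    """Return (status, records); records maps section -> [(name, type, rdata)]."""
    status, section, records = None, None, {"ANSWER": [], "AUTHORITY": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"status:\s*\**([A-Z]+)", line)  # tolerates **NOERROR**
        if m:
            status = m.group(1)
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        m = RR_RE.match(line)
        if m and section in records and not line.startswith(";"):
            name, _ttl, rtype, rdata = m.groups()
            records[section].append((norm(name), rtype, rdata))
    return status, records

def diagnose(qname, text):
    """Follow the CNAME chain from qname and report where the lookup ended."""
    status, records = parse_dig(text)
    cnames = {n: norm(r) for n, t, r in records["ANSWER"] if t == "CNAME"}
    cur, chain = norm(qname), [norm(qname)]
    while cur in cnames and cnames[cur] not in chain:  # also stops on a CNAME loop
        cur = cnames[cur]
        chain.append(cur)
    addrs = [r for n, t, r in records["ANSWER"] if n == cur and t in ("A", "AAAA")]
    soa_zone = next((n for n, t, _ in records["AUTHORITY"] if t == "SOA"), None)
    return {"status": status, "chain": chain, "final": cur, "addresses": addrs, "soa_zone": soa_zone}

if __name__ == "__main__":
    print(diagnose("www.aliexpress.com", SAMPLE))
```

Run it once on the output of `dig -p 5335 @127.0.0.1 <name>` and once on the same name against an external resolver; the point where the two chains diverge is the name to clear from unbound's cache and query again.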
That wouldn't affect your issue.
As mentioned, a resolv.conf search option expects a domain name (presumably as defined by your router) rather than an IP address. Your host machine will use that domain to append to DNS queries (e.g. a lookup for mylaptop would also request resolution of mylaptop.lan).
It might be interesting to take a domain that's giving this incorrect NXDOMAIN result and try it again after first clearing unbound's cache of all results relating to that domain. Eg for that whatsapp domain