Recently I discovered a rather interesting but also somewhat annoying issue with my pihole. Exactly one domain (odido.nl) is not resolving and that is the domain of my internet provider.
Expected Behaviour: When I type www.odido.nl or just odido.nl in my browser I expect to go to the website.
Pihole + Unbound is on my headless Pi4B with 8GB mem, installed from DietPi's menu. It is updated to the latest version, is the sole DNS in my network set in my router and its IP address is fixed. IPv6 is off (on the whole network, including my router). From HTOP: mem usage is 327M/7.680, load average is <= 0.15. I have no other noticeable (DNS) issues in my network, speed is a solid 100Mbit/100Mbit on fiber.
Actual Behaviour:
So, on any Windows PC (all wired) or Android device (wireless) on the network, this particular domain does not resolve.
Tested:
- change windows network adapter settings to a fixed DNS 1.1.1.1 or
- switch off WiFi and use mobile data on my Android device or
- use terminal on the Pi4B to ping the domain
all result in the domain being resolved and accessible.
However:
- manually adding the domain as an allowed domain in pihole or
- disable blocking from the web ui or
- use Windows terminal to ping or
- use a terminal on another Pi3B in my network to ping or nslookup
all result in the domain still not being resolved.
To me it's weird because if this domain was somewhere in a gravity list then disabling blocking would allow the domain to be resolved, but it isn't.
This is almost correct, but the domain resolution depends on the upstream DNS server.
You know 1.1.1.1 is correctly resolving the domain, but your Pi-hole is using a different upstream (Unbound).
From the Pi4B command line, what is the output of this command?
nslookup -port=5335 www.odido.nl 127.0.0.1
www.odido.nl's zone configuration seems faulty. Apparently, it is announcing support for a specific signing algorithm, but not supplying actual data:
Likely, that incorrect configuration results in unbound failing to validate signed DNS records for odido.nl via DNSSEC.
This has to be fixed by the domain's maintainer.
Thank you. This is the response to that
;; Got SERVFAIL reply from 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#5335
** server can't find www.odido.nl: SERVFAIL
but 'nslookup www.odido.nl' results in this:
Server: 37.143.84.228
Address: 37.143.84.228#53
Thank you. Not sure I understand that picture, way over my head I guess
If I understand correctly, this would affect all Odido customers who also use Unbound, right? With around 8 million customers I should be able to find others with the same issue then, I'll see if I can find any.
Is there any way to confirm or test that Unbound has problems with that faulty zone configuration, outside of my Pihole/Pi4B, or is that nslookup the only way?
As that domain belongs to your ISP, you could approach your ISP with the findings of DNSViz's DNSSEC validator, by including the link I've posted above, and ask them to address the errors it found.
Thank you. I will do that but first I'll try to find others with the same issue as I anticipate no (helpful) response from my provider if I'm the only one reporting this 
Which is hampered by the fact I can't reach their support pages as those are under that domain ....
So, I did find a forum thread with others who have that same issue starting back from April 17 2025, confirming that DNSViz report. There, solutions are provided with a change in unbound.conf: 'harden-algo-downgrade: no' that would effectively mean something like 'if alg 13 is okay then ignore alg 8'. And then the thread continues with lots more changes that I don't understand
I'll report this to my provider and link the forum post that shows it is actually an issue with them, with the zone configuration, and see if that resolves anything.
Edit: I found 1 other report of this at my provider from 29 days ago but no reply there, unfortunately. Sent a report myself as well. The Dutch forum thread that also provides a solution: https://gathering.tweakers.net/forum/list_messages/1844277?data[filter_keywords]=odido
I think this topic can be closed.
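
Added example, not part of any post in this thread: one way to confirm from the Pi that Unbound's SERVFAIL comes from DNSSEC validation is to send the same query twice with dig, the second time with the CD (checking disabled) bit set via `+cd`. The server 127.0.0.1 and port 5335 are the ones used in the thread; the function names and the two sample header lines are constructed for this example.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from other SERVFAILs
# by comparing a normal query with one that sets the CD (checking disabled) bit.

# Read dig output on stdin and print the RCODE from its header line.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = RCODE of the normal query, $2 = RCODE of the same query with +cd.
diagnose() {
    normal=$1
    cd_set=$2
    if [ "$normal" = "SERVFAIL" ] && [ "$cd_set" = "NOERROR" ]; then
        # The data is reachable; only validation rejects it.
        echo "dnssec-validation-failure"
    elif [ "$normal" = "SERVFAIL" ]; then
        # Still failing with validation bypassed: look elsewhere.
        echo "servfail-other-cause"
    elif [ "$normal" = "NOERROR" ]; then
        echo "resolves"
    else
        echo "other:$normal"
    fi
}

# Live check against a resolver (needs dig and a running resolver).
# Defaults match the Unbound instance queried in the thread.
check_resolver() {
    name=$1
    server=${2:-127.0.0.1}
    port=${3:-5335}
    normal=$(dig +tries=1 +time=5 @"$server" -p "$port" "$name" A | rcode_of)
    cd_set=$(dig +tries=1 +time=5 +cd @"$server" -p "$port" "$name" A | rcode_of)
    diagnose "$normal" "$cd_set"
}

# Constructed sample dig header lines, used to exercise the parser offline.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'
```

On the Pi, `check_resolver www.odido.nl` printing `dnssec-validation-failure` means Unbound can fetch the records but rejects them during validation, which matches the zone problem described above.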