One domain does not resolve on pihole

itsbhanusharma · February 18, 2019, 4:47pm

Please follow the below template, it will help us to help you!

Expected Behaviour:

My domain edmreleases.net does not resolve when using pi-hole

Actual Behaviour:

it should resolve

Debug Token:

87skybwxm9

Additional Context:
it was resolving fine initially and then it just stopped without a reason. It starts resolving again once I switch to another dns e.g. 1.1.1.1

Here are digs:

bhanu@DESKTOP-LJ6A4Q2:~$ dig edmreleases.net @192.168.10.49

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> edmreleases.net @192.168.10.49
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19700
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;edmreleases.net.               IN      A

;; Query time: 41 msec
;; SERVER: 192.168.10.49#53(192.168.10.49)
;; WHEN: Mon Feb 18 22:08:08 DST 2019
;; MSG SIZE  rcvd: 44

bhanu@DESKTOP-LJ6A4Q2:~$ dig edmreleases.net @1.1.1.1

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> edmreleases.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39423
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;edmreleases.net.               IN      A

;; ANSWER SECTION:
edmreleases.net.        293     IN      A       104.27.154.80
edmreleases.net.        293     IN      A       104.27.155.80

;; Query time: 25 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Feb 18 22:08:15 DST 2019
;; MSG SIZE  rcvd: 76

jfb · February 18, 2019, 4:49pm

Is this the only domain that does not resolve?

What is the activity in /var/log/pihole.log when you dig the domain and there is no reply?

itsbhanusharma · February 18, 2019, 4:54pm

That'd be my best guess since i've tried at least 100 most popular websites and all of them open fine. my other websites resolve just fine but this one does not.

Mostly irrelevant, here is a tail after digging on pihole directly

ubuntu@ubuntu:~$ dig edmreleases.net @127.0.0.1

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> edmreleases.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5138
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;edmreleases.net.               IN      A

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 18 16:53:01 UTC 2019
;; MSG SIZE  rcvd: 44

ubuntu@ubuntu:~$ tail /var/log/pihole.log
Feb 18 16:52:54 dnsmasq[1436]: /etc/pihole/gravity.list metrics.brightcove.com is 0.0.0.0
Feb 18 16:53:00 dnsmasq[1436]: query[AAAA] discourse.pi-hole.net from 192.168.10.237
Feb 18 16:53:00 dnsmasq[1436]: cached discourse.pi-hole.net is NODATA-IPv6
Feb 18 16:53:01 dnsmasq[1436]: query[A] edmreleases.net from 127.0.0.1
Feb 18 16:53:01 dnsmasq[1436]: forwarded edmreleases.net to 1.0.0.1
Feb 18 16:53:01 dnsmasq[1436]: validation edmreleases.net is BOGUS
Feb 18 16:53:01 dnsmasq[1436]: reply edmreleases.net is 104.27.154.80
Feb 18 16:53:01 dnsmasq[1436]: reply edmreleases.net is 104.27.155.80
Feb 18 16:53:04 dnsmasq[1436]: query[A] metrics.brightcove.com from 192.168.10.244
Feb 18 16:53:04 dnsmasq[1436]: /etc/pihole/gravity.list metrics.brightcove.com is 0.0.0.0

jfb · February 18, 2019, 4:56pm

itsbhanusharma:

Feb 18 16:53:01 dnsmasq[1436]: query[A] edmreleases.net from 127.0.0.1 
Feb 18 16:53:01 dnsmasq[1436]: forwarded edmreleases.net to 1.0.0.1 
Feb 18 16:53:01 dnsmasq[1436]: validation edmreleases.net is BOGUS

Check that the time on the Pi-Hole host device is correct, since DNSSEC relies on an accurate time. If time is correct, then disable DNSSEC in Pi-Hole and see if the behavior continues.

itsbhanusharma · February 18, 2019, 4:58pm

Time is correct, Just checked.

Trying this, give me a few minutes

itsbhanusharma · February 18, 2019, 4:59pm

Ok so after disabling DNSSEC, it resolves once again!

where to start troubleshooting?

jfb · February 18, 2019, 5:02pm

This is a dnsmasq function, and there have been DNSSEC problems identified in dnsmasq. You are on the latest version of Pi-Hole, which contains v2.80 of dnsmasq. I would check the dnsmasq list at:

Note that with a local instance of unbound running, I was able to successfully dig that domain, and unbound also uses DNSSEC. So, the problem does not appear to lie with the domain authentication signature.

itsbhanusharma · February 18, 2019, 5:05pm

Can that be some sort of bad DNSSEC cache of sorts? since I did some changes to the domain in the day which includes changing the DNSSEC record at registrar

jfb · February 18, 2019, 5:07pm

I would not think that dnsmasq would cache that information for a long period of time, but I am not expert in dnsmasq at all.

@DL6ER will certainly be able to provide better information, as he is the lead FTL developer.

itsbhanusharma · February 18, 2019, 5:09pm

So one pattern I see here is that it goes bad as soon as I enable dnssec at pihole.
I'm not using pihole as DHCP if that matters. that's handled by my mikrotik router which sends pihole IP as DNS server.

DanSchaper · February 18, 2019, 5:18pm

DNSSEC on domains is kind of a dark art. Just doing a quick check on that domain looks like it's registered with Name and DNS is hosted at CloudFlare. So you deployed new DS keys to Name that Cloudflare provided for you? It does look like the domain signatures are all valid and you just may be in a window of waiting for the signed records to be propagated across the CloudFlare servers. Propagation can take up to 24 hours depending on various conditions.

How long ago did you upload the new DS key? Was it a replacement of DS keys or the first time converting from unsigned to DNSSEC for that domain? Have you tried restarting pihole-FTL to clear out the local cache? The response from Pi-hole is that the proper IP address is being returned from your upstream but the record that is being sent is not signed with the correct key. That is why you are seeing the BOGUS response in the log tailing.

itsbhanusharma · February 18, 2019, 5:24pm

Yes, Sir

approx 6 hours at this point.

I'd say this is the case (unless someone else has attempted to do it ... there are at least two other people who have access to that domain so I'm only 99% sure that I'm the first one to try it)

Multiple restarts, no success, I've even rebuilt it still no success.

DanSchaper · February 18, 2019, 5:25pm

What does the CloudFlare panel show under DNSSEC?

itsbhanusharma · February 18, 2019, 5:27pm

Cloudflare looks happy.

DanSchaper · February 18, 2019, 5:28pm

Have a look over https://support.cloudflare.com/hc/en-us/articles/360021111972 and run through the steps.

itsbhanusharma · February 18, 2019, 5:28pm

with dnssec on pihole enabled or disabled?

DanSchaper · February 18, 2019, 5:30pm

Should work with it enabled for everything to pass.

itsbhanusharma · February 18, 2019, 5:34pm

And it seems like it just worked this time after enabling DNSSEC for some reason that I don't understand.

All tests give expected result. shall I post here?

DanSchaper · February 18, 2019, 5:35pm

If it's working it just may have been a cache issue on the CloudFlare resolver you were being routed to. No need to post the results here if things are all working.

itsbhanusharma · February 18, 2019, 5:36pm

Thank you for enlightenment this was really helpful and helped calm the panic inside.

also, thanks for a quick response @jfb