Operator Error Made Pi-hole Crawl


Not a Pi-hole issue but a plea for help.

As a newbie (sorry), I've made some undocumented changes and run into a BIG issue. Pi-hole is not responding in a timely manner. I don't know how to troubleshoot the issue. I have Nagios looking after the IoT devices in the farm and not a single NRPE check (mostly via FQDN) can receive a reply before the task times out. It is one big RED sheet on the Nagios summary page. I need help to get Pi-hole back to configuration 48 hours ago without resorting to uninstall/reinstall, please.

The Pi-hole query log has two corresponding entries for any device in the farm:

  • A record Status is OK (cached) and Reply is IP (0.1ms)
  • AAAA record Status is OK (forwarded) and Reply is NA

Of course, AAAA entry is not relevant for this request for assistance.

Ping takes a few seconds to get started and then works fine (from Ubuntu desktop client) until interrupted.

Nslookup responds as follows:

    $ nslookup raspbari1.parkcircus.org
    Server:		127.0.0.1
    Address:	127.0.0.1#53

    Name:	raspbari1.parkcircus.org
    Address: 172.16.1.147
    ;; connection timed out; no servers could be reached

Pi-hole is the DHCP and primary DNS server in the farm. The router is not supposed to forward local network (non-FQDN as well as local domain) names to the standard external servers (Google, OpenDNS, Cloudflare, etc.) that are used for general Internet connectivity.

Expected Behaviour:

I would like Pi-hole to respond quickly to intranet DNS queries (as before for the last two years! :smiley:). The Pi-hole upgrade is not an issue. I have changed some setting that is making the query responses extremely slow.

I would like response times (presumably with Pi-hole DNS role) to improve so that basic applications (e.g. Nagios) do not experience socket timeout errors. The devices in the intranet farm are configured to use Pi-hole as the primary DNS server. Also, nslookup should complete without any timeout error message.

-operating system
Linux raspberrypi 4.19.66-v7+ #1253 SMP Thu Aug 15 11:49:46 BST 2019 armv7l GNU/Linux
-hardware
ARMv7 Raspberry Pi (buster)
-Pi-hole
Pi-hole version is v5.1.1 (Latest: v5.1.1)
AdminLTE version is v5.1 (Latest: v5.1)
FTL version is v5.1 (Latest: v5.1)

I have been using Pi-hole essentially as a black box with two static IP addresses (Pi-hole itself and the router). All other devices have leased addresses from Pi-hole.

Actual Behaviour:

The browser use on the primary desktop client (Firefox) for external access has no noticeable latency. But when I try to access any local intranet site every request crawls very, very slowly. Most applications, OSS and home grown apps are experiencing socket timeouts.

Debug Token:

https://tricorder.pi-hole.net/jn0nn9h9q0

My first thought would be to unchange these settings.

Also, looking at your debug log, Pi-hole is the DHCP server yet you have conditional forwarding enabled to send lookups to the router, and you also have the router listed as one of your upstream DNS servers. With Pi-hole working as the DHCP server, you should not need (nor want) conditional forwarding or the router as one of the upstream DNS servers.

Also, this is somewhat different than most users - why are you using the /23 subnet?

    PIHOLE_INTERFACE=eth0
    IPV4_ADDRESS=172.16.0.2/23

Hello @jfb,

Yeah, everyone zeros in on the /23! I need 172.16.0.x and 172.16.1.x addresses.

You are right! Conditional forwarding was one of the many changes that I did because the router is OPNsense. I'll remove that setting and try again and post my findings shortly. Thanks.

Kind regards.

Hello @jfb,

I guess I have to just say NO to OPNsense for now! Your suggestion to remove conditional forwarding worked like a charm. Nagios is now slowly becoming green and no delays with ping and nslookup completes successfully.

Where can I read more about conditional forwarding, please?

Issue closed with delight!

Kind regards.

Hello @jfb,

Just one last clarification, please.

For some reason the Pi-hole server does not respond to DNS queries when its FQDN is used. I have its static IP address recorded in the pane for Static DHCP Leases Configuration in the Settings -> DHCP tab.

What other "settings" do I need to configure to ensure that the Pi-hole server IP address is returned for use by intranet apps? Other static IP address assignments can be obtained from Pi-hole through their FQDN. I understand that I could easily use the IP address instead of the FQDN in my apps but I would like to avoid if possible for practical purposes. Thanks.

Kind regards.

Could try to change the hostname for Pi-hole into that FQDN.
Don't know what it is now:

hostname -f

Hello @deHakkelaar,

Your suggestion to capture the pair in /etc/hosts is correct (that is what I had to resort to in an earlier infrastructure in another physical location) but I want to understand why Pi-hole will not do the resolution from its records. Of course, pursuing this type of granularity got me into trouble earlier.

The static table is being used successfully for all other entries but not for the Pi-hole server itself.

Kind regards.

Tail the logs when you do those queries:

pihole -t

Use below one on any Windows, Linux or MacOS client to query that FQDN:

nslookup <DOMAIN>

Or specify the DNS server to query:

nslookup <DOMAIN> <DNS_SERVER_IP_ADDRESS>

Hello @deHakkelaar,

Thx again for stepping up. This is what I tried (pardon my feeble knowledge in these matters):

70.113.235.14 is the static WAN address assigned by ISP.

    $ nslookup raspbari25.parkcircus.org
    Server:		127.0.0.53
    Address:	127.0.0.53#53

    ** server can't find raspbari25.parkcircus.org: NXDOMAIN

    $ nslookup parkcircus.org
    Server:		127.0.0.53
    Address:	127.0.0.53#53

    Non-authoritative answer:
    Name:	parkcircus.org
    Address: 70.113.235.14

    $ nslookup raspbari25.parkcircus.org 172.16.0.2
    Server:		172.16.0.2
    Address:	172.16.0.2#53

    ** server can't find raspbari25.parkcircus.org: NXDOMAIN

    $

Extract from Pi-hole server (viz. raspbari25.parkcircus.org) follows:

    Aug  2 16:28:20: query[A] raspbari25.parkcircus.org from 172.16.0.247
    Aug  2 16:28:20: cached raspbari25.parkcircus.org is NXDOMAIN
    Aug  2 16:28:20: query[AAAA] raspbari25.parkcircus.org from 172.16.0.247
    Aug  2 16:28:20: cached raspbari25.parkcircus.org is NXDOMAIN
    Aug  2 16:28:20: query[A] raspbari25.parkcircus.org.parkcircus.org from 172.16.0.247
    Aug  2 16:28:20: cached raspbari25.parkcircus.org.parkcircus.org is NXDOMAIN
    Aug  2 16:28:20: query[AAAA] raspbari25.parkcircus.org.parkcircus.org from 172.16.0.247
    Aug  2 16:28:20: cached raspbari25.parkcircus.org.parkcircus.org is NXDOMAIN

Instead of
cached raspbari25.parkcircus.org is NXDOMAIN
if the response was
DHCP raspbari25.parkcircus.org is 172.16.0.2
then I guess I would be happy?

Kind regards.

Above is the bit going south for you in your reasoning.
During Pi-hole setup, the IP address on the Pi-hole host was changed into a static IP address.
This makes the Pi-hole host independent from DHCP or any reservations.
Creating a DHCP reservation is not the same as configuring a static IP address on the device itself!

Hello @deHakkelaar,

So if I remove the static assignment, apps should be able to query the FQDN for the IP address? Worth backing up and trying, I guess. :smiley: Thanks.

Kind regards.

Forgot to mention, only when a client connects via DHCP, its hostname will have DNS records created for them on the host doing DHCP.
As Pi-hole doesn't connect through DHCP anymore, the DHCP server/host would not be able to know its name.

You should not have to create any static assignments.
Just below should be sufficient:

Hello @deHakkelaar,

I'll try your recommendation since it can also help me to stop tilting at windmills (and wasting other people's valuable time). I don't have any other choice for now.

Thank you very much for your patience and understanding. I really appreciate your helpful suggestions that permit me to make more efficient use of Pi-hole (and learn along the path).

Kind regards.

I created a Local DNS Record as a temporary fix unless you (or anyone authoritative) can tell me to do something in addition to your earlier suggestion. Thanks.

Kind regards.

If you do what I recommended, you have all bases covered.
If software wants to know name, it can do so with the hostname -f command/library.
Or if software reads the /etc/hosts file (like Pi-hole does), it will also resolve to the correct host.

It is a client application that may append a local domain search suffix to a DNS query to help a resolution succeed.

For Pi-hole to provide correct answers, you'd still have to define an A record for each domain.
raspbari25 is a domain, and so is raspbari25.parkcircus.org.

So the definition in /etc/hosts you mention works and may have looked like this:

    172.16.0.2 raspbari25 raspbari25.parkcircus.org

Note that `nslookup` on Windows may provide misleading results if you define just one of those domains.

E.g. some Windows versions may append the search suffix by default, so nslookup raspbari25 will reply an answer even if only an A record for raspbari25.parkcircus.org has been defined.

If on the other hand you just defined an A record for raspbari25, the same nslookup raspbari25 will reply NXDOMAIN. You'd have to use a trailing dot to have the query succeed: nslookup raspbari25.
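
The `pihole -t` extract posted earlier in the thread shows both situations this explanation covers: a local FQDN with no A record, and the same name with the search suffix appended by the client. The following Python sketch is an added example, not code from any poster or from the Pi-hole project; it classifies the A-record answers for names in the local domain. The function name is hypothetical, and the last two sample lines are constructed to show a healthy lookup.

```python
import re

# The first eight lines are the `pihole -t` extract posted in the thread; the
# last two are constructed here to show a name that does resolve.
SAMPLE_LOG = """\
Aug  2 16:28:20: query[A] raspbari25.parkcircus.org from 172.16.0.247
Aug  2 16:28:20: cached raspbari25.parkcircus.org is NXDOMAIN
Aug  2 16:28:20: query[AAAA] raspbari25.parkcircus.org from 172.16.0.247
Aug  2 16:28:20: cached raspbari25.parkcircus.org is NXDOMAIN
Aug  2 16:28:20: query[A] raspbari25.parkcircus.org.parkcircus.org from 172.16.0.247
Aug  2 16:28:20: cached raspbari25.parkcircus.org.parkcircus.org is NXDOMAIN
Aug  2 16:28:20: query[AAAA] raspbari25.parkcircus.org.parkcircus.org from 172.16.0.247
Aug  2 16:28:20: cached raspbari25.parkcircus.org.parkcircus.org is NXDOMAIN
Aug  2 16:28:21: query[A] raspbari1.parkcircus.org from 172.16.0.247
Aug  2 16:28:21: DHCP raspbari1.parkcircus.org is 172.16.1.147
"""

QUERY = re.compile(r": query\[(A|AAAA)\] (\S+) from (\S+)$")
ANSWER = re.compile(r": (\S+) (\S+) is (\S+)$")


def local_name_findings(log_text, local_domain):
    """Map each queried local name to a diagnosis based on its A answers."""
    suffix = "." + local_domain
    qtype = {}      # name -> record type of the most recent query for it
    findings = {}
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            qtype[m.group(2)] = m.group(1)
        elif m := ANSWER.search(line):
            source, name, value = m.groups()
            if not name.endswith(suffix) or qtype.get(name) != "A":
                continue  # only A answers for names in the local domain
            if value != "NXDOMAIN":
                findings[name] = f"ok: {value} (from {source})"
            elif name.endswith(suffix + suffix):
                findings[name] = "search suffix appended to an FQDN by the client"
            else:
                findings[name] = "no A record: add a Local DNS Record or /etc/hosts entry"
    return findings


if __name__ == "__main__":
    for name, diagnosis in local_name_findings(SAMPLE_LOG, "parkcircus.org").items():
        print(f"{name}: {diagnosis}")
```
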


Hello @Bucking_Horn,

Creating the A record was what worked for me after my original stumble at the new location. (I was not enamored with the /etc/hosts solution). I got myself into a mess with Conditional Forwarding and forgot all about the A record because in trying to get out of the self-inflicted mess, I deleted the A records too in my naivete. Thanks to all you folks, I've learnt my lessons - use Teleporter and abandon Conditional Forwarding until I understand where it can be used. Many, many thanks again.

Kind regards.

P.S. Now I need to learn about CNAME records too! :wink:

Here's another Oops, a newbie learned:
If you select eth0 for the interface and are using the Raspberry Pi device, make sure you plug in an ethernet cable to your router (Synology RT2600ac in my case). I thought it was using a wireless LAN connection. After making the change to the LAN DNS server address in the router to the Raspberry device address, I could not connect to any site. I spent hours trying to troubleshoot the network connection (with my wife who is also a computer nerd). I was all set to send a plea for help to the community when I went through the install instructions one more time and noticed the Interface page had eth0 and wlan0. The light bulb went on. Connected the cable and Bingo! Works like a champ. My web mail used to crawl, stall, and get hung up. Now it flies. Furthermore, not sure if this is wishful thinking on my part, but when I do a tracert to my ISP - pings are very fast, faster than I recall them being. Awesome!

Moral of the story: If you select eth0 for the interface, make sure you are physically connected with an ethernet cable to the router. I only had to make a simple change to the last octet of the router LAN primary DNS address once connected. And I've been in the IT world for years ...

DOH!

@MetTech1984, thx for sharing. I'm too embarrassed (and senile) to list my experience and certificates. Most readers will assume (based on my self-inflicted issues) that I'm a professional fake. :rofl:

However, owing to the spirit and enthusiasm here, I've managed to learn quite a bit. It is difficult to do so in some of the other larger forums where there is more patrolling than guiding. Above all, I've been seeing incremental refinements to Pi-hole for the last two years that I've been using it. This has given me the confidence to stay with it & to plug it given the opportunity.

Kind regards.