The requirement to use TCP exclusively would only apply to the DoT connection between a client and your reverse proxy.
The subsequent forward from your proxy to Pi-hole should follow the plain DNS protocol.
If your proxy would be set up accordingly, I'd expect it to be unlikely that you would observe that issue.
That said, while I am unable to reproduce your observation with well known domains like google.com... (click for dig result):
$ dig @192.168.127.128 google.com +tcp
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> @192.168.127.128 google.com +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34852
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.19.78
;; Query time: 40 msec
;; SERVER: 192.168.127.128#53(192.168.127.128)
;; WHEN: Mon Jul 25 10:24:46 CEST 2022
;; MSG SIZE rcvd: 55
... I can recreate your observation when forcing resolution of your sample domain via TCP:
~$ dig @192.168.1.28 axeleroy.com +tcp
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> @192.168.1.28 axeleroy.com +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14307
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 0c ("..")
;; QUESTION SECTION:
;axeleroy.com. IN A
;; Query time: 187 msec
;; SERVER: 192.168.1.28#53(192.168.1.28)
;; WHEN: Mon Jul 25 09:49:26 CEST 2022
;; MSG SIZE rcvd: 47
Note the EDE error code 00 0c
in that answer.
That is also reflected and made human-readable in Pi-hole's log:
Jul 25 09:49:26 dnsmasq[25638]: 2338 192.168.1.28/43803 query[A] axeleroy.com from 192.168.1.28
Jul 25 09:49:26 dnsmasq[25638]: 2338 192.168.1.28/43803 forwarded axeleroy.com to 127.0.1.1#5335
Jul 25 09:49:26 dnsmasq[25638]: 2339 dnssec-query[DS] axeleroy.com to 127.0.1.1#5335
Jul 25 09:49:26 dnsmasq[25638]: 2338 192.168.1.28/43803 reply axeleroy.com is 213.186.33.5
Jul 25 09:49:26 dnsmasq[25638]: 2338 192.168.1.28/43803 validation axeleroy.com is BOGUS (EDE: NSEC(3) missing)
Note that the failure of that lookup is related to DNSSEC.
If you own or administrate axeleroy.com
, you may want to verify its DNSSEC configuration.
However, I also tried a forced TCP lookup for sigok.verteiltesysteme.net
, a well known DNSSEC signed domain that's also known to behave correctly.
And indeed, that again triggers the same EDE error code:
~$ dig @192.168.1.28 sigok.verteiltesysteme.net +tcp
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> @192.168.1.28 sigok.verteiltesysteme.net +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58895
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 0c ("..")
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A
;; Query time: 107 msec
;; SERVER: 192.168.1.28#53(192.168.1.28)
;; WHEN: Mon Jul 25 10:09:10 CEST 2022
;; MSG SIZE rcvd: 61
Jul 25 10:09:10 dnsmasq[25834]: 2662 192.168.1.28/49609 query[A] sigok.verteiltesysteme.net from 192.168.1.28
Jul 25 10:09:10 dnsmasq[25834]: 2662 192.168.1.28/49609 forwarded sigok.verteiltesysteme.net to 127.0.1.1#5335
Jul 25 10:09:10 dnsmasq[25834]: 2663 dnssec-query[DS] verteiltesysteme.net to 127.0.1.1#5335
Jul 25 10:09:10 dnsmasq[25834]: 2662 192.168.1.28/49609 validation sigok.verteiltesysteme.net is BOGUS (EDE: NSEC(3) missing)
Jul 25 10:09:10 dnsmasq[25834]: 2662 192.168.1.28/49609 reply sigok.verteiltesysteme.net is 134.91.78.139
I can also confirm that a preceding successful UDP lookup will allow a subsequent forced TCP lookup to succeed as well, probably because the answer would then be cached.
As this is tied to DNSSEC, this seems to be a bug in upstream dnsmasq
rather than pihole-FTL
, but let's see if @DL6ER would be able to confirm that suspicion of mine.