Pi-hole system unable to resolve domains after installing pihole and unbound

Expected Behaviour:

[After installing pi-hole and configuring it to work with unbound, the pi-hole system should be able to resolve domain names so the system can install updates, install packages, update the pi-hole blocklists, and browse the Internet in general. Pinging a domain name should return a reply.]

Actual Behaviour:

_[Ported from a question I sent a user:
Hey just wondering if you could help me with an issue. I just set up unbound to work with my pi-hole using this guide: https://docs.pi-hole.net/guides/unbound/

I have had this issue in the past but previously it was just with setting up a regular pi-hole instance in a VM and also an instance using DNS over https.

My issue is after I install pihole, the system that I install it on loses the ability to resolve IPs. I installed pi-hole on a linux box on my local network, 192.168.0.11.

DNS settings in my router are set to that IP. All other machines on my LAN can resolve IPs, but the box I installed the pi-hole on and set up unbound cannot resolve IPs. The dig commands work though.

Looking into the issue I found this thread: Unbound and IPv6 DNS

I am unable to ping domains from the pi-hole linux box but ping6 works for some reason. I can even run the dig commands and they resolve correctly. But trying to browse the web via web browser, update pihole blocklists, or update the system all fail due to dns not resolving.

I cannot ssh into the linux box to copy text bc I can't get openssh to install and didn't have it set up beforehand so I'll have to copy some pics into here:

As you can see in the last one, for some reason ping ipv4 isn't working but ping6 is. Destination host unreachable message I have seen before when I have set up other pi-hole instances.

I have a hunch this is due to the linux machine (192.168.0.11) being set in the router DNS settings, so the linux box is assigned DNS settings from my router via DHCP, and then it is asking itself to resolve DNS. I'm not sure if that's the issue but it's happened to me before and I've never been able to resolve (punny) it.

Here is the unbound/pi-hole.conf:

]_

Your DNS service IS working (IPv4 included) as per one of your screenshots, the IP of google.com was resolved by the DNS query.

The problem lies with routing, gateway settings maybe?

As for IPv6, if both IPv6 and IPv4 are present (active) within a network, IPv6 is preferred.

I believe this is not related to Pi-hole or Unbound, since everything in the screenshots is showing that they work.

DNS is only there to "translate" google.com or whatever domain name one might want to access, to an IP (since a name is easier to remember than the IP address) and again, based on your screenshots, it seems to be doing just that.

How it connects AFTER it knows the translation, depends on the local settings/parameters/routing, things that are outside the scope and functionality of Pi-hole and unbound for that matter.

What happens if you put the IP that's resolved by ping in the browser?

So this doesn't look right to me. I feel like the first line should read:

default 192.168.0.1 0.0.0.0

Not sure about the Flags or Metric. The Iface is correct.

Not sure if the other two lines are correct either. Also not sure how this got fiddled with in the first place.

As for pasting the IP in the browser, I get an error:

ERR_ADDRESS_UNREACHABLE

Definitely seems like I have a route issue.

What happens when you traceroute that IP?

I can't run traceroute because it's not installed and I can't install it:

"Command 'traceroute' not found, but can be installed with:"

Regarding the route: I misspoke, the command was incorrect. This looks fine to me now. Thoughts?

The routes in the last screenshot look OK.

To delete a default route:

$ ip r
default via 10.0.0.1 dev wlan0
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.220

$ sudo ip route del default via 10.0.0.1 dev wlan0
$

$ ip r
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.220

To add default route again:

$ sudo ip route add default via 10.0.0.1 dev wlan0
$

$ ip r
default via 10.0.0.1 dev wlan0
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.220

What would you suggest my next step be in diagnosing the issue?

So this is on a separate machine, 192.x.x.17, and I don't understand why this would happen. The .17 is asking the pi-hole (.11) for the IP of linode.com, the pi-hole forwards the IP to the .17 machine, and the .17 machine says that the request timed out. Why would this happen?

Too much confusing info for me.
The last screenshot you posted is missing the Reply column.

How have you concluded the above, and what do you mean by that?
Are you talking about pings (ICMP) or DNS queries?
Totally makes no sense.

And are the routes working now on Pi-hole ?

ip -4 address

ip -6 address

ip -4 route

ip -6 route

traceroute -4n 8.8.8.8

traceroute -6n 2001:4860:4860::8888

The screenshots aren't helping either (prefer text output).
Try to get the IP part working first on the Pi-hole box and clients.
Troubleshoot DNS later.
Sorry if this sounds a bit harsh.
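The "IP first, DNS later" order suggested in the post above, as an added example that is not part of the original thread: a small triage script that reports whether the fault is a missing default route, an unreachable IP path, or name resolution. The function names, the `--live` switch and the default targets are choices made for this example; the sample route table reuses the output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: layered triage that separates routing faults from DNS faults.

# Constructed sample input, copied from the `ip r` output quoted in the thread.
SAMPLE_ROUTES='default via 10.0.0.1 dev wlan0
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.220'

# Read `ip -4 route` output on stdin, print the default gateway (empty if none).
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Read resolv.conf-style text on stdin, print the first nameserver entry.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Classify the fault from: gateway (may be empty), ip_ok (0/1), dns_ok (0/1).
# The order matters: a DNS timeout means nothing until the IP path works.
classify() {
    gw=$1; ip_ok=$2; dns_ok=$3
    if [ -z "$gw" ]; then
        echo "no-default-route"
    elif [ "$ip_ok" -ne 1 ]; then
        echo "ip-unreachable"
    elif [ "$dns_ok" -ne 1 ]; then
        echo "dns-failure"
    else
        echo "ok"
    fi
}

# Live run on the Pi-hole box or a client (needs ip, ping and getent).
triage() {
    target_ip=${1:-8.8.8.8}; name=${2:-pi-hole.net}
    ip_ok=0; dns_ok=0
    gw=$(ip -4 route | default_gateway)
    ns=$(first_nameserver < /etc/resolv.conf)
    # Ping a literal IP so that this step does not depend on DNS at all.
    ping -c 1 -W 2 "$target_ip" >/dev/null 2>&1 && ip_ok=1
    # getent goes through the system resolver, unlike dig, which queries directly.
    getent hosts "$name" >/dev/null 2>&1 && dns_ok=1
    echo "gateway=${gw:-none} nameserver=${ns:-none} result=$(classify "$gw" "$ip_ok" "$dns_ok")"
}

if [ "${1:-}" = "--live" ]; then triage; fi
```

A result of `ip-unreachable` while `dig` still answers from the local resolver matches the symptom in this thread: the lookup works, but the connection to the resolved address does not.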

I use nslookup on a random PC in my house via the Windows command line, looking up the IP of linode.com. The pihole web console clearly shows the query from my random computer (.17) and says that the answer is forwarded to that machine, while the actual machine says the pihole timed out.

Pi-hole forwards the DNS query to its upstream configured DNS server.
I believe in your case that's Unbound on 127.0.0.1:5353.

The actual machine doing the DNS query times out probably because Unbound is not responding quickly enough.

EDIT: try to do a lookup from that Windows client with a name that Pi-hole knows about and won't need to forward:

nslookup pi.hole 192.168.0.11

So when the pihole responds and says "forwarded" it's not handing the ip off to my pc, it's forwarding it to the upstream dns server?

Yes, it's forwarding the DNS query for the name linode.com to its upstream configured DNS.

Try to do a lookup from that Windows client with a name that Pi-hole knows about and won't need to forward:

nslookup pi.hole 192.168.0.11

EDIT: typo :wink:

Ok will do. Not at home now but will respond back when I try this.

Oh, and get sshd up and running on Pi-hole!
Do the below to fix name resolution temporarily (it will revert on reboot):

echo 'nameserver 8.8.8.8' | sudo tee /etc/resolv.conf

Check if you can resolve:

nslookup pi-hole.net

Install sshd:

sudo apt install openssh-server openssh-client

Enable it to start at boot:

sudo systemctl enable ssh

Start sshd:

sudo systemctl start ssh

And test:

ssh 127.0.0.1

EDIT: added openssh-client just to be sure.

So in doing this:

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.1
search Hogwarts.academy
options edns0
$ echo 'nameserver 8.8.8.8' | sudo tee /etc/resolv.conf
[sudo] password 
nameserver 8.8.8.8
$ nslookup pi-hole.net
;; connection timed out; no servers could be reached

$

Every time I check the status of the unbound service:

$ sudo service unbound status
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-06-29 10:26:50 EDT; 2 days ago
     Docs: man:unbound(8)
 Main PID: 16099 (unbound)
    Tasks: 1 (limit: 4492)
   CGroup: /system.slice/unbound.service
           └─16099 /usr/sbin/unbound -d

Jun 30 09:46:12 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:46:26 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:46:42 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:46:42 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:46:42 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:47:00 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:47:02 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:47:02 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 09:47:35 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
Jun 30 11:08:40 sara-MacBookPro unbound[16099]: [16099:0] error: serviced_tcp_initiate: failed to send tcp query
sara@sara-MacBookPro:~$ sudo service unbound restart

sara@sara-MacBookPro:~$
sara@sara-MacBookPro:~$ sudo service unbound status
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-07-01 17:22:22 EDT; 4s ago
     Docs: man:unbound(8)
  Process: 21247 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 21244 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
 Main PID: 21268 (unbound)
    Tasks: 1 (limit: 4492)
   CGroup: /system.slice/unbound.service
           └─21268 /usr/sbin/unbound -d

Jul 01 17:21:47 sara-MacBookPro systemd[1]: Starting Unbound DNS server...
Jul 01 17:22:22 sara-MacBookPro package-helper[21247]: /var/lib/unbound/root.key has content
Jul 01 17:22:22 sara-MacBookPro package-helper[21247]: fail: the anchor is NOT ok and could not be fixed
Jul 01 17:22:22 sara-MacBookPro unbound[21268]: [1562016142] unbound[21268:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root p
Jul 01 17:22:22 sara-MacBookPro unbound[21268]: [21268:0] info: start of service (unbound 1.6.7).
Jul 01 17:22:22 sara-MacBookPro systemd[1]: Started Unbound DNS server.
sara@sara-MacBookPro:~$

See my posting above to check IP/routes.
First get the IP part working, worry about DNS later!

EDIT: and this:

Thanks for your help. I decided to remove unbound and start fresh. Upon reinstalling pi-hole after fully removing, I now have a new issue. You can find it here: Lighttpd 403 admin page - #3 by Jorgsmash

Thanks again!