Pi-hole + unbound can't reach a specific site

Help Community Help
1

The issue I am facing: Can’t connect to gicareforkids.com

Details about my system: RPi 5, Dietpi, pihole+unbound the only things added to base install

What I have changed since installing Pi-hole: Tried 9.9.9.9 with and without DNSSEC, no luck

First off I realize this is likely an issue with my system and not Pi-hole or unbound, but since there is a great deal of DNS expertise here I am checking to see if I can get some pointers here.

Trying to navigate to gicareforkids.com gets me a “We can’t connect to the server at www.gicareforkids.com” error in Firefox. Looking at the pi-hole query, the query for gicareforkids.com shows a green cloud icon forwarded from unbound for both A and HTTPS entries.

I’ve tried temporarily removing unbound from custom DNS and using Quad 9’s both with and without DNSSEC. Same error.

Based on other troubleshooting, I ran the following dig commands with their results below:

dig @127.0.0.1 a gicareforkids.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @127.0.0.1 a gicareforkids.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;gicareforkids.com.             IN      A

;; Query time: 1436 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Sep 30 12:51:31 EDT 2025
;; MSG SIZE  rcvd: 46

dig @8.8.8.8 a gicareforkids.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @8.8.8.8 a gicareforkids.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38909
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 23 (Network Error): ([205.251.192.17] rcode=REFUSED for gicareforkids.com/a)
; EDE: 23 (Network Error): ([205.251.199.153] rcode=REFUSED for gicareforkids.com/a)
; EDE: 23 (Network Error): ([205.251.196.219] rcode=REFUSED for gicareforkids.com/a)
; EDE: 23 (Network Error): ([205.251.194.218] rcode=REFUSED for gicareforkids.com/a)
; EDE: 22 (No Reachable Authority): (At delegation gicareforkids.com for gicareforkids.com/a)
;; QUESTION SECTION:
;gicareforkids.com.             IN      A

;; Query time: 108 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Sep 30 12:43:53 EDT 2025
;; MSG SIZE  rcvd: 350

 dig +tcp +trace @127.0.0.1 gicareforkids.com DNSKEY

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +tcp +trace @127.0.0.1 gicareforkids.com DNSKEY
; (1 server found)
;; global options: +cmd
.                       1904    IN      NS      f.root-servers.net.
.                       1904    IN      NS      g.root-servers.net.
.                       1904    IN      NS      h.root-servers.net.
.                       1904    IN      NS      i.root-servers.net.
.                       1904    IN      NS      j.root-servers.net.
.                       1904    IN      NS      k.root-servers.net.
.                       1904    IN      NS      l.root-servers.net.
.                       1904    IN      NS      m.root-servers.net.
.                       1904    IN      NS      a.root-servers.net.
.                       1904    IN      NS      b.root-servers.net.
.                       1904    IN      NS      c.root-servers.net.
.                       1904    IN      NS      d.root-servers.net.
.                       1904    IN      NS      e.root-servers.net.
.                       1904    IN      RRSIG   NS 8 0 518400 20251013050000 20250930040000 46441 . rSPIFZn9u0IeI2ydJ9IRGcsW2/mapMunydcUEqjhmGB+NIBaHhUs2i8V PyqbQUNy3p0Z29TgfYlXP5YOb9NO1Fop3MoUV3INlvYM5RdH8c2KtmO9 KGIErdCDJwTRAzA3JuMQNTTqDLVoReXsDQwy8oBIf2FfKtpWNBbZpu23 YrhKOng1JMUoxI0BXlWedgdnDtxvMen5wT8hXZfvkDMoZxjpiyUrRfS/ 9rvcGp+D4ksAwHO0REBUwuKWHJGy1g3aVPYZf0OO4SPDi0mMX2Nm6ZZa JEqBTd3YujpBLYyArJUBzYkIq3l6h1uFXR6o5QuG13WpmGjoyoXjvABX MesP2A==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 4 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.                    86400   IN      RRSIG   DS 8 1 86400 20251013150000 20250930140000 46441 . SDhIOFhSpp05XW2z4lYj+NGsHv6s4/zv7ZO4avSDpXsYzTZ0v/eIpmjs vVJlWi2dheMu9Y1I0QB/jK3/3snCe2wW4EEuHtn7pmlazsUWZH4J1bT7 8/DqmOkfnN9QU4v5PZkB+9CsZQiewnrYCQ8/wt7ZFsfE0yEOshY6PQ+5 Z4rGIKRaq2Bp9uytaJ3/8ImXXgH3o+q8tB/mX9VTo2dRLTf9tfibs7/7 WATphdT/OgXvjenOhwqAnPogIhmt+RiALo12LnKC+qggN2HgZF0bta8T hGGSGpcAYq0t981U7Qw/1ZilT02Pyo4tg1Q4v7xWLts3zwagdtTvhpMq 5FD8qw==
;; Received 1177 bytes from 192.5.5.241#53(f.root-servers.net) in 16 ms

gicareforkids.com.      172800  IN      NS      ns-17.awsdns-02.com.
gicareforkids.com.      172800  IN      NS      ns-730.awsdns-27.net.
gicareforkids.com.      172800  IN      NS      ns-1243.awsdns-27.org.
gicareforkids.com.      172800  IN      NS      ns-1945.awsdns-51.co.uk.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20251006002624 20250928231624 20545 com. iby6+GfgfO9y3Z9vtFGv3arhAiDEMNsW2FGzpidwA5LoresBb3uZdeno Dpq2h+5cuJsOr1Qjkqv8xiUjIN8Rtw==
1NTLNACT75774MHHGNE9NNGUT1HBCH74.com. 900 IN NSEC3 1 1 0 - 1NTLTSM6E7FVC53IOQ0SIN36Q4U0IM1C NS DS RRSIG
1NTLNACT75774MHHGNE9NNGUT1HBCH74.com. 900 IN RRSIG NSEC3 13 2 900 20251005001703 20250927230703 20545 com. ktHy5Tmn79X7WHc+xdkICAb7FOkh0W/DzwyLXgsVi3t6fJCfkZ5lAyRt sR/c9nE3U5FcVURVNmhpgsSrd75gfw==
;; Received 555 bytes from 192.12.94.30#53(e.gtld-servers.net) in 28 ms

;; Received 35 bytes from 205.251.196.219#53(ns-1243.awsdns-27.org) in 64 ms

dig @127.0.0.1 -p 5335 a gicareforkids.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @127.0.0.1 -p 5335 a gicareforkids.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36926
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;gicareforkids.com.             IN      A

;; Query time: 736 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Sep 30 12:55:59 EDT 2025
;; MSG SIZE  rcvd: 46

I gave all these to ChatGPT, and it said the error appeared to be with the gicareforkids website and not my setup. However, if I turn off WiFi and connect with my phone, I’m able to reach gicareforkids.com without issue. Is there anything else I can try, or is this error truly outside my control?

2

Since public DNS resolvers also fail to resolve gicareforkids.com, the issue is indeed with public DNS rather than a specific DNS software.

DNSSEC validation confirms that DNS records for gicareforkids.com are malconfigured:

pihole-dnsviz-cgicareforkids.com
pihole-dnsviz-cgicareforkids.com1067×760 28 KB

Only the maintainers for the gicareforkids.com can address this, by fixing their misconfigured DNS records.

3

Thanks for the quick and detailed reply. I’m curious why my T-mobile based cell service is able to connect, but perhaps they have cached DNS records that mask the misconfiguration.

4

And just like that, the site is back up after being unreachable for 2 days. I found the dnsviz tool you used above, and the re-analysis found no errors.