Pi-hole v6 "DNS server failure"

I just upgraded to Pi-hole v6, hooray!

Alas:

The web UI led me to sudo pihole -d, which spit out lots of output, and this:

Your debug token is: https://tricorder.pi-hole.net/ubxnGTCf/

Hopefully someone can help me? :slight_smile:

Edit: Since the error is called "DNS Server failure", I assume it might have something to do with my unbound setup...? But it doesn't look like my configuration is wrong?

erik@MinipcLG2:~$ cat /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Anyway, I saw:
[screenshot]

So I ran sudo PIHOLE_SKIP_OS_CHECK=true pihole -r again. I'll see how it goes after the new update.

Another issue: I can't access my openHAB UI anymore, which should be http://192.168.1.9:8080/. I assume Pi-hole "took over" that port, or something like that?

Some searching led me to confirmation:

erik@MinipcLG2:~$ sudo netstat -tulpe --numeric-ports | grep 8080
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      pihole     18412      2398/pihole-FTL
tcp6       0      0 [::]:8080               [::]:*                  LISTEN      pihole     18414      2398/pihole-FTL

Is there another port I can "refer" pihole to?

Thanks in advance for anyone's help!

Your debug log shows port 53 to be already claimed by dnsmasq:

*** [ DIAGNOSING ]: Ports in use
    udp:0.0.0.0:51212 is in use by avahi-daemon
[✓] udp:0.0.0.0:53 is in use by pihole-FTL
[✗] udp:192.168.122.1:53 is in use by dnsmasq (https://docs.pi-hole.net/main/prerequisites/#ports)

You'd need to stop and disable dnsmasq from taking port 53.

Thanks for the help!

How would I do that?

Or maybe a better question: since Pi-hole and unbound are the only way I'm "playing" with DNS, why is dnsmasq on my system? And if you have no idea, I assume it's safe to uninstall it?

The snippet you quoted contained a link (Prerequisites - Pi-hole documentation). There I read that I can "configure ports manually". Could that be a solution for my openHAB UI problem? Or should I have chosen to enable lighttpd while installing? (I misunderstood "web sites" as actual web sites...)

Strange, after the update, I see:

  [✓] Update complete!

Core version is v6.0 (Latest: v6.0.1)
Web version is v6.0 (Latest: v6.0)
FTL version is v6.0 (Latest: v6.0)

Why wasn't the core version updated?

That's for you to figure out, e.g. you may have installed some additional software besides Pi-hole that pulled in dnsmasq as a dependency, or you may have enabled a same-machine NetworkManager's access point, or...

Depending on how and why dnsmasq was introduced, it perhaps may be safe to uninstall it, as Pi-hole's embedded pihole-FTL is a tailored version of dnsmasq and can act as a drop-in replacement, but you may lose some or all of its configuration details.

During the upgrade to v6, a dialog would have been displayed to decide how to proceed with the old lighttpd installation.

If this is to remain, Pi-hole switches the integrated web server to port 8080.

If lighttpd is actually no longer running and no other existing web server is using port 80, you can also move your Pi-hole web server back to port 80, e.g. via the web interface in Expert mode under All settings | Webserver and API via webserver.port, or by editing /etc/pihole/pihole.toml.

Thanks, editing /etc/pihole/pihole.toml did the trick!

erik@MinipcLG2:~$ sudo apt remove dnsmasq
Pakketlijsten worden ingelezen... Klaar
Boom van vereisten wordt opgebouwd... Klaar
De statusinformatie wordt gelezen... Klaar
Pakket 'dnsmasq' is niet geïnstalleerd, en wordt dus niet verwijderd
0 opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
erik@MinipcLG2:~$ sudo apt list | grep dnsmasq

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dnsmasq-base-lua/noble 2.90-2build2 amd64
dnsmasq-base/noble,now 2.90-2build2 amd64 [geïnstalleerd]
dnsmasq-utils/noble 2.90-2build2 amd64
dnsmasq/noble 2.90-2build2 all

I assume Linux Mint came with it pre-installed.

Reading some more here on the forum, it looks like I should first disable dnsmasq before uninstalling. But I can't seem to find how to disable it...?

Thanks again for your help!

(By the way, why was this not an issue before the upgrade to Pi-Hole v6? dnsmasq was already there...)

It's installed on my LMDE desktop as well, but it's not currently running.
~$ which dnsmasq
/usr/sbin/dnsmasq
~$ sudo apt-cache policy dnsmasq-base
dnsmasq-base:
  Installed: 2.90-4~deb12u1
  Candidate: 2.90-4~deb12u1
  Version table:
 *** 2.90-4~deb12u1 500
        500 http://ftp.gwdg.de/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
~$ sudo ss -tulpn sport = 53
Netid    State    Recv-Q    Send-Q       Local Address:Port         Peer Address:Port    Process

You could try to investigate how the currently running dnsmasq was started.
What's the output of:

sudo ps -feww | grep "PID\|dnsmasq"

And, with that output's value from the PID column substituting <PID>:

ls -l /proc/<PID>/exe
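The steps above (find the PIDs bound to port 53, then inspect /proc/<PID>) put together as a small script. This is an added example, not code from the thread or from the Pi-hole project; it assumes iproute2's ss, a /proc filesystem and cgroup v2 paths, and the sample ss lines inside it are constructed. Beyond the exe link, it reads /proc/<PID>/cgroup, which names the systemd unit whose service tree the process belongs to, so a daemon with no unit of its own can still be traced to whatever started it.

```shell
#!/bin/sh
# Added example (not from the thread): list every process bound to port 53 and
# show its exe, parent PID, command line and the systemd unit it runs under.
# Assumes iproute2 'ss', /proc and cgroup v2; run as root to read other users'
# /proc/<pid>/exe links (unprivileged reads fail, as the thread shows).

# Pull unique PIDs out of the "users:((...))" column of 'ss -p' output on stdin.
pids_from_ss() {
    sed -n 's/.*users:((\(.*\)))/\1/p' | tr ')' '\n' \
        | sed -n 's/.*pid=\([0-9]*\).*/\1/p' | sort -un
}

# Map a /proc/<pid>/cgroup line such as "0::/system.slice/libvirtd.service" to
# the unit that owns the process; "none" means it is outside any unit or scope.
unit_from_cgroup() {
    case "$1" in
        */*.service*|*/*.scope*) printf '%s\n' "${1##*/}" ;;
        *) echo none ;;
    esac
}

# Print exe, parent PID, owning unit and full command line for one PID.
describe_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='(unreadable: run as root)'
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || echo '?')
    unit=$(unit_from_cgroup "$(head -n 1 "/proc/$pid/cgroup" 2>/dev/null)")
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s ppid=%s exe=%s unit=%s\n  cmd=%s\n' "$pid" "$ppid" "$exe" "$unit" "$cmd"
}

# Live check against the running system (invoke with --live).
port53_owners() {
    ss -tulpnH 'sport = :53' | pids_from_ss | while read -r pid; do
        describe_pid "$pid"
    done
}

# Constructed sample modelled on the ss output posted in the thread, so the
# parser can be exercised offline; sample_pids returns "1566 1938".
SAMPLE_SS='udp UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1566,fd=5))
tcp LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1566,fd=6))
udp UNCONN 214144 0 0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=1938,fd=20))'

sample_pids() { printf '%s\n' "$SAMPLE_SS" | pids_from_ss | xargs; }

case "${1:-}" in
    --live) port53_owners ;;
    *) sample_pids ;;
esac
```

Without arguments it only parses the embedded sample; with --live it queries the running host, and a dnsmasq whose unit column shows a libvirt service rather than dnsmasq.service is managed by that service, not by a unit you can stop by name.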
erik@MinipcLG2:~$ which dnsmasq
/usr/sbin/dnsmasq
erik@MinipcLG2:~$ sudo apt-cache policy dnsmasq-base
dnsmasq-base:
  Geïnstalleerd: 2.90-2build2
  Kandidaat:     2.90-2build2
  Versietabel:
 *** 2.90-2build2 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
erik@MinipcLG2:~$ sudo ss -tulpn sport = 53
Netid       State        Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process
udp         UNCONN       214144       0                        0.0.0.0:53                    0.0.0.0:*          users:(("pihole-FTL",pid=1938,fd=20))
udp         UNCONN       0            0                  192.168.122.1:53                    0.0.0.0:*          users:(("dnsmasq",pid=1566,fd=5))
tcp         LISTEN       0            32                 192.168.122.1:53                    0.0.0.0:*          users:(("dnsmasq",pid=1566,fd=6))
erik@MinipcLG2:~$ sudo ps -feww | grep "PID\|dnsmasq"
UID          PID    PPID  C STIME TTY          TIME CMD
libvirt+    1566       1  0 20:23 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root        1567    1566  0 20:23 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
erik        8629    4826  0 21:17 pts/0    00:00:00 grep --color=auto PID\|dnsmasq
erik@MinipcLG2:~$ ls -l /proc/1566/exe
ls: kan symbolische koppeling '/proc/1566/exe' niet lezen: Toegang geweigerd
lrwxrwxrwx 1 root root 0 feb 19 20:23 /proc/1566/exe
erik@MinipcLG2:~$ ls -l /proc/1567/exe
ls: kan symbolische koppeling '/proc/1567/exe' niet lezen: Toegang geweigerd
lrwxrwxrwx 1 root root 0 feb 19 20:39 /proc/1567/exe
erik@MinipcLG2:~$ sudo ls -l /proc/1566/exe
lrwxrwxrwx 1 root root 0 feb 19 20:23 /proc/1566/exe -> /usr/sbin/dnsmasq
erik@MinipcLG2:~$ sudo ls -l /proc/1567/exe
lrwxrwxrwx 1 root root 0 feb 19 20:39 /proc/1567/exe -> /usr/sbin/dnsmasq

It seems that dnsmasq was started by something related to libvirt, suggesting you may be running some kind of virtualisation software on Linux Mint.

You may want to investigate why and how that depends on dnsmasq, especially if you were actively using something like a VM on LinuxMint.

I did do something with a virtual machine a while ago. It's nothing active. But it doesn't sound impossible I had then installed something with a name like "libvirt".

But it's more than one package, apparently:

erik@MinipcLG2:/usr/sbin$ sudo apt list | grep libvirt | grep stall

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

gir1.2-libvirt-glib-1.0/noble,now 5.0.0-2build3 amd64 [geïnstalleerd,automatisch]
libvirt-clients/noble-updates,now 10.0.0-2ubuntu8.5 amd64 [geïnstalleerd,automatisch]
libvirt-daemon-config-network/noble-updates,now 10.0.0-2ubuntu8.5 all [geïnstalleerd,automatisch]
libvirt-daemon-config-nwfilter/noble-updates,now 10.0.0-2ubuntu8.5 all [geïnstalleerd,automatisch]
libvirt-daemon-driver-qemu/noble-updates,now 10.0.0-2ubuntu8.5 amd64 [geïnstalleerd,automatisch]
libvirt-daemon-system-systemd/noble-updates,now 10.0.0-2ubuntu8.5 all [geïnstalleerd,automatisch]
libvirt-daemon-system/noble-updates,now 10.0.0-2ubuntu8.5 amd64 [geïnstalleerd,automatisch]
libvirt-daemon/noble-updates,now 10.0.0-2ubuntu8.5 amd64 [geïnstalleerd,automatisch]
libvirt-glib-1.0-0/noble,now 5.0.0-2build3 amd64 [geïnstalleerd,automatisch]
libvirt-glib-1.0-data/noble,now 5.0.0-2build3 all [geïnstalleerd,automatisch]
libvirt-l10n/noble-updates,now 10.0.0-2ubuntu8.5 all [geïnstalleerd,automatisch]
libvirt0/noble-updates,now 10.0.0-2ubuntu8.5 amd64 [geïnstalleerd,automatisch]
python3-libvirt/noble,now 10.0.0-1build1 amd64 [geïnstalleerd,automatisch]

Possibly it's only the last one, which I installed. Then again, the "automatisch" tag suggests Linux Mint installed the packages?

Anyway, I haven't got any VMs running... And my investigation skills are limited :slight_smile:

(Maybe it would be a better idea to create a VM, and run Pi-Hole in it, instead of in Linux Mint? However, I would prefer to have the current setup fixed for now. Some home automation stuff is broken because of the DNS problem, apparently...)

Does your Mint use SystemD ??

What does

systemctl status dnsmasq

give as output ?

You can stop and disable it with :

systemctl stop dnsmasq
systemctl disable dnsmasq

And YES indeed : Some kind of dedicated device or VM or LXC would be a better idea for Pi-Hole and other similar "Server like" software :wink:

... or Docker, but you will still need port 53 free on the host machine.

Yes

erik@MinipcLG2:~$ systemctl status dnsmasq
Unit dnsmasq.service could not be found.

I had tried that already... :frowning:

Okay, I'll figure out how to do that then. I assume the 'Teleporter' thingy will let me easily transfer my configurations, as soon as I have a VM running with Pi-hole 6?

I have fixed my short-term problem by removing 192.168.1.9 as DNS server. (I have a second system as back-up, which for now will be the primary and only DNS server.)

Perhaps, but Docker adds an additional level of complexity, so a bare metal install is often the most straightforward and simpler approach for inexperienced users.

But more importantly, it may not address your port conflict.
Depending on your VM's or Docker's network driver configuration, you may still need to clear port 53 on the device that runs your virtual Pi-hole.

Try browsing all your SystemD Units :

systemctl list-units

and look for DNSmasq in the list :slight_smile:

It could be dnsmasqd or something instead of just dnsmasq...

I think it should, but since it's very new please check all settings afterwards!

You never know... :wink:

erik@MinipcLG2:~$ sudo systemctl list-units | grep -i dns
  avahi-daemon.service                                                                     loaded active     running   Avahi mDNS/DNS-SD Stack
  unbound.service                                                                          loaded active     running   Unbound DNS server
  avahi-daemon.socket                                                                      loaded active     running   Avahi mDNS/DNS-SD Stack Activation Socket

And when you just browse all units ?

Or do one of these for the grep command :

grep dns*
grep *dns*

If you still don't see DNSmasq anywhere then I think it's some software starting it for itself somehow...?!?!

You won't find any units, as the dnsmasq processes are not running as a service, as the earlier ps results would suggest that they have been started manually, likely by the libvirt service.

Ahh... OK! Thnx! :slight_smile: