pihole-FTL failed to create listening socket for port 53

Sorry for the confusion -- I set up the third system from scratch for testing purposes after it seemed that "Type=idle" in stubby.service could be of help (it wasn't). This is the output of the third system (stubby and cloudflared installed, cloudflared deactivated) after reboot, pihole-FTL not started manually:

date
Fr 22. Feb 20:16:15 CET 2019

systemctl status pihole-FTL -l
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; static; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

journalctl -u pihole-FTL
-- Logs begin at Fri 2019-02-22 20:15:30 CET, end at Fri 2019-02-22 20:16:17 CET. --
-- No entries --

DNSSEC: Not enabled in stubby, but enabled in pihole.

...and after systemctl restart pihole-FTL, now with correct port 4711:

netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:4711 \|:10053 '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      636/lighttpd        
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      863/pihole-FTL      
tcp        0      0 192.168.73.121:53       0.0.0.0:*               LISTEN      863/pihole-FTL      
tcp        0      0 127.0.0.2:10053         0.0.0.0:*               LISTEN      558/stubby          
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      863/pihole-FTL      
tcp6       0      0 :::80                   :::*                    LISTEN      636/lighttpd        
tcp6       0      0 ::1:53                  :::*                    LISTEN      863/pihole-FTL      
tcp6       0      0 ::1:4711                :::*                    LISTEN      863/pihole-FTL      
udp        0      0 127.0.0.1:53            0.0.0.0:*                           863/pihole-FTL      
udp        0      0 192.168.73.121:53       0.0.0.0:*                           863/pihole-FTL      
udp        0      0 0.0.0.0:67              0.0.0.0:*                           863/pihole-FTL      
udp        0      0 127.0.0.2:10053         0.0.0.0:*                           558/stubby          
udp6       0      0 ::1:53                  :::*                                863/pihole-FTL

Just to make it clear: I have three systems running.
None of them autostarts pihole, no matter which listening-address I use for stubby.

Anyway, I will change the remaining with 127.0.0.2:53 to 127.0.0.2:10053,
and report back later this evening.

Thank you very much for your commitment.
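The step being taken above (moving stubby off 127.0.0.2:53 to 127.0.0.2:10053) is about making sure nothing but pihole-FTL holds port 53, since a second listener on that port is exactly what makes FTL fail to create its socket. The following script, added here as an example and not something posted in this thread, checks that mechanically: it parses `netstat -nltup`-style output, lists every socket bound to port 53, and exits non-zero if any program other than pihole-FTL is among them. The sample output it works on is constructed for the demonstration and deliberately contains stubby on 127.0.0.2:53.

```shell
#!/bin/sh
# Added example: find processes other than pihole-FTL bound to port 53.

# Constructed sample in `netstat -nltup` format; the stubby line on :53 is the conflict.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      863/pihole-FTL
tcp        0      0 127.0.0.2:53            0.0.0.0:*               LISTEN      558/stubby
udp        0      0 192.168.73.121:53       0.0.0.0:*                           863/pihole-FTL
udp6       0      0 ::1:53                  :::*                                863/pihole-FTL
tcp        0      0 127.0.0.2:10053         0.0.0.0:*               LISTEN      558/stubby'

# port53_holders: read netstat lines on stdin, print "localaddr program"
# for every socket whose local port is 53.
port53_holders() {
    awk '
        $1 == "Proto" { next }                 # header line
        {
            addr = $4
            # split on ":" and take the last piece so IPv6 literals (::1:53) work
            n = split(addr, parts, ":")
            if (parts[n] != "53") next
            # PID/Program name is always the last field; udp rows have no State column
            prog = $NF
            sub(/^[0-9]+\//, "", prog)         # drop the "PID/" prefix
            print addr, prog
        }'
}

# port53_foreign: print port-53 holders that are not pihole-FTL; exit 1 if any exist.
port53_foreign() {
    port53_holders | awk '$2 != "pihole-FTL" { print; found = 1 } END { exit found ? 1 : 0 }'
}

# On a live Pi-hole: sudo netstat -nltup | port53_foreign
# On the constructed sample this prints "127.0.0.2:53 stubby" and reports the conflict.
printf '%s\n' "$SAMPLE_NETSTAT" | port53_foreign || echo "port 53 conflict detected"
```

Run it before `systemctl restart pihole-FTL`: an empty result means port 53 is free for FTL on every address, while any printed line names the service that must be moved to another port (as done with stubby here) before FTL can bind.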

Ok, that output says nothing.
The only difference from mine is "generated" instead of "static", whatever that means.

pi@noads:~ $ sudo systemctl status pihole-FTL -l
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated; vendor preset: enabled)

And what if you disable DNSSEC on Pi-hole as well?
I've read postings here of dnsmasq versions having problems with DNSSEC, I believe.
Try the search, as I don't have DNSSEC!

Running DNSSEC with stubby adds no value. The stubby DNS traffic is already encrypted within a tunnel and secure from tampering.

Disable DNSSEC in Pi-Hole when you use an encrypted DNS server or unbound.


Well, I don't really need DNSSEC, so I will switch it off and report back.

But DNSSEC validation does not only mean checking that the DNS reply was not modified.
It also authenticates the sender of the DNS reply against the trust anchor.

And besides that, the DNS reply could still be tampered with on its way from the authoritative DNS server to the upstream resolver. Only the part from the upstream resolver to stubby goes through the tunnel.

Anyway, I will try switching DNSSEC off, thank you for the hint :)

Note that DNSSEC on or off in Pi-Hole won't affect any problems you are having with pihole-FTL binding to the correct ports.

@deHakkelaar:

Good news.

On my second system, let's call it "backup", pihole-FTL finally autostarts at boot time,
after adding this to /etc/dnsmasq.d/99-my-settings.conf:

listen-address=::1,127.0.0.1,192.168.1.102
bind-interfaces

DNS resolution works, the web interface works, and DNSSEC works, too.

I will try this setting on my first Pi-hole system named "main", which we did not discuss so far. And I will also further investigate the system "testing", which most of our conversation was about today (pihole, stubby and cloudflared). This will probably be on Monday.

Thank you.


Hi ddhub,
did you get the chance to try it on your other Pi-holes? I would be interested in your findings. Thx.

Hi jasteri,

There are still issues with both other systems. We had to stop the investigation for some days, but will return to the subject next week.

greetings, ddhub
