Pi-hole does not resolve ANY DNS queries

Expected Behaviour:

Pi-hole should resolve ANY DNS queries.
- Raspbian 10 buster
- Pi-hole v5.3.1
- Web v5.5
- FTL v5.8.1

Actual Behaviour:

Currently this query fails:
nslookup -type=ANY google.com pi_hole_ip
Server: pihole
Address: pi_hole_ip

*** pihole can't find google.com: Unspecified error

The same query sent to DNS 9.9.9.9 or directly to my router finishes correctly, like this:
nslookup -type=ANY google.com 9.9.9.9
Server: dns9.quad9.net
Address: 9.9.9.9

Non-authoritative answer:
google.com internet address = 172.217.20.206
google.com AAAA IPv6 address = 2a00:1450:401b:803::200e
google.com MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com MX preference = 10, mail exchanger = aspmx.l.google.com
google.com
primary name server = ns1.google.com
responsible mail addr = dns-admin.google.com
serial = 373544068
refresh = 900 (15 mins)
retry = 900 (15 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
google.com nameserver = ns3.google.com
google.com nameserver = ns4.google.com
google.com nameserver = ns2.google.com
google.com nameserver = ns1.google.com

Any other query type, such as A or MX, Pi-hole resolves correctly.

Debug Token:

https://tricorder.pi-hole.net/kgx30qbs0c

First, I will mention that the very same command works for me just fine.

What are the related lines in your /var/log/pihole.log lines?

I do see

May 14 17:13:47 dnsmasq[2532791]: 50418 127.0.0.1/54775 query[ANY] google.com from 127.0.0.1 
May 14 17:13:47 dnsmasq[2532791]: 50418 127.0.0.1/54775 forwarded google.com to 127.0.0.1 
May 14 17:13:47 dnsmasq[2532791]: 50418 127.0.0.1/54775 validation result is INSECURE

which is expected.

Note that ANY queries are not guaranteed to deliver consistent results.

If your motivation for manually requesting them would be to retrieve multiple protocol answers in one go, you should be prepared to handle incomplete results (see also proposed RFC 8482)

The result you'll get for an ANY request will depend on quite a few factors, including current caching state and any upstream DNS server used.

As ANY queries are "frequently used to exploit the amplification potential of DNS servers" (quoting the RFC linked above), some public DNS providers have disabled support for ANY queries altogether, e.g. Cloudflare did say goodbye to ANY in 2015.

Consequently, an ANY DNS request for domains via Cloudflare's 1.1.1.1 results in NOTIMP:

dig google.com ANY @1.1.1.1
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> google.com ANY @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 17997
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      ANY

;; Query time: 13 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri May 14 18:02:52 CEST 2021
;; MSG SIZE  rcvd: 39

So if your Pi-hole were using Cloudflare or a similarly behaving upstream, your observation would be expected.

The NOTIMP status from the above dig means "not implemented".
Selecting Google or Quad9 as upstream in Pi-hole allows ANY queries, though the results differ slightly:

pi@ph5b:~ $ dig google.com ANY @8.8.8.8
[..]
;; ANSWER SECTION:
google.com.             299     IN      A       108.177.119.102
google.com.             299     IN      A       108.177.119.138
google.com.             299     IN      A       108.177.119.113
google.com.             299     IN      A       108.177.119.101
google.com.             299     IN      A       108.177.119.100
google.com.             299     IN      A       108.177.119.139
google.com.             299     IN      AAAA    2a00:1450:4013:c00::71
google.com.             299     IN      AAAA    2a00:1450:4013:c00::8b
google.com.             299     IN      AAAA    2a00:1450:4013:c00::8a
google.com.             299     IN      AAAA    2a00:1450:4013:c00::65
google.com.             59      IN      SOA     ns1.google.com. dns-admin.google.com. 373544068 900 900 1800 60
google.com.             21599   IN      NS      ns2.google.com.
google.com.             21599   IN      NS      ns3.google.com.
google.com.             3599    IN      TXT     "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com.             599     IN      MX      10 aspmx.l.google.com.
google.com.             3599    IN      TXT     "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com.             599     IN      MX      20 alt1.aspmx.l.google.com.
google.com.             3599    IN      TXT     "v=spf1 include:_spf.google.com ~all"
google.com.             3599    IN      TXT     "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com.             3599    IN      TXT     "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com.             599     IN      MX      40 alt3.aspmx.l.google.com.
google.com.             21599   IN      NS      ns4.google.com.
google.com.             3599    IN      TXT     "apple-domain-verification=30afIBcvSuDV2PLX"
google.com.             21599   IN      NS      ns1.google.com.
google.com.             3599    IN      TXT     "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com.             599     IN      MX      50 alt4.aspmx.l.google.com.
google.com.             3599    IN      TXT     "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com.             21599   IN      CAA     0 issue "pki.goog"
google.com.             599     IN      MX      30 alt2.aspmx.l.google.com.
google.com.             3599    IN      TXT     "MS=E4A68B9AB2BB9670BCE1541
pi@ph5b:~ $ dig google.com ANY @9.9.9.9
[..]
;; ANSWER SECTION:
google.com.             34      IN      A       142.250.187.238
google.com.             224     IN      AAAA    2a00:1450:4009:820::200e
google.com.             327     IN      MX      40 alt3.aspmx.l.google.com.
google.com.             327     IN      MX      20 alt1.aspmx.l.google.com.
google.com.             327     IN      MX      50 alt4.aspmx.l.google.com.
google.com.             327     IN      MX      30 alt2.aspmx.l.google.com.
google.com.             327     IN      MX      10 aspmx.l.google.com.
google.com.             27      IN      SOA     ns1.google.com. dns-admin.google.com. 373752905 900 900 1800 60
google.com.             28757   IN      NS      ns3.google.com.
google.com.             28757   IN      NS      ns2.google.com.
google.com.             28757   IN      NS      ns4.google.com.
google.com.             28757   IN      NS      ns1.google.com.

Also running your own recursive resolver allows ANY:

pi@ph5b:~ $ dig google.com ANY @localhost
[..]
;; ANSWER SECTION:
google.com.             300     IN      A       172.217.17.142
google.com.             300     IN      AAAA    2a00:1450:400e:807::200e
google.com.             3600    IN      TXT     "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com.             3600    IN      TXT     "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com.             3600    IN      TXT     "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com.             3600    IN      TXT     "MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
google.com.             3600    IN      TXT     "apple-domain-verification=30afIBcvSuDV2PLX"
google.com.             3600    IN      TXT     "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com.             3600    IN      TXT     "v=spf1 include:_spf.google.com ~all"
google.com.             3600    IN      TXT     "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com.             3600    IN      TXT     "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com.             600     IN      MX      40 alt3.aspmx.l.google.com.
google.com.             600     IN      MX      20 alt1.aspmx.l.google.com.
google.com.             600     IN      MX      50 alt4.aspmx.l.google.com.
google.com.             600     IN      MX      30 alt2.aspmx.l.google.com.
google.com.             600     IN      MX      10 aspmx.l.google.com.
google.com.             86400   IN      NS      ns1.google.com.
google.com.             86400   IN      NS      ns3.google.com.
google.com.             86400   IN      NS      ns4.google.com.
google.com.             86400   IN      NS      ns2.google.com.
google.com.             60      IN      SOA     ns1.google.com. dns-admin.google.com. 373752905 900 900 1800 60
google.com.             86400   IN      CAA     0 issue "pki.goog"

Thanks, deHakkelaar :wink:
That nicely complements my:


Website google.com is only an example; I get the same problem for ebay.com, yahoo.com or any other domain.

May 17 16:45:34 dnsmasq[14281]: query[ANY] ebay.com from 192.168.25.2
May 17 16:45:34 dnsmasq[14281]: forwarded ebay.com to 9.9.9.9
...
May 17 16:45:36 dnsmasq[14281]: query[ANY] ebay.com from 192.168.25.2
May 17 16:45:36 dnsmasq[14281]: forwarded ebay.com to 9.9.9.9
...
May 17 16:49:59 dnsmasq[14281]: /etc/pihole/local.list 172.16.25.2 is pihole
May 17 16:49:59 dnsmasq[14281]: query[ANY] yahoo.com from 192.168.25.2
May 17 16:49:59 dnsmasq[14281]: forwarded yahoo.com to 149.112.112.112
May 17 16:49:59 dnsmasq[14281]: query[ANY] yahoo.com from 192.168.25.2
May 17 16:49:59 dnsmasq[14281]: forwarded yahoo.com to 149.112.112.112
...
May 17 16:50:01 dnsmasq[14281]: query[ANY] yahoo.com from 192.168.25.2
May 17 16:50:01 dnsmasq[14281]: forwarded yahoo.com to 149.112.112.112

After that I got a timeout:

nslookup -type=ANY yahoo.com 172.16.25.2
Server:  pihole
Address:  172.16.25.2

DNS request timed out.
    timeout was 2 seconds.
*** pihole can't find yahoo.com: Unspecified error
nslookup -type=ANY yahoo.com 9.9.9.9
Server:  dns9.quad9.net
Address:  9.9.9.9

Non-authoritative answer:
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com
        primary name server = ns1.yahoo.com
        responsible mail addr = hostmaster.yahoo-inc.com
        serial  = 2021051702
        refresh = 3600 (1 hour)
        retry   = 300 (5 mins)
        expire  = 1814400 (21 days)
        default TTL = 600 (10 mins)
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
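
The dnsmasq lines quoted in this thread have a fixed shape (`query[TYPE] name from client`, then `forwarded name to upstream`), which makes it easy to answer the question the thread circles around: which LAN clients are sending ANY queries, and to which upstream Pi-hole forwards them. The script below is an added example, not code from Pi-hole or from anyone in this thread; the log lines in `SAMPLE_LOG` are constructed in the same format as /var/log/pihole.log (both the default format and the `log-queries=extra` format with the query id prefix), and the client and upstream addresses are made up.

```python
"""Summarise ANY-type queries found in a dnsmasq / Pi-hole query log.

Added example (not from the Pi-hole project or this thread). Reads text in
the /var/log/pihole.log format and reports, per client and per upstream,
how many ANY queries were seen. Useful because ANY queries are the type
most often abused for DNS amplification, so a client emitting many of them
is worth a look.
"""
import re
from collections import Counter

# Constructed sample in the shape of the dnsmasq lines quoted in the thread.
# The first two lines use the log-queries=extra prefix ("<id> <addr>/<port>"),
# the rest use the default format. Addresses are made up.
SAMPLE_LOG = """\
May 14 17:13:47 dnsmasq[2532791]: 50418 127.0.0.1/54775 query[ANY] google.com from 127.0.0.1 
May 14 17:13:47 dnsmasq[2532791]: 50418 127.0.0.1/54775 forwarded google.com to 127.0.0.1 
May 14 17:13:47 dnsmasq[2532791]: 50418 127.0.0.1/54775 validation result is INSECURE
May 17 16:45:34 dnsmasq[14281]: query[ANY] ebay.com from 192.168.25.2
May 17 16:45:34 dnsmasq[14281]: forwarded ebay.com to 9.9.9.9
May 17 16:45:35 dnsmasq[14281]: query[A] ebay.com from 192.168.25.7
May 17 16:45:35 dnsmasq[14281]: cached ebay.com is 66.211.181.123
...
May 17 16:49:59 dnsmasq[14281]: query[ANY] yahoo.com from 192.168.25.2
May 17 16:49:59 dnsmasq[14281]: forwarded yahoo.com to 149.112.112.112
May 17 16:49:59 dnsmasq[14281]: query[ANY] yahoo.com from 192.168.25.2
May 17 16:49:59 dnsmasq[14281]: forwarded yahoo.com to 149.112.112.112
May 17 16:50:01 dnsmasq[14281]: query[ANY] yahoo.com from 192.168.25.9
May 17 16:50:01 dnsmasq[14281]: forwarded yahoo.com to 9.9.9.9
"""

# "Mon DD HH:MM:SS dnsmasq[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$"
)
# Optional log-queries=extra prefix: "<query id> <client addr>/<port> "
EXTRA_RE = re.compile(r"^\d+ \S+ (?P<rest>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Za-z0-9=]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")


def summarize_any_queries(log_text):
    """Count ANY queries per client, per queried name and per upstream.

    A 'forwarded' line carries no query type, so it is attributed to the
    most recent 'query' line seen for the same name, which is the same
    heuristic a person applies when reading the log by eye.
    """
    by_client, by_upstream, by_name = Counter(), Counter(), Counter()
    last_qtype = {}  # name -> qtype of the most recent query for that name
    total_any = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separator lines such as "..." or non-dnsmasq noise
        msg = m.group("msg")
        extra = EXTRA_RE.match(msg)
        if extra:
            msg = extra.group("rest")
        q = QUERY_RE.match(msg)
        if q:
            last_qtype[q["name"]] = q["qtype"]
            if q["qtype"] == "ANY":
                total_any += 1
                by_client[q["client"]] += 1
                by_name[q["name"]] += 1
            continue
        f = FORWARD_RE.match(msg)
        if f and last_qtype.get(f["name"]) == "ANY":
            by_upstream[f["upstream"]] += 1
    return {
        "total_any": total_any,
        "by_client": dict(by_client),
        "by_upstream": dict(by_upstream),
        "by_name": dict(by_name),
    }


def noisy_any_clients(summary, threshold=3):
    """Clients that sent at least `threshold` ANY queries in the log window."""
    return sorted(c for c, n in summary["by_client"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize_any_queries(SAMPLE_LOG)
    print("ANY queries seen:", s["total_any"])
    print("per client:     ", s["by_client"])
    print("per upstream:   ", s["by_upstream"])
    print("clients to look at:", noisy_any_clients(s))
```

To run it over a real log, replace `SAMPLE_LOG` with the contents of /var/log/pihole.log (the `query`/`forwarded` format is the same). The per-upstream count is what tells you whether the ANY traffic is going to a resolver that answers it (Quad9, Google, your own unbound) or one that returns NOTIMP.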

Why are you using ANY queries? That's a bad practice to do.

It's only for test reasons.
If other global DNS resolvers resolve ANY queries, why doesn't Pi-hole want to do that?

Because there is no reason to and as has been pointed out to you, other global DNS resolvers are blocking ANY queries now as they are useless and are used for targeted attacks.

Unbound even has the option of specifically blocking ANY types:

deny-any: <yes or no>
    If yes, deny queries of type ANY with an empty response. Default is no.
    If disabled, unbound responds with a short list of resource records if
    some can be found in the cache and makes the upstream type ANY query if
    there are none.

As you see, either the queries are denied completely or you get what is in unbound's cache first before it will even make an upstream query.
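
For anyone running unbound as Pi-hole's upstream, the practical question is whether `deny-any` is actually set. The shell snippet below is an added example, not from this thread or the unbound project: it writes two constructed unbound.conf files (one with the default behaviour, one with `deny-any: yes`) and reports the effective value of the option for each, treating an absent setting as the documented default of `no`. The file names and the `server:` contents are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the unbound project.
# Report the effective value of unbound's "deny-any" option for a config
# file. Assumption: the option, if present, lives in the server: clause as
# "deny-any: yes|no"; unbound's documented default when absent is "no".

unbound_deny_any() {
    cfg="$1"
    # Drop comments first so "#deny-any: yes" is not mistaken for a setting,
    # then take the last deny-any value seen (a later line overrides).
    val=$(sed 's/#.*//' "$cfg" | awk -F: '
        /^[[:space:]]*deny-any[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); v = $2 }
        END { print v }')
    if [ -z "$val" ]; then
        echo "no"          # option absent: documented default
    else
        echo "$val"
    fi
}

# Write two constructed configs: the permissive default and a hardened one.
write_sample_configs() {
    dir="$1"
    cat > "$dir/default.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    # deny-any: yes   <- commented out, so it must not count as set
EOF
    cat > "$dir/hardened.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    deny-any: yes   # answer ANY with an empty response instead of forwarding
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
echo "default.conf  -> deny-any: $(unbound_deny_any "$tmp/default.conf")"
echo "hardened.conf -> deny-any: $(unbound_deny_any "$tmp/hardened.conf")"
```

Point `unbound_deny_any` at your real config (for a Pi-hole install typically under /etc/unbound/unbound.conf.d/) to see which side of the man page text above you are on; `unbound-checkconf` will tell you whether the edited file still parses before you restart the service.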

Then change your tests, they are outdated.

Thanks for your explanation.
We can close this case.
