Pihole status green, but queries not working

Expected and Actual Behavior:

Trying to run:
dig google.com @<dns.server.ip>
I expect to get a response, but I don't get any response (times out).

;; communications error to <ip>#53: timed out
;; no servers could be reached

Running pihole status gives me all green.

-OS: "Ubuntu 22.04.3 LTS"

Debug Token:

https://tricorder.pi-hole.net/VTwG95He/

Your Pi-hole is exposed to the Internet.

Ports 80, 443, 53 and 22 are open.

This is a safety risk and it could be used as an open resolver.

I'm really only using this while developing, my firewall blocks all incoming traffic otherwise.
Is this what's causing the issue? It's worked so far...

No, it doesn't.
Ports are open:
https://dnschecker.org/port-scanner.php?query=<YOUR_EXTERNAL_IP>

Also, http://<YOUR_EXTERNAL_IP>/admin/login.php shows Pi-hole web interface login page.

I've been debugging for the past few hours, will be disabled if you try now.

Is this what's causing the issue?

You closed all ports except port 22. Make sure your server is safe.

Maybe.

Check if you have any rules blocking internal traffic (inside your network) to ports 80, 53 or 4711.

In the documentation you can find a list of ports used by Pi-hole and some firewall configurations:

Note:
These ports should always be closed to external traffic.

I'm fairly certain it's not the firewall, because when it's disabled it has worked in the past.

I'm not sure why pihole is listening on port 53, but when I try to query it I time out (debug logs show this too). Any other things to help diagnose this?

Pi-hole is listening on port 53 because this is the port used by DNS.

From the terminal on the Pi-hole host OS, what is the output of the following command:

dig flurry.com @127.0.0.1

As jfb said, 53 is the DNS port.
Also, this is explained in the link I posted above (Prerequisites - Pi-hole documentation).

Please read the full statement: I understand that pihole needs to use port 53 to listen to dns, however even though it is listening, none of my dns queries are reaching it.

(I had to change the at symbol due to discourse error)

dig flurry.com at127.0.0.1

;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> flurry.com at127.0.0.1
;; global options: +cmd
;; no servers could be reached

The same is also indicated in the tricorder logs: listening works, but queries fail.

If you wrap your text in code block format, you can post these symbols.

Instead of just the text, put the ` character before and after.

dig flurry.com @ 127.0.0.1

Not following you here. Please clarify.

And, please upload a fresh debug token and post the URL here.

It seems you are running a cloud-based Pi-hole on Linode/Akamai infrastructure.

Your debug log shows your Pi-hole is receiving traffic from public IPs.

You are running your Pi-hole as a publicly available open resolver.

Open resolvers pose a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

One sensible use case of setting up Pi-hole in the cloud is to be exclusively accessible for VPN clients via authenticated, secure VPN connections.
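
Added example, not part of the original thread and not Pi-hole's own code: a self-check for the open-resolver condition described above, which classifies the reply a host outside your network gets from a DNS server you administer. The names `build_query`, `classify_response` and `probe` are assumptions, and the sample replies are constructed (192.0.2.1 is a documentation address).

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal A/IN query with RD=1 (recursion desired)."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify_response(query, response):
    """Classify the reply an outside host received; None means the query timed out."""
    if response is None:
        return "filtered"             # firewall dropped it: the desired state for port 53
    if len(response) < 12:
        return "malformed"
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "malformed"            # wrong transaction ID or QR bit not set
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"              # server reachable but declines outside clients
    if flags & 0x0080 and rcode == 0 and ancount > 0:
        return "open-resolver"        # RA set and a recursive answer was returned
    return "no-recursion"

def probe(server, name="example.com", timeout=3.0):
    """Send one query to a server you administer, from a host outside its network."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            response, _ = s.recvfrom(4096)
        except OSError:               # includes socket timeouts
            response = None
    return classify_response(query, response)

# Constructed sample replies so the classifier can be exercised offline.
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in [("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("timeout", None)]:
        print(label, "->", classify_response(QUERY, reply))
```

From an outside host, `probe("<YOUR_EXTERNAL_IP>")` should return "filtered" or "refused"; "open-resolver" means port 53 is answering recursive queries for the public Internet.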