I've been using PiHole and Unbound on my Pi 4 for a few months now and it's been fine.
However, last week my OpenWRT router (Archer C7v2, OpenWRT v.22.03.4) turned off its Wifi for no apparent reason, which I fixed, but after that the DNS stopped working until I unchecked DNSSEC in the PiHole settings.
Any reason why this might have happened? DNSSEC was working fine before (at least I'm fairly certain it was). I'd like to re-enable it, if possible. If I turn it back on, DNS stops working.
Do I need to set a "trust anchor" or something? I could very well have misconfigured something or just not set it up correctly in the first place... I'm new to all of this Pi / PiHole / Unbound stuff, but am fairly tech literate. Just not sure what's going on with DNSSEC.
The debug log cut off towards the end, but it's best to send these via the official debug server. To do that, can you run it again please and let it upload when prompted? It will give you a debug token URL which you can post here.
Also what is the output of the command below please? You can post that here. It will show your Unbound related config files without all their comments.
Well, I just didn't want the MAC addresses being sent to another server, so I removed those and posted the log here. Can you just use what I posted here, by chance?
Here's the output of the command you asked me to run:
Can you go into more detail – in what way did DNS stop working?
When using Unbound as per the Pi-hole guide then DNSSEC is always running. The DNSSEC option in Pi-hole just tells Pi-hole to capture the DNSSEC responses and displays them on an extra line in the Status column. They are also logged.
How did you install Unbound? If you used the apt package manager then the root hints are taken care of automatically as part of that process.
The debug log part you posted appears to show Pi-hole working okay; it's blocking ad domains. Pi-hole appears unable to reach a public DNS server, but it can reach your router, so is there a setting in your router which is firewalling Pi-hole from reaching DNS externally perhaps?
The only other part which stands out is in your Unbound config
I understand, but even one person gaining access to someone's MAC addresses isn't wise, nor is it good security practice, so I'd rather not. Hopefully you can understand.
Websites don't come up, says "server not found", etc.
Yes, via apt.
Well, DNSSEC is currently off, because it renders the internet unusable. So, if I enable DNSSEC and re-run the debug log it might not show that (but I'm not sure). Should I try doing that?
I'm not sure, I don't recall changing it.
Actually, I think I also used this page as reference at some point, because it has that value - maybe I copied it from there, but I'm not sure since it was a few months ago and my notes don't include those details:
What shows up in the Query Log when that happens (ie DNSSEC is on)? Do you see BOGUS or some other message?
This is where the unredacted debug log would be useful. It includes the head and tail of the pihole.log which has some of this info. Your diligence about MAC addresses is good, and, as jfb says, only the Pi-hole debug team has access to the logs on the authenticated server and they are automatically deleted after 48 hours. It's done that way to provide a good balance between privacy and access to practical logs for debugging. The info is only used for debugging that log, so please have no concerns about submitting logs.
Good idea, will help see if anything crops up, and you can check the Query Log afterwards for the above DNSSEC messages. Please let it upload and then post the debug token URL.
Can you edit it to be 1232? Might as well eliminate it as a variable.
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
...edit the line to use the value 1232, save changes...
sudo service unbound restart
It's worth doing the DNSSEC tests and seeing what they give.
Ok, I enabled the DNSSEC checkbox in PiHole Settings.
Ok, I changed that.
After making those changes, I browsed to a few places and let some email accounts try checking for new mail.
Here are some snippets of what I saw in the PiHole Query Log after enabling DNSSEC in PiHole (yes, BOGUS msgs):
2023-08-24 20:52:11 DS pi-hole.net pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:52:11 A discourse.pi-hole.net 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (0.6ms)
2023-08-24 20:52:11 DS pi-hole.net pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:52:11 A discourse.pi-hole.net 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (0.7ms)
2023-08-24 20:52:11 DS pi-hole.net pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:52:11 A discourse.pi-hole.net 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (0.6ms)
2023-08-24 20:57:56 DS readthedocs.io pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:57:56 A unbound.docs.nlnetlabs.nl 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (1.7ms)
2023-08-24 20:57:56 DS readthedocs.io pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:57:56 A unbound.docs.nlnetlabs.nl 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (1.7ms)
2023-08-24 20:57:56 DS readthedocs.io pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:00 DS livechatinc.com pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:00 A api.livechatinc.com 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (0.6ms)
2023-08-24 20:58:00 DS livechatinc.com pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:00 A api.livechatinc.com 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (0.6ms)
2023-08-24 20:58:00 DS livechatinc.com pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:00 A api.livechatinc.com 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (0.6ms)
2023-08-24 20:58:36 A imap.mail.me.com.lan 192.168.1.104 OK (cache)
SECURE NXDOMAIN (0.1ms)
2023-08-24 20:58:36 A smtp.mail.me.com.lan 192.168.1.104 OK (cache)
SECURE NXDOMAIN (0.1ms)
2023-08-24 20:58:36 AAAA smtp.mail.me.com.lan 192.168.1.104 OK (cache)
SECURE NXDOMAIN (0.1ms)
2023-08-24 20:58:36 DS me.com pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:36 AAAA imap.mail.me.com 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (1.5ms)
2023-08-24 20:58:36 DS me.com pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:36 A imap.mail.me.com 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (1.7ms)
2023-08-24 20:58:36 DS me.com pi.hole OK (sent to localhost#5335) N/A
2023-08-24 20:58:36 A smtp.mail.me.com 192.168.1.104 OK (answered by localhost#5335)
BOGUS (DNSSEC sig not yet valid) CNAME (1.7ms)
Well, I still think it is very bad security practice that your debug script uploads users' MAC addresses. It doesn't matter how many people can see it, it matters that it is being uploaded to any server off of someone's personal machine or server, especially considering most people don't know the potential security implications of doing this. Frankly, I'm surprised you are doing this and even allowing this to occur.
MAC addresses are network hardware addresses that people cannot change, not like IP addresses, which can be. They are tied to a person's machine / device permanently or until they get a new network card. I would highly encourage you guys to modify your debug script to redact all MAC addresses before uploading.
People should absolutely be concerned about allowing their machine's / device's MAC addresses to be uploaded to an unknown server and viewable by anyone at all.
I will include my debug log here, without MAC addresses:
*** [ INITIALIZING ]
[i] 2023-08-24:13:52:37 debug log has been initialized.
[i] System has been running for 1 days, 0 hours, 12 minutes
*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...
*** [ DIAGNOSING ]: Core version
[✓] Version: v5.17.1
[i] Remotes: origin https://github.com/pi-hole/pi-hole.git (fetch)
origin https://github.com/pi-hole/pi-hole.git (push)
[i] Branch: master
[i] Commit: v5.17.1-0-g6a45c6a
*** [ DIAGNOSING ]: Web version
[✓] Version: v5.20.1
[i] Remotes: origin https://github.com/pi-hole/AdminLTE.git (fetch)
origin https://github.com/pi-hole/AdminLTE.git (push)
[i] Branch: master
[i] Commit: v5.20.1-0-g3a11976
*** [ DIAGNOSING ]: FTL version
[✓] Version: v5.23
[i] Branch: master
[i] Commit: d201776e
*** [ DIAGNOSING ]: lighttpd version
[i] 1.4.59
*** [ DIAGNOSING ]: php version
[i] 7.4.33
*** [ DIAGNOSING ]: Operating system
[i] Distro: Raspbian
[i] Version: 11
[✗] dig return code: 10
[✗] dig response: dig: couldn't get address for 'ns1.pi-hole.net': failure
[✗] Error: dig command failed - Unable to check OS
*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected
*** [ DIAGNOSING ]: FirewallD
[i] Firewalld service inactive
*** [ DIAGNOSING ]: Processor
[✓] aarch64
*** [ DIAGNOSING ]: Disk usage
Filesystem Size Used Avail Use% Mounted on
/dev/root 29G 2.6G 26G 10% /
devtmpfs 1.7G 0 1.7G 0% /dev
tmpfs 1.9G 1.4M 1.9G 1% /dev/shm
tmpfs 759M 1.1M 758M 1% /run
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
/dev/mmcblk0p1 255M 51M 205M 20% /boot
*** [ DIAGNOSING ]: Network interfaces and addresses
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ******* brd ff:ff:ff:ff:ff:ff
inet 192.168.1.105/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
valid_lft 2504840sec preferred_lft 2504840sec
inet6 fe80::975:8159:c907:3d6c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether ******* brd ff:ff:ff:ff:ff:ff permaddr *******
*** [ DIAGNOSING ]: Network routing table
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.105 metric 100
*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
192.168.1.105/24
[✓] IPv6 address(es) bound to the eth0 interface:
fe80::975:8159:c907:3d6c/64
[i] Default IPv4 gateway(s):
192.168.1.1
* Pinging first gateway 192.168.1.1...
[✓] Gateway responded.
[i] Default IPv6 gateway(s):
*** [ DIAGNOSING ]: Ports in use
udp:0.0.0.0:60616 is in use by avahi-daemon
udp:127.0.0.1:5335 is in use by unbound
udp:0.0.0.0:5353 is in use by avahi-daemon
[✓] udp:0.0.0.0:53 is in use by pihole-FTL
udp:*:5353 is in use by avahi-daemon
udp:*:46371 is in use by avahi-daemon
[✓] udp:*:53 is in use by pihole-FTL
tcp:0.0.0.0:44323 is in use by pmproxy
tcp:0.0.0.0:44322 is in use by pmproxy
tcp:0.0.0.0:44321 is in use by pmcd
tcp:127.0.0.1:5335 is in use by unbound
tcp:0.0.0.0:22 is in use by sshd
[✓] tcp:0.0.0.0:53 is in use by pihole-FTL
[✓] tcp:0.0.0.0:80 is in use by lighttpd
tcp:127.0.0.1:25 is in use by exim4
tcp:0.0.0.0:4331 is in use by pmlogger
tcp:0.0.0.0:4330 is in use by pmlogger
tcp:127.0.0.1:8953 is in use by unbound
[✓] tcp:127.0.0.1:4711 is in use by pihole-FTL
tcp:[::]:44323 is in use by pmproxy
tcp:[::]:44322 is in use by pmproxy
tcp:[::]:44321 is in use by pmcd
tcp:[::1]:25 is in use by exim4
[✓] tcp:[::1]:4711 is in use by pihole-FTL
tcp:[::]:22 is in use by sshd
[✓] tcp:[::]:53 is in use by pihole-FTL
[✓] tcp:[::]:80 is in use by lighttpd
tcp:[::]:4331 is in use by pmlogger
tcp:[::]:4330 is in use by pmlogger
tcp:*:9090 is in use by systemd
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] managersurf.tk is 0.0.0.0 on lo (127.0.0.1)
[✓] managersurf.tk is 0.0.0.0 on eth0 (192.168.1.105)
[✓] No IPv4 address available on wlan0
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)
*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] kelatedaily.myradiotoolbar.com is :: on lo (::1)
[✓] kelatedaily.myradiotoolbar.com is :: on eth0 (fe80::975:8159:c907:3d6c)
[✓] No IPv6 address available on wlan0
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)
*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
Scanning all your interfaces for DHCP servers
Timeout: 10 seconds
* Received 310 bytes from eth0:192.168.1.1
Offered IP address: 192.168.1.105
Server IP address: 192.168.1.1
Relay-agent IP address: N/A
BOOTP server: (empty)
BOOTP file: (empty)
DHCP options:
Message type: DHCPOFFER (2)
server-identifier: 192.168.1.1
lease-time: 2592000 ( 30d )
renewal-time: 1296000 ( 15d )
rebinding-time: 2268000 ( 26d 6h )
netmask: 255.255.255.0
broadcast: 192.168.1.255
router: 192.168.1.1
domain-name: "lan"
hostname: "raspberrypi"
dns-server: 192.168.1.105
--- end of options ---
DHCP packets received on interface eth0: 1
*** [ DIAGNOSING ]: Pi-hole processes
[✓] lighttpd daemon is active
[✓] pihole-FTL daemon is active
*** [ DIAGNOSING ]: Pi-hole-FTL full status
● pihole-FTL.service - Pi-hole FTL
Loaded: loaded (/etc/systemd/system/pihole-FTL.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-08-24 13:49:00 PDT; 3min 57s ago
Process: 12980 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh (code=exited, status=0/SUCCESS)
Main PID: 12993 (pihole-FTL)
Tasks: 19 (limit: 3933)
CPU: 1.437s
CGroup: /system.slice/pihole-FTL.service
└─12993 /usr/bin/pihole-FTL -f
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] MOZILLA_CANARY: Enabled
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] PIHOLE_PTR: internal PTR generation enabled (pi.hole)
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] ADDR2LINE: Enabled
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] REPLY_WHEN_BUSY: Drop queries when the database is busy
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] BLOCK_TTL: 2 seconds
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] BLOCK_ICLOUD_PR: Enabled
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] CHECK_LOAD: Enabled
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] CHECK_SHMEM: Warning if shared-memory usage exceeds 90%
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993M] CHECK_DISK: Warning if certain disk usage exceeds 90%
Aug 24 13:49:00 raspberrypi pihole-FTL[12993]: [2023-08-24 13:49:00.529 12993
*** [ DIAGNOSING ]: Lighttpd configuration test
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_CA.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_CA.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
[✓] No error in lighttpd configuration
*** [ DIAGNOSING ]: Setup variables
PIHOLE_INTERFACE=eth0
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
BLOCKING_ENABLED=true
DHCP_ACTIVE=false
DHCP_START=192.168.1.201
DHCP_END=192.168.1.251
DHCP_ROUTER=192.168.1.1
DHCP_LEASETIME=24
PIHOLE_DOMAIN=lan
DHCP_IPv6=false
DHCP_rapid_commit=false
DNSSEC=true
REV_SERVER=false
PIHOLE_DNS_1=127.0.0.1#5335
*** [ DIAGNOSING ]: Dashboard headers
[✓] Web interface X-Header: X-Pi-hole: The Pi-hole Web interface is working!
*** [ DIAGNOSING ]: Pi-hole FTL Query Database
-rw-rw-r-- 1 pihole pihole 44M Aug 24 13:52 /etc/pihole/pihole-FTL.db
*** [ DIAGNOSING ]: Gravity Database
-rw-rw-r-- 1 pihole pihole 128M Aug 20 04:06 /etc/pihole/gravity.db
*** [ DIAGNOSING ]: Info table
property value
-------------------- ----------------------------------------
version 15
updated 1692529591
gravity_count 1948201
Last gravity run finished at: Sun Aug 20 04:06:31 PDT 2023
----- First 10 Gravity Domains -----
localhost.localdomain
ck.getcookiestxt.com
eu1.clevertap-prod.com
wizhumpgyros.com
coccyxwickimp.com
webmail-who-int.000webhostapp.com
010sec.com
01mspmd5yalky8.com
0byv9mgbn0.com
ns6.0pendns.org
*** [ DIAGNOSING ]: Groups
id enabled name date_added date_modified description
---- ------- -------------------------------------------------- ------------------- ------------------- --------------------------------------------------
0 1 Default 2023-04-05 22:23:49 2023-04-05 22:23:49 The default group
*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
id type enabled group_ids domain date_added date_modified comment
----- ---- ------- ------------ ---------------------------------------------------------------------------------------------------- ------------------- ------------------- --------------------------------------------------
30 0 1 0 aax-us-east.amazon-adsystem.com 2023-05-07 09:49:47 2023-05-07 09:49:47 Added from Query Log
54 1 1 0 rtb2-useast.e-volution.ai 2023-08-02 10:50:27 2023-08-02 10:50:27 Added from Query Log
*** [ DIAGNOSING ]: Clients
id group_ids ip date_added date_modified comment
---- ------------ ---------------------------------------------------------------------------------------------------- ------------------- ------------------- --------------------------------------------------
1 0 4C:32:75:92:B9:65 2023-04-19 21:45:29 2023-04-19 21:45:29 laptop
*** [ DIAGNOSING ]: Adlists
id enabled group_ids address date_added date_modified comment
----- ------- ------------ ---------------------------------------------------------------------------------------------------- ------------------- ------------------- --------------------------------------------------
1 1 0 https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts 2023-04-05 22:23:51 2023-04-05 22:23:51 Migrated from /etc/pihole/adlists.list
6 1 0 https://blocklistproject.github.io/Lists/everything.txt 2023-04-14 23:12:52 2023-04-14 23:12:52 Everything list from https://github.com/blocklistp
roject/Lists
7 1 0 https://v.firebog.net/hosts/Easyprivacy.txt 2023-04-14 23:19:53 2023-04-14 23:19:53 Easyprivacy list from https://firebog.net/
8 1 0 https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt 2023-04-14 23:20:11 2023-04-14 23:20:11 First party trackers list from https://firebog.net
/
9 1 0 https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt 2023-04-14 23:26:00 2023-04-14 23:26:00 Suspicious list from https://firebog.net/
10 1 0 https://v.firebog.net/hosts/static/w3kbl.txt 2023-04-14 23:27:56 2023-04-14 23:27:56 Personal Blocklist by WaLLy3K from https://firebog
.net/
11 1 0 https://public-dns.info/nameservers-all.txt 2023-04-14 23:41:35 2023-04-14 23:41:35 Block all DNS servers to address DoH https://labzi
lla.io/blog/force-dns-pihole
*** [ DIAGNOSING ]: contents of /etc/pihole
-rw-r--r-- 1 root root 0 Apr 5 22:23 /etc/pihole/custom.list
-rw-r--r-- 1 root root 65 Aug 20 04:06 /etc/pihole/local.list
-rw-r--r-- 1 root root 241 Apr 5 22:23 /etc/pihole/logrotate
/var/log/pihole/pihole.log {
su root root
daily
copytruncate
rotate 5
compress
delaycompress
notifempty
nomail
}
/var/log/pihole/FTL.log {
su root root
weekly
copytruncate
rotate 3
compress
delaycompress
notifempty
nomail
}
-rw-rw-r-- 1 pihole root 147 Aug 24 13:48 /etc/pihole/pihole-FTL.conf
PRIVACYLEVEL=0
RATE_LIMIT=2000/120
-rw-r--r-- 1 root root 325 Aug 23 15:54 /etc/pihole/versions
CORE_VERSION=v5.17.1
CORE_BRANCH=master
CORE_HASH=6a45c6a8
GITHUB_CORE_VERSION=v5.17.1
GITHUB_CORE_HASH=8495565a
WEB_VERSION=v5.20.1
WEB_BRANCH=master
WEB_HASH=3a11976e
GITHUB_WEB_VERSION=v5.20.1
GITHUB_WEB_HASH=41682f17
FTL_VERSION=v5.23
FTL_BRANCH=master
FTL_HASH=d201776e
GITHUB_FTL_VERSION=v5.23
GITHUB_FTL_HASH=1a114133
*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d
-rw-r--r-- 1 root root 1.5K Aug 24 13:48 /etc/dnsmasq.d/01-pihole.conf
addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list
localise-queries
no-resolv
log-queries
log-facility=/var/log/pihole/pihole.log
log-async
cache-size=10000
server=127.0.0.1#5335
domain-needed
expand-hosts
bogus-priv
dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
local-service
-rw-r--r-- 1 root root 2.2K Jun 19 09:43 /etc/dnsmasq.d/06-rfc6761.conf
server=/test/
server=/localhost/
server=/invalid/
server=/bind/
server=/onion/
-rw-r--r-- 1 root root 53 May 15 12:26 /etc/dnsmasq.d/10-NXDOMAIN.conf
server=/mask.icloud.com/
server=/mask-h2.icloud.com/
-rw-r--r-- 1 root root 21 Apr 14 08:52 /etc/dnsmasq.d/99-edns.conf
edns-packet-max=1232
*** [ DIAGNOSING ]: contents of /etc/lighttpd
-rw-r--r-- 1 root root 2.2K Jan 19 2022 /etc/lighttpd/lighttpd.conf
server.modules = (
"mod_indexfile",
"mod_access",
"mod_alias",
"mod_redirect",
)
server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
server.feature-flags += ("server.h2proto" => "enable")
server.feature-flags += ("server.h2c" => "enable")
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
server.http-parseopts = (
"header-strict" => "enable",# default
"host-strict" => "enable",# default
"host-normalize" => "enable",# default
"url-normalize-unreserved"=> "enable",# recommended highly
"url-normalize-required" => "enable",# recommended
"url-ctrls-reject" => "enable",# recommended
"url-path-2f-decode" => "enable",# recommended highly (unless breaks app)
"url-path-dotseg-remove" => "enable",# recommended highly (unless breaks app)
)
index-file.names = ( "index.php", "index.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
server.modules += (
"mod_dirlisting",
"mod_staticfile",
)
*** [ DIAGNOSING ]: contents of /etc/lighttpd/conf.d
/etc/lighttpd/conf.d does not exist.
*** [ DIAGNOSING ]: contents of /etc/lighttpd/conf-enabled
total 0
lrwxrwxrwx 1 root root 32 Apr 5 22:23 05-setenv.conf -> ../conf-available/05-setenv.conf
lrwxrwxrwx 1 root root 35 Apr 5 22:23 10-accesslog.conf -> ../conf-available/10-accesslog.conf
lrwxrwxrwx 1 root root 33 Apr 5 22:23 10-fastcgi.conf -> ../conf-available/10-fastcgi.conf
lrwxrwxrwx 1 root root 38 Apr 5 22:23 15-pihole-admin.conf -> ../conf-available/15-pihole-admin.conf
lrwxrwxrwx 1 root root 38 Apr 5 22:22 99-unconfigured.conf -> ../conf-available/99-unconfigured.conf
lrwxrwxrwx 1 root root 38 Apr 5 22:23 /etc/lighttpd/conf-enabled/15-pihole-admin.conf -> ../conf-available/15-pihole-admin.conf
server.errorlog := "/var/log/lighttpd/error-pihole.log"
$HTTP["url"] =~ "^/admin/" {
server.document-root = "/var/www/html"
server.stream-response-body = 1
accesslog.filename = "/var/log/lighttpd/access-pihole.log"
accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
fastcgi.server = (
".php" => (
"localhost" => (
"socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
"bin-path" => "/usr/bin/php-cgi",
"min-procs" => 1,
"max-procs" => 1,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "4",
"PHP_FCGI_MAX_REQUESTS" => "10000",
),
"bin-copy-environment" => (
"PATH", "SHELL", "USER"
),
"broken-scriptfilename" => "enable",
)
)
)
setenv.add-response-header = (
"X-Pi-hole" => "The Pi-hole Web interface is working!",
"X-Frame-Options" => "DENY",
"X-XSS-Protection" => "0",
"X-Content-Type-Options" => "nosniff",
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "same-origin"
)
$HTTP["url"] =~ "^/admin/\." {
url.access-deny = ("")
}
$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
$HTTP["referer"] =~ "/admin/settings\.php" {
setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
}
}
}
else $HTTP["url"] == "/admin" {
url.redirect = ("" => "/admin/")
}
$HTTP["host"] == "pi.hole" {
$HTTP["url"] == "/" {
url.redirect = ("" => "/admin/")
}
}
server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )
*** [ DIAGNOSING ]: contents of /etc/cron.d
-rw-r--r-- 1 root root 1.7K Jun 19 09:43 /etc/cron.d/pihole
6 4 * * 7 root PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updateGravity >/var/log/pihole/pihole_updateGravity.log || cat /var/log/pihole/pihole_updateGravity.log
00 00 * * * root PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole flush once quiet
@reboot root /usr/sbin/logrotate --state /var/lib/logrotate/pihole /etc/pihole/logrotate
54 15 * * * root PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker
@reboot root PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker reboot
*** [ DIAGNOSING ]: contents of /var/log/lighttpd
-rw-r--r-- 1 www-data www-data 350 Aug 23 13:39 /var/log/lighttpd/error-pihole.log
-----head of error-pihole.log------
2023-08-20 00:00:16: server.c.1787) logfiles cycled UID = 0 PID = 28573
2023-08-23 13:38:50: server.c.1976) server stopped by UID = 0 PID = 1
2023-08-23 13:39:02: server.c.1513) server started (lighttpd/1.4.59)
2023-08-23 13:39:46: server.c.1976) server stopped by UID = 0 PID = 1
2023-08-23 13:39:58: server.c.1513) server started (lighttpd/1.4.59)
-----tail of error-pihole.log------
2023-08-20 00:00:16: server.c.1787) logfiles cycled UID = 0 PID = 28573
2023-08-23 13:38:50: server.c.1976) server stopped by UID = 0 PID = 1
2023-08-23 13:39:02: server.c.1513) server started (lighttpd/1.4.59)
2023-08-23 13:39:46: server.c.1976) server stopped by UID = 0 PID = 1
2023-08-23 13:39:58: server.c.1513) server started (lighttpd/1.4.59)
*** [ DIAGNOSING ]: contents of /var/log/pihole
-rw-r--r-- 1 pihole pihole 15K Aug 24 13:49 /var/log/pihole/FTL.log
-----head of FTL.log------
[2023-08-24 06:59:46.542 627M] Resizing "FTL-dns-cache" from 8192 to (768 * 16) == 12288 (/dev/shm: 1.4MB used, 2.0GB total, FTL uses 1.4MB)
[2023-08-24 12:07:18.782 627M] Resizing "FTL-dns-cache" from 12288 to (1024 * 16) == 16384 (/dev/shm: 1.5MB used, 2.0GB total, FTL uses 1.4MB)
[2023-08-24 13:01:46.734 627M] Resizing "FTL-dns-cache" from 16384 to (1280 * 16) == 20480 (/dev/shm: 1.5MB used, 2.0GB total, FTL uses 1.4MB)
[2023-08-24 13:48:51.297 627M] Shutting down...
[2023-08-24 13:48:51.579 627M] Finished final database update (stored 8 queries)
[2023-08-24 13:48:51.579 627M] Waiting for threads to join
[2023-08-24 13:48:51.580 627M] Thread database (0) is idle, terminating it.
[2023-08-24 13:48:51.581 627M] Thread housekeeper (1) is idle, terminating it.
[2023-08-24 13:48:51.582 627M] Thread DNS client (2) is idle, terminating it.
[2023-08-24 13:48:51.582 627M] All threads joined
[2023-08-24 13:48:51.582 627M] Joining API worker thread 0
[2023-08-24 13:48:51.582 627M] Joining API worker thread 1
[2023-08-24 13:48:51.583 627M] Joining API worker thread 2
[2023-08-24 13:48:51.583 627M] Joining API worker thread 3
[2023-08-24 13:48:51.583 627M] Joining API worker thread 4
[2023-08-24 13:48:51.587 627M] ########## FTL terminated after 1d 8m 53s (code 0)! ##########
[2023-08-24 13:48:51.768 12913M] Using log file /var/log/pihole/FTL.log
[2023-08-24 13:48:51.768 12913M] ########## FTL started on raspberrypi! ##########
[2023-08-24 13:48:51.768 12913M] FTL branch: master
[2023-08-24 13:48:51.768 12913M] FTL version: v5.23
[2023-08-24 13:48:51.768 12913M] FTL commit: d201776e
[2023-08-24 13:48:51.769 12913M] FTL date: 2023-05-28 11:55:26 +0100
[2023-08-24 13:48:51.769 12913M] FTL user: pihole
[2023-08-24 13:48:51.769 12913M] Compiled for armv8a (compiled on CI) using arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0
[2023-08-24 13:48:51.769 12913M] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2023-08-24 13:48:51.769 12913M] SOCKET_LISTENING: only local
[2023-08-24 13:48:51.769 12913M] AAAA_QUERY_ANALYSIS: Show AAAA queries
[2023-08-24 13:48:51.769 12913M] MAXDBDAYS: max age for stored queries is 365 days
[2023-08-24 13:48:51.769 12913M] RESOLVE_IPV6: Resolve IPv6 addresses
[2023-08-24 13:48:51.769 12913M] RESOLVE_IPV4: Resolve IPv4 addresses
[2023-08-24 13:48:51.769 12913M] DBINTERVAL: saving to DB file every minute
[2023-08-24 13:48:51.769 12913M] DBFILE: Using /etc/pihole/pihole-FTL.db
[2023-08-24 13:48:51.769 12913M] MAXLOGAGE: Importing up to 24.0 hours of log data
[2023-08-24 13:48:51.770 12913M] PRIVACYLEVEL: Set to 0
[2023-08-24 13:48:51.770 12913M] IGNORE_LOCALHOST: Show queries from localhost
-----tail of FTL.log------
[2023-08-24 13:49:00.529 12993M] BLOCK_TTL: 2 seconds
[2023-08-24 13:49:00.529 12993M] BLOCK_ICLOUD_PR: Enabled
[2023-08-24 13:49:00.529 12993M] CHECK_LOAD: Enabled
[2023-08-24 13:49:00.529 12993M] CHECK_SHMEM: Warning if shared-memory usage exceeds 90%
[2023-08-24 13:49:00.529 12993M] CHECK_DISK: Warning if certain disk usage exceeds 90%
[2023-08-24 13:49:00.529 12993M] Finished config file parsing
[2023-08-24 13:49:00.534 12993M] Creating mutex
[2023-08-24 13:49:00.534 12993M] Creating mutex
[2023-08-24 13:49:00.536 12993M] PID of FTL process: 12993
[2023-08-24 13:49:00.537 12993M] Database version is 12
[2023-08-24 13:49:00.537 12993M] Resizing "FTL-strings" from 40960 to (81920 * 1) == 81920 (/dev/shm: 1.2MB used, 2.0GB total, FTL uses 1.2MB)
[2023-08-24 13:49:00.537 12993M] Imported 0 alias-clients
[2023-08-24 13:49:00.538 12993M] Database successfully initialized
[2023-08-24 13:49:00.555 12993M] New upstream server: 127.0.0.1:5335 (0/1024)
[2023-08-24 13:49:00.592 12993M] Imported 4083 queries from the long-term database
[2023-08-24 13:49:00.593 12993M] -> Total DNS queries: 4083
[2023-08-24 13:49:00.593 12993M] -> Cached DNS queries: 1415
[2023-08-24 13:49:00.593 12993M] -> Forwarded DNS queries: 2021
[2023-08-24 13:49:00.593 12993M] -> Blocked DNS queries: 647
[2023-08-24 13:49:00.593 12993M] -> Unknown DNS queries: 0
[2023-08-24 13:49:00.593 12993M] -> Unique domains: 510
[2023-08-24 13:49:00.593 12993M] -> Unique clients: 7
[2023-08-24 13:49:00.593 12993M] -> Known forward destinations: 1
[2023-08-24 13:49:00.593 12993M] Successfully accessed setupVars.conf
[2023-08-24 13:49:00.594 12993M] listening on 0.0.0.0 port 53
[2023-08-24 13:49:00.594 12993M] listening on :: port 53
[2023-08-24 13:49:00.597 12993M] PID of FTL process: 12993
[2023-08-24 13:49:00.598 12993M] Listening on port 4711 for incoming IPv4 telnet connections
[2023-08-24 13:49:00.598 12993M] Listening on port 4711 for incoming IPv6 telnet connections
[2023-08-24 13:49:00.599 12993M] Listening on port 4711 for incoming socket telnet connections
[2023-08-24 13:49:00.600 12993M] INFO: FTL is running as user pihole (UID 999)
[2023-08-24 13:49:00.601 12993M] Reloading DNS cache
[2023-08-24 13:49:00.716 12993/T13022] Compiled 0 whitelist and 8 blacklist regex filters for 7 clients in 13.9 msec
[2023-08-24 13:49:00.716 12993/T13022] Blocking status is enabled
[2023-08-24 13:49:06.626 12993M] Resizing "FTL-queries" from 180224 to (8192 * 44) == 360448 (/dev/shm: 1.3MB used, 2.0GB total, FTL uses 1.3MB)
*** [ DIAGNOSING ]: contents of /dev/shm
total 1.4M
-rw------- 1 pihole pihole 324K Aug 24 13:49 FTL-clients
-rw------- 1 pihole pihole 248 Aug 24 13:49 FTL-counters
-rw------- 1 pihole pihole 4.0K Aug 24 13:49 FTL-dns-cache
-rw------- 1 pihole pihole 20K Aug 24 13:49 FTL-domains
-rw------- 1 pihole pihole 56 Aug 24 13:49 FTL-lock
-rw------- 1 pihole pihole 12K Aug 24 13:49 FTL-overTime
-rw------- 1 pihole pihole 4.0K Aug 24 13:49 FTL-per-client-regex
-rw------- 1 pihole pihole 352K Aug 24 13:52 FTL-queries
-rw------- 1 pihole pihole 16 Aug 24 13:49 FTL-settings
-rw------- 1 pihole pihole 80K Aug 24 13:50 FTL-strings
-rw------- 1 pihole pihole 604K Aug 24 13:49 FTL-upstreams
*** [ DIAGNOSING ]: contents of /etc
-rw-r--r-- 1 root root 24 Jun 19 09:43 /etc/dnsmasq.conf
conf-dir=/etc/dnsmasq.d
-rw-r--r-- 1 root root 62 Aug 21 18:17 /etc/resolv.conf
search lan
nameserver 192.168.1.105
*** [ DIAGNOSING ]: Pi-hole diagnosis messages
*** [ DIAGNOSING ]: Locale
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
LANG=en_CA.UTF-8
*** [ DIAGNOSING ]: Pi-hole log
-rw-r----- 1 pihole pihole 1.1M Aug 24 13:52 /var/log/pihole/pihole.log
-----head of pihole.log------
Aug 24 00:00:27 dnsmasq[627]: query[AAAA] raspberrypi.lan from 192.168.1.105
Aug 24 00:00:27 dnsmasq[627]: forwarded raspberrypi.lan to 127.0.0.1#5335
Aug 24 00:00:27 dnsmasq[627]: reply raspberrypi.lan is NXDOMAIN
Aug 24 00:00:27 dnsmasq[627]: query[AAAA] raspberrypi from 192.168.1.105
Aug 24 00:00:27 dnsmasq[627]: Pi-hole hostname raspberrypi is fe80::975:8159:c907:3d6c
Aug 24 00:00:27 dnsmasq[627]: query[AAAA] raspberrypi.lan from 192.168.1.105
Aug 24 00:00:27 dnsmasq[627]: cached raspberrypi.lan is NXDOMAIN
Aug 24 00:00:27 dnsmasq[627]: query[AAAA] raspberrypi from 192.168.1.105
Aug 24 00:00:27 dnsmasq[627]: Pi-hole hostname raspberrypi is fe80::975:8159:c907:3d6c
Aug 24 00:06:14 dnsmasq[627]: query[A] time.g.aaplimg.com from 192.168.1.219
Aug 24 00:06:14 dnsmasq[627]: forwarded time.g.aaplimg.com to 127.0.0.1#5335
Aug 24 00:06:14 dnsmasq[627]: reply time.g.aaplimg.com is 17.253.4.125
Aug 24 00:06:14 dnsmasq[627]: reply time.g.aaplimg.com is 17.253.16.253
Aug 24 00:06:14 dnsmasq[627]: reply time.g.aaplimg.com is 17.253.16.125
Aug 24 00:08:15 dnsmasq[627]: query[HTTPS] cma.itunes.apple.com from 192.168.1.219
Aug 24 00:08:15 dnsmasq[627]: cached cma.itunes.apple.com is <CNAME>
Aug 24 00:08:15 dnsmasq[627]: forwarded cma.itunes.apple.com to 127.0.0.1#5335
Aug 24 00:08:15 dnsmasq[627]: query[A] cma.itunes.apple.com from 192.168.1.219
Aug 24 00:08:15 dnsmasq[627]: forwarded cma.itunes.apple.com to 127.0.0.1#5335
Aug 24 00:08:16 dnsmasq[627]: reply cma.itunes.apple.com is <CNAME>
-----tail of pihole.log------
Aug 24 13:52:37 dnsmasq[12993]: validation ns1.pi-hole.net is BOGUS
Aug 24 13:52:37 dnsmasq[12993]: reply ns1.pi-hole.net is 2600:9000:5301:9700::1
Aug 24 13:52:37 dnsmasq[12993]: validation ns1.pi-hole.net is BOGUS
Aug 24 13:52:37 dnsmasq[12993]: reply ns1.pi-hole.net is 205.251.193.151
Aug 24 13:52:37 dnsmasq[12993]: query[A] ns1.pi-hole.net.lan from 192.168.1.105
Aug 24 13:52:37 dnsmasq[12993]: forwarded ns1.pi-hole.net.lan to 127.0.0.1#5335
Aug 24 13:52:37 dnsmasq[12993]: query[AAAA] ns1.pi-hole.net.lan from 192.168.1.105
Aug 24 13:52:37 dnsmasq[12993]: forwarded ns1.pi-hole.net.lan to 127.0.0.1#5335
Aug 24 13:52:37 dnsmasq[12993]: validation result is SECURE
Aug 24 13:52:37 dnsmasq[12993]: reply ns1.pi-hole.net.lan is NXDOMAIN
Aug 24 13:52:37 dnsmasq[12993]: validation result is SECURE
Aug 24 13:52:37 dnsmasq[12993]: reply ns1.pi-hole.net.lan is NXDOMAIN
Aug 24 13:52:41 dnsmasq[12993]: query[A] managersurf.tk from 127.0.0.1
Aug 24 13:52:41 dnsmasq[12993]: gravity blocked managersurf.tk is 0.0.0.0
Aug 24 13:52:41 dnsmasq[12993]: query[A] managersurf.tk from 192.168.1.105
Aug 24 13:52:41 dnsmasq[12993]: gravity blocked managersurf.tk is 0.0.0.0
Aug 24 13:52:46 dnsmasq[12993]: query[AAAA] kelatedaily.myradiotoolbar.com from ::1
Aug 24 13:52:46 dnsmasq[12993]: gravity blocked kelatedaily.myradiotoolbar.com is ::
Aug 24 13:52:46 dnsmasq[12993]: query[AAAA] kelatedaily.myradiotoolbar.com from fe80::975:8159:c907:3d6c
Aug 24 13:52:46 dnsmasq[12993]: gravity blocked kelatedaily.myradiotoolbar.com is ::
********************************************
********************************************
[✓] ** FINISHED DEBUGGING! **
MAC addresses are layer 2, completely worthless outside of the local segment. Once you hit a router then the router is going to substitute its MAC in for any data link operations anyways.
Not really. Maybe if you're on the same switch but again, there's nothing valuable about a MAC address once you cross a border like a router.
Edit: Just as a guess as well, does your MAC contain 81 and 3D in its octets?
No, it was off by 4 hours. I changed it and now DNSSEC works, go figure. No more BOGUS (dude).
I included some records here (I just shift-reloaded the Unbound docs page I had open to get these):
| Time | Type | Domain | Client | Status | Reply |
|---|---|---|---|---|---|
| 2023-08-25 01:44:49 | DNSKEY | io | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (2.8ms) |
| 2023-08-25 01:44:49 | DS | readthedocs.io | pi.hole | OK (answered by localhost#5335) | NODATA (45.9ms) |
| 2023-08-25 01:44:49 | DS | io | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (1.2ms) |
| 2023-08-25 01:44:49 | DNSKEY | nlnetlabs.nl | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (2.9ms) |
| 2023-08-25 01:44:49 | DNSKEY | nl | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (7.8ms) |
| 2023-08-25 01:44:49 | DS | nlnetlabs.nl | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (12.0ms) |
| 2023-08-25 01:44:49 | DNSKEY | . | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (1.3ms) |
| 2023-08-25 01:44:49 | DS | nl | pi.hole | OK (answered by localhost#5335) SECURE | DNSSEC (3.1ms) |
| 2023-08-25 01:44:48 | A | unbound.docs.nlnetlabs.nl | 192.168.1.104 | OK (answered by localhost#5335) INSECURE | CNAME (826.6ms) |
| 2023-08-25 01:44:45 | PTR | 1.1.168.192.in-addr.arpa | pi.hole | OK (cache) INSECURE | NXDOMAIN (0.4ms) |
| 2023-08-25 01:44:45 | PTR | 1.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | NXDOMAIN (0.5ms) |
| 2023-08-25 01:44:45 | PTR | c.6.d.3.7.0.9.c.9.5.1.8.5.7.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | localhost | OK (cache) INSECURE | RRNAME (0.6ms) |
| 2023-08-25 01:44:45 | PTR | 105.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | RRNAME (0.4ms) |
| 2023-08-25 01:44:45 | PTR | 104.1.168.192.in-addr.arpa | pi.hole | OK (cache) INSECURE | NXDOMAIN (0.4ms) |
| 2023-08-25 01:44:45 | PTR | 104.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | NXDOMAIN (0.5ms) |
| 2023-08-25 01:44:45 | PTR | 219.1.168.192.in-addr.arpa | pi.hole | OK (cache) INSECURE | NXDOMAIN (1.4ms) |
| 2023-08-25 01:44:45 | PTR | 219.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | NXDOMAIN (2.0ms) |
| 2023-08-25 01:44:41 | PTR | 1.1.168.192.in-addr.arpa | pi.hole | OK (cache) INSECURE | NXDOMAIN (0.1ms) |
| 2023-08-25 01:44:41 | PTR | 1.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | NXDOMAIN (0.1ms) |
| 2023-08-25 01:44:41 | PTR | c.6.d.3.7.0.9.c.9.5.1.8.5.7.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | localhost | OK (cache) INSECURE | RRNAME (0.2ms) |
| 2023-08-25 01:44:41 | PTR | 105.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | RRNAME (0.2ms) |
| 2023-08-25 01:44:41 | PTR | 104.1.168.192.in-addr.arpa | pi.hole | OK (cache) INSECURE | NXDOMAIN (0.2ms) |
| 2023-08-25 01:44:41 | PTR | 104.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | NXDOMAIN (0.1ms) |
| 2023-08-25 01:44:41 | PTR | 219.1.168.192.in-addr.arpa | pi.hole | OK (cache) INSECURE | NXDOMAIN (0.5ms) |
| 2023-08-25 01:44:41 | PTR | 219.1.168.192.in-addr.arpa | localhost | OK (cache) INSECURE | NXDOMAIN (0.8ms) |
As an aside, why all the entries like that - still not really clear on what PTR records are or what's going on here. And what's this c.6.d.3.7.0.9.c.9.5.1.8.5.7.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa business?
Thanks very much, though, that seems to have fixed it. I wonder how it got off by 4 hours like that. Noob mistake on my part most likely! Oh well. Glad it was an easy fix.
About the MAC addresses, @DanSchaper, I do understand what you're saying, but I'd still redact and remove them before uploading, it is only good practice, I don't think anyone would want their MAC address out there in the wild without their knowledge, whether it is used in this context or some other context (like when connecting to public wifi, then MAC addresses can be exposed, etc). It could be valuable to someone nefarious; point being people can't easily change their MAC addresses. Besides, not including it in the debug uploads would only improve trust with users who understand what MAC addresses are, and increasing trust is rarely a bad thing. But, maybe I'm wrong and this is a non-issue, but I still prefer not to publish it. People would benefit from having a habit of being more protective of their data these days, as many users of PiHole can probably already appreciate.
Anyway, don't get me wrong, I think PiHole is great and appreciate and admire you guys for having built it, so thank you for that.
And thanks again @chrislph for your help with this issue, as well!
No worries, it shows that DNSSEC was doing its job too, which is good! The timedatectl command will show if an NTP service is active. If not, it would be worth activating one now that this device is running DNSSEC services.
It's Pi-hole discovering the hostnames of the IP addresses it knows about. I suspect this was triggered by you fixing the clock.
Normally DNS is being used to look up an IP address for a given domain name. Those are stored in A records (for IPv4) and AAAA records (for IPv6).
Sometimes you need to know the opposite – look up a domain name for a given IP address. Since DNS is based around querying names, this is managed by querying a record called a PTR record, and by turning the IP address into a kind of 'fake' domain name by reversing it and appending .in-addr.arpa.
Pi-hole, routers, mesh systems, etc, often send out a mass of these queries to gather info about what's around them. Eg on the network here:
Look up IP from domain name by querying A record for domain name:

```
dig A piaware.lan
;; ANSWER SECTION:
piaware.lan. 0 IN A 192.168.1.4
```

Look up domain name from IP by querying PTR record for 'fake' domain name made up from IP:

```
dig PTR 4.1.168.192.in-addr.arpa
;; ANSWER SECTION:
4.1.168.192.in-addr.arpa. 0 IN PTR piaware.lan.
```

dig has a shortcut for that; you can just use `dig -x` with the normal IP and it takes care of all the reversing and PTR stuff under the hood.

```
dig -x 192.168.1.4
;; ANSWER SECTION:
4.1.168.192.in-addr.arpa. 0 IN PTR piaware.lan.
```
The long one you saw is the same process for IPv6. It reverses the IPv6 address, which is much longer hence all the characters, and adds the slightly different appended name .ip6.arpa.
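Why a clock that is a few hours off turns answers BOGUS, as an added example (Python, not from this thread or from Pi-hole/Unbound): it models only the RRSIG validity-window check every DNSSEC validator performs, and all timestamps are constructed.

```python
"""Added example (not from the thread): why a clock skew of a few hours
makes DNSSEC answers BOGUS.

Every RRSIG record carries a signature inception and expiration time
(RFC 4034; YYYYMMDDHHmmSS in UTC). A validator such as Unbound or dnsmasq
accepts the signature only while its own clock lies inside that window. A
resolver whose clock is hours behind therefore rejects a recently generated
signature as "not yet valid" and logs BOGUS; set the clock right and the
same signature validates. The timestamps below are constructed samples.
"""
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsig_time(field: str) -> datetime:
    """Parse an RRSIG inception/expiration field (UTC, no separators)."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def rrsig_time_check(inception: str, expiration: str, now: datetime) -> str:
    """Return 'SECURE' when `now` lies inside [inception, expiration],
    otherwise the BOGUS reason a validator would report. Only the time
    check is modelled; the cryptographic check is assumed to pass."""
    start, end = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if now < start:
        return f"BOGUS: signature inception in the future by {start - now}"
    if now > end:
        return f"BOGUS: signature expired {now - end} ago"
    return "SECURE"


def check_with_clock_skew(inception: str, expiration: str,
                          true_now: datetime, skew_hours: float) -> str:
    """Validate as a resolver whose clock is `skew_hours` off the true time
    (negative = clock behind, as on a Pi that has not synced after boot)."""
    return rrsig_time_check(inception, expiration,
                            true_now + timedelta(hours=skew_hours))


# Constructed scenario: zone re-signed 3 hours before the true time of
# 2023-08-24 17:52 UTC, signature valid for 7 days.
TRUE_NOW = datetime(2023, 8, 24, 17, 52, tzinfo=timezone.utc)
INCEPTION = "20230824145200"    # 3 h before TRUE_NOW
EXPIRATION = "20230831145200"   # TRUE_NOW + 7 days - 3 h

if __name__ == "__main__":
    for skew in (0, -4, +4, -1):
        print(f"clock skew {skew:+d} h -> "
              f"{check_with_clock_skew(INCEPTION, EXPIRATION, TRUE_NOW, skew)}")
```

A clock 4 hours behind lands before the inception time and fails, while the same clock 4 hours ahead still validates, which is why an unsynced device fails only some of the time.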
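The name reversal described above, carried through in code as an added example (Python, not from this thread or from Pi-hole): it builds the PTR owner names for the IPv4 clients and for the Pi's link-local address, and recovers the address from the long ip6.arpa name in the query log.

```python
"""Added example (not from the thread): how the PTR query names in the
Pi-hole query log are derived from IP addresses.

IPv4: reverse the four octets and append .in-addr.arpa. IPv6: expand the
address to all 32 hex digits, reverse them one nibble at a time, dot-separate
them and append .ip6.arpa. The long name in the log is the Pi's own
link-local address fe80::975:8159:c907:3d6c from the debug output.
Python's ipaddress module has the same logic built in (reverse_pointer);
it is used here only as a cross-check on the hand-rolled version.
"""
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the PTR owner name for an IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    # IPv6: 128 bits -> 32 hex nibbles, fully expanded (no :: compression),
    # least significant nibble first.
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name: recover the address from a PTR owner name."""
    name = name.rstrip(".")
    if name.endswith(".in-addr.arpa"):
        return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))
    if name.endswith(".ip6.arpa"):
        nibbles = "".join(reversed(name[: -len(".ip6.arpa")].split(".")))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))  # compressed form
    raise ValueError(f"not a reverse-DNS name: {name}")


# The IPv6 PTR name exactly as it appears in the query log above.
LOG_IPV6_PTR = ("c.6.d.3.7.0.9.c.9.5.1.8.5.7.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f"
                ".ip6.arpa")

if __name__ == "__main__":
    for ip in ("192.168.1.4", "192.168.1.105", "fe80::975:8159:c907:3d6c"):
        rn = reverse_name(ip)
        assert rn == ipaddress.ip_address(ip).reverse_pointer  # cross-check
        print(f"{ip:28} -> {rn}")
    print(LOG_IPV6_PTR, "->", address_from_reverse_name(LOG_IPV6_PTR))
```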
Ah, okay, that makes sense. I appreciate you taking the time to explain that to me, thank you.
I'm still learning about this stuff. I have a sense that I might not quite have PiHole and Unbound (or even OpenWRT) totally configured correctly, but it will take time to get it all right, I'm sure. It's working well, but there are a lot of options and settings. I honestly was surprised at how easy it was to configure PiHole and Unbound, so sometimes I think there has to be more to it - but maybe not.
For example, I think I have my Raspberry Pi set up on the network as a DNS server correctly for OpenWRT, but I'm not positive. It's set under Interfaces->WAN->Edit->Use custom DNS servers. It's not set under the LAN settings, but WAN. Does that sound correct to you? I think that's right. It seems to work well, despite the recent DNSSEC issue. And I have the RaspberryPi set as a reserved IP in OpenWRT.
The other thing is that DNS seemed a bit "snappier" before when I was using Quad9. Maybe that's just my imagination, or just the impression I get from the occasional "extended" (uncached) lookups by Unbound (for newly visited domains, as I understand it?), etc. Do you happen to have any "speed tweaks" or config options you'd recommend to ensure the speediest DNS experience, by chance?
Overall, I'm very happy with PiHole, Unbound, and OpenWRT.