Pihole won't resolve Polish domains

Expected Behaviour:

Opening Polish websites like 'wp.pl' or 'amazon.pl' in a browser / pinging them from the CLI.
Pihole 2023.03.0 running on a Synology NAS via Docker.
No problems otherwise. Blacklist entries get blocked, everything works fine, it just won't open any Polish domains. Tried different DNS provider settings, nothing worked.

Actual Behaviour:

Browser responds with 'DNS_PROBE_FINISHED_NXDOMAIN'.
CLI can't ping the domains.
If I bypass pihole using my provider's DNS or using a VPN the sites are accessible, so it has something to do with pihole. Adlists show nothing. Whitelisting the domains also won't work.
What's weird is that the Tail pihole.log shows that the IP was gathered; see the log below, IP in bold:

Apr 14 19:29:21: query[A] www.wp.pl from 192.168.x.1
Apr 14 19:29:21: forwarded www.wp.pl to 9.9.9.9
Apr 14 19:29:21: query[AAAA] www.wp.pl from 192.168.x.1
Apr 14 19:29:21: forwarded www.wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DS] wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DNSKEY] pl to 9.9.9.9
Apr 14 19:29:21: reply www.wp.pl is 212.77.98.9
Apr 14 19:29:21: reply www.wp.pl is NODATA-IPv6
Apr 14 19:29:21: query[AAAA] www.wp.pl from 192.168.x.1
Apr 14 19:29:21: forwarded www.wp.pl to 9.9.9.9
Apr 14 19:29:21: query[A] www.wp.pl from 192.168.x.1
Apr 14 19:29:21: forwarded www.wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DS] wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DNSKEY] pl to 9.9.9.9
Apr 14 19:29:21: reply www.wp.pl is 212.77.98.9
Apr 14 19:29:21: query[A] www.wp.pl from 192.168.x.1
Apr 14 19:29:21: forwarded www.wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DS] wp.pl to 9.9.9.9
Apr 14 19:29:22: dnssec-query[DNSKEY] pl to 9.9.9.9
Apr 14 19:29:22: reply www.wp.pl is NODATA-IPv6
Apr 14 19:29:22: reply www.wp.pl is 212.77.98.9

Debug Token:

https://tricorder.pi-hole.net/fFwhnVKG/

How did you start your container? Please post the compose file or docker run command.

I started it via the Synology GUI docker, no compose, no cli.
Which details are you looking for?

I just figured out that if I uncheck "Use DNSSEC" in the Advanced DNS settings all sites work as intended.
But the DNS providers I chose supported DNSSEC.

Can somebody please explain why that is?
And can I leave this unchecked?

We're interested in your Pi-hole container's configuration parameters.

That only means that they would deliver DNSSEC signed replies.
Validation is handled between Pi-hole and the respective DNS server authoritative for a requested domain.

Pi-hole would verify that DNS replies have not been manipulated by third parties, by checking the cryptographic signature against the DNS server authoritative for the requested domain.

If an authoritative DNS server is capable of digitally signing its DNS records (i.e. it supports DNSSEC), then Pi-hole will check them and only mark the replies as SECURE and deliver them to clients if they pass DNSSEC validation.
If they fail DNSSEC, Pi-hole will discard the replies and mark them as BOGUS, i.e. a client can't resolve that domain.

If an authoritative DNS server does not support DNSSEC, Pi-hole can't apply DNSSEC validation. Pi-hole will mark such replies as INSECURE and deliver them to clients.

For further details, see also Understanding DNSSEC validation using Pi-hole's Query Log.

You could, but you'd sacrifice some trust if you switch off DNSSEC, as Pi-hole would not validate DNS replies at all.

From the details you've shared so far, it's not evident whether DNSSEC would have told you that some DNS replies can't be trusted.

We'd need more details to answer that.
How did those failed requests register in Pi-hole's Query Log?

Note that DNSSEC validation would require accurate time information on the machine hosting Pi-hole, or else all checks would fail.
It is unlikely that your time is inaccurate, as you are only observing resolution failures for some Polish domains, but it's worth checking nevertheless.

Even with accurate times, sporadic failures for very short periods are to be expected, e.g. when an authoritative DNS server is down for maintenance, or if it has been updating the public keys it uses for digital signatures while DNS replies cached by upstream resolvers are still signed with the previous key.
Usually, such failures should go away after a short while.

And finally, we've received a similar report about .pl domains a while ago, where public DNS adjustments seem to have been causing temporary failures, see DNSSEC resolving problem with .pl domains - #14 by s.beimer.
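To make the SECURE / INSECURE / BOGUS outcomes above concrete against log lines like the ones posted at the top of the thread, here is an added example (not Pi-hole's own code, and not part of the original reply) that groups pihole.log lines per forwarded domain and attaches the verdict dnsmasq logs for it. The sample log is constructed in the style of the posted excerpt; the "validation ... is <VERDICT>" lines and the heuristic that attributes a verdict to the most recently forwarded domain are assumptions about the dnsmasq log format, not something the thread shows.

```python
import re

# Constructed sample in the style of the pihole.log excerpt posted in the thread.
# The "validation result is <VERDICT>" lines are an assumption about the dnsmasq
# log format behind pihole-FTL; they are included to show what a logged verdict
# looks like and are not part of the original excerpt.
SAMPLE_LOG = """\
Apr 14 19:29:21: query[A] www.wp.pl from 192.168.x.1
Apr 14 19:29:21: forwarded www.wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DS] wp.pl to 9.9.9.9
Apr 14 19:29:21: dnssec-query[DNSKEY] pl to 9.9.9.9
Apr 14 19:29:21: reply www.wp.pl is 212.77.98.9
Apr 14 19:29:25: query[A] example.com from 192.168.x.1
Apr 14 19:29:25: forwarded example.com to 9.9.9.9
Apr 14 19:29:25: dnssec-query[DS] example.com to 9.9.9.9
Apr 14 19:29:25: validation result is SECURE
Apr 14 19:29:25: reply example.com is 93.184.216.34
Apr 14 19:29:30: query[A] unsigned.test from 192.168.x.1
Apr 14 19:29:30: forwarded unsigned.test to 9.9.9.9
Apr 14 19:29:30: validation result is INSECURE
Apr 14 19:29:30: reply unsigned.test is 203.0.113.5
Apr 14 19:29:40: query[A] broken.test from 192.168.x.1
Apr 14 19:29:40: forwarded broken.test to 9.9.9.9
Apr 14 19:29:40: dnssec-query[DS] broken.test to 9.9.9.9
Apr 14 19:29:40: validation result is BOGUS
"""

# Patterns are searched (not anchored) so any timestamp / "dnsmasq[pid]:" prefix is ignored.
FORWARDED = re.compile(r"\bforwarded (\S+) to (\S+)")
REPLY = re.compile(r"\breply (\S+) is (\S+)")
DNSSEC_Q = re.compile(r"\bdnssec-query\[(\w+)\] (\S+) to")
# Accepts both "validation result is X" and "validation <name> is X" (assumed forms).
VERDICT = re.compile(r"\bvalidation (?:result|(\S+)) is (SECURE|INSECURE|BOGUS|ABANDONED)")


def classify(log_text):
    """Group log lines per forwarded domain and attach the DNSSEC verdict.

    The verdict line may not name the domain, so it is attributed
    (heuristically) to the most recently forwarded domain that has not
    received a verdict yet. Cached answers never hit "forwarded" and are
    therefore not reported.
    """
    report = {}
    pending = []  # domains forwarded upstream and still awaiting a verdict
    for line in log_text.splitlines():
        m = FORWARDED.search(line)
        if m:
            domain = m.group(1)
            report.setdefault(domain, {"upstream": m.group(2), "dnssec_lookups": [],
                                       "answers": [], "verdict": None})
            if domain not in pending:
                pending.append(domain)
            continue
        m = DNSSEC_Q.search(line)
        if m and pending:
            # DS/DNSKEY lookups belong to the chain of trust of the current query
            report[pending[-1]]["dnssec_lookups"].append(f"{m.group(1)} {m.group(2)}")
            continue
        m = VERDICT.search(line)
        if m:
            named, verdict = m.group(1), m.group(2)
            domain = named if named in report else (pending[-1] if pending else None)
            if domain is not None:
                report[domain]["verdict"] = verdict
                if domain in pending:
                    pending.remove(domain)
            continue
        m = REPLY.search(line)
        if m and m.group(1) in report:
            answers = report[m.group(1)]["answers"]
            if m.group(2) not in answers:
                answers.append(m.group(2))
    return report


def unverified(report):
    """Domains that received an answer but no logged verdict: the first place to
    look when a resolution failure is blamed on DNSSEC."""
    return sorted(d for d, info in report.items()
                  if info["answers"] and info["verdict"] is None)


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for domain, info in result.items():
        print(f"{domain}: verdict={info['verdict']} answers={info['answers']} "
              f"chain={info['dnssec_lookups']}")
    print("answered but no verdict logged:", unverified(result))
```

Run against the posted excerpt, www.wp.pl shows DS and DNSKEY lookups and an A answer but no verdict line at all, which is consistent with the poster saying they never saw BOGUS; the excerpt by itself therefore does not tell whether validation passed, failed, or was never completed.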
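The point about accurate time deserves a worked illustration, because it is the one failure mode that hits every signed domain at once. This added example (not from Pi-hole or the thread) parses a constructed RRSIG record in RFC 4034 presentation format and checks its inception/expiration window against a given host clock using the 32-bit serial arithmetic the RFC prescribes. The record, its timestamps and the signature placeholder are all made up; only the time fields matter here, the cryptographic check itself is not modelled.

```python
from datetime import datetime, timezone

# Constructed RRSIG record in RFC 4034 presentation format (not from the thread).
# Rdata fields: type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, signature. The signature is a placeholder
# because this example only evaluates the validity window.
SAMPLE_RRSIG = ("www.wp.pl. 3600 IN RRSIG A 13 3 3600 20230421000000 20230407000000 "
                "12345 wp.pl. PLACEHOLDERSIGNATURE==")


def _to_epoch(ts):
    """RRSIG time fields are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return int(datetime.strptime(ts, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_rrsig(text):
    f = text.split()  # f[0..3] = owner, TTL, class, "RRSIG"; rdata starts at f[4]
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": _to_epoch(f[8]),
        "inception": _to_epoch(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def serial_lt(a, b):
    """RFC 1982 serial-number comparison on 32-bit values, which RFC 4034
    requires for the inception/expiration fields; True when a is before b."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31)


def signature_time_status(rrsig, now_epoch):
    """Classify the signature purely on the validator's notion of 'now'."""
    if serial_lt(now_epoch, rrsig["inception"]):
        return "not yet valid"
    if serial_lt(rrsig["expiration"], now_epoch):
        return "expired"
    return "within validity window"


def verdict_under_clock(rrsig_text, host_clock_iso):
    """What a validator concludes about this signature when the host clock
    reads host_clock_iso (UTC, e.g. '2023-04-14T19:29:21Z')."""
    now = int(datetime.strptime(host_clock_iso, "%Y-%m-%dT%H:%M:%SZ")
              .replace(tzinfo=timezone.utc).timestamp())
    status = signature_time_status(parse_rrsig(rrsig_text), now)
    # A signature outside its window fails validation regardless of the
    # cryptography, so a wrong clock turns every signed domain BOGUS.
    return {"status": status, "fails_validation": status != "within validity window"}


if __name__ == "__main__":
    for clock in ("2023-04-14T19:29:21Z", "2021-01-01T00:00:00Z", "2023-06-01T00:00:00Z"):
        print(clock, verdict_under_clock(SAMPLE_RRSIG, clock))
```

With the clock set correctly the signature is inside its window; with the clock two years behind it reads as not yet valid and with the clock ahead as expired, and in both of the latter cases a validating resolver returns nothing usable to the client. The same window check is also why the key-rollover scenario above resolves itself: the stale cached signature simply ages out.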

Thank you for the link to the same problem - I really searched hard for the same problem to proceed.

This old thread indicates that the problem was out of his control and rather the fault of the sites/domains. But then again, shouldn't this affect all users of pihole? I asked a few people on Discord and Reddit and no one else had problems resolving.

As for my container environment, sure I'll upload it, but it's stock, except for:

DNSMASQ_LISTENING: local

ServerIP: Change this to the IP address of your NAS.

Basically this: https://www.wundertech.net/wp-content/uploads/2022/10/image-91.png

As for the logs: basically what I initially posted. I did not get BOGUS like in the other thread.

I'm getting an 'Error 1011 - Access denied' for that image link.

Please adjust your post.
In this forum, you can paste images directly. :wink:

Updated it, I'm on a mobile browser and didn't see the upload icon at first. Thank you for pointing it out.

Note:
(This is not directly related to the problem you are seeing)

ServerIP variable is deprecated and it was replaced by FTLCONF_LOCAL_IPV4.
Use only FTLCONF_LOCAL_IPV4=192.168.0.220 and remove the old variable.


Thank you for the heads up, I just fixed it.
