Routing trouble with specific target IP Address - Two identical piholes show different behaviour

I have two DietPi Raspis with identical pihole setup running in my network used by different clients.
Let's call them A and B. There is also other stuff running, e.g. tailscale.
The problem is that domain spiegel.de is not accessible to clients through pihole A.
But all clients can reach the website through pihole B.
This is reproducible. And it is - at the moment - the only destination that shows this behaviour.

The configuration includes unbound. So custom IP is set to 127.0.0.1#5335 and DNSSEC is on in the DNS settings. But it doesn't matter whether DNSSEC is on or off.
This all only happens when unbound is used. If I switch to regular DNS servers everything is fine.

I have done pihole -r and reinstalled unbound on pihole A.

dig 1.www.spiegel.de
; <<>> DiG 9.16.48-Debian <<>> 1.www.spiegel.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.www.spiegel.de. IN A
;; AUTHORITY SECTION:
spiegel.de. 86400 IN SOA pns101.cloudns.net. tech.brandshelter.com. 2023112281 86400 86400 86400 86400
;; Query time: 424 msec
;; SERVER: 100.100.100.100#53(100.100.100.100)
;; WHEN: Sun May 05 00:31:34 CEST 2024
;; MSG SIZE rcvd: 120

The same output as on pihole B.

Server 100.100.100.100 is the one from tailscale written to /etc/resolv.conf.
If I stop tailscale, resolv.conf shows my local router's IP address and #127.0.0.1 in the second line.
And here is the only difference I could find between the two setups.
On pihole B, if I stop tailscale, it would show only 127.0.0.1.
If I change resolv.conf on pihole A to 127.0.0.1 it doesn't seem to have any effect.
Anyway, after taking tailscale down, ping www.spiegel.de would fail with a DNS resolution error and dig 1.www.spiegel.de would result in

; <<>> DiG 9.16.48-Debian <<>> 1.www.spiegel.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27576
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.www.spiegel.de. IN A
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 05 14:14:28 CEST 2024
;; MSG SIZE rcvd: 45

nslookup www.spiegel.de
;; connection timed out; no servers could be reached

nslookup www.focus.de
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
www.focus.de canonical name = www.focus.de.26045.edgekey.net.
www.focus.de.26045.edgekey.net canonical name = e26045.dscf.akamaiedge.net.
Name: e26045.dscf.akamaiedge.net
Address: 23.15.178.224
Name: e26045.dscf.akamaiedge.net
Address: 23.15.178.154
e26045.dscf.akamaiedge.net canonical name = e26045.dscf.akamaiedge.net.0.1.cn.akamaiedge.net.
Name: e26045.dscf.akamaiedge.net.0.1.cn.akamaiedge.net
Address: 2a02:26f0:b700:4::210:cc4a
Name: e26045.dscf.akamaiedge.net.0.1.cn.akamaiedge.net
Address: 2a02:26f0:b700:4::210:cc50
Name: e26045.dscf.akamaiedge.net.0.1.cn.akamaiedge.net
Address: 2a02:26f0:b700:4::210:cc55

Any ideas on how to further investigate this?
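As an added diagnostic aid (example code written for this page, not from the post, Pi-hole or unbound), the following Python parses dig output such as the two transcripts above and maps each result to the next check along the client -> Pi-hole (127.0.0.1#53) -> unbound (127.0.0.1#5335) -> upstream chain. The first two sample inputs are the post's own dig outputs, trimmed to the lines the parser reads; the third (a NOERROR answer carrying the ad flag) is constructed. The suggested follow-up queries use standard dig options (`@server`, `-p 5335`, `+cdflag`); the post itself did not run them.

```python
import re
from dataclasses import dataclass

# Sample 1: copied from the post (query answered by tailscale's 100.100.100.100), trimmed.
DIG_VIA_TAILSCALE = """\
; <<>> DiG 9.16.48-Debian <<>> 1.www.spiegel.de
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
spiegel.de. 86400 IN SOA pns101.cloudns.net. tech.brandshelter.com. 2023112281 86400 86400 86400 86400
;; SERVER: 100.100.100.100#53(100.100.100.100)
"""

# Sample 2: copied from the post (tailscale stopped, query answered by local Pi-hole), trimmed.
DIG_VIA_LOCALHOST = """\
; <<>> DiG 9.16.48-Debian <<>> 1.www.spiegel.de
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27576
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Sample 3: constructed (not from the post) to show what a DNSSEC-validated answer from unbound looks like.
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5335(127.0.0.1)
"""

HEADER_RE = re.compile(r"status: ([A-Z]+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: \d+")
SERVER_RE = re.compile(r";; SERVER: (\S+?)\(")


@dataclass(frozen=True)
class DigResult:
    status: str          # NOERROR, NXDOMAIN, SERVFAIL, or NO_RESPONSE when dig got no reply
    server: str          # "ip#port" from the ;; SERVER: line, "" when no server answered
    flags: frozenset     # header flags such as qr rd ra ad cd
    answers: int
    authority: int


def parse_dig(text: str) -> DigResult:
    """Extract status, flags, section counts and answering server from dig(1) output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    server = SERVER_RE.search(text)
    if not (header and flags):
        # dig prints no header when no server replied ("no servers could be reached")
        return DigResult("NO_RESPONSE", "", frozenset(), 0, 0)
    return DigResult(
        status=header.group(1),
        server=server.group(1) if server else "",
        flags=frozenset(flags.group(1).split()),
        answers=int(flags.group(2)),
        authority=int(flags.group(3)),
    )


def diagnose(r: DigResult) -> str:
    """Turn one dig result into the next check along the Pi-hole -> unbound -> upstream chain."""
    if r.status == "NO_RESPONSE":
        return "no answer at all: check that pihole-FTL is listening on the queried address and port"
    if r.server.startswith("100.100.100.100#"):
        # tailscale owns /etc/resolv.conf here, so this query never reached Pi-hole or unbound
        return "answered by tailscale, not Pi-hole: repeat with @127.0.0.1 and with @127.0.0.1 -p 5335"
    if r.status == "NOERROR" and r.answers > 0:
        return "resolved, DNSSEC-validated (ad set)" if "ad" in r.flags else "resolved, not validated"
    if r.status == "SERVFAIL":
        return ("SERVFAIL from the local resolver: query 127.0.0.1 -p 5335 with and without +cdflag; "
                "an answer only with +cdflag points at DNSSEC validation, "
                "SERVFAIL both ways points at unbound's upstream reachability")
    if r.status == "NXDOMAIN" and r.authority > 0:
        return "authoritative denial (SOA in AUTHORITY): the exact name does not exist at that resolver"
    return f"unhandled status {r.status}"


def triage(outputs: dict) -> dict:
    """Run parse + diagnose over several labelled dig transcripts (e.g. one per pihole)."""
    return {label: diagnose(parse_dig(text)) for label, text in outputs.items()}


if __name__ == "__main__":
    for label, verdict in triage({
        "pihole A via tailscale": DIG_VIA_TAILSCALE,
        "pihole A via localhost": DIG_VIA_LOCALHOST,
        "constructed validated": DIG_VALIDATED,
    }).items():
        print(f"{label}: {verdict}")
```

Run it on each pihole with the same name queried against 127.0.0.1, 127.0.0.1 -p 5335 and the upstream in /etc/resolv.conf; the first layer whose verdict differs between A and B is where to look.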
