Setting DNSSEC, even temporarily, permanently breaks Pi-hole


#1

I am using two piholes (one as backup mostly) on my home local network.
It works beautifully. They both use my opnsense router to use DNS, which goes
out my vpn client. I check that dnssec is supported, and the test on the website
says that it is. If I then click the button to enable dnssec, it changes the
dns server by adding #53 to the end of the ip address. This is now permanent and
cannot be undone. If I try to edit and save it, pihole changes it back. If I disable
dnssec, and then change the dns ip, pihole changes it back. If I ssh into that pihole,
it cannot ping any address (like google). Therefore, it cannot update, it cannot be
repaired, etc. Pihole also just makes endless calls to try and get the right time, but
cannot reach the NIST servers. It is now useless. The only way to fix it is to
reinstall the whole thing. If you make the mistake of enabling dnssec again, it
is broken and you have to start all over.

Expected Behaviour:

That none of this happens

Actual Behaviour:

What I described above

Debug Token:

Since it can no longer reach anything, I cannot upload the logs


#2

Setting DNSSEC does not cause #53 to be added to the upstream DNS IP. That is a coincidence only because changing the setting causes the config to be rebuilt.
The default DNS port is 53, so adding #53 should have no effect. However, you did not mention where this setting lives.
If DNS resolution is down, you should still be able to ping IP addresses.


#3

I am not sure what you mean by “where this setting lives”. I don’t know where the config files reside, so I can only tell you that this is the setting from the web GUI: Settings->DNS.

Right, I can ping IP, just no name resolution. I had resolution until I set dnssec. Re-disabling dnssec does not fix it.


#4

You can add any #port as long as it corresponds with the upstream end server. #53 is the default, so it is removed on apply.

DNSSEC is problematic in Pi-hole/dnsmasq, so please avoid this. Restart Pi-hole to flush all caches.


#5

OK. I will avoid it from now on. BTW, restarting pihole does not fix the problem. The only way to fix it is to
reinstall everything from scratch, as far as I have found. Perhaps the button to activate DNSSEC should
not be there at all?


#6

Have you tried to troubleshoot what is causing the DNS server to not work? Check the logs:

sudo service pihole-FTL status
less /var/log/pihole.log
less /var/log/pihole-FTL.log
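
The commands above tell you to read the logs; the following is an added triage helper (not part of this thread, nor Pi-hole's own tooling) that does the reading for you. It groups the dnsmasq-style query / forwarded / reply / validation events in /var/log/pihole.log per name, so a Pi-hole whose clients can ping IPs but cannot resolve names shows up as either "upstream never answered" or "DNSSEC validation rejected the answer", which are the two different failures this thread mixes together. It also normalises the "#53" suffix the opening post worried about, since port 53 is the default and means the same server. The log line shapes are assumed from dnsmasq's query logging, and the sample lines at the bottom are constructed, not taken from any real system.

```python
"""Triage helper for a Pi-hole that has lost name resolution (added example).

Groups dnsmasq-style events from /var/log/pihole.log per queried name and
reports, for each name, whether the upstream ever replied and whether DNSSEC
validation marked the answer BOGUS. Line shapes are assumed from dnsmasq's
--log-queries output; SAMPLE_LOG below is constructed test data.
"""
import re
import sys
from collections import defaultdict

# "<timestamp> dnsmasq[<pid>]: <event>"  (assumed pihole.log shape)
EVENT_RE = re.compile(r"dnsmasq\[\d+\]: (?P<event>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<answer>.+)$")
VALID_RE = re.compile(r"^validation (?P<name>\S+) is (?P<result>\w+)$")


def normalize_upstream(spec):
    """Pi-hole writes an upstream as IP or IP#port. Port 53 is the default and
    is dropped on apply, so '10.0.0.1#53' and '10.0.0.1' name the same server."""
    host, sep, port = spec.partition("#")
    if sep and port == "53":
        return host
    return spec


def parse_events(lines):
    """Yield (kind, name, detail) for each recognised log event."""
    last_forwarded = None
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        event = m.group("event")
        if q := QUERY_RE.match(event):
            yield ("query", q["name"], q["client"])
        elif f := FORWARD_RE.match(event):
            last_forwarded = f["name"]
            yield ("forwarded", f["name"], normalize_upstream(f["upstream"]))
        elif r := REPLY_RE.match(event):
            yield ("reply", r["name"], r["answer"])
        elif v := VALID_RE.match(event):
            # dnsmasq may write "validation result is BOGUS" without a name;
            # attribute that to the most recently forwarded query.
            name = last_forwarded if v["name"] == "result" else v["name"]
            if name is not None:
                yield ("validation", name, v["result"])


def count_events(lines):
    """Per-name counters: queries seen, forwards sent, replies received, BOGUS verdicts."""
    counts = defaultdict(lambda: {"query": 0, "forwarded": 0, "reply": 0, "bogus": 0})
    for kind, name, detail in parse_events(lines):
        if kind == "validation":
            if detail == "BOGUS":
                counts[name]["bogus"] += 1
        else:
            counts[name][kind] += 1
    return dict(counts)


def verdict(c):
    """Classify one name's counters into the failure mode a defender cares about."""
    if c["bogus"]:
        return "dnssec-bogus"          # upstream answered, validation rejected it
    if c["forwarded"] and not c["reply"]:
        return "no-upstream-reply"     # upstream unreachable or silently dropping
    if c["reply"]:
        return "resolved"
    return "no-data"                   # queried but neither forwarded nor answered here


def report(lines):
    """Map each queried name to its verdict."""
    return {name: verdict(c) for name, c in count_events(lines).items()}


# Constructed sample log: one healthy name, one the upstream never answers
# (the time-server symptom from the opening post), one rejected by DNSSEC.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jan  5 10:00:01 dnsmasq[812]: forwarded example.com to 192.168.1.1#53
Jan  5 10:00:01 dnsmasq[812]: reply example.com is 93.184.216.34
Jan  5 10:00:05 dnsmasq[812]: query[A] time.nist.gov from 127.0.0.1
Jan  5 10:00:05 dnsmasq[812]: forwarded time.nist.gov to 192.168.1.1#53
Jan  5 10:00:10 dnsmasq[812]: query[A] time.nist.gov from 127.0.0.1
Jan  5 10:00:10 dnsmasq[812]: forwarded time.nist.gov to 192.168.1.1#53
Jan  5 10:00:12 dnsmasq[812]: query[A] pi-hole.net from 127.0.0.1
Jan  5 10:00:12 dnsmasq[812]: forwarded pi-hole.net to 192.168.1.1#53
Jan  5 10:00:12 dnsmasq[812]: validation result is BOGUS
""".splitlines()

if __name__ == "__main__":
    # Usage: python triage.py /var/log/pihole.log   (defaults to the sample data)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, v in sorted(report(lines).items()):
        print(f"{name:30} {v}")
```

Read the verdicts together rather than one at a time: every name stuck at "no-upstream-reply" points at the upstream (here the router) or the path to it, which is a network or firewall problem that re-disabling DNSSEC cannot fix, whereas "dnssec-bogus" means answers are arriving but the validating resolver refuses them, which is the setting itself.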

#7

I did not look at the logs. I just reinstalled everything so that I could get the pihole working.
At the moment, I am reluctant to go through it all again, because I will probably have to reinstall
and that takes some time that I don’t have. I wish that I had thought of that. I was trying to find
the config files instead. Sorry.