[Solved] Pi-Hole not resolving amazon.com

Expected Behaviour:

Able to resolve amazon.com to an IP address that I can ping. I am running Pi-hole on a docker pulled from docker hub pihole/pihole:v5.0.

Actual Behaviour:

root@pihole:~# dig amazon.com
; <<>> DiG 9.10.3-P4-Debian <<>> amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23596
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;amazon.com.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Sun May 24 09:09:06 UTC 2020
;; MSG SIZE  rcvd: 39
root@pihole:~# dig amazon.com @10.*.*.3

; <<>> DiG 9.10.3-P4-Debian <<>> amazon.com @10.*.*.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45061
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;amazon.com.                    IN      A

;; Query time: 400 msec
;; SERVER: 10.100.10.3#53(10.100.10.3)
;; WHEN: Sun May 24 09:10:16 UTC 2020
;; MSG SIZE  rcvd: 39
root@pihole:~# dig amazon.com @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54263
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;amazon.com.                    IN      A

;; Query time: 199 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 24 09:13:34 UTC 2020
;; MSG SIZE  rcvd: 39

Debug Token:

https://tricorder.pi-hole.net/n95x7jq686

Looks like you don't have any network connectivity. Can you ping any of the intended DNS server IP addresses?

@DanSchaper, thanks for the response. Yes, I am able to ping the servers. I am also able to actually browse to some sites like Google; I did a search for dns amazon.com, got the IP from the site, and was able to ping that as well.

The latency is normal for me, it's always around 180-240.

root@pihole:/# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=199 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=52 time=199 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=52 time=198 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 198.954/199.026/199.066/0.517 ms
root@pihole:/# ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=199 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=203 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=58 time=199 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 199.099/200.737/203.298/1.834 ms

And dig @8.8.8.8 still fails with SERVFAIL notification?

Yep, same as above, no IP for the A record either.

That would indicate the problem is with the network. Possibly a firewall or something blocking the traffic. There is nothing that involves Pi-hole for a dig to an external DNS IP.

Actually, the error is with DNSSEC, the response is showing as BOGUS.

   May 24 08:25:45 dnsmasq[336]: validation unagi.amazon.com is BOGUS
   May 24 08:25:45 dnsmasq[336]: reply error is SERVFAIL

Ok, I have google and cloudflare selected right now but I can change that if needed.

If DNSSEC is showing BOGUS then the upstreams won't matter much. The most common reason for DNSSEC to fail is a bad time/date.

To check if DNSSEC is the cause you can disable DNSSEC and see if that fixes things.
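
Before turning DNSSEC off, the dnsmasq log lines quoted above can be tallied to see whether BOGUS results are confined to one zone or hit every validation, which is what a wrong clock would tend to produce. This is an added example, not code from the thread or from Pi-hole; the sample log is constructed, and `parent_zone`, `summarize` and `verdict` are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed sample in the dnsmasq log format quoted in the thread (not real data).
SAMPLE_LOG = """\
May 24 08:25:44 dnsmasq[336]: validation result is SECURE
May 24 08:25:45 dnsmasq[336]: validation unagi.amazon.com is BOGUS
May 24 08:25:45 dnsmasq[336]: reply error is SERVFAIL
May 24 08:25:46 dnsmasq[336]: validation www.amazon.com is BOGUS
May 24 08:25:46 dnsmasq[336]: reply error is SERVFAIL
May 24 08:25:47 dnsmasq[336]: validation result is INSECURE
"""

VALIDATION = re.compile(r"dnsmasq\[\d+\]: validation (\S+) is (\w+)$")
REPLY_ERROR = re.compile(r"dnsmasq\[\d+\]: reply error is (\w+)$")

def parent_zone(name, labels=2):
    """Grouping key: last `labels` labels (assumption: no public-suffix lookup)."""
    return ".".join(name.rstrip(".").split(".")[-labels:])

def summarize(log_text):
    """Return (BOGUS names by zone, other validation count, SERVFAILs right after BOGUS)."""
    bogus, ok, servfails, last_was_bogus = defaultdict(set), 0, 0, False
    for line in log_text.splitlines():
        m = VALIDATION.search(line)
        if m:
            name, status = m.groups()
            last_was_bogus = status == "BOGUS"
            if last_was_bogus:
                bogus[parent_zone(name)].add(name)
            else:
                ok += 1
            continue
        e = REPLY_ERROR.search(line)
        if e and e.group(1) == "SERVFAIL" and last_was_bogus:
            servfails += 1
        last_was_bogus = False
    return dict(bogus), ok, servfails

def verdict(bogus, ok):
    """Heuristic of this example: a wrong clock breaks validation broadly, not per zone."""
    if not bogus:
        return "no DNSSEC failures logged"
    if ok == 0:
        return "every validation failed: check date/time first"
    return "failures limited to: " + ", ".join(sorted(bogus))

if __name__ == "__main__":
    zones, ok, servfails = summarize(SAMPLE_LOG)
    print(zones, ok, servfails, verdict(zones, ok))
```

To run it against a real log, pass the log file's contents to `summarize` in place of `SAMPLE_LOG`.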

My times are currently set to UTC and I verified they are right on. I have an ntp client running in the proxmox host and in the docker vm.

I will turn off DNSSEC and give that a try.

I turned off DNSSEC and while that helped I was having 403 issues with sites.

I am going to mark this as solved.

This was not a Pi-hole issue but a VPN issue. My traffic runs through an ExpressVPN which normally doesn't have any issues but I got the bright idea of switching VPN endpoints and that solved my issues. I haven't seen Express VPN mess with my traffic in the past but something is surely going on with that endpoint.

Thank you for your troubleshooting! Everything is working perfectly now... I'm sure that Pi-hole was always performing as expected.

I am having similar issues. I read through this thread and kinda got some ideas, but I'm still confused and Amazon is still not working. I really want to keep using Pi-hole but don't know how to get Amazon back on. I am also using a VPN, and I tried turning it off or disabling Pi-hole; nothing works. This problem started happening since I installed Pi-hole so something can be related. Thanks.
