Domains such as ProtonMail.com (and mail.protonmail.com), intoDNS.com and several other seemingly random domains fail to resolve through Pi-Hole. They are not listed in any blacklist and resolve just fine through another pi-hole installation I have with the same setup procedures.
I am using unbound on this new installation, as well as a previous working installation.
Actual Behaviour:
The domains that fail to resolve appear in the query log with:
Status: OK (forwarded to localhost#5335)
Reply: SERVFAIL
However, I do not have DNSSEC enabled (and enabling it doesn't resolve or change the issue).
Comparing cat /etc/resolv.conf between the two servers (the Pi-hole that is older and works fine, and the new installation that is causing my problems), I see that the Pi-hole that works is using the automatically generated local network nameserver, whereas the new one is using 127.0.0.1#5335.
What is the best way to reverse this step? I can modify /etc/resolv.conf manually; however, it will be overwritten on reboot, and chattr +i'ing the file seems like a temporary fix at best.
Okay, yet another fresh install, and I can confirm that the issue persists. The only difference I can find between the new install and the currently working installs is the software version of Pi-Hole.
New install version that does not work properly for me:
Current Pi-hole version is v5.3.1.
Current AdminLTE version is v5.5.
Current FTL version is v5.8.1.
Old install version that does work properly for me:
Pi-hole version is v5.2.4 (Latest: v5.3.1)
AdminLTE version is v5.4 (Latest: v5.5)
FTL version is v5.7 (Latest: v5.8.1)
Both installs are similar in that they're Debian 10 servers with Unbound installed. On the brand new install I still can't resolve domains that -should- work, and that do work if using DNS from the other Pi-Hole.
The old pi-hole will be decommissioned soon and I need to get the other one working as reliably as the old one.
Edit file /etc/dhcpcd.conf and change the static nameserver in that file. Example of a Pi using Pi-hole for DNS - you would change the loopback IP to the IP of the DNS(s) of your choice.
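One way to script what this reply describes, as an added example (not the reply's own, and not part of Pi-hole): it rewrites the static domain_name_servers= line of dhcpcd.conf, which on a Raspberry Pi is what dhcpcd turns into /etc/resolv.conf at boot, so the change survives a reboot without chattr. The function names, the .bak suffix and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example: manage the "static domain_name_servers=" line in dhcpcd.conf.
# dhcpcd regenerates /etc/resolv.conf from this setting on every boot, which is
# why hand-editing resolv.conf does not stick. Helper names are this example's own.

set_static_dns() {
    # $1 = path to dhcpcd.conf, remaining args = nameserver IPs in preference order
    conf="$1"; shift
    servers="$*"
    if grep -q '^static domain_name_servers=' "$conf"; then
        # Replace the existing line in place; keep a .bak copy of the original
        sed -i.bak "s/^static domain_name_servers=.*/static domain_name_servers=$servers/" "$conf"
    else
        # No such line yet: append one. Note it lands in the last "interface"
        # block of the file if there is one, otherwise it applies globally.
        printf 'static domain_name_servers=%s\n' "$servers" >> "$conf"
    fi
}

current_static_dns() {
    # Print the nameserver list currently configured (last matching line wins)
    sed -n 's/^static domain_name_servers=//p' "$1" | tail -n 1
}

# Usage (as root): set_static_dns /etc/dhcpcd.conf 192.168.1.10 192.168.1.11
# then restart dhcpcd (or reboot) and confirm with: cat /etc/resolv.conf
```

Replacing the loopback address with the address of another resolver takes unbound out of the Pi's own resolution path; the upstream Pi-hole itself still answers clients from whatever it has configured under Settings > DNS.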
This points to a problem with the unbound install on that Pi. Pi-hole is insensitive to the inner workings of unbound - it just receives a reply from unbound. If the reply is SERVFAIL, that's an indicator that unbound was unable to resolve.
Have you checked that the date/time on that Pi is correct? Any errors when you run unbound-checkconf?
You could try diagnosing similarly for that mail.protonmail.com domain.
Enable unbound remote control first:
With this, you can see what DNS servers unbound is going to ask for the mail.protonmail.com domain:
pi@ph5b:~ $ sudo unbound-control lookup mail.protonmail.com.
The following name servers are used for lookup of mail.protonmail.com.
;rrset 598 13 0 2 0
com. 598 IN NS l.gtld-servers.net.
com. 598 IN NS b.gtld-servers.net.
com. 598 IN NS c.gtld-servers.net.
com. 598 IN NS d.gtld-servers.net.
com. 598 IN NS e.gtld-servers.net.
com. 598 IN NS f.gtld-servers.net.
com. 598 IN NS g.gtld-servers.net.
com. 598 IN NS a.gtld-servers.net.
com. 598 IN NS h.gtld-servers.net.
com. 598 IN NS i.gtld-servers.net.
com. 598 IN NS j.gtld-servers.net.
com. 598 IN NS k.gtld-servers.net.
com. 598 IN NS m.gtld-servers.net.
;rrset 598 1 1 11 5
com. 598 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 598 IN RRSIG DS 8 1 86400 20210527170000 20210514160000 14631 . S0HbAhlHla5719KHvyczUV6jXtOCoIVHIlFUUDB1i/5PYxskNSLSziOwulDBL7AOnpZwlHCLjcBEdPPMaJSYjnpLTr5YBbq+uWKLLJTwOgBCobqa2ucUNI7RLNfO4AnBMlfFh3gVcHzLBaYpM+eJZ6masjzc6vX/dw3CXb3yzLI7KQOO8QwH814I2sE4+WUluBFwr+5utGdfe2qpqgdXSBzrXND4p1INdcN+wBhDs1zskaTC1IuCn6A8dXwr45sPfK13SMx1CJfFsMzB3WbSv4JJoW1ZqyMcsvecuz0g0LC/g6Rv6HPgr/sfxCodsJi8tiwCUFNUnkbIAgURTfw2iw== ;{id = 14631}
;rrset 598 1 0 1 0
m.gtld-servers.net. 598 IN A 192.55.83.30
;rrset 598 1 0 1 0
m.gtld-servers.net. 598 IN AAAA 2001:501:b1f9::30
;rrset 598 1 0 1 0
k.gtld-servers.net. 598 IN A 192.52.178.30
;rrset 598 1 0 1 0
k.gtld-servers.net. 598 IN AAAA 2001:503:d2d::30
;rrset 598 1 0 1 0
j.gtld-servers.net. 598 IN A 192.48.79.30
;rrset 598 1 0 1 0
j.gtld-servers.net. 598 IN AAAA 2001:502:7094::30
;rrset 598 1 0 1 0
i.gtld-servers.net. 598 IN A 192.43.172.30
;rrset 598 1 0 1 0
i.gtld-servers.net. 598 IN AAAA 2001:503:39c1::30
;rrset 598 1 0 1 0
h.gtld-servers.net. 598 IN A 192.54.112.30
;rrset 598 1 0 1 0
h.gtld-servers.net. 598 IN AAAA 2001:502:8cc::30
;rrset 598 1 0 1 0
a.gtld-servers.net. 598 IN A 192.5.6.30
;rrset 598 1 0 1 0
a.gtld-servers.net. 598 IN AAAA 2001:503:a83e::2:30
;rrset 598 1 0 1 0
g.gtld-servers.net. 598 IN A 192.42.93.30
;rrset 598 1 0 1 0
g.gtld-servers.net. 598 IN AAAA 2001:503:eea3::30
;rrset 598 1 0 1 0
f.gtld-servers.net. 598 IN A 192.35.51.30
;rrset 598 1 0 1 0
f.gtld-servers.net. 598 IN AAAA 2001:503:d414::30
;rrset 598 1 0 1 0
e.gtld-servers.net. 598 IN A 192.12.94.30
;rrset 598 1 0 1 0
e.gtld-servers.net. 598 IN AAAA 2001:502:1ca1::30
;rrset 598 1 0 1 0
d.gtld-servers.net. 598 IN A 192.31.80.30
;rrset 598 1 0 1 0
d.gtld-servers.net. 598 IN AAAA 2001:500:856e::30
;rrset 598 1 0 1 0
c.gtld-servers.net. 598 IN A 192.26.92.30
;rrset 598 1 0 1 0
c.gtld-servers.net. 598 IN AAAA 2001:503:83eb::30
;rrset 598 1 0 1 0
b.gtld-servers.net. 598 IN A 192.33.14.30
;rrset 598 1 0 1 0
b.gtld-servers.net. 598 IN AAAA 2001:503:231d::2:30
;rrset 598 1 0 1 0
l.gtld-servers.net. 598 IN A 192.41.162.30
;rrset 598 1 0 1 0
l.gtld-servers.net. 598 IN AAAA 2001:500:d937::30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:500:d937::30 not in infra cache.
192.41.162.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30 not in infra cache.
192.33.14.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:83eb::30 not in infra cache.
192.26.92.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:856e::30 not in infra cache.
192.31.80.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:1ca1::30 not in infra cache.
192.12.94.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d414::30 not in infra cache.
192.35.51.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30 not in infra cache.
192.42.93.30 rto 415 msec, ttl 324, ping 15 var 100 rtt 415, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:a83e::2:30 not in infra cache.
192.5.6.30 rto 311 msec, ttl 324, ping 3 var 77 rtt 311, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:8cc::30 not in infra cache.
192.54.112.30 rto 419 msec, ttl 324, ping 15 var 101 rtt 419, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:39c1::30 not in infra cache.
192.43.172.30 not in infra cache.
2001:502:7094::30 not in infra cache.
192.48.79.30 not in infra cache.
2001:503:d2d::30 not in infra cache.
192.52.178.30 not in infra cache.
2001:501:b1f9::30 not in infra cache.
192.55.83.30 not in infra cache.
Ask one of those IPs who is authoritative for the protonmail.com domain:
pi@ph5b:~ $ dig +norecurse @192.55.83.30 ns protonmail.com.
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> +norecurse @192.55.83.30 ns protonmail.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39531
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;protonmail.com. IN NS
;; AUTHORITY SECTION:
protonmail.com. 172800 IN NS ns1.protonmail.com.
protonmail.com. 172800 IN NS ns2.protonmail.com.
protonmail.com. 172800 IN NS ns3.protonmail.com.
;; ADDITIONAL SECTION:
ns1.protonmail.com. 172800 IN A 185.70.40.19
ns2.protonmail.com. 172800 IN A 185.70.41.19
ns3.protonmail.com. 172800 IN A 3.127.12.149
;; Query time: 19 msec
;; SERVER: 192.55.83.30#53(192.55.83.30)
;; WHEN: Sat May 15 21:23:35 CEST 2021
;; MSG SIZE rcvd: 145
And ask one of them for the A record for mail.protonmail.com:
pi@ph5b:~ $ dig +norecurse @185.70.40.19 a mail.protonmail.com.
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> +norecurse @185.70.40.19 a mail.protonmail.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56500
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c4b02d65ee2c9081683a9d9160a020040f4099610ddcc3c5 (good)
;; QUESTION SECTION:
;mail.protonmail.com. IN A
;; ANSWER SECTION:
mail.protonmail.com. 1200 IN A 185.70.41.130
;; AUTHORITY SECTION:
protonmail.com. 1200 IN NS ns2.protonmail.com.
protonmail.com. 1200 IN NS ns3.protonmail.com.
protonmail.com. 1200 IN NS ns1.protonmail.com.
;; ADDITIONAL SECTION:
ns1.protonmail.com. 1200 IN A 185.70.40.19
ns2.protonmail.com. 1200 IN A 185.70.41.19
ns3.protonmail.com. 1200 IN A 3.127.12.149
;; Query time: 32 msec
;; SERVER: 185.70.40.19#53(185.70.40.19)
;; WHEN: Sat May 15 21:24:52 CEST 2021
;; MSG SIZE rcvd: 194
Could you post output for those to see if anything differs?
And are the resolv.conf files the same now on both nodes and what is content?
cat /etc/resolv.conf
EDIT: changed the unbound-control lookup a bit to include the full domain instead of only the .com domain.
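As an added example (not part of the replies above, and not a Pi-hole or unbound tool), the following script runs the checks from the last two replies in one go: the clock and unbound-checkconf sanity checks, unbound-control lookup to find the TLD servers unbound would ask, dig +norecurse against one TLD server and then one of the domain's own name servers, and finally a query to unbound on 127.0.0.1#5335 so the direct answers can be compared with what Pi-hole receives. It asks the TLD server for the A record rather than the NS record (the referral carries the same NS names and glue in the AUTHORITY and ADDITIONAL sections), and the function names are this example's own. Running it on both Pi-holes shows at which step the failing one first returns SERVFAIL.

```shell
#!/bin/sh
# Added example: reproduce the manual diagnosis from the thread as one script.
#   1. preflight: clock and unbound config. If unbound validates DNSSEC, a clock
#      that is far off makes every signature look invalid and yields SERVFAIL;
#      a Pi with no RTC can boot in 1970 until NTP has synced.
#   2. ask unbound which TLD servers it would use (remote-control must be enabled)
#   3. query one TLD server and one authoritative server directly with +norecurse
#   4. ask unbound itself on 127.0.0.1#5335, the path that showed SERVFAIL
# Function names are this example's own. Usage: sh unbound_trace.sh mail.protonmail.com

year_plausible() {
    # A box installed with Pi-hole v5.3 cannot legitimately be in a year before 2021
    [ "$1" -ge 2021 ]
}

preflight() {
    year_plausible "$(date +%Y)" || { echo "clock looks wrong: $(date)"; return 1; }
    unbound-checkconf >/dev/null || { echo "unbound-checkconf reported errors"; return 1; }
}

dig_status() {
    # Extract the rcode from dig's header line, e.g. "status: NOERROR, id: 39531"
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

section_records() {
    # $1 = dig output, $2 = ANSWER|AUTHORITY|ADDITIONAL, $3 = record type
    # Prints "<owner> <rdata>" for records of that type inside that section only
    printf '%s\n' "$1" | awk -v sec=";; $2 SECTION:" -v type="$3" '
        /^;; .*SECTION:/ { insec = ($0 == sec); next }
        insec && $3 == "IN" && $4 == type { print $1, $5 }'
}

ns_names() { section_records "$1" AUTHORITY NS | awk '{ print $2 }'; }
glue_a()   { section_records "$1" ADDITIONAL A | awk -v n="$2" '$1 == n { print $2 }'; }
answer_a() { section_records "$1" ANSWER A | awk '{ print $2 }'; }

first_tld_server() {
    # From "unbound-control lookup" output, take the first IPv4 address listed
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5; exit }'
}

trace_domain() {
    domain="$1"
    lookup="$(sudo unbound-control lookup "$domain.")" || return 1
    tld_ip="$(first_tld_server "$lookup")"
    [ -n "$tld_ip" ] || { echo "unbound lists no IPv4 TLD server for $domain"; return 1; }

    # Referral from the TLD server: NS names in AUTHORITY, their glue in ADDITIONAL
    ref="$(dig +norecurse @"$tld_ip" a "$domain.")"
    echo "TLD server $tld_ip: $(dig_status "$ref") (referral)"
    ns="$(ns_names "$ref" | head -n 1)"
    ns_ip="$(glue_a "$ref" "$ns")"
    [ -n "$ns_ip" ] || { echo "no glue address for $ns in the referral"; return 1; }

    # Authoritative answer straight from the domain's own name server
    auth="$(dig +norecurse @"$ns_ip" a "$domain.")"
    echo "authoritative $ns ($ns_ip): $(dig_status "$auth") -> $(answer_a "$auth" | tr '\n' ' ')"

    # What Pi-hole sees: unbound's validated answer on the local port
    local_out="$(dig @127.0.0.1 -p 5335 a "$domain.")"
    echo "unbound 127.0.0.1#5335: $(dig_status "$local_out") -> $(answer_a "$local_out" | tr '\n' ' ')"
}

if [ $# -gt 0 ]; then
    preflight && trace_domain "$1"
fi
```

If the two direct queries return NOERROR with an address but the last line returns SERVFAIL, the problem is inside unbound (validation, clock, or its upstream reachability) rather than in Pi-hole or the domain; if the direct queries already fail, compare the same output from the working Pi-hole to see whether the TLD or authoritative servers are reachable from the new one at all.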