Some websites are failing to load

Expected Behaviour:

All websites are loading

Actual Behaviour:

Chrome returns

The webpage at https://www.aliexpress.com/ might be temporarily down or it may have moved permanently to a new web address.
ERR_NAME_RESOLUTION_FAILED

for some websites. I took aliexpress as an example since it is such a big player that it should not be failing. Most of the websites load fine. Looking at my log in pi-hole tells me that aliexpress is not blocked. Other devices in the network have the same problem. Moving the DNS back to my router lets me access the websites again.

dig aliexpress.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> aliexpress.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1811
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;aliexpress.com.                        IN      A

;; ANSWER SECTION:
aliexpress.com.         599     IN      A       198.11.132.250

;; Query time: 171 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 22 11:54:23 UTC 2017
;; MSG SIZE  rcvd: 59

Debug Token:

Your debug token is: 2rsszkwu7f

In the Chrome error, the domain is "www.aliexpress.com" but with the dig command, you only query "aliexpress.com".
What if you use the "nslookup" command (works on Linux as well as Windows) instead of "dig" on a troubled client?
In the example below, 10.0.0.2 is my Pihole IP.

C:\>nslookup www.aliexpress.com
Server:  noads.dehakkelaar.nl
Address:  10.0.0.2

Non-authoritative answer:
Name:    e11956.b.akamaiedge.net
Address:  104.73.145.42
Aliases:  www.aliexpress.com, areaall-akamai.aliexpress.com
          areaall-akamai.aliexpress.com.gds.alibabadns.com, eu1111.alicdn.com.edgekey.net

The example above queries the DNS server(s) that is/are configured in the client OS (10.0.0.2 in my case).
If you want to query a particular DNS server, for example Google's 8.8.8.8:

C:\>nslookup www.aliexpress.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    e11956.b.akamaiedge.net
Address:  104.73.145.42
Aliases:  www.aliexpress.com, areaall-akamai.aliexpress.com
          areaall-akamai.aliexpress.com.gds.alibabadns.com, eu1111.alicdn.com.edgekey.net

You can check on Pi-hole if any of the domains are on the lists with the command below:

pi@noads:~ $ pihole -q www.aliexpress.com
::: /etc/pihole/list.0.raw.githubusercontent.com.domains (0 results)
::: /etc/pihole/list.1.mirror1.malwaredomains.com.domains (0 results)
::: /etc/pihole/list.2.sysctl.org.domains (0 results)
::: /etc/pihole/list.3.zeustracker.abuse.ch.domains (0 results)
::: /etc/pihole/list.4.s3.amazonaws.com.domains (0 results)
::: /etc/pihole/list.5.s3.amazonaws.com.domains (0 results)
::: /etc/pihole/list.6.hosts-file.net.domains (0 results)
::: /etc/pihole/list.preEventHorizon (0 results)
::: /etc/pihole/blacklist.txt does not exist

Or use the web GUI:
http://pi.hole/admin/queryads.php

Following results for pi-hole:

dig www.aliexpress.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> www.aliexpress.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30531
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.aliexpress.com.            IN      A

;; Query time: 4035 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 22 14:27:45 UTC 2017
;; MSG SIZE  rcvd: 47


pihole -q www.aliexpress.com

  [i] No results found for www.aliexpress.com found within block lists

Seems like www.aliexpress.com gets a server fail

On the client system:

C:\WINDOWS\system32>nslookup www.aliexpress.com

Server:  p200[...]4CCA.dip0.t-ipconnect.de
Address:  2003:de:[...]:4cca

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Timeout for
p200300[...]A.dip0.t-ipconnect.de.

C:\WINDOWS\system32>nslookup www.aliexpress.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    e11956.b.akamaiedge.net
Address:  104.74.77.7
Aliases:  www.aliexpress.com
          areaall-akamai.aliexpress.com
          areaall-akamai.aliexpress.com.gds.alibabadns.com
          eu1111.alicdn.com.edgekey.net

I got it to work again but I am not sure what actually did the trick. Maybe someone can give me a hint?

  • I removed IPv6 DNS server from pi hole. Did not change anything but maybe it just needed time to propagate?
  • I disabled my routers firewall settings. Connecting to aliexpress worked again but it continued working after I enabled the firewall again.

The Vigor 130 firewall has some options to prevent flooding with different packets (DoS); maybe I reset the count by turning the firewall off once. Does someone know which firewall option could be the problem?


Added the Vigor 130 Manual as reference

Probably removing the ipv6 DNS did the trick, as the clients were trying to resolve through ipv6.
And yes, whenever you change settings related to DHCP, these settings need to propagate first to the clients.
If you don't have ipv6 set up/configured in your LAN, it is best to disable this for all.

Well my ISP provides me with a DS-Lite connection. Meaning I have a shared IPv4 and every device has also an IPv6 so I thought I also need to enable IPv6 DNS to get a use case out of my IPv6 setup.

If so, make sure Pi-hole has a valid ipv6 address and is configured to use ipv6.
And you can test the same with the lookup command using the ipv6 addresses eg:

nslookup www.aliexpress.com <DNS_server_IPv6_address>

And mind this one, as some ISPs don't behave :wink:

EDIT: Forgot to mention, you can configure Pi-hole ipv6 with the command below:

pihole -r

If I interpret my test right the problem is that aliexpress is not reachable via IPv6. So my setup was correct but enabling IPv6 can lead to problems if websites do not support it. Shouldn't there be a fallback to IPv4?

C:\WINDOWS\system32>nslookup www.aliexpress.com 2001:4860:4860::8888
Server:  google-public-dns-a.google.com
Address:  2001:4860:4860::8888

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Timeout for google-public-dns-a.google.com.

C:\WINDOWS\system32>nslookup jwillmer.de 2001:4860:4860::8888
Server:  google-public-dns-a.google.com
Address:  2001:4860:4860::8888

Non-authoritative answer:
Name:    jwillmer.de
Addresses:  2400:cb00:2048:1::681c:167e
          2400:cb00:2048:1::681c:177e
          104.28.22.126
          104.28.23.126

No. IPv4 and IPv6 are different addressing systems in the same namespace (the Internet). There is no fallback by default (it might even be harmful, as IPv4 will have to die out at some point). Instead, the commonly seen behavior of e.g. browsers is to first query IPv6 and only if that fails query an IPv4 address.

Furthermore:

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Timeout for google-public-dns-a.google.com.

doesn't look like "no data available for the queried domain" but rather like your connection to the DNS server itself timed out (there was no negative response).
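The distinction made above (a timeout is the absence of any reply, while SERVFAIL, NXDOMAIN and an empty NOERROR are replies the server actually sent) can be checked mechanically on the wire. The script below is an added example, not code from this thread or from Pi-hole: it builds a minimal A query, classifies a raw UDP reply by its header RCODE and answer count, and uses constructed sample replies for www.aliexpress.com rather than captured traffic; `query_udp` is an assumed helper for running the same check against a real server such as 127.0.0.1 or 2001:4860:4860::8888.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: 12-byte header (RD set) plus one question, type A by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(resp):
    """Tell a missing reply (timeout) apart from a negative or empty reply."""
    if resp is None:
        return "timeout: no reply at all (not a negative answer)"
    if len(resp) < 12:
        return "malformed: short header"
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:  # QR bit must be set on a response
        return "malformed: QR bit not set"
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR" and ancount == 0:
        return "NOERROR but empty answer"
    return "%s (%d answer records)" % (rcode, ancount)

def query_udp(name, server, timeout=2.0):
    """Send one UDP query to server (IPv4 or IPv6 literal); None on timeout."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def make_reply(rcode, with_answer=False):
    """Constructed sample reply (not captured traffic) echoing the question."""
    question = build_query("www.aliexpress.com")[12:]
    ancount = 1 if with_answer else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if with_answer:  # pointer to the question name, A record, TTL 599, 198.11.132.250
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 599, 4) + bytes([198, 11, 132, 250])
    return header + question + answer

if __name__ == "__main__":
    samples = [("ok", make_reply(0, True)), ("servfail", make_reply(2)),
               ("nxdomain", make_reply(3)), ("timeout", None)]
    for label, r in samples:
        print(label, "->", classify_response(r))
```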

It really was the problem with my Vigor 130 firewall. I had the timeout problem again today and disabling the firewall immediately fixed the problem. Next time it occurs I will try to pinpoint which firewall option is the problem.

I think the UDP flood defense is the problem since:

DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. wikipedia

Deactivating it worked for me; can anyone confirm that this could be the problem? If this does not permanently fix my problem I will update this thread.

I can't confirm, but it sounds like that flood protection is a bit too strict :wink: