The issue I am facing:
I have been using my Pi-hole + Unbound for a couple weeks without issue, when I suddenly started having this error randomly pop up in Firefox (with its DoH disabled) for a bunch of different pages:
It is "fixed" each time by simply refreshing the page once or twice. I was wondering what might be causing it, so I went to my Pi-hole query log and saw entries that look like this:
There is usually a Retried status immediately followed by a BOGUS / SERVFAIL. I did a query log over the past seven days and saw that there were over 3000 Retried entries across several different devices, not just this one.
I haven't made any configuration changes in the past few weeks, so I'm not sure why it has suddenly started to fail when trying to resolve pages. The only thing I can think of is that I changed the speed of my AT&T broadband plan about the same time, and maybe they pushed some sort of change to their BGW210 modem I'm forced to use.
After doing some Googling, others who've had lots of Retried and/or SERVFAIL errors said they might have an issue with packet filtering upstream of the Pi-hole on Port 53 or something, but I haven't been able to figure out if that's my problem, or even how to fix it. Any help would be appreciated!
Details about my system:
AT&T fiber jack > Arris BGW210 modem/router [in pass-through mode] > AmpliFi Instant Router > Gigabit switch > Raspberry Pi (+ rest of network)
Debug Token: https://tricorder.pi-hole.net/x6im0qciqu
server: # If no logfile is specified, syslog is used # logfile: "/var/log/unbound/unbound.log" verbosity: 0 interface: 127.0.0.1 port: 5335 do-ip4: yes do-udp: yes do-tcp: yes # May be set to yes if you have IPv6 connectivity do-ip6: no # You want to leave this to no unless you have *native* IPv6. With 6to4 and # Terredo tunnels your web browser should favor IPv4 for the same reasons prefer-ip6: no # Use this only when you downloaded the list of primary root servers! root-hints: "/var/lib/unbound/root.hints" # Trust glue only if it is within the server's authority harden-glue: yes # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS harden-dnssec-stripped: yes # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details use-caps-for-id: no # Reduce EDNS reassembly buffer size. # Suggested by the unbound man page to reduce fragmentation reassembly problems edns-buffer-size: 1472 # Perform prefetching of close to expired message cache entries # This only applies to domains that have been frequently queried prefetch: yes # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. num-threads: 1 # Ensure kernel buffer is large enough to not lose messages in traffic spikes so-rcvbuf: 1m # Ensure privacy of local IP ranges private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10
What I have changed since installing Pi-hole:
- Installed Unbound using the standard guide here: https://docs.pi-hole.net/guides/dns/unbound/
- Pi-hole serves as my network's DHCP provider
- Also installed Homebridge for smart home stuff