Strange issue - github cannot be resolved

0110 · July 30, 2018, 5:05pm

Please follow the below template, it will help us to help you!

Expected Behaviour:

pihole should be able to resolve github.com. I am running the ftldns and recursive resolver pihole. all other websites seem to work fine.

Actual Behaviour:

github.com doesn't open a page. when I look at the logs it says it was forwarded and had no issues. this stops me from updating pihole and many of the blocklists. it is a strange one because I can access other websites but not github. Also, when checking pihole advertisement test page, it shows that the adblocking isn't enabled. However when I check other websites some of the ads are being blocked. for example guardian newspaper website has ads but I cannot see them in my current setup.

Debug Token:

hkqwryn9ff

jfb · July 30, 2018, 5:11pm

Run these two commands and paste the results (from the terminal on the Pi-Hole device):

dig github.com

dig github.com @8.8.8.8

0110 · July 30, 2018, 5:12pm

pi@raspberrypi:~ $ dig github.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;github.com.                    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 30 17:11:22 UTC 2018
;; MSG SIZE  rcvd: 39

-------------------------------------------------------------------------------------------------------------------------------

pi@raspberrypi:~ $ dig github.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Raspbian <<>> github.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com.                    IN      A

;; ANSWER SECTION:
github.com.             59      IN      A       192.30.253.112
github.com.             59      IN      A       192.30.253.113

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 30 17:11:44 UTC 2018
;; MSG SIZE  rcvd: 71

jfb · July 30, 2018, 5:32pm

Since you are on the FTLDNS branch, and the devs are putting the final work into 4.0, would you like to move to the 4.0 branch (lots of nice features, does everything the FTLDNS does)? For two reasons, (1) the install may flush your cache and clear the problem, and (2) any troubleshooting on the 4.0 branch will help the development of that branch.

echo release/v4.0 | sudo tee /etc/pihole/ftlbranch 
pihole checkout core release/v4.0 
pihole checkout web release/v4.0

0110 · July 30, 2018, 5:56pm

I have already done that but makes no difference. still the same issue.

RamSet · July 30, 2018, 6:14pm

You are running unbound on port 5353 but you are not requesting DNS resolutions via unbound.

Your /etc/dnsmasq.d/01-pihole.conf has only:

server=127.0.0.1

Should be:

server=127.0.0.1#5353

You can edit that file via CLI (by editing the file directly) or from the /admin/ interface.

Make sure you specify the port 5353 (the one currently configured in your unbound) in the interface.

0110 · July 30, 2018, 7:00pm

Hi,
I have just checked the file and it has the correct address 127.0.0.1#5353

See screenshot.

DanSchaper · July 30, 2018, 8:02pm

Try dig github.com -p 5353 to check the next step on the resolver chain. FTLDNS is giving you a response, but that response is empty as it's not getting any answer from its upstream resolver.

0110 · July 30, 2018, 8:01pm

Well I have just added these two and still no luck. I don't think they are getting blocked because the log shows they are getting forwarded but for some reason the log says they couldn't find server for GitHub.com.

If I temporarily change dns to Google it all seems to work fine.

0110 · July 30, 2018, 8:49pm

This is the output.

DanSchaper · July 30, 2018, 9:16pm

And one more dig github.com -p 53 to check and see if it was just a transient error that cleared please?

0110 · July 30, 2018, 9:19pm

Here is the output

0110 · July 30, 2018, 9:20pm

Here is the output of the command

0110 · July 30, 2018, 9:46pm

It was only a few seconds to restart like 1 or 2 secs. Here is the output.

0110 · July 31, 2018, 9:09am

here are the outputs of the three commands:

pi@raspberrypi:~ $ dig pi-hole.net -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> pi-hole.net -p 5353
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34519
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 13

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1472
    ;; QUESTION SECTION:
    ;pi-hole.net.                   IN      A

    ;; ANSWER SECTION:
    pi-hole.net.            86400   IN      A       206.189.252.21

    ;; AUTHORITY SECTION:
    pi-hole.net.            86400   IN      NS      ns5.pi-hole.net.
    pi-hole.net.            86400   IN      NS      ns4.pi-hole.net.
    pi-hole.net.            86400   IN      NS      ns2.pi-hole.net.
    pi-hole.net.            86400   IN      NS      ns1.pi-hole.net.
    pi-hole.net.            86400   IN      NS      ns6.pi-hole.net.
    pi-hole.net.            86400   IN      NS      ns3.pi-hole.net.

    ;; ADDITIONAL SECTION:
    ns1.pi-hole.net.        45598   IN      AAAA    2600:1800:10::1
    ns2.pi-hole.net.        45598   IN      AAAA    2600:1801:11::1
    ns3.pi-hole.net.        45598   IN      AAAA    2600:1802:12::1
    ns4.pi-hole.net.        45598   IN      AAAA    2600:1801:13::1
    ns5.pi-hole.net.        45598   IN      AAAA    2600:1802:14::1
    ns6.pi-hole.net.        45598   IN      AAAA    2600:1800:15::1
    ns1.pi-hole.net.        45598   IN      A       208.94.148.4
    ns2.pi-hole.net.        45598   IN      A       208.80.124.4
    ns3.pi-hole.net.        45598   IN      A       208.80.126.4
    ns4.pi-hole.net.        45598   IN      A       208.80.125.4
    ns5.pi-hole.net.        45598   IN      A       208.80.127.4
    ns6.pi-hole.net.        45598   IN      A       208.94.149.4

    ;; Query time: 9 msec
    ;; SERVER: 127.0.0.1#5353(127.0.0.1)
    ;; WHEN: Tue Jul 31 09:07:33 UTC 2018
    ;; MSG SIZE  rcvd: 428

pi@raspberrypi:~ $ dig pi-hole.com -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> pi-hole.com -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56278
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.com.                   IN      A

;; ANSWER SECTION:
pi-hole.com.            3600    IN      A       159.203.180.3

;; AUTHORITY SECTION:
pi-hole.com.            86400   IN      NS      ns6.pi-hole.net.
pi-hole.com.            86400   IN      NS      ns2.pi-hole.net.
pi-hole.com.            86400   IN      NS      ns1.pi-hole.net.
pi-hole.com.            86400   IN      NS      ns5.pi-hole.net.
pi-hole.com.            86400   IN      NS      ns4.pi-hole.net.
pi-hole.com.            86400   IN      NS      ns3.pi-hole.net.

;; Query time: 83 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Tue Jul 31 09:07:51 UTC 2018
;; MSG SIZE  rcvd: 175

pi@raspberrypi:~ $ dig github.com -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> github.com -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;github.com.                    IN      A

;; AUTHORITY SECTION:
github.com.             3600    IN      NS      ns-1283.awsdns-32.org.
github.com.             3600    IN      NS      ns-1707.awsdns-21.co.uk.
github.com.             3600    IN      NS      ns-421.awsdns-52.com.
github.com.             3600    IN      NS      ns-520.awsdns-01.net.
github.com.             3600    IN      NS      ns1.p16.dynect.net.
github.com.             3600    IN      NS      ns2.p16.dynect.net.
github.com.             3600    IN      NS      ns3.p16.dynect.net.
github.com.             3600    IN      NS      ns4.p16.dynect.net.

;; Query time: 17 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Tue Jul 31 09:07:56 UTC 2018
;; MSG SIZE  rcvd: 259

Here is the output of the file:

pi@raspberrypi:~ $ cat /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 3

    # Ensure kernel buffer is large enough to not loose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 10.8.0.0/8
    private-address: 192.168.1.0/8
    private-address: 10.9.0.0/8

0110 · July 31, 2018, 9:12am

this is what the log shows on pihole interface.

jfb · July 31, 2018, 3:10pm

Is there a reason you are running three unbound threads? Also, when you increase the number of threads, you typically change the cache settings, but I don't see any command lines for that in your pi-hole.conf file.

The recommended settings for unbound are:

 # One thread should be sufficient, can be increased on beefy machines
  num-threads: 1

 # more cache memory, rrset=msg*2
 rrset-cache-size: 100m
 msg-cache-size: 50m

0110 · August 1, 2018, 10:37am

I have changed it to the 1 thread but no difference. still cannot access GitHub.com

I think I am going to stop the unbound service until it is in master mode (hopeful). Will keep using ftldns for now and see what happens.

thanks for your help.

jfb · August 1, 2018, 2:09pm

I think there is something gone bad in your unbound install. I have been running unbound on both beta FTLDNS and 4.0 with no problems.
For now, to get your Pi-Hole running for you, I would change your upstream DNS server(s) to one or more of the usual DNS providers. Let us know if that fixes the GitHub problem.

0110 · August 6, 2018, 7:06pm

Apologies for reviving this thread again but I have just done fresh install of pihole and unbound. I am still facing the same issue. If i run the unbound i cannot access github.com

do you think there are any other steps that can be used to debug this? or do I need to reinstall full pi which I really don't want to.