Streaming Apps on Roku being Blocked

I'm running two PI's with standard ad list running as recursive using unbound. LAN clients use the PI's as DNS. This was a recent change. When I start my Roku device it loads fine, no problems. When I start any of the streaming apps like Netflix, HBO Max etc... they load but no movie thumbnails show up and they do not stream any movies if I try and play them. To test, all I did was add 8.8.8.8 and primary on the LAN and after I restarted the Roku with the new LAN settings everything started working. Not sure why the PI is blocking these apps from playing content. It is also blocking websites I normally visit or some of the clients visit.

Pic of Netflix screen:

distribution used

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

PI Version

 Pi-hole version is v5.3.1 (Latest: v5.3.1)
  AdminLTE version is v5.5 (Latest: v5.5)
  FTL version is v5.8.1 (Latest: v5.8.1)

So I did some investigating on the problem. Here are my results.

I tested both Roku and ultimate-guitar.com.

I didn't have any luck with Roku. However, in testing ultimate-guitar I noticed a weird thing.

When I navigate to the website www.ultimate-guitar.com I receive a DNS_PROBE_FINISHED_NXDOMAIN error.

Pihole -t shows

May 25 00:51:27 dnsmasq[29758]: reply www.ultimate-guitar.com is <CNAME>
May 25 00:51:27 dnsmasq[29758]: reply cds.z4d4x3c3.hwcdn.net is NXDOMAIN

NSLOOKUP shows

@pihole1:/var/log/unbound$ nslookup ultimate-guitar.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ultimate-guitar.com
Address: 178.18.22.152

@pihole1:/var/log/unbound$ nslookup www.ultimate-guitar.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find www.ultimate-guitar.com: NXDOMAIN

The moment I dig with @1.1.1.1 I am able to go to the website no problems until the record goes stale and I can't reach the site. Only other thing is it will not work on subdomains; I get the same NXDOMAIN error, for example navigating to tabs.ultimate-guitar.com.

@pihole1:/var/log/unbound$ dig ultimate-guitar.com @1.1.1.1

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> ultimate-guitar.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ultimate-guitar.com.           IN      A

;; ANSWER SECTION:
ultimate-guitar.com.    600     IN      A       178.18.22.152

;; Query time: 22 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue May 25 00:54:38 CDT 2021
;; MSG SIZE  rcvd: 53

This doesn't seem to be a Pi-hole issue, as far as your examples go.
They'd suggest that it is one of your upstream DNS servers.

The interesting line would be the forwarded one preceding those above, as that would reveal which of your Pi-hole's upstream servers did return NXDOMAIN.
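The correlation suggested in the reply above, as an added example that is not part of the original thread: it pairs each NXDOMAIN reply in `pihole -t` output with the upstream named in the preceding forwarded line, following CNAME chains. The sample lines, the domain names in them and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Accepts the raw dnsmasq form ("May 25 00:51:27 dnsmasq[29758]: reply ...")
# and the trimmed `pihole -t` form ("14:58:41: reply ...").
LINE = re.compile(r"\b(query\[\w+\]|forwarded|reply|cached) (\S+) (?:from|to|is) (\S+)\s*$")

def nxdomain_by_upstream(lines):
    """Map upstream(s) -> [(queried name, name that came back NXDOMAIN)]."""
    forwarded_to = defaultdict(list)  # queried name -> upstreams since its last query line
    chain_origin = None               # first name of a CNAME chain still being reported
    findings = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        action, name, value = m.groups()
        if action == "reply":
            origin = chain_origin or name
            if value == "<CNAME>":
                chain_origin = origin  # the next reply line carries the CNAME target
                continue
            if value == "NXDOMAIN":
                # dnsmasq does not log which server answered; if the query went
                # to several upstreams, all of them are listed as candidates.
                upstreams = forwarded_to.get(origin) or ["unknown"]
                findings[", ".join(upstreams)].append((origin, name))
        elif action == "forwarded":
            forwarded_to[name].append(value)
        elif action.startswith("query"):
            forwarded_to[name] = []
        chain_origin = None
    return dict(findings)

# Constructed sample input in the two log formats shown in this thread.
SAMPLE = """\
14:58:41: query[A] www.shop.example from 10.0.0.26
14:58:41: forwarded www.shop.example to 127.0.0.1
14:58:41: reply www.shop.example is <CNAME>
14:58:41: reply edge.cdn.example is NXDOMAIN
14:58:50: query[A] api.example from 10.0.0.26
14:58:50: forwarded api.example to 192.0.2.53
14:58:50: reply api.example is 198.51.100.7
May 25 00:51:27 dnsmasq[29758]: query[A] gone.example from 10.0.0.30
May 25 00:51:27 dnsmasq[29758]: forwarded gone.example to 192.0.2.53
May 25 00:51:27 dnsmasq[29758]: reply gone.example is NXDOMAIN
""".splitlines()

if __name__ == "__main__":
    for upstream, hits in nxdomain_by_upstream(SAMPLE).items():
        print(upstream, hits)
```

An NXDOMAIN whose forwarded line is missing from the excerpt is reported under "unknown", which is the situation the reply above describes.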

I went and duplicated it and ran pihole -t on server side. This is what it shows.

14:58:33: query[A] www.ultimate-guitar.com from 10.0.0.26
14:58:33: forwarded www.ultimate-guitar.com to 127.0.0.1
14:58:33: reply www.ultimate-guitar.com is <CNAME>

14:58:41: query[A] www.ultimate-guitar.com from 10.0.0.26
14:58:41: forwarded www.ultimate-guitar.com to 127.0.0.1
14:58:41: reply www.ultimate-guitar.com is <CNAME>
14:58:41: reply cds.z4d4x3c3.hwcdn.net is NXDOMAIN

Here is the unbound log section, if it helps.

info: sending query: ultimate-guitar.com. A IN
[1621911639] unbound[27020:0] debug: sending to target: <com.> 192.35.51.30#53
[1621911639] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1621911639] unbound[27020:0] info: iterator operate: query com. DNSKEY IN
[1621911639] unbound[27020:0] info: resolving com. DNSKEY IN
[1621911639] unbound[27020:0] info: finishing processing for com. DNSKEY IN
[1621911639] unbound[27020:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
[1621911639] unbound[27020:0] info: validator operate: query com. DNSKEY IN
[1621911639] unbound[27020:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_moddone
[1621911639] unbound[27020:0] info: subnet operate: query com. DNSKEY IN
[1621911639] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1621911639] unbound[27020:0] info: iterator operate: query www.ultimate-guitar.com. A IN
[1621911639] unbound[27020:0] info: response for www.ultimate-guitar.com. A IN
[1621911639] unbound[27020:0] info: reply from <com.> 192.35.51.30#53
[1621911639] unbound[27020:0] info: query response was ANSWER
[1621911639] unbound[27020:0] info: processQueryTargets: www.ultimate-guitar.com. A IN
[1621911639] unbound[27020:0] info: sending query: www.ultimate-guitar.com. A IN
[1621911639] unbound[27020:0] debug: sending to target: <com.> 192.54.112.30#53
[1621911639] unbound[27020:0] debug: cache memory msg=148120 rrset=186461 infra=21411 val=82279 subnet=74488
[1621911640] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1621911640] unbound[27020:0] info: iterator operate: query www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: sanitize: removing extraneous answer RRset: cds.z4d4x3c3.hwcdn.net. A IN
[1621911640] unbound[27020:0] info: response for www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: reply from <com.> 192.54.112.30#53
[1621911640] unbound[27020:0] info: query response was CNAME
[1621911640] unbound[27020:0] info: resolving www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: resolving (init part 2):  www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: resolving (init part 3):  www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: processQueryTargets: www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] debug: removing 2 labels
[1621911640] unbound[27020:0] info: processQueryTargets: www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] debug: removing 1 labels
[1621911640] unbound[27020:0] info: processQueryTargets: www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: sending query: cds.z4d4x3c3.hwcdn.net. A IN
[1621911640] unbound[27020:0] debug: sending to target: <net.> 192.26.92.30#53
[1621911640] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: iterator operate: query net. DNSKEY IN
[1621911640] unbound[27020:0] info: resolving net. DNSKEY IN
[1621911640] unbound[27020:0] info: finishing processing for net. DNSKEY IN
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
[1621911640] unbound[27020:0] info: validator operate: query net. DNSKEY IN
[1621911640] unbound[27020:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_moddone
[1621911640] unbound[27020:0] info: subnet operate: query net. DNSKEY IN
[1621911640] unbound[27020:0] debug: cache memory msg=148120 rrset=186461 infra=21411 val=82279 subnet=74488
[1621911640] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1621911640] unbound[27020:0] info: iterator operate: query www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: iterator operate: chased to cds.z4d4x3c3.hwcdn.net. A IN
[1621911640] unbound[27020:0] info: response for www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: reply from <net.> 192.26.92.30#53
[1621911640] unbound[27020:0] info: query response was ANSWER
[1621911640] unbound[27020:0] info: finishing processing for www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1621911640] unbound[27020:0] info: validator operate: query www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: subnet operate: query ultimate-guitar.com. DS IN
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: validator operate: query ultimate-guitar.com. DS IN
[1621911640] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: resolving ultimate-guitar.com. DS IN
[1621911640] unbound[27020:0] info: finishing processing for ultimate-guitar.com. DS IN
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1621911640] unbound[27020:0] info: validator operate: query ultimate-guitar.com. DS IN
[1621911640] unbound[27020:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1621911640] unbound[27020:0] info: subnet operate: query ultimate-guitar.com. DS IN
[1621911640] unbound[27020:0] info: NSEC3s for the referral proved no DS.
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
[1621911640] unbound[27020:0] info: validator operate: query www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: Verified that unsigned response is INSECURE
[1621911640] unbound[27020:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: subnet operate: query hwcdn.net. DS IN
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: validator operate: query hwcdn.net. DS IN
[1621911640] unbound[27020:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1621911640] unbound[27020:0] info: resolving hwcdn.net. DS IN
[1621911640] unbound[27020:0] info: finishing processing for hwcdn.net. DS IN
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1621911640] unbound[27020:0] info: validator operate: query hwcdn.net. DS IN
[1621911640] unbound[27020:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1621911640] unbound[27020:0] info: subnet operate: query hwcdn.net. DS IN
[1621911640] unbound[27020:0] info: NSEC3s for the referral proved no DS.
[1621911640] unbound[27020:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
[1621911640] unbound[27020:0] info: validator operate: query www.ultimate-guitar.com. A IN
[1621911640] unbound[27020:0] info: validator operate: chased to cds.z4d4x3c3.hwcdn.net. A IN
[1621911640] unbound[27020:0] info: Verified that unsigned response is INSECURE

Weird thing happened when I got home. Went to the page and it went right to the NXDOMAIN page. Walked away for about 5 minutes; when I got back the page had opened up on its own.

This proves that your issue is not with Pi-hole:

Pi-hole is answering whatever the DNS server at 127.0.0.1 is returning as answer.

Since it's a local unbound that provides those answers, you are correct in turning to unbound's logs for further analysis.
Your respective log excerpt doesn't show where unbound receives the NXDOMAIN, but I think it's safe to assume that unbound wouldn't invent that answer either, i.e. an authoritative DNS server queried by unbound is returning that NXDOMAIN.

Since this is not a Pi-hole issue, I am re-categorising your topic to Community Help.

Well, after all that I figured it out. I added a forward-zone using Cloudflare DoT and it worked.

Added the following to pi-hole.conf in /etc/unbound/unbound.conf.d/pi-hole.conf

    #TLS cert bundle
    #tls-cert-bundle: "/etc/ssl/certs/ca-root-nss.crt"
    ssl-upstream: yes

#connect to Cloudflare
forward-zone:
    name: "."
    #forward-tls-upstream: yes
    #Cloudflare DNS
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#one.one.one.one
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#one.one.one.one

Thanks for the help... great experience, going to subscribe to the GitHub! Thanks Bucking_Horn!
