Things have randomly stopped! (all queries refused, regardless of server)

ptruman · April 1, 2024, 2:23pm

The issue I am facing:

All queries are being "REFUSED" regardless of what server I use.
If I enter docker command line (docker exec -it pihole /bin/bash) and type

*nslookup*
*server 8.8.8.8*
*testdomains.com*

...it works. If I set pihole DNS to use Google (or manually 8.8.8.8) it fails.
If I query my upstream servers manually via nslookup, queries work:

root@openmediavault:/etc/docker# nslookup
> server 10.74.90.135
Default server: 10.74.90.135
Address: 10.74.90.135#53
> testdomains.com
** server can't find testdomains.com: REFUSED
^C
root@openmediavault:/etc/docker# nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> testdomains.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   testdomains.com
Address: 69.89.31.216
> server 10.74.1.1
Default server: 10.74.1.1
Address: 10.74.1.1#53
> testdomains.com
Server:         10.74.1.1
Address:        10.74.1.1#53

Non-authoritative answer:
Name:   testdomains.com
Address: 69.89.31.216

Details about my system:

DOCKER TAG 2024.03.2
PI-HOLE V5.18.2
FTL V5.25.1
WEB INTERFACE V5.21

What I have changed since installing Pi-hole:

Nothing presently.
I was using pihole for DNS and DHCP, and have temporarily updated DNSMASQ to point to my router (10.74.1.1) for DNS to regain access, which in turn is using 8.8.8.8

Debug Token : https://tricorder.pi-hole.net/en2gesDk/

ptruman · April 1, 2024, 3:09pm

EDIT : I've spun up a new (raw) piHole docker on a separate IP with NO config barring using Google as upstream, and it's working - so something has got very broken in my existing docker - just not sure what.

rdwebdesign · April 1, 2024, 4:03pm

Your debug log shows these messages:

   [2024-04-01 15:07:58.043 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: cdn-01.yumenetworks.com
   [2024-04-01 15:07:58.366 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: cdn-01.yumenetworks.com
   [2024-04-01 15:14:55.994 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: goosebumpsradio.com
   [2024-04-01 15:14:56.340 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: goosebumpsradio.com
   [2024-04-01 15:24:22.528 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: frnafinance.fr
   [2024-04-01 15:24:22.821 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: frnafinance.fr
   [2024-04-01 15:25:06.337 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: hil.valuez.top
   [2024-04-01 15:25:06.575 1485M] WARNING in dnsmasq core: possible DNS-rebind attack detected: hil.valuez.top

ptruman · April 1, 2024, 6:10pm

I found the problem - an upstream server on the network had a failed process which (combined with some EDNS settings) had broken upstream resolution. I've sorted that now,. The goosebumpsradio.com address was one of Pihole testing itself (it came up one of the diag logs)

system · April 22, 2024, 6:11pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.