Two piholes same LAN one now fails lookups

i have two piholes on LAN. 192.168.1.195 & 192.168.1.193 respectively.

rpi195 returns lookups [NOERROR] as i would expect but rpi193 [SERVFAIL] doesn't. though it used to work.

can't see much difference when comparing each pihole.toml and dnsmasq.conf.

could use some help. how bout i generate a pihole debug file from rpi193 and let me know what you find or other advice you have?

thanks…

some examples of my DNS lookups to visualize:

$ nslookup 192.168.1.195
195.1.168.192.in-addr.arpa	name = rpi-pihole5.blank.internal.

$ nslookup 192.168.1.193
193.1.168.192.in-addr.arpa	name = rpi-pihole3.blank.internal.

$ nslookup 192.168.1.193 192.168.1.193
193.1.168.192.in-addr.arpa	name = rpi-pihole3.blank.internal.

$ nslookup 192.168.1.195 192.168.1.193
195.1.168.192.in-addr.arpa	name = rpi-pihole5.blank.internal.

$ nslookup yahoo.com 192.168.1.193
;; Got SERVFAIL reply from 192.168.1.193
Server:		192.168.1.193
Address:	192.168.1.193#53

** server can't find yahoo.com: SERVFAIL

$ nslookup yahoo.com 192.168.1.195
Server:		192.168.1.195
Address:	192.168.1.195#53

Non-authoritative answer:
Name:	yahoo.com
Address: 98.137.11.163
[...]


#----------------------------------------------
$ nslookup rpi-pihole5
Server:		192.168.1.195
Address:	192.168.1.195#53

Name:	rpi-pihole5.blank.internal
Address: 192.168.1.195

$ nslookup rpi-pihole5 192.168.1.193
Server:		192.168.1.193
Address:	192.168.1.193#53

Name:	rpi-pihole5.blank.internal
Address: 192.168.1.195
;; Got SERVFAIL reply from 192.168.1.193
** server can't find rpi-pihole5.blank.internal: SERVFAIL

#----------------------------------------------
$ nslookup opennic.net 
Server:		192.168.1.195
Address:	192.168.1.195#53

Non-authoritative answer:
Name:	opennic.net
Address: 15.197.212.58

$ nslookup opennic.net 192.168.1.193
;; Got SERVFAIL reply from 192.168.1.193
Server:		192.168.1.193
Address:	192.168.1.193#53

** server can't find opennic.net: SERVFAIL


#------------------------------------------------
[on pihole195, NOERROR]

$ dig pi-hole.net @localhost -p 5335

; <<>> DiG 9.16.50-Debian <<>> pi-hole.net @localhost -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30957
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; ANSWER SECTION:
pi-hole.net.		30	IN	A	162.244.93.14

;; Query time: 4 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Wed Oct 15 22:59:01 PDT 2025
;; MSG SIZE  rcvd: 56

#------------------------------------------------
[on pihole193, SERVFAIL]

$ dig pi-hole.net @localhost -p 5335

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> pi-hole.net @localhost -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18815
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; Query time: 1663 msec
;; SERVER: 127.0.0.1#5335(localhost) (UDP)
;; WHEN: Wed Oct 15 22:57:35 PDT 2025
;; MSG SIZE  rcvd: 40

#------------------------------------------------

debug token

https://tricorder.pi-hole.net/oWXc5ny8/

no replies/suggestions, how does one ask the support folks for help here so i can get my pihole working?

spending time now to go through as many logs and confs as i can comparing them to the rpi-pihole5 (that works) and the rpi-pihole3 (that fails on returning dns lookups). gonna take a couple of days to complete that.

Are you sure there is no network issue or firewall blocking the queries from .193?

From 192.168.1.193, what is the output of nslookup yahoo.com 8.8.8.8?

after looking at everything, confs etc and seeing basically these two rpi’s running pihole + unbound are basically config’d identical. only main diff is rpi5 has ISC-dhcpd running.

i had recently purchased a new netgate fw router and configured it and added my VPNs to it. for whatever reason somewhere in the mix i put rpi3 through one VPN and the other rpi5 through another. at that time i could have sworn both were working but i guess not. so a search sent me to a thread at pi-hole : unbound-getting-servfail-when-connected-to-nordvpn

although rpi3, the one returning SERVFAIL, was through Surfshark, and the rpi5, that works, is through protonVPN. i have NordVPN too so of course unbound didn’t work there either. they both work ok through ProtonVPN.

@rdwebdesign, that works, whether rpi3 is in or out of the VPN tunnel. even Surfshark. both rpi’s have quad9 dns in /etc/resolv.conf. appreciate your reply and help! though i had ventured over to the netgate appliance prior to reading your question to me i’m gonna tick yours as solution. you know, you’ve looked at everything else, go look at your firewall.

i think, and i’m guessing, my issue had to do with unbound in the VPNs that others have threaded about. i haven’t sent a tech request to ProtonVPN to ask about any restrictions they have regarding unbound, but i may just for the education.

for now, glad this is solved.
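
The isolation steps used in this thread (query Pi-hole on port 53, unbound on port 5335, then a public resolver directly), as an added shell example that is not part of any poster's message. The function names and the `--live` switch are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find which DNS hop returns SERVFAIL
# on a host running Pi-hole (port 53) in front of unbound (port 5335).

# Read dig output on stdin and print the rcode from its header line.
# Prints TIMEOUT when there is no header, i.e. dig got no reply at all.
dig_status() {
    s=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${s:-TIMEOUT}"
}

# Name the failing layer from three probe results:
#   $1 = Pi-hole on :53, $2 = unbound on :5335, $3 = public resolver, direct
triage() {
    pihole=$1 unbound=$2 public=$3
    if [ "$public" != NOERROR ]; then
        echo "network: no usable answer from the public resolver (check firewall/VPN)"
    elif [ "$unbound" != NOERROR ]; then
        echo "unbound: public resolver answers, unbound's own lookups fail"
    elif [ "$pihole" != NOERROR ]; then
        echo "pihole: unbound answers, Pi-hole on port 53 does not"
    else
        echo "ok: all three hops answer"
    fi
}

# The pattern reported for 192.168.1.193 in the thread: SERVFAIL on port 53,
# SERVFAIL on port 5335, while the query sent to 8.8.8.8 worked.
thread_case() {
    triage SERVFAIL SERVFAIL NOERROR
}

# Live use on the affected host (needs dig); only runs when asked for.
if [ "${1:-}" = "--live" ]; then
    name=${2:-pi-hole.net}
    p=$(dig "$name" @127.0.0.1 -p 53 +tries=1 +time=3 | dig_status)
    u=$(dig "$name" @127.0.0.1 -p 5335 +tries=1 +time=3 | dig_status)
    g=$(dig "$name" @8.8.8.8 +tries=1 +time=3 | dig_status)
    echo "pihole=$p unbound=$u public=$g"
    triage "$p" "$u" "$g"
fi
```

Saved under any file name and run with `--live` on the failing host, it sends the three queries itself; without arguments it only defines the functions.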

If I understood it correctly, are you able to use unbound in a tunnel with ProtonVPN? Or are you using a DNS server? At this time I have a ticket opened with NordVPN about this issue and they are investigating it, so I will be happy to post any update on the matter as soon as I have news about it.
