Any gov.uk website doesn’t work when connected to the pihole. Requests are not blocked but never receive a reply. Pihole says “No reply received”.
What could be causing this ?
Do you have DNSSEC enabled? If so, is the time/date on your Pi correct for your local time? Accurate time is required for DNSSEC authentication to succeed.
What upstream DNS server are you using? Have you tried changing this to a different upstream DNS server?
There could also be a problem with the gov.uk nameserver.
There is a certain misconfiguration in the DNSSEC realm of gov.uk: it does not respond at all over TCP and sometimes queries get lost over UDP. Furthermore, some mandatory records are even missing. Interestingly, when you run, e.g. a local unbound instance, you may be able to navigate around these issues as the settings recommended by Pi-hole still manage to get the necessary records and finish validation.
Necessary to continue on this question: Which upstream server(s) are you using?
Is your ISP Virgin Media and are you using their Hub 5 router?
That router breaks DNSSEC TCP replies. It also fails to resolve .tv domains.
The answer is to use the router in modem mode and provide your own router or add a config to your pihole to divert queries for the failing domains.
This was discussed in Unable to get to gov.uk domain when using PiHole & Unbound - #7 by i7andy
Same here. With me it happened when Virgin Media changed my IP address.
I now have a file /etc/dnsmasq.d/99-my-settings.conf in which I have added:
server=/**.gov.uk/1.0.0.1
server=/*.tv/1.0.0.1
and then restarted dns
(There should be a single asterisk on that first line )
3 Likes
I worked through this problem with technical support at Janet, gov.uk's provider. Their initial reply was:
Please be advised, and rest assured, that DNSSec for .gov.uk is not failing and there are no issues with any of the nameservers that serve the zone. The perceived issue that you have reported is a direct result of DDoS mitigation attempts undertaken by the security systems that protect the Verizon nameserver that you reference. The automated tool that you reference generates a number of repeated and rapidly successive probes which are being mitigated before reaching the nameserver, hence the appearance of a failure of the nameserver itself to respond to some queries. If you examine a combination of results from the tool, you can see that they’re all related to query timeouts and that the specific queries that are timing out vary over successive attempts. This, ultimately, has no impact on genuine, operational DNS lookups aimed towards the nameserver.
Putting my router into modem mode and using an old router that I flashed with openwrt proved the problem is with Virgin Media's router.
Interesting, yes I do use VM and their Hub 5. I’ll give this a go. Thanks!
I still don't think this is accurate, third-party DNSSEC debugging tools show several issues, too, see e.g. the one @jfb linked above:
gov.uk zone: The server(s) were not responsive to queries over TCP. (192.76.144.14, 2001:600:1c0:e001::35:6)gov.uk/AAAA: No response was received from the server over UDP (tried 12 times). (192.76.144.14, 2001:600:1c0:e001::35:6, UDP_-NOEDNS)gov.uk/DNSKEY: No response was received from the server over UDP (tried 12 times). (192.76.144.14, 2001:600:1c0:e001::35:6, UDP_-EDNS0_4096_D_KN, UDP-NOEDNS)gov.uk/DNSKEY: No response was received from the server over UDP (tried 4 times). (192.76.144.14, 2001:600:1c0:e001::35:6, UDP_-_EDNS0_512_D_KN)gov.uk/NSEC3PARAM: No response was received from the server over UDP (tried 12 times). (192.76.144.14, UDP_-NOEDNS)gov.uk/SOA: No response was received from the server over TCP (tried 3 times). (192.76.144.14, 2001:600:1c0:e001::35:6, TCP_-_EDNS0_4096_D_N)gov.uk/SOA: No response was received from the server over UDP (tried 12 times). (192.76.144.14, 2001:600:1c0:e001::35:6, UDP_-NOEDNS)
Their support explain that because of the nature of DNSViz's multiple queries, their antiDDOS protection kicks in.
They suggested:
I do think that you’re on the right track though, in the sense that there’s a commonality in terms of the size / type of query responses that are failing.
One thing I’ve noticed is that when, say, querying Google’s DNS on 8.8.8.8 for “gov.uk dnskey”, the response is sent in a single UDP packet - whereas the responses from the authoritative servers are truncated using TCP. I’m wondering if the TCP response is causing an issue somewhere, perhaps. Some queries you could try to help determine this:
Compare “dig @8.8.8.8 gov.uk dnskey” with “dig @8.8.8.8 gov.uk dnskey +noedns”
Try: “dig @128.86.1.20 ac.uk dnskey” - the response for ac.uk is smaller than for gov.uk and so is unlikely to be truncated
Try “dig @128.86.1.20 ac.uk dnskey +tcp”
If you have a firewall that fronts your Internet connection, it would be worth running a packet capture on the WAN interface whilst running both working and non-working queries. You can then analyse the pcap file in Wireshark, or similar, and verify exactly what response you’re seeing from the nameservers. Some routers may also have this level of functionality if you don’t have a hardware firewall in place. If the responses look good from the WAN interface, then repeat the capture on the LAN facing interface and finally on the interface of the LAN device running the query to help pinpoint the cause. Of course, if you’re not seeing a response on the WAN interface at all, then further investigations by your ISP may be required.
At this point I decided I was working above my pay grade. If I put Virgin's Hub 5 router into modem mode and use another router (I used OpenWrt) then I end up on a different IP address range and DNSSEC works. It is either the router or the address range. I tried cloning the router's MAC address to get the same IP address but that didn't give me an IP address.
1 Like
My guess would have gone into the direction of MTU but as long as there is a viable workaround 
And calling blocking of 12 of current can be called "antiDDos" or is just too radical is on them...
I have added that into my config file, but it still does not seem to be working.
root@ubuntu:/etc/dnsmasq.d# cat 99-my-settings.conf
server=/*.gov.uk/1.0.0.1
root@ubuntu:/etc/dnsmasq.d#
Note: I do not have DNSSEC enabled.
Did you enable this setting?
I did not. I now have, but still not working. The query log now shows it as:
|2023-12-02 12:26:29||HTTPS|gov.uk|DESKTOP-DN5LD1K|0.0 µs||
| --- | --- | --- | --- | --- | --- | --- |
|Query received on: 2023-12-02 12:26:29.226
Client: **DESKTOP-DN5LD1K (192.168.0.240)**
Query Status: **UNKNOWN**
Reply: No reply received
Database ID: 4345991|
And on some:
|2023-12-02 12:26:41||A|gov.uk|DESKTOP-DN5LD1K|0.6 ms|Deny|
| --- | --- | --- | --- | --- | --- | --- |
|Query received on: 2023-12-02 12:26:41.197
Client: **DESKTOP-DN5LD1K (192.168.0.240)**
Query Status: **Forwarded to 127.0.0.1#5335**
Reply: SERVFAIL
Database ID: 4346015|
I bet you cannot access https://www.turnon.tv/ either.
I have these commented out for the day when I have to use my Hub 5 as a router
#server=/*.torproject.org/1.0.0.1
#server=/*.ncbi.nlm.nih.gov/1.0.0.1
#server=/*.infoblox.com/1.0.0.1
#server=/*.gov.uk/1.0.0.1
#server=/*.tv/1.0.0.1
It was the slow growth in exceptions that forced me to put my Hub 5 into modem mode.
It might be worth rebooting to see if your exception starts working.
Virgin Media support showed no interest in my problem.
Tom, login to the Virgin Media Community and have a look at
Sorry VM customers only.
Someone there posted
Hub 5 Router mode, current reported issues:
- Wi-Fi & DHCP Fail when both SSIDs are changed. ( in the Wizard and in the Menu )
- DHCP Fails with multiple DHCP devices.
- DHCP Reserved IP list fails to accept entries.
- DNS All queries are being intercepted by the Hub 5.
- DNS Queries for AWS hosts time out with both VM DNS & Public DNS.
6. DNS DNSSEC queries fail. - Port Forwarding may not work.
- RTSP stream / VRChat crashes & reboots Hub 5.
- Wi-Fi 6 / 802.11ax Fails to be visible to many 2.4GHz only devices.
- (Suspected) A laptop connected via 5GHz Wi-Fi may be unable to access a printer connected by 2.4GHz. May also mean mobile Phone on 5GHz is unable to detect / manage IoT on 2.4GHz.
Weirdly, I can access .tv domains, including the one you provided.
I have my Hub 5 in Router mode as do not have another router (well, I do but that's in another part of the house).
I have tried rebooting the Pi after adding those settings but does not work.
Does that mean this simply won't work using the Hub 5 in router mode?
So you do not have DNSSEC enabled. Have you installed unbound?
when i SSH into my pihole
dig @1.0.0.1 gov.uk
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @1.0.0.1 gov.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39658
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 10 (RRSIGs Missing): (for DNSKEY gov.uk., id = 695)
;; QUESTION SECTION:
;gov.uk. IN A
;; ANSWER SECTION:
gov.uk. 2757 IN A 151.101.192.144
gov.uk. 2757 IN A 151.101.128.144
gov.uk. 2757 IN A 151.101.0.144
gov.uk. 2757 IN A 151.101.64.144
;; Query time: 15 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (UDP)
;; WHEN: Sat Dec 02 16:09:28 GMT 2023
;; MSG SIZE rcvd: 133
if you have installed unbound then
dig @1.0.0.1 gov.uk dnskey
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @1.0.0.1 gov.uk dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49725
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 10 (RRSIGs Missing): (for DNSKEY gov.uk., id = 695)
;; QUESTION SECTION:
;gov.uk. IN DNSKEY
;; ANSWER SECTION:
gov.uk. 1829 IN DNSKEY 256 3 8 AwEAAcJukFZUAWea7L1qKXRWGf8gJnQIReGMKjIK/VU5DEGnoMhJ8tDk 3LqhXhAzafLNhW9ybXfEyY0L4FDQEOdhr7syLhnEkmJWDLld2rYlyhVj sQthunsqf9KbBtTFUaDZaB8QAH3uZb/5/kWDSk/22RfkHivop54it40Z nFRmZvP3
gov.uk. 1829 IN DNSKEY 256 3 8 AwEAAcrWS7rvsJMswiDC6ty9ryAzA1BMc12vFm1rL23Uud8EeVbyKZBk k38z0fODPupIyjyui3xwU6stMeXqsrR1N1NpYMdmvsw5K4C5j1HiyaAV UfH+qasHSwkngy+gAHdU6esTr0EfY2p0tvSGc3ZFdbv15W+S1DPzK2Ml zehbNAotheIyjULUpTQXSnQRwChIA5xw0LVRA5v52yf8qCvdMIJEQbDi gX1r/moR2RZs2v5aCS9G5OlXDlvMNXf7cd1+8O7X6PorpsVak5atMNr/ wM5dgaOhyiFcHbIBxsT8zVJF3/ErWWohOI+j8Pf2nOizPb4Koo7ROAYg XjJ+CC9a+Qc=
gov.uk. 1829 IN DNSKEY 256 3 8 AwEAAeA4pzKgU1t4lKhkKDNlrnCUHySm6CJMgTnUUXElCht6L+C344y7 DhClQWsOtgVkWPUO4XzhjvMUHCxHowqH5C9qkiyIAmvTdkI+pGEL0VHB wCLvlEWdV+NG6CvUJAWNijwTPHPANqcttIGlUz33NMtUXFvfbm1UZTRL w0rbdQT5
gov.uk. 1829 IN DNSKEY 257 3 8 AwEAAZhEwwuAdnpNbyhIGJwh/D28XjVp9NacL3h8iMR9wCgwdZWf41p8 1qrJqrX1sKoJzPPq1G3ecIQignJzCPhyEwXb36MSmhabVAFvUY6p4KfQ IxVioffJ9lt0OJDbiWjK8mkDgi25+I57rk6RuBK/BARLSDenpU0qk7rC xTTiQBBoncav/3Db6xoQ4ciqaEsvhqZqhz3nau0oxKfaVc7PQbB0RLRd kBWkZv86nJsKVSmi5ACT3f3rgZ6PB8hAhY3slg5xWRK7BxSAwy0SbHIx mbcvKQtX57kOlHQFUgV+hJXn/4Y4HmtXdBo5tVKeIOVLZ3Kd/MCgAEaH a1GbPuYjFOs=
gov.uk. 1829 IN DNSKEY 257 3 8 AwEAAc4btyvhzTFwusTMj7fuVvXJVCeCFu70xH93voWNDf9rXwbamYO5 c64EmT+RAVqdKV5g44sHSlGjbpNsPsaVO/Gqzbxpbyk2Via5dZZxl7r1 oC8qo2L3G4U1whuDTsfRhWjHZOh9UoZkHvK2vL1I7EBkE+s3297n1pQX Wt2Ijlh3iOIbGYXLnAA+0OHdTROzcfQ57VYJ5nKoBOxkJFN6bqSadnJN CjzHrPVHSDL1xwwPubxKG2xCpr999lG+y+zLdEOA8/mRgS5KS2PF9BuV W17NHp8+sHSQ3A1X5YszNsF77+h2p7p9xQ9KnQ+9P8wMDWXo9C4NgTdO j/8kJ/F7xAs=
gov.uk. 1829 IN DNSKEY 257 3 8 AwEAAeIcG2L49RCQsIa2JycNpAQd2x/lEgwRUc2RXa8eLnfzj0EkpnUX rtTrYndUdFqoo1LlpVQfUIWSBMpcm7LOhD9EYvWSdXBB+k00jo2vE7yc nIcdmrPE768AkLlDZj87iuQsFxWQEw9pw7ZEbC7bwaqarp6FRJed70Bc ygotjsKPkXcw2rr/E8hW+DacKi46P+3a/HCTltvIRV/T4RUDyvOqnZ9o aRXBjaQ74EtFJF5aDKj3uFkN20st8CarE14UfVStP9RHTZKN1WN9PiHb gZrV+m2d9TrGrCnDkqJ78rQFeUL3NNLtF5uwoKXS1EA3djoIyCCg7dSb ldP8mkPFNik=
;; Query time: 11 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (TCP)
;; WHEN: Sat Dec 02 16:15:46 GMT 2023
;; MSG SIZE rcvd: 1469
If you get the same response then your 99-my-settings.conf is wrong or not being read.
If you get no response try a different dns server such as 8.8.8.8
Can you post the output from the delv utility, it's more useful when DNSSEC is involved.
# Try using an upstream remote DNS resolver
dan@Viking:~$ delv gov.uk @1.1.1.1
; fully validated
gov.uk. 3600 IN A 151.101.0.144
gov.uk. 3600 IN A 151.101.64.144
gov.uk. 3600 IN A 151.101.128.144
gov.uk. 3600 IN A 151.101.192.144
gov.uk. 3600 IN RRSIG A 8 2 3600 20231231140755 20231201140755 34185 gov.uk. J/GeFPa6t+AdQFzFNyQOO/zxJFhujLSVLh+Q9+rKIEzDxzBT0RcwZzVu vjtX+m+CEkIABCOm7y3G6SxX2FIDGSAcJ+AiUIzaJ2mfpV4UIZ1GhBe+ VEEXL1N2Rz1VLCutAoKs2mW9vue+gdmJ2lG6th0Xw7y+hBdjcemmMqbV aYM=
# Try using Pi-hole
dan@Viking:~$ delv gov.uk @192.168.88.4
; fully validated
gov.uk. 3577 IN A 151.101.0.144
gov.uk. 3577 IN A 151.101.64.144
gov.uk. 3577 IN A 151.101.128.144
gov.uk. 3577 IN A 151.101.192.144
gov.uk. 3577 IN RRSIG A 8 2 3600 20231231140755 20231201140755 34185 gov.uk. J/GeFPa6t+AdQFzFNyQOO/zxJFhujLSVLh+Q9+rKIEzDxzBT0RcwZzVu vjtX+m+CEkIABCOm7y3G6SxX2FIDGSAcJ+AiUIzaJ2mfpV4UIZ1GhBe+ VEEXL1N2Rz1VLCutAoKs2mW9vue+gdmJ2lG6th0Xw7y+hBdjcemmMqbV aYM=
# Try using unbound on lan
dan@Viking:~$ delv gov.uk @192.168.88.254
; fully validated
gov.uk. 3571 IN A 151.101.0.144
gov.uk. 3571 IN A 151.101.64.144
gov.uk. 3571 IN A 151.101.128.144
gov.uk. 3571 IN A 151.101.192.144
gov.uk. 3571 IN RRSIG A 8 2 3600 20231231140755 20231201140755 34185 gov.uk. J/GeFPa6t+AdQFzFNyQOO/zxJFhujLSVLh+Q9+rKIEzDxzBT0RcwZzVu vjtX+m+CEkIABCOm7y3G6SxX2FIDGSAcJ+AiUIzaJ2mfpV4UIZ1GhBe+ VEEXL1N2Rz1VLCutAoKs2mW9vue+gdmJ2lG6th0Xw7y+hBdjcemmMqbV aYM=
You can add some flags to the delv command, like +mtrace that will be quite verbose in the steps taken. I'll add that here:
dan@Viking:~$ delv +mtrace gov.uk @192.168.88.254
;; fetch: gov.uk/A
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55639
;; flags: qr rd ra; QUESTION: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;gov.uk. IN A
;; ANSWER SECTION:
;gov.uk. 3334 IN A 151.101.64.144
;gov.uk. 3334 IN A 151.101.0.144
;gov.uk. 3334 IN A 151.101.128.144
;gov.uk. 3334 IN A 151.101.192.144
;gov.uk. 3334 IN RRSIG A 8 2 3600 (
; 20231231140755 20231201140755 34185 gov.uk.
; J/GeFPa6t+AdQFzFNyQOO/zxJFhu
; jLSVLh+Q9+rKIEzDxzBT0RcwZzVu
; vjtX+m+CEkIABCOm7y3G6SxX2FID
; GSAcJ+AiUIzaJ2mfpV4UIZ1GhBe+
; VEEXL1N2Rz1VLCutAoKs2mW9vue+
; gdmJ2lG6th0Xw7y+hBdjcemmMqbV
; aYM= )
;; fetch: gov.uk/DNSKEY
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57888
;; flags: qr tc rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;gov.uk. IN DNSKEY
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50519
;; flags: qr rd ra; QUESTION: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;gov.uk. IN DNSKEY
;; ANSWER SECTION:
;gov.uk. 86157 IN DNSKEY 257 3 8 (
; AwEAAeIcG2L49RCQsIa2JycNpAQd
; 2x/lEgwRUc2RXa8eLnfzj0EkpnUX
; rtTrYndUdFqoo1LlpVQfUIWSBMpc
; m7LOhD9EYvWSdXBB+k00jo2vE7yc
; nIcdmrPE768AkLlDZj87iuQsFxWQ
; Ew9pw7ZEbC7bwaqarp6FRJed70Bc
; ygotjsKPkXcw2rr/E8hW+DacKi46
; P+3a/HCTltvIRV/T4RUDyvOqnZ9o
; aRXBjaQ74EtFJF5aDKj3uFkN20st
; 8CarE14UfVStP9RHTZKN1WN9PiHb
; gZrV+m2d9TrGrCnDkqJ78rQFeUL3
; NNLtF5uwoKXS1EA3djoIyCCg7dSb
; ldP8mkPFNik=
; ) ; KSK; alg = RSASHA256 ; key id = 17539
;gov.uk. 86157 IN DNSKEY 257 3 8 (
; AwEAAc4btyvhzTFwusTMj7fuVvXJ
; VCeCFu70xH93voWNDf9rXwbamYO5
; c64EmT+RAVqdKV5g44sHSlGjbpNs
; PsaVO/Gqzbxpbyk2Via5dZZxl7r1
; oC8qo2L3G4U1whuDTsfRhWjHZOh9
; UoZkHvK2vL1I7EBkE+s3297n1pQX
; Wt2Ijlh3iOIbGYXLnAA+0OHdTROz
; cfQ57VYJ5nKoBOxkJFN6bqSadnJN
; CjzHrPVHSDL1xwwPubxKG2xCpr99
; 9lG+y+zLdEOA8/mRgS5KS2PF9BuV
; W17NHp8+sHSQ3A1X5YszNsF77+h2
; p7p9xQ9KnQ+9P8wMDWXo9C4NgTdO
; j/8kJ/F7xAs=
; ) ; KSK; alg = RSASHA256 ; key id = 695
;gov.uk. 86157 IN DNSKEY 256 3 8 (
; AwEAAcJukFZUAWea7L1qKXRWGf8g
; JnQIReGMKjIK/VU5DEGnoMhJ8tDk
; 3LqhXhAzafLNhW9ybXfEyY0L4FDQ
; EOdhr7syLhnEkmJWDLld2rYlyhVj
; sQthunsqf9KbBtTFUaDZaB8QAH3u
; Zb/5/kWDSk/22RfkHivop54it40Z
; nFRmZvP3
; ) ; ZSK; alg = RSASHA256 ; key id = 34185
;gov.uk. 86157 IN DNSKEY 256 3 8 (
; AwEAAcrWS7rvsJMswiDC6ty9ryAz
; A1BMc12vFm1rL23Uud8EeVbyKZBk
; k38z0fODPupIyjyui3xwU6stMeXq
; srR1N1NpYMdmvsw5K4C5j1HiyaAV
; UfH+qasHSwkngy+gAHdU6esTr0Ef
; Y2p0tvSGc3ZFdbv15W+S1DPzK2Ml
; zehbNAotheIyjULUpTQXSnQRwChI
; A5xw0LVRA5v52yf8qCvdMIJEQbDi
; gX1r/moR2RZs2v5aCS9G5OlXDlvM
; NXf7cd1+8O7X6PorpsVak5atMNr/
; wM5dgaOhyiFcHbIBxsT8zVJF3/Er
; WWohOI+j8Pf2nOizPb4Koo7ROAYg
; XjJ+CC9a+Qc=
; ) ; ZSK; alg = RSASHA256 ; key id = 52549
;gov.uk. 86157 IN DNSKEY 256 3 8 (
; AwEAAeA4pzKgU1t4lKhkKDNlrnCU
; HySm6CJMgTnUUXElCht6L+C344y7
; DhClQWsOtgVkWPUO4XzhjvMUHCxH
; owqH5C9qkiyIAmvTdkI+pGEL0VHB
; wCLvlEWdV+NG6CvUJAWNijwTPHPA
; NqcttIGlUz33NMtUXFvfbm1UZTRL
; w0rbdQT5
; ) ; ZSK; alg = RSASHA256 ; key id = 58200
;gov.uk. 86157 IN DNSKEY 257 3 8 (
; AwEAAZhEwwuAdnpNbyhIGJwh/D28
; XjVp9NacL3h8iMR9wCgwdZWf41p8
; 1qrJqrX1sKoJzPPq1G3ecIQignJz
; CPhyEwXb36MSmhabVAFvUY6p4KfQ
; IxVioffJ9lt0OJDbiWjK8mkDgi25
; +I57rk6RuBK/BARLSDenpU0qk7rC
; xTTiQBBoncav/3Db6xoQ4ciqaEsv
; hqZqhz3nau0oxKfaVc7PQbB0RLRd
; kBWkZv86nJsKVSmi5ACT3f3rgZ6P
; B8hAhY3slg5xWRK7BxSAwy0SbHIx
; mbcvKQtX57kOlHQFUgV+hJXn/4Y4
; HmtXdBo5tVKeIOVLZ3Kd/MCgAEaH
; a1GbPuYjFOs=
; ) ; KSK; alg = RSASHA256 ; key id = 16180
;gov.uk. 86157 IN RRSIG DNSKEY 8 2 86400 (
; 20231231140755 20231201140755 17539 gov.uk.
; U26ZBGjxssj8MfsVmAZfakT+c0mg
; Y3fcKUJzU3oAd76YcVWxkFDvatOF
; SsVH1XLEAKW1DPc+7oxkthmKgOyE
; J6O90v+bG2xBHRl1jV2nQU3LtsNv
; SPqYryoqX2NyZnB4GSO0gfUd8GVg
; 1nliJFxwFvX+WJchSZTbuuQvUIME
; m+9ntKIyfCHdcOWK92sUc3X+H7sd
; HKlEOoEFEUe4qijutJOpdZyKAxpf
; io1WrrRU3NwMPoFZnbBK4uD/+Ltx
; 1Nity/hXbszagZNgKTYM5nogT9vp
; jrRfAsypZXfsrhXCAn7aCzk4PJ53
; pbhU3IawIm3dPeUGzDbL8rVuXCJR
; Jp0HCA== )
;gov.uk. 86157 IN RRSIG DNSKEY 8 2 86400 (
; 20231231140755 20231201140755 34185 gov.uk.
; NxPK0EgqgI1NzEiufIhafHMAelxM
; nPAjMXXcK25e0oHkqOqAGT5/if57
; KAT8aSOxeTDW03jEYIshmErXG+96
; j5w0jUuKVtaqFpxkB5AViL6VfLcs
; 9aBiR9uXhwkNVey9xqRQU8tr4q5D
; 9n7l8BW8ihgbwNod3aq/VIOesn6B
; 7rU= )
;; fetch: gov.uk/DS
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32841
;; flags: qr rd ra; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;gov.uk. IN DS
;; ANSWER SECTION:
;gov.uk. 34 IN DS 17539 8 2 (
; 2F0A0A65DB9E930F5B2C0425F67D
; F66416C076124652A281D9A8FFA7
; 73828F57 )
;gov.uk. 34 IN DS 695 8 2 (
; 7277592DBD8993BDE70704DBABD3
; 0AFDBB85057E658EF1428F18F5D9
; A534BCE0 )
;gov.uk. 34 IN RRSIG DS 8 2 300 (
; 20231216133302 20231202123855 43056 uk.
; 2qKljACQacgmVSxe7Vu1O+ORyipZ
; fXan1gZQdSLWZDLrCn6LObRq1aU9
; u39eBQcpFasG4t1Yu88bk1ME03Ek
; s2l+08LY6RPKUzmZRG7xR3KLgyWi
; Oh4m5OIUXHxEYzMNCzC3SqAGB8B1
; hp2v9UNBvmIxgeI8BuwFVkcU7Hg8
; bSQ= )
;; fetch: uk/DNSKEY
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32388
;; flags: qr rd ra; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;uk. IN DNSKEY
;; ANSWER SECTION:
;uk. 3357 IN DNSKEY 256 3 8 (
; AwEAAeGOYY7fiJwowB47qBZS9G67
; Bas0rIb23LgGVw1du1K3Is6H2Lxf
; WvtEYyrZ5BE5ddSwLsgz7F8v/kIB
; XFhjltAkaU8o+AYSIqDDPlz4+0L1
; e/ofv42uJ6pcygi74WAWhJOE/Qoo
; RUeO8zwTIru7EgmtjxFXZunQJJmC
; ygY1l5OZ
; ) ; ZSK; alg = RSASHA256 ; key id = 43056
;uk. 3357 IN DNSKEY 257 3 8 (
; AwEAAbOOWSsuXCZ8x/DBsz2tC/58
; YYi/qul9Mk8sJm5HyNYgQ0oyg6KI
; xaPvmqcHfyiwma9p+f8SjFZa/51z
; YQQzWK1flMFyNMl2YMHS/E+7NNa+
; f1DND23FyBu2VGrXf50c72KVG1s1
; qnlEusPbkBzh2zdYRJtiVan+P4Or
; PmwRfxwfsl7blNWJQkHg2Gy+WeAm
; AY7PFFlHeDqfYQCJ5bqXJzcvTbh1
; dPzWuBPeynjXFXCbC5msJQbLcm1K
; Jx2cMNdJJxW9raXj75MJFtotwAGY
; i7UL285qqia1e6MWfbZKbSmBxkrl
; iGJNSfopBeesJ6LjWHaj+5W/rJdj
; yhjv3AWNMHE=
; ) ; KSK; alg = RSASHA256 ; key id = 43876
;uk. 3357 IN RRSIG DNSKEY 8 1 3600 (
; 20231216162225 20231202154710 43876 uk.
; Xsce4RwSUqzw5E6oB/WagCh212fb
; x9YElghCmFtCnCi8gHkHm9SYb5oe
; nH4mvjjSCG0XHgFM90VY33pSWlAG
; HqFuC139EGZ6yg/lPJrzRnZT0dRM
; 6ybBXLzxz2BBsmc09o9lAM4s7wtm
; pIy3J1t74vYTgNfKaJ3lr8zzCKsz
; 0MCZjIVM3MhctzopDrJSTaEszGEZ
; jpKTTFXXAV5f6VAjf7wBfctrI5hm
; 6+bryDp4PNJLKrUDg3BFz8jxpn4+
; yLaSFwbSo4u178pxAXYcvbIWLz/j
; sR+WrX0HCmYmu+3QQpDOlWXS1mKk
; sGFA+L31be3R242tE2ExqmigDYjd
; 1mBVcA== )
;; fetch: uk/DS
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2977
;; flags: qr rd ra; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;uk. IN DS
;; ANSWER SECTION:
;uk. 42115 IN DS 43876 8 2 (
; A107ED2AC1BD14D924173BC7E827
; A1153582072394F9272BA37E2353
; BC659603 )
;uk. 42115 IN RRSIG DS 8 1 86400 (
; 20231214210000 20231201200000 46780 .
; eCqFtOBUjBeZlI3anj+tOhGOt9XQ
; 3LeG7DZZBZ8u5IOIjGcqvD0s2i9l
; 0z1CeH54l9zYt6sGmbALiAkw17RQ
; 3Ez5AKwlz6/Y9cXuu/EtNVAfIPGk
; NzV94p4YZVtQL9Cs2suOsHG+C0Sr
; /QWOA4kzeXucsB89SCrRJEbkXxmJ
; VtxEct2yNVXFFOGFRDkOzJhApYOo
; YbPYDOEsLRaQGrZfU3cpkPeNWkp7
; YwZA+xTS9rRyiMNTuhRKxK2Jdh65
; IHcWmtuu0RgK40ypkEpw+q05uGoV
; qBXJuPtm2CXrG5oHfX9GIWyYFpWf
; ylUpCwOt36t52W9wzH62QMnMko5O
; lzxU9w== )
;; fetch: ./DNSKEY
;; received packet from 192.168.88.254#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870
;; flags: qr rd ra; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
;. 86157 IN DNSKEY 256 3 8 (
; AwEAAddS95RV5uUtkUCN7vyvpb0k
; DZgmtXwN5Sj/d08+X7ND2sgWBabK
; nFhftrOsSx9DUhKR3gpMPIxac84N
; ou8Wzkiu2A/sTzP1F6KpCL8epgem
; dlZVd1ATHEjpB0KHIQmDjSEO/frG
; gi8ijQ2vDF3AMSrUwH7qntL1E5uf
; PHGKRM+agGghcAYfJHJN1dw7Ki3F
; o22RDB3VZBxU9yJ3vl/T4hngeL7z
; K84vgl62tlJJw1rK5S/3U4p/bZar
; jtMFOHDfh0DEj1ywtRpkpPnge03g
; mINoa2tz+Kff67kbQb0NhHJYzPRp
; ViaMEWZI9pgGH9ZyuFdNrNRx68XS
; iO7sya7/i+c=
; ) ; ZSK; alg = RSASHA256 ; key id = 46780
;. 86157 IN DNSKEY 257 3 8 (
; AwEAAaz/tAm8yTn4Mfeh5eyI96WS
; VexTBAvkMgJzkKTOiW1vkIbzxeF3
; +/4RgWOq7HrxRixHlFlExOLAJr5e
; mLvN7SWXgnLh4+B5xQlNVz8Og8kv
; ArMtNROxVQuCaSnIDdD5LKyWbRd2
; n9WGe2R8PzgCmr3EgVLrjyBxWezF
; 0jLHwVN8efS3rCj/EWgvIWgb9tar
; pVUDK/b58Da+sqqls3eNbuv7pr+e
; oZG+SrDK6nWeL3c6H5Apxz7LjVc1
; uTIdsIXxuOLYA4/ilBmSVIzuDWfd
; RUfhHdY6+cn8HFRm+2hM8AnXGXws
; 9555KrUB5qihylGa8subX2Nn6UwN
; R1AkUTV74bU=
; ) ; KSK; alg = RSASHA256 ; key id = 20326
;. 86157 IN RRSIG DNSKEY 8 0 172800 (
; 20231221000000 20231130000000 20326 .
; Vq+Z0sYiDdI6V+KCvfoTAYNxmsKi
; v703Lxyy4OREQPew0qYrrUySU54J
; n+NiOlkHLm+o83YW7ZZ0eyikQKrt
; 42dD2Hdigy7YiOeML1W3wqkZYDg/
; DoHo5i8zP+B6461Z/yVrjkcTSgM6
; C8FZuOaDqj5XPMghMfDo0fQy0spE
; L6rtLzGNXDZ+j5D+hcoQPYtZu9sv
; hm9AHqZoXLu5id7whpsVJhON4BM1
; pQRF7JSlTIi0cn7SGhFpfypnj/2E
; 5hUvJ1bRRkr+wItfi7B4+b19lDNg
; tLZiDs3opRMmStbaF3HEFgThUZ+H
; cCRzQASdyuZ4Y8xr1SUX/MpSlct5
; EBFshg== )
; fully validated
gov.uk. 3334 IN A 151.101.0.144
gov.uk. 3334 IN A 151.101.64.144
gov.uk. 3334 IN A 151.101.128.144
gov.uk. 3334 IN A 151.101.192.144
gov.uk. 3334 IN RRSIG A 8 2 3600 20231231140755 20231201140755 34185 gov.uk. J/GeFPa6t+AdQFzFNyQOO/zxJFhujLSVLh+Q9+rKIEzDxzBT0RcwZzVu vjtX+m+CEkIABCOm7y3G6SxX2FIDGSAcJ+AiUIzaJ2mfpV4UIZ1GhBe+ VEEXL1N2Rz1VLCutAoKs2mW9vue+gdmJ2lG6th0Xw7y+hBdjcemmMqbV aYM=
Little less verbose:
dan@Viking:~$ delv +rtrace gov.uk @1.1.1.1
;; fetch: gov.uk/A
;; fetch: gov.uk/DNSKEY
;; fetch: gov.uk/DS
;; fetch: uk/DNSKEY
;; fetch: uk/DS
;; fetch: ./DNSKEY
; fully validated
gov.uk. 3600 IN A 151.101.0.144
gov.uk. 3600 IN A 151.101.64.144
gov.uk. 3600 IN A 151.101.128.144
gov.uk. 3600 IN A 151.101.192.144
gov.uk. 3600 IN RRSIG A 8 2 3600 20231231140755 20231201140755 34185 gov.uk. J/GeFPa6t+AdQFzFNyQOO/zxJFhujLSVLh+Q9+rKIEzDxzBT0RcwZzVu vjtX+m+CEkIABCOm7y3G6SxX2FIDGSAcJ+AiUIzaJ2mfpV4UIZ1GhBe+ VEEXL1N2Rz1VLCutAoKs2mW9vue+gdmJ2lG6th0Xw7y+hBdjcemmMqbV aYM=
I'm on VM I had this issue with Pihole and Unbound, to resolve this issue I had to do this (found this fix on a reddit thread):
Edit Unbound Config
sudo nano -w /etc/unbound/unbound.conf.d/pi-hole.conf
Add following to bottom line of unbound config
domain-insecure: "gov.uk"
e.g.:
Ensure privacy of local IP ranges
private-address: XXX.XXX.XXX.XXX
private-address: XXX.XXX.XXX.XXX
private-address: XXX.XXX.XXX.XXX
private-address: XXX.XXX.XXX.XXX
domain-insecure: "gov.uk"
NOTE: Also had to disable DNSSEC in Pihole gui.