Unbound Pi-hole resolving with huge delay - throwing 4711 - hostname problem

I had the problem with Pi-hole not resolving anymore - FTL was not working anymore. Fixed this. But solution was not found straight forward. Looks like I broke something else.

Three different behaviors I need to fix:

  1. Sometimes URLs cannot be resolved - Pi-hole log throwing SERVFAIL. It could be that this only happens if „new“ addresses hit the unbound pi-hole which usually takes longer. But for me I even need to open it several times before it is finally successful.

  2. Reconfiguring of the Pi-hole via the UI throws a 4711 error („PHP error (2): fsockopen(): unable to connect to 127.0.0.1:4711 (Connection refused) in /var/www/html/admin/scripts/pi-hole/php/FTL.php:47“) from time to time. Never had this issue before.

  3. Hostnames are not found and resolved. I already added local DNS records. But Pi-hole ignores those but cannot get and make use of DHCP.

I use a Raspi 4 which is used in parallel for HomeBridge and ioBroker as well as smaller stuff. Whole setup is connected via Ethernet - directly to my FritzBox which I also use as DHCP server. IPv6 is disabled in my network. Software is up to date.

My initial error which now led to these behaviors pushed me to change main Pi-hole config files. I even reinstalled Pi-hole and unbound. Could be that this was a bad idea…

Looks strange:

pi@HomeBridge:/etc/init.d $ host sigok.verteiltesysteme.net
Host sigok.verteiltesysteme.net not found: 2(SERVFAIL)
pi@HomeBridge:/etc/init.d $ host sigfail.verteiltesysteme.net
Host sigfail.verteiltesysteme.net not found: 2(SERVFAIL)
pi@HomeBridge:/etc/init.d $ ping sigok.verteiltesysteme.net
ping: sigok.verteiltesysteme.net: Temporärer Fehler bei der Namensauflösung
pi@HomeBridge:/etc/init.d $ ping sigfail.verteiltesysteme.net
ping: sigfail.verteiltesysteme.net: Temporärer Fehler bei der Namensauflösung
pi@HomeBridge:/etc/init.d $ dig sigok.verteiltesysteme.net

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: So Feb 12 17:35:40 CET 2023
;; MSG SIZE  rcvd: 55

pi@HomeBridge:/etc/init.d $ dig sigfail.verteiltesysteme.net

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> sigfail.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53284
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: So Feb 12 17:35:47 CET 2023
;; MSG SIZE  rcvd: 57

verteiltesysteme.net has been broken for a while now. Use https://dnssec.works.
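
How to read a sigok/sigfail pair, as an added example that is not part of the original thread: the test only shows DNSSEC validation when the correctly signed name resolves and the badly signed one fails. The two `PAGE_*` headers are copied from the dig runs above; the `GOOD`/`BAD` headers are constructed samples, and the function names are this example's own.

```python
import re

# Header lines copied from the two dig runs posted above.
PAGE_SIGOK = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
PAGE_SIGFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53284
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed samples: what a validating resolver returns for a working test zone.
GOOD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
BAD = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(output):
    """Return (status, flags) from the header of one dig run."""
    status = re.search(r"status:\s*(\w+)", output)
    flags = re.search(r"flags:\s*([a-z ]*);", output)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())

def classify(good_name_out, bad_name_out):
    """Return (verdict, ad_flag_seen_on_good_name) for a test pair."""
    good_status, good_flags = parse_dig(good_name_out)
    bad_status, _ = parse_dig(bad_name_out)
    ad = "ad" in good_flags
    if good_status == "NOERROR" and bad_status == "SERVFAIL":
        return "validating", ad
    if good_status == "NOERROR" and bad_status == "NOERROR":
        return "not validating", ad
    if good_status == "SERVFAIL" and bad_status == "SERVFAIL":
        # Both names fail: the test zone or the upstream path is broken,
        # so nothing can be concluded about validation.
        return "inconclusive", ad
    return "unexpected", ad

if __name__ == "__main__":
    print(classify(PAGE_SIGOK, PAGE_SIGFAIL))
    print(classify(GOOD, BAD))
```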


That helped me already! Fixed different topics regarding my Pi-hole. Works great now!

Only issue left is the missing local name resolution: I tried a lot already. I am using Conditional Forwarding. Checkmarks for non-FQDN and reverse lookups forwarding enabled/disabled. My resolv.conf contains 127.0.0.1 as nameserver, domain is set (of course the same stored within Conditional Forwarding config). DHCP on my Fritzbox. I even edited a comprehensive list of Pi-hole internal DNS names (/etc/pihole/custom.list). The /etc/hosts only contains the 127.0.0.1/localhost. 01-pihole.conf in /etc/dnsmasq.d/ looks like this:

#addn-hosts=/etc/pihole/local.list
#addn-hosts=/etc/pihole/custom.list
localise-queries
no-resolv
log-queries
log-facility=/var/log/pihole/pihole.log
log-async
cache-size=10000
#bogus-priv
server=127.0.0.1#5353
domain-needed
expand-hosts
bogus-priv
local-service
rev-server=192.168.0.0/24,192.168.178.1
server=/fritz.box/192.168.178.1

Pi-hole config in pihole-FTL.conf:

RATE_LIMIT=2000/60
BLOCK_TTL=10
BLOCK_ICLOUD_PR=true
#SHOW_DNSSEC=true
NAMES_FROM_NETDB=true
REFRESH_HOSTNAMES=IPV4
RESOLVE_IPV4=yes
RESOLVE_IPV6=yes
REFRESH_HOSTNAMES=ALL
CHECK_LOAD=false
CHECK_SHMEM=90
CHECK_DISK=90
CNAME_DEEP_INSPECT=true
#BLOCK_ESNI=true
REPLY_WHEN_BUSY=ALLOW
PIHOLE_PTR=HOSTNAMEFQDN
MAXDBDAYS=365
DBINTERVAL=60
DBIMPORT=yes
PRIVACYLEVEL=0

Anyone with an idea?
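
A small consistency check over the two config files posted above, as an added example that is not part of the original thread. It flags `rev-server` entries whose network does not contain the server they forward to (dnsmasq only forwards reverse lookups for the listed network) and FTL keys set more than once with different values. Treating the router's own address as a stand-in for the LAN subnet is an assumption of this example, as are the function names.

```python
import ipaddress
from collections import defaultdict

# Relevant lines copied from the post above.
DNSMASQ_CONF = """#bogus-priv
server=127.0.0.1#5353
bogus-priv
rev-server=192.168.0.0/24,192.168.178.1
server=/fritz.box/192.168.178.1
"""
FTL_CONF = """NAMES_FROM_NETDB=true
REFRESH_HOSTNAMES=IPV4
RESOLVE_IPV4=yes
REFRESH_HOSTNAMES=ALL
"""

def active_lines(text):
    """Yield non-empty lines that are not commented out."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def rev_server_mismatches(dnsmasq_conf):
    """List (network, server) pairs where the server lies outside the network."""
    found = []
    for line in active_lines(dnsmasq_conf):
        key, _, value = line.partition("=")
        if key != "rev-server":
            continue
        cidr, _, server = value.partition(",")
        net = ipaddress.ip_network(cidr, strict=False)
        # Assumption: the forwarding target is the LAN router, so it should
        # sit inside the range whose PTR lookups are sent to it.
        if ipaddress.ip_address(server.split("#")[0]) not in net:
            found.append((str(net), server))
    return found

def conflicting_keys(ftl_conf):
    """Return KEY -> values for keys assigned different values more than once."""
    values = defaultdict(list)
    for line in active_lines(ftl_conf):
        key, sep, value = line.partition("=")
        if sep:
            values[key].append(value)
    return {k: v for k, v in values.items() if len(set(v)) > 1}

if __name__ == "__main__":
    print(rev_server_mismatches(DNSMASQ_CONF))
    print(conflicting_keys(FTL_CONF))
```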

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Uploaded. URL is https://tricorder.pi-hole.net/5ltO0ihe/

Btw, from time to time I still get the strange 4711 error messages when reconfiguring via the UI.

Can someone have a look?

It will have expired now, it's only available for 48 hours. Would you please be able to create a fresh debug log and upload and post the new token URL?

Thanks in advance! Log is here: https://tricorder.pi-hole.net/TEkjlQMM/

Regarding this item:

  • the error PHP error (2): fsockopen(): unable to connect to 127.0.0.1:4711 (Connection refused) only means connection to FTL failed (probably because FTL was offline).
    Nothing else can be inferred from this PHP error message.

Your debug log shows FTL is now running and resolving addresses without issues.

OK, that sounds good. I also do not see issues around the main functionality. Good to hear! Message also does not occur too often.

But still my Pi-hole does not resolve names. In the meantime it again uses local DNS names configured in the custom list. Even though conditional forwarding is enabled it does not use names from the DHCP server.

You have an idea here?

For such a hostname you observe as not found, what's the output of:

nslookup hostname

$ nslookup TiPhone
;; connection timed out; no servers could be reached

$ nslookup TiPhone.fritz.box
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find TiPhone.fritz.box: NXDOMAIN
