Weird PiHole Behaviour since using unbound / PiHole and ufw

Hello,
I have started running unbound on my PiHole following this guide: Redirecting...
Ever since, I have been experiencing weird behavior regarding name resolution and in what I can see in the logs.

Expected Behaviour:

Each DNS request should be resolved on the 1st try, as it was before, when using 1.1.1.1 as the upstream DNS. The normal response time should be below 250 ms.

Actual Behaviour:

I see quite a few Unknown statuses with N/A results, sometimes with resolve times of way over 1 million milliseconds.

  • What are those N/A results and is there a way to avoid them?
  • Why do some of the N/A results have no timestamp at all, while others have those extremely long run times?

Further, I see several "double" name resolutions. Please have a look; can you tell me what's actually happening?

  • The name resolution of a domain happens twice in a row.
  • The 1st try returns an (OK) forwarded status and N/A as the reply.
  • The 2nd try, immediately following the first, shows an (OK) forwarded INSECURE status and a CNAME or IP reply.
  • What is causing this behavior? Is there a technical explanation of whether this is normal behavior, or does it rather point to a misconfiguration? Please advise.
  • Sometimes, those N/A replies also have those long >1 million millisecond timestamps, as described for the screenshot above.
    They also happen with (OK) forwarded statuses. That would translate to roughly 25 minutes for a single DNS reply. Though I'm not seeing such long wait times when loading websites etc., so that timestamp seems fishy to me.
    (I can provide a screenshot should that reappear in the future.)

Third and final question:

I am running UFW firewall on my PiHole.

Since I started using unbound, I have opened port 5353 in the firewall. Since unbound is running on localhost, is it necessary at all to open port 5353 in UFW?

  • Please have a look at my UFW config and tell me if everything is configured correctly.
  • Are there any excess ports open that I might close? I'm running PiVPN, PiHole, netdata, SSH and SNMP on that RasPi.
  • Is it safe for PiHole functionality to limit ports 53 and 5353 to access only from 10.0.0.0/8, as I did for PiHole Webserver, SSH and netdata?

Debug Token:

https://tricorder.pi-hole.net/ztgilby2pp
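Added example, not part of the post and not code from the Pi-hole or unbound projects: a small shell audit that cross-checks `ufw status` against the sockets actually listening (`ss -lntup`), which is the check behind the third question above. ufw's default `/etc/ufw/before.rules` accepts all traffic on the `lo` interface (`-A ufw-before-input -i lo -j ACCEPT`), so a service bound only to 127.0.0.1 is reachable from the host itself whether or not an ALLOW rule exists for its port; the script flags such rules as unnecessary and flags everything else open to Anywhere as a candidate for the 10.0.0.0/8 restriction the post already applies elsewhere. Both command outputs are constructed samples: ports 53, 5353 and 22 follow the post, the unbound-on-127.0.0.1 binding is taken from the post's description, and netdata on 19999, snmpd on 127.0.0.1:161 and WireGuard on 51820 are assumed defaults, not the poster's real configuration.

```bash
#!/bin/sh
# Cross-check UFW ALLOW rules against listening sockets.
# On the Pi you would capture the real outputs instead of these samples:
#   sudo ufw status > ufw.txt ; sudo ss -lntup > ss.txt
# Constructed sample of `sudo ufw status` (plain, non-verbose format).
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       10.0.0.0/8
53                         ALLOW       Anywhere
5353                       ALLOW       Anywhere
19999/tcp                  ALLOW       10.0.0.0/8
161/udp                    ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
53 (v6)                    ALLOW       Anywhere (v6)
5353 (v6)                  ALLOW       Anywhere (v6)'

# Constructed sample of `sudo ss -lntup`. unbound on 127.0.0.1:5353 as the
# post describes; snmpd on 127.0.0.1:161 and WireGuard on 51820 are assumed.
SAMPLE_SS='Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           127.0.0.1:5353        0.0.0.0:*    users:(("unbound",pid=512,fd=3))
udp   UNCONN 0      0             0.0.0.0:53          0.0.0.0:*    users:(("pihole-FTL",pid=640,fd=5))
udp   UNCONN 0      0           127.0.0.1:161         0.0.0.0:*    users:(("snmpd",pid=590,fd=7))
udp   UNCONN 0      0             0.0.0.0:51820       0.0.0.0:*
tcp   LISTEN 0      128         127.0.0.1:5353        0.0.0.0:*    users:(("unbound",pid=512,fd=4))
tcp   LISTEN 0      128           0.0.0.0:53          0.0.0.0:*    users:(("pihole-FTL",pid=640,fd=6))
tcp   LISTEN 0      128           0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=420,fd=3))'

# Ports whose every listener is bound to loopback only (127.0.0.1 or [::1]).
# Field 5 of ss output is "Local Address:Port"; the header line is skipped.
loopback_only_ports() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            n = split($5, a, ":"); port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            seen[port] = 1
            if (addr != "127.0.0.1" && addr != "[::1]") wide[port] = 1
        }
        END { for (p in seen) if (!(p in wide)) print p }' | sort -n
}

# Ports that UFW allows from any source. "53/tcp" and "53 (v6)" both reduce
# to port 53; sort -nu removes the IPv4/IPv6 duplicates.
ufw_ports_open_to_anywhere() {
    printf '%s\n' "$1" | awk '
        /ALLOW/ {
            for (i = 1; i <= NF; i++) if ($i == "ALLOW") { act = i; break }
            from = $(act + 1)
            if (from == "Anywhere") { split($1, a, "/"); print a[1] }
        }' | sort -nu
}

# For each port open to Anywhere, report whether the rule is doing anything:
# loopback traffic bypasses ufw INPUT rules, so a loopback-only service
# needs no ALLOW rule at all.
audit_rules() {
    ufw_status="$1"; ss_out="$2"
    lo_ports=$(loopback_only_ports "$ss_out")
    for port in $(ufw_ports_open_to_anywhere "$ufw_status"); do
        if printf '%s\n' "$lo_ports" | grep -qx "$port"; then
            echo "port $port: ALLOW from Anywhere is unnecessary, service listens on loopback only"
        else
            echo "port $port: reachable from Anywhere; restrict to 10.0.0.0/8 unless clients outside the LAN need it"
        fi
    done
}

audit_rules "$SAMPLE_UFW_STATUS" "$SAMPLE_SS"
```

With the sample inputs the audit reports 5353 and 161 as unnecessary rules (loopback-only listeners), and 53 and 51820 as genuinely exposed; 51820 is the one port a VPN endpoint does need open to the Internet, which is why the message leaves that judgment to the operator.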
