Whatsapp calls fail with Pihole

The issue I am facing:
Whatsapp calls fail. Everything else works fine.

Details about my system:
Running Pihole on a docker container. Using the following docker-compose file:

version: "3.7"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    dns: 127.0.0.1
    restart: unless-stopped
    domainname: 'pihole.atomflare.tk'
    network_mode: 'host'
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 547:547/udp
      - 8083:8083/tcp
    environment:
      TZ: 'Europe/Madrid'
      WEBPASSWORD: 'password'
      DNS1: 127.0.0.1#5335
      DNS2: 127.0.0.1#5335
      IPv6: "no"
      DNSSEC: "false"
    cap_add:
      - NET_ADMIN
      - CAP_SYS_NICE
      - CAP_NET_RAW
    volumes:
      - /media/volumes/pihole/etc:/etc/pihole:rw
      - /media/volumes/pihole/dnsmask:/etc/dnsmasq.d:rw
      - /media/volumes/pihole/lighttpd:/etc/lighttpd:rw

Running unbound as upstream DNS. Decided to put it locally and not within a docker container due to several issues I was facing in my setup.

I followed the official Pihole guide. Here is my pihole.conf file:

server:

    # The  verbosity  number, level 0 means no verbosity, only errors.
    # Level 1 gives operational information. Level  2  gives  detailed
    # operational  information. Level 3 gives query level information,
    # output per query.  Level 4 gives  algorithm  level  information.
    # Level 5 logs client identification for cache misses.  Default is
    # level 1.
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # Read  the  root  hints from this file. Make sure to
    # update root.hints every 5-6 months.
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Ignore very large queries.
    harden-large-queries: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    # If you want to disable DNSSEC, set harden-dnssec-stripped: no
    harden-dnssec-stripped: yes

    # Number of bytes size to advertise as the EDNS reassembly buffer
    # size. This is the value put into  datagrams over UDP towards
    # peers. The actual buffer size is determined by msg-buffer-size
    # (both for TCP and UDP).
    edns-buffer-size: 1232

    # Rotates RRSet order in response (the pseudo-random
    # number is taken from the query ID, for speed and
    # thread safety).
    rrset-roundrobin: yes

    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in
    # the cache does not match up with the actual data anymore
    cache-min-ttl: 300
    cache-max-ttl: 86400

    # Have unbound attempt to serve old responses from cache with a TTL of 0 in
    # the response without waiting for the actual resolution to finish. The
    # actual resolution answer ends up in the cache later on.
    serve-expired: yes

    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes

    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes

    # Refuse id.server and hostname.bind queries
    hide-identity: yes

    # Report this identity rather than the hostname of the server.
    identity: "Server"

    # Refuse version.server and version.bind queries
    hide-version: yes

    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no

    # Number  of  bytes size of the aggressive negative cache.
    neg-cache-size: 4m

    # Send minimum amount of information to upstream servers to enhance privacy
    qname-minimisation: yes

    # Deny queries of type ANY with an empty response.
    # Works only on version 1.8 and above
    deny-any: yes

    # Do not insert authority/additional sections into response messages when
    # those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup
    minimal-responses: yes

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    # This flag updates the cached domains
    prefetch: yes

    # Fetch the DNSKEYs earlier in the validation process, when a DS record is
    # encountered. This lowers the latency of requests at the expense of little
    # more CPU usage.
    prefetch-key: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for
    # most users running on small networks or on a single machine, it should be unnecessary
    # to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # More cache memory. rrset-cache-size should be twice what msg-cache-size is.
    msg-cache-size: 50m
    rrset-cache-size: 100m

    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 4m
    so-sndbuf: 4m

    # Set the total number of unwanted replies to keep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million.
    unwanted-reply-threshold: 100000

    # Minimize logs
    # Do not print one line per query to the log
    log-queries: no
    # Do not print one line per reply to the log
    log-replies: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: no
    # Do not print log lines to inform about local zone actions
    log-local-actions: no
    # Send any remaining log output to /dev/null
    logfile: /dev/null

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

What I have changed since installing Pi-hole:
Added some adlists. Whitelisted whatsapp services. Enabled DHCP through the web interface.

Another thing I noticed is that I sometimes started to get the dnsmasq warning:

 dnsmasq-dhcp[7207]: no address range available for DHCP request via lo

Additionally, I set all the devices in my LAN to use Pihole as DNS, I disabled DHCP in my gateway router, and at my gateway firewall router I set up rules that prevent any incoming connections from port 53, except to my pihole server.

My debug token: https://tricorder.pi-hole.net/KuRSkreB/

Please help me figure out what I am possibly doing wrong in my setup.

Thank you in advance.

You added more than just "some". I would disable all but the stock list and work from there.

gravity_count 4594338

I note that you also have several lists intended to block YouTube ads. These don't work, and will eventually interfere with YT content.

This entry is in your regex whitelist, but appears to be derived from the URL of a public whitelist. This will do nothing as a regex filter.

(\.|^)https://raw\.githubusercontent\.com/anudeepnd/whitelist/master/domains/whitelist\.txt$

Use these tools to determine why your desired content will not load:

https://docs.pi-hole.net/ftldns/dnsmasq_warn/

No DHCP context has been configured for this interface. Check your DHCP settings.

This warning is expected during debug log generation as Pi-hole is trying to request a DHCP lease on all available interfaces. We do this to test that the server replies properly.

When an interface does not have a DHCP configuration (such as the loopback interface lo, or other special interfaces such as docker0), this warning is printed. You can safely ignore it when it happens only during DHCP testing, e.g., during Pi-hole debug log generation. If it happens often, you can use the option no-dhcp-interface=IF_NAME (insert the interface name here) to specifically disable DHCP on this interface.
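
Why the regex whitelist entry quoted in the reply above can never match, as an added example (not code from the thread or from Pi-hole): a regex filter is tested against the queried domain name only, which never carries a scheme or a path. Python's `re` stands in for Pi-hole's regex engine here, and `DOMAIN_ENTRY` and the sample query names are constructed for illustration.

```python
import re

# Entry quoted in the thread: a list URL pasted into the regex whitelist.
URL_ENTRY = (r"(\.|^)https://raw\.githubusercontent\.com/anudeepnd/whitelist"
             r"/master/domains/whitelist\.txt$")
# Constructed contrast (hypothetical entry): a regex shaped like a domain.
DOMAIN_ENTRY = r"(\.|^)whatsapp\.net$"

# Constructed query names, as a DNS filter sees them: no scheme, no path.
SAMPLE_QUERIES = [
    "raw.githubusercontent.com",
    "whatsapp.net",
    "mmg.whatsapp.net",
    "notwhatsapp.net",
    "example.org",
]


def lint_entry(pattern):
    """Return reasons why a regex entry can never match a queried domain."""
    reasons = []
    if re.search(r"[a-z][a-z0-9+.-]*:/", pattern, re.I):
        reasons.append("contains a URL scheme")
    # Drop escapes, bracket expressions and (?: so only literals remain.
    bare = re.sub(r"\\.|\[[^\]]*\]|\(\?:", "", pattern)
    for ch in "/:":
        if ch in bare:
            reasons.append(f"literal {ch!r} never occurs in a domain name")
    return reasons


def matching_queries(pattern, queries=SAMPLE_QUERIES):
    """Return the query names the pattern matches (unanchored search)."""
    rx = re.compile(pattern)
    return [q for q in queries if rx.search(q)]


def audit(entries, queries=SAMPLE_QUERIES):
    """Map each entry to its lint findings and the queries it matches."""
    return {e: {"lint": lint_entry(e), "hits": matching_queries(e, queries)}
            for e in entries}


if __name__ == "__main__":
    for entry, result in audit([URL_ENTRY, DOMAIN_ENTRY]).items():
        print(entry, result["lint"] or "ok", result["hits"], sep="\n  ")
```
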
