The issue I am facing:
Whatsapp calls fail. Everything else works fine.
Details about my system:
Running Pihole on a docker container. Using the following docker-compose file:
version: "3.7"
services:
pihole:
container_name: pihole
image: pihole/pihole:latest
dns: 127.0.0.1
restart: unless-stopped
domainname: 'pihole.atomflare.tk'
network_mode: 'host'
ports:
- 53:53/tcp
- 53:53/udp
- 67:67/udp
- 547:547/udp
- 8083:8083/tcp
environment:
TZ: 'Europe/Madrid'
WEBPASSWORD: 'password'
DNS1: 127.0.0.1#5335
DNS2: 127.0.0.1#5335
IPv6: "no"
DNSSEC: "false"
cap_add:
- NET_ADMIN
- CAP_SYS_NICE
- CAP_NET_RAW
volumes:
- /media/volumes/pihole/etc:/etc/pihole:rw
- /media/volumes/pihole/dnsmask:/etc/dnsmasq.d:rw
- /media/volumes/pihole/lighttpd:/etc/lighttpd:rw
Running unbound as upstream DNS. Decided to put it locally and not within a docker container due to several issues I was facing in my setup.
I followed the official Pihole guide. Here is my pihole.conf file:
server:
# The verbosity number, level 0 means no verbosity, only errors.
# Level 1 gives operational information. Level 2 gives detailed
# operational information. Level 3 gives query level information,
# output per query. Level 4 gives algorithm level information.
# Level 5 logs client identification for cache misses. Default is
# level 1.
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# Read the root hints from this file. Make sure to
# update root.hints evry 5-6 months.
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Ignore very large queries.
harden-large-queries: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
# If you want to disable DNSSEC, set harden-dnssec stripped: no
harden-dnssec-stripped: yes
# Number of bytes size to advertise as the EDNS reassembly buffer
# size. This is the value put into datagrams over UDP towards
# peers. The actual buffer size is determined by msg-buffer-size
# (both for TCP and UDP).
edns-buffer-size: 1232
# Rotates RRSet order in response (the pseudo-random
# number is taken from Ensure privacy of local IP
# ranges the query ID, for speed and thread safety).
# private-address: 192.168.0.0/16
rrset-roundrobin: yes
# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data anymore
cache-min-ttl: 300
cache-max-ttl: 86400
# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.
serve-expired: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes
# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes
# Refuse id.server and hostname.bind queries
hide-identity: yes
# Report this identity rather than the hostname of the server.
identity: "Server"
# Refuse version.server and version.bind queries
hide-version: yes
# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no
# Number of bytes size of the aggressive negative cache.
neg-cache-size: 4m
# Send minimum amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# Deny queries of type ANY with an empty response.
# Works only on version 1.8 and above
deny-any: yes
# Do no insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup
minimal-responses: yes
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
# This flag updates the cached domains
prefetch: yes
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for
# most users running on small networks or on a single machine, it should be unnecessary
# to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# more cache memory. rrset-cache-size should twice what msg-cache-size is.
msg-cache-size: 50m
rrset-cache-size: 100m
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Ensure kernel buffer is large enough to not lose messages in traffix spikes
so-rcvbuf: 4m
so-sndbuf: 4m
# Set the total number of unwanted replies to keep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 100000
# Minimize logs
# Do not print one line per query to the log
log-queries: no
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no
# Do not print log lines to inform about local zone actions
log-local-actions: no
# Do not print log lines that say why queries return SERVFAIL to clients
logfile: /dev/null
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
What I have changed since installing Pi-hole:
Added some adlists. Whitelisted whatsapp services. Enabled DHCP through the web interface.
Other thing I noticed it is that I started to get sometimes the dnsmaks warning:
dnsmasq-dhcp[7207]: no address range available for DHCP request via lo
Additionally I set all my devices in my LAN to use Pihole as DNS, I disabled DHCP in my gateway router, and I set up at my gateway firewall router rules that prevent any incoming conexions from port 53, except to my pihole server.
My debug token: https://tricorder.pi-hole.net/KuRSkreB/
Please help me figure out what I am possibly doing wrong in my set up.
Thank you in advance.