[Support] devzwf - pihole DoT/DoH



sad panda.

new pihole problem.

The docker doesn't seem to be getting the correct resolv.conf.

At Cloudflare start, in the log I get

Starting unbound
Starting stubby
Starting cloudflared
2024-06-23T21:43:07Z WRN Your version 2024.6.0 is outdated. We recommend upgrading it to 2024.6.1
  [✗] DNS resolution is currently unavailable


When I console into the docker and run cat /etc/resolv.conf, I get:

root@PIHOLEDOHDOT:/# cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
root@PIHOLEDOHDOT:/# 

^ For stubby/Cloudflare this should be 127.0.0.1 and/or other upstream DNS servers. Pihole works normally otherwise, but the docker's autostart and pihole -up / pihole -g never start the gravity update....


when it should be pulling Unraid's resolv.conf:
root@BMM-Unraid:~# cat /etc/resolv.conf
# Generated by rc.inet1
nameserver 192.168.2.1
nameserver 208.67.222.222
nameserver 9.9.9.9

Edited by bmartino1
18 hours ago, bmartino1 said:

sad panda. new pihole problem.

The docker doesn't seem to be getting the correct resolv.conf.

At Cloudflare start I get

Starting unbound
Starting stubby
Starting cloudflared
2024-06-23T21:43:07Z WRN Your version 2024.6.0 is outdated. We recommend upgrading it to 2024.6.1
  [✗] DNS resolution is currently unavailable


When I console into the docker and run cat /etc/resolv.conf, I get:

root@PIHOLEDOHDOT:/# cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
root@PIHOLEDOHDOT:/# 

^ For stubby/Cloudflare this should be 127.0.0.1 and/or other upstream DNS servers. Pihole works normally otherwise, but the docker's autostart and pihole -up / pihole -g never start the gravity update....


when it should be pulling Unraid's resolv.conf:
root@BMM-Unraid:~# cat /etc/resolv.conf
# Generated by rc.inet1
nameserver 192.168.2.1
nameserver 208.67.222.222
nameserver 9.9.9.9


I was able to fix this by creating a 1-to-1 file for the docker.

My resolv.conf contains:


root@PIHOLEDOHDOT:/# cat /etc/resolv.conf 
#Docker Default:
nameserver 127.0.0.11
options ndots:0

#Local Machine
nameserver 192.168.2.10
nameserver 127.0.0.1

#Unraid:
# Generated by rc.inet1
nameserver 192.168.2.1
nameserver 208.67.222.222
nameserver 9.9.9.9

#My other Upstream DNS:
#domain localdomain
#search localdomain
nameserver 130.126.2.131
#nameserver 8.8.8.8
#nameserver 1.1.1.1

#Docker local DNS:
#stubby(DOT) and cloudflare(DOH)
nameserver 127.1.1.1#5153
nameserver 127.2.2.2#5253
#unbound:
nameserver 127.0.0.1#5335
root@PIHOLEDOHDOT:/# 



Edited by bmartino1
Correct update DNS in resolv.conf
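Added example (mine, not from bmartino1's post, the devzwf image or Pi-hole): a small Python checker for exactly the situation above. It parses a resolv.conf the way the glibc resolver does, so you can see that only the first three valid nameserver lines are honoured and that the dnsmasq-style IP#port entries (nameserver 127.1.1.1#5153) are not resolv.conf syntax and are dropped, then sends a raw DNS query to each usable server to reproduce the "[✗] DNS resolution is currently unavailable" check by hand. The sample file is constructed from the one posted above; pi.hole is only a probe name.

```python
"""Check which nameservers in a container's /etc/resolv.conf the glibc
resolver will actually use, then send a bare DNS query to each one.

Added example for this thread; not code from the devzwf/pihole-dot-doh
image or from Pi-hole. Assumptions: glibc resolver rules (at most three
`nameserver` lines are honoured, each must be a bare IP address, the
dnsmasq-style `IP#port` suffix is not resolv.conf syntax) and a constructed
sample file modelled on the one posted above.
"""
import ipaddress
import os
import socket
import struct

MAXNS = 3  # glibc resolv.h: nameservers beyond the third are silently ignored

# Constructed sample modelled on the resolv.conf posted above (not a real host).
SAMPLE_RESOLV_CONF = """\
#Docker Default:
nameserver 127.0.0.11
options ndots:0

#Local Machine
nameserver 192.168.2.10
nameserver 127.0.0.1

#Unraid:
nameserver 192.168.2.1
nameserver 208.67.222.222
nameserver 9.9.9.9

#Docker local DNS:
nameserver 127.1.1.1#5153
nameserver 127.0.0.1#5335
"""


def parse_resolv_conf(text):
    """Return (used, ignored): the nameserver IPs glibc would query, in order,
    and (lineno, line, reason) for every nameserver line it would drop."""
    used, ignored = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0][0] in "#;" or parts[0] != "nameserver":
            continue  # blanks, comments, options/search/domain
        if len(parts) < 2:
            ignored.append((lineno, raw, "missing address"))
            continue
        addr = parts[1]
        if "#" in addr:
            # dnsmasq / Pi-hole `server=IP#port` syntax; glibc cannot parse it
            ignored.append((lineno, raw, "'#port' suffix is not resolv.conf syntax"))
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            ignored.append((lineno, raw, "not an IP address"))
            continue
        if len(used) >= MAXNS:
            ignored.append((lineno, raw, f"beyond the first {MAXNS} nameservers"))
            continue
        used.append(addr)
    return used, ignored


def build_a_query(name, txid=0x1234):
    """Minimal DNS wire-format A query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe(server, name="pi.hole", port=53, timeout=2.0):
    """Send one UDP query; return the reply RCODE (0 NOERROR, 2 SERVFAIL,
    3 NXDOMAIN, ...) or None if nothing usable came back."""
    query = build_a_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
        except OSError:
            return None
    if len(reply) < 12 or reply[:2] != query[:2]:
        return None
    return reply[3] & 0x0F


if __name__ == "__main__":
    path = "/etc/resolv.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_RESOLV_CONF
    used, ignored = parse_resolv_conf(text)
    for lineno, line, reason in ignored:
        print(f"ignored line {lineno}: {line!r} ({reason})")
    for server in used:
        print(f"{server}: rcode={probe(server)}")
```

Any RCODE back (even NXDOMAIN for the probe name) means the server is reachable; None for every server is the state the startup check reports as unavailable. Run it on the host against a copy of the container's file if the image has no python3 (the image is not documented to ship one).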

This appears to be happening as my local LAN is now 192.168.2.1 and not the default home router domain of 192.168.1.1 found in the dnsmasq conf that is forcibly overwritten at docker start:



as I edited that conf earlier and set them both to 192.168.2.X to fix this...


Without being able to edit the file 01-pihole.conf under the dnsmasq folder,
https://docs.pi-hole.net/ftldns/configfile/

I'm presented with a failed resolv.conf with no DNS resolver.

To fix this I have to make another 99-fix-pihole-01.conf

https://docs.pi-hole.net/ftldns/configfile/
^ I also edit my etc FTL conf, and this requires me to have the config edit to add option domain with the correct information.

The docker would need a code update for first run to download, and a check to not download...

Edited by bmartino1
31 minutes ago, ZappyZap said:

I will have a look, but so far I am not able to reproduce.

Thank you for taking a look.

The 4 changes I have had recently: an upstream fiber was melted due to a fire at the neighbors',
I upgraded from Purple to Gold with my router (same config, no changes) for Firewalla (it literally migrates all settings from the previous device to the new one).

So a new fiber run and a new public IP...

I then changed my internal DHCP server from 192.168.1.x to 192.168.2.x
to fix a friend's multi-VPN IP connection issues.

I will copy off the data I have edited, purge the folders and reinstall; I have backups from pihole and via the appdata restore plugin.

I just happened to notice the issues in the log due to the netprobe monitoring being weird with pihole.

Not sure what caused it nor why it's happening now. From what I can tell the docker is reverting the edits made to the conf at docker start.
The docker is off, I edit the config, I start the docker, I check the config and it reverts (sometimes); I can't fully reproduce it either. Regardless something somewhere isn't happy so I will start fresh...

From testing above, I have had unbound issues with the resolv conf, and that happened to be preventing the docker from talking upstream to do the cloudflare DNS query. The only other change is the unraid setting to update the docker, as I have been on 192.168.2.x for a while now (3m) and pihole's configs have been untouched until today.

Hopefully a fresh purge of all pihole and a new download will work.

10 minutes ago, ZappyZap said:

I can see the warning from cloudflare about the version being outdated, and this will get pushed tonight, but that's not your main issue.
But for your other issue, I cannot reproduce at all.



Thank you.


After the DNS error I then saw a spam of the cloudflare conf DNS query errors,
so I stopped and edited down to just cloudflare 1.1.1.1.

I was able to resolve once, then stop/start and it errored again. Having experienced this before with unbound and cloudflare, I decided to take a look at the resolv conf and use dig and other tools, to the point of not being able to run DNS, even though the web UI was up and pihole was getting and routing queries... which was weird in and of itself...

My concern at the moment is with unraid maintenance trying to grab a fresh download:



Just tested:


 Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Starting unbound
Starting stubby
Starting cloudflared
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [✓] Creating new gravity databases
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✓] Status: Retrieval successful
  [✓] Parsed 158918 exact domains and 0 ABP-style domains (ignored 1 non-domain entries)
      Sample of non-domain entries:
        - "0.0.0.0"

  [i] List stayed unchanged

  [i] Target: https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
  [✓] Status: No changes detected
  [✓] Parsed 34 exact domains and 0 ABP-style domains (ignored 0 non-domain entries)

  [i] Target: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  [✓] Status: No changes detected
  [✓] Parsed 2701 exact domains and 0 ABP-style domains (ignored 0 non-domain entries)

  [i] Target: https://v.firebog.net/hosts/Easyprivacy.txt
  [✓] Status: No changes detected
  [✓] Parsed 37674 exact domains and 0 ABP-style domains (ignored 0 non-domain entries)

  [i] Target: https://big.oisd.nl
  [✓] Status: Retrieval successful
  [✓] Parsed 0 exact domains and 273526 ABP-style domains (ignored 0 non-domain entries)
  [i] List has been updated

  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available
  [i] Number of gravity domains: 472853 (469770 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 14
  [i] Number of exact whitelisted domains: 2
  [i] Number of regex whitelist filters: 0
  [✓] Cleaning up stray matter

  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

  Pi-hole version is v5.18.2 (Latest: v5.18.2)
  web version is v5.21 (Latest: v5.21)
  FTL version is v5.25.2 (Latest: v5.25.2)
  Container tag is: 2024.06.0

 


Thank you for all your help on this. It's an internal issue I'll have to hunt down, but at the moment I have a temp stop-gap running.

Thanks for the update, Cloudflare. Sadly this is something new I will have to live with. I've tried fresh downloads and restores from earlier via the appdata backup plugin.

Not sure why the Firewalla Gold is now blocking some even with new extra rules to allow and not limit the traffic to pihole.

Depending on others' router settings and running this docker, this appears to only be affecting DoH.


If others use the docker and get:


Starting unbound
Starting stubby
Starting cloudflared
  [✗] DNS resolution is currently unavailable


You can temp fix it by adding your own resolv conf.


But this means that your router is not handling traffic correctly.

ZappyZap, thank you for taking a look into this. Not sure why this started happening; I didn't have an issue a week ago and have been running the Firewalla Gold for more than 3 months.

As I'm still troubleshooting this, the last thing I can think of is deleting the unraid docker btrfs/xfs image.

I even did a fresh Linux router wipe and started new with the Firewalla Gold. Then tested it in network, and it may even be related to your unraid docker image, like last time's weirdness of disk full and log space.


To the community:
FYI: with https://docs.pi-hole.net/ftldns/configfile/
(the /etc/ file path location in pihole),
your docker from a fresh start only generates the local_ipV4 and MacVendorDB location, even if I set the rate limit in the web UI.
Not sure when pihole commits / writes to a file.

Regardless, as I set the same settings in the web UI and then add the file...

Here is my edited FTL for reference:
pihole-FTL.conf

#; Pi-hole FTL config file
#; Comments should start with #; to avoid issues with PHP and bash reading this file
#; https://docs.pi-hole.net/ftldns/configfile/#check_load
MACVENDORDB=/macvendor.db
LOCAL_IPV4=192.168.2.10
RATE_LIMIT=3000/120
#;Default rate limit
#;RATE_LIMIT=1000/60
#;Disable rate limit - warning: high RAM usage
#;RATE_LIMIT=0/0
BLOCKINGMODE=NXDOMAIN
#;BLOCKINGMODE=NULL
CHECK_LOAD=true
CHECK_SHMEM=90
#;PIHOLE_PTR=HOSTNAMEFQDN
#;PIHOLE_PTR=HOSTNAME
PIHOLE_PTR=PI.HOLE
CNAME_DEEP_INSPECT=false
REFRESH_HOSTNAMES=IPV4
BLOCK_ICLOUD_PR=false
MOZILLA_CANARY=false
REPLY_WHEN_BUSY=true
SHOW_DNSSEC=true
SOCKET_LISTENING=all
RESOLVE_IPV4=yes
RESOLVE_IPV6=yes
IGNORE_LOCALHOST=yes
PRIVACYLEVEL=0


I don't want to stop Apple's relay, and I don't want to stop Mozilla's relay for privatized DNS. They should be true if you want to force those to use pihole, but then they will complain about not being secure...


I want to give a modest rate limit and timeout (most queries, if they error, will redo and fix based on the response; 3000/120 gives a higher package and a 2 min timeout, especially for 10 GB networks). This should be set via the pihole web GUI, but for some reason it's not writing to this...

The web UI DNS host names / GUI option "Conditional forwarding" has some issues sometimes off the bat.
The PTR setting sometimes needs to be set to fix host names and their refreshes.


I had issues in the past from a potential DDoS/DoS attack and added the SHM; I also run with docker extra options: --shm-size="3G",
making a 3GB RAM disk for queries, as the attack worked against pihole without some of the settings above, putting it into database busy so it stopped responding to requests.

With this FTL config it will instead refuse and NXDOMAIN (block) the query, and has the resources to handle it when a DoS attack comes. (tested and confirmed with Kali...)

These other options for my recommended security are:


BLOCKINGMODE=NXDOMAIN
#;BLOCKINGMODE=NULL
REPLY_WHEN_BUSY=true
CHECK_LOAD=true
CHECK_SHMEM=90
IGNORE_LOCALHOST=yes
SHOW_DNSSEC=true
SOCKET_LISTENING=all
RESOLVE_IPV4=yes
RESOLVE_IPV6=yes
PRIVACYLEVEL=0

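Added example (not part of the post above, and not Pi-hole project code): a Python audit that parses a pihole-FTL.conf and reports where it departs from the flood-handling settings bmartino1 lists (RATE_LIMIT, BLOCKINGMODE, REPLY_WHEN_BUSY, CHECK_LOAD, CHECK_SHMEM). The recommended values are the poster's own, not vetted defaults; the sample file is constructed; the rule that comments should start with "#;" is taken from the posted file's own header line.

```python
"""Parse a pihole-FTL.conf and report where it departs from the
flood-resistance settings recommended in the post above.

Added example, not Pi-hole project code. RECOMMENDED holds the poster's
own values (not independently vetted defaults); the sample file is
constructed here. The '#;' comment rule comes from the posted file's
own header line.
"""
import re

RECOMMENDED = {
    "RATE_LIMIT": "3000/120",      # queries per window / window in seconds
    "BLOCKINGMODE": "NXDOMAIN",
    "REPLY_WHEN_BUSY": "true",
    "CHECK_LOAD": "true",
    "CHECK_SHMEM": "90",
}

_KV = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

# Constructed sample: near-default values plus a bare '#' comment.
SAMPLE_FTL_CONF = """\
#; constructed sample, not a real deployment
# bare comment in the style the file header warns against
RATE_LIMIT=0/0
BLOCKINGMODE=NULL
CHECK_LOAD=true
PRIVACYLEVEL=0
"""


def parse_ftl_conf(text):
    """Return (settings, bare_comment_lines). KEY=VALUE pairs, last one wins;
    bare_comment_lines lists comments that start with '#' but not '#;'."""
    settings, bare = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if not line.startswith("#;"):
                bare.append(lineno)
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip()
    return settings, bare


def rate_limit(value):
    """'count/seconds' -> (count, seconds); None if malformed. (0, 0) = unlimited."""
    m = re.fullmatch(r"(\d+)/(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(text):
    """List human-readable findings; an empty list means the file matches."""
    settings, bare = parse_ftl_conf(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key} not set (post sets {want})")
        elif key == "RATE_LIMIT":
            rl = rate_limit(have)
            if rl is None:
                findings.append(f"RATE_LIMIT={have!r} is not count/seconds")
            elif rl == (0, 0):
                findings.append("RATE_LIMIT=0/0 disables rate limiting entirely")
            elif have != want:
                findings.append(f"RATE_LIMIT={have} differs from the post's {want}")
        elif have.lower() != want.lower():
            findings.append(f"{key}={have} differs from the post's {want}")
    for lineno in bare:
        findings.append(f"line {lineno}: comment starts with '#' rather than '#;'")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FTL_CONF
    for finding in audit(text):
        print("-", finding)
```

Point it at the appdata copy of pihole-FTL.conf (the file the container bind-mounts) rather than at the web UI settings; the post above notes the UI does not always write these keys to the file, and this audit only sees what is on disk.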

Seemed to be a layer 2 / layer 3 route issue with how pihole was forwarding its requests to my router.

Not sure what broke where. It appears to be back in operation, but I have to run the resolv conf to fix it.


root@piholedohdot:/# nslookup 192.168.2.1
1.2.168.192.in-addr.arpa        name = firewalla.localdomain.

root@piholedohdot:/# ping google.com
PING google.com (142.250.190.110) 56(84) bytes of data.
64 bytes from ord37s35-in-f14.1e100.net (142.250.190.110): icmp_seq=1 ttl=121 time=11.2 ms
64 bytes from ord37s35-in-f14.1e100.net (142.250.190.110): icmp_seq=2 ttl=121 time=11.2 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 11.193/11.202/11.211/0.009 ms
root@piholedohdot:/# nslookup google.com 
Server:         127.0.0.11
Address:        127.0.0.11#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.190.110
Name:   google.com
Address: 2607:f8b0:4009:81b::200e

root@piholedohdot:/# dig google.com     

; <<>> DiG 9.16.48-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41626
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             1481    IN      A       142.250.190.110

;; Query time: 9 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Wed Jun 26 00:48:19 American 2024
;; MSG SIZE  rcvd: 55

root@piholedohdot:/#


Again, at this time I don't think it's an issue with unraid / your docker. Just weird that it started out of the blue.

But as you can see above, it's using the docker's resolv conf via unbound 127.0.0.11....

#Docker Default:
nameserver 127.0.0.11
options ndots:0

#Pihole Itself
nameserver 192.168.2.10
nameserver 127.0.0.1

#Unraid:
# Generated by rc.inet1
nameserver 192.168.2.1
nameserver 208.67.222.222
nameserver 9.9.9.9

#My other Upstream DNS:
#domain localdomain
#search localdomain
nameserver 130.126.2.131
#nameserver 8.8.8.8
#nameserver 1.1.1.1

#Docker local DNS:
#stubby(DOT) and cloudflare(DOH)
#nameserver 127.1.1.1#5153
#nameserver 127.2.2.2#5253
#unbound:
#nameserver 127.0.0.1#5335


I did have to turn off forward reverse lookups to use with the Firewalla layer 3 DNS stuff.


Most likely a 3rd-party iptables command.

As I also tried to use docker compose with your docker and have it run on the Firewalla itself.

https://help.firewalla.com/hc/en-us/articles/360051625034-Guide-How-to-install-Pi-Hole-on-Gold-Purple-Beta

# To use with Firewalla you need to create the network first so the compose file doesn't create one, and change the IP address within:

Firewalla commands at startup: /home/pi/.firewalla/config/post_main.d/start_pi_hole.sh

cd /home/pi/.firewalla/run/docker/pi-hole
sudo systemctl start docker
sudo docker network create --subnet=172.16.0.0/24 pihole
sudo docker-compose pull
sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect pihole |jq -r '.[0].Id[0:12]') table lan_routable
sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect pihole |jq -r '.[0].Id[0:12]') table wan_routable
sudo docker-compose up --detach
root@Firewalla:/home/pi/.firewalla/run/docker/pi-hole# cat docker-compose.yaml
version: "3"
services:
  pihole-dot-doh:
    container_name: pihole
    hostname: piholedohdot
    mac_address: 02:42:C0:A8:01:CC
    shm_size: 1G
    image: devzwf/pihole-dot-doh:latest
    pull_policy: always
#Depends on how you handle docker network - not required with docker bridge.
#    ports:
#      - "53:53/tcp"
#      - "53:53/udp"
#      - "67:67/udp"
#      - "80:80/tcp"
#      - "443:443/tcp"
    environment:
      - TZ=America/Chicago
      - HOST_CONTAINERNAME=pihole
      - TCP_PORT_53=53
      - UDP_PORT_53=53
      - UDP_PORT_67=67
      - TCP_PORT_80=80
      - TCP_PORT_443=443
      - DNS1=127.2.2.2#5253
      - DNS2=127.1.1.1#5153
      - WEBPASSWORD=firewalla
      - INTERFACE=eth0
      - ServerIP=172.16.0.2
      - IPv6=False
      - DNSMASQ_LISTENING=all
    volumes:
#Folders need to be created and chmod 777 / chown nobody:users ...
      - /data/Unraid-PiholeDOHDOT/Pihole/:/etc/pihole/:rw
      - /data/Unraid-PiholeDOHDOT/dnsmasq/:/etc/dnsmasq.d/:rw
      - /data/Unraid-PiholeDOHDOT/config/:/config:rw
      - /data/Unraid-PiholeDOHDOT/other1for1/error-pihole.log:/var/log/lighttpd/error-pihole.log:rw
      - /data/Unraid-PiholeDOHDOT/other1for1/resolv.conf:/etc/resolv.conf:rw
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    networks:
      pihole:
        ipv4_address: 172.16.0.2
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

networks:
  pihole:
    external:
      name: pihole

^ Example Firewalla setup to use this docker.
When messing with this the Firewalla finally started answering correctly to the pihole docker on unraid.

Edited by bmartino1
Fix firewalla compose file
45 minutes ago, ZappyZap said:

Pihole container does not use DNS1 and DNS2 anymore, but

PIHOLE_DNS_

https://github.com/pi-hole/docker-pi-hole




? I saw that in the logs of the docker and followed the official pihole project. It's added to the DNS records "host file in the docker":

The DNS 1 and 2 template fills the web UI custom IP option:

I'm not using pihole as a dhcp server.


Edited by bmartino1
spelling
18 hours ago, ZappyZap said:

Doh....
I was sure I updated it....
Damn, will be done tomorrow.

Thanks for finding out.


Per the log with the DNS 1 and DNS 2 templates, it appears that pihole is making that record and using that variable:


 [i] Converting DNS1 to PIHOLE_DNS_
  [i] Converting DNS2 to PIHOLE_DNS_
  [i] Setting DNS servers based on PIHOLE_DNS_ variable


I'm not very concerned about it. It's up and working as it should.

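Added example (not code from pi-hole/docker-pi-hole or devzwf/pihole-dot-doh): a Python reproduction of the DNS1/DNS2 to PIHOLE_DNS_ conversion the startup log above reports, with validation of each resulting upstream entry and a flag for loopback upstreams. It assumes PIHOLE_DNS_ is a ";"-separated list in dnsmasq "IP" or "IP#port" form and that an explicit PIHOLE_DNS_ wins over the legacy pair; the environment list is constructed from the compose file posted earlier in the thread.

```python
"""Reproduce, outside the container, the upstream-list conversion the
startup log reports ("Converting DNS1 to PIHOLE_DNS_") and validate the
resulting entries.

Added example; not code from pi-hole/docker-pi-hole or devzwf/pihole-dot-doh.
Assumptions: PIHOLE_DNS_ is a ';'-separated list of upstreams in dnsmasq
'IP' or 'IP#port' form, an explicit PIHOLE_DNS_ takes precedence over the
legacy DNS1/DNS2 pair, and SAMPLE_ENV is constructed from the compose file
posted earlier in the thread.
"""
import ipaddress

# Constructed excerpt of the compose `environment:` list posted above.
SAMPLE_ENV = [
    "TZ=America/Chicago",
    "DNS1=127.2.2.2#5253",   # cloudflared (DoH) listener inside the container
    "DNS2=127.1.1.1#5153",   # stubby (DoT) listener inside the container
    "DNSMASQ_LISTENING=all",
]


def env_to_dict(items):
    """Compose 'KEY=VALUE' list form -> dict (items without '=' are skipped)."""
    env = {}
    for item in items:
        key, sep, value = item.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def parse_upstream(entry):
    """'IP' or 'IP#port' -> (ip, port); raises ValueError for anything else."""
    host, _, port = entry.partition("#")
    ip = ipaddress.ip_address(host.strip())      # ValueError on non-addresses
    port = int(port) if port else 53
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {entry!r}")
    return str(ip), port


def effective_upstreams(env):
    """Apply the startup conversion: PIHOLE_DNS_ if set, otherwise DNS1/DNS2
    joined with ';'. Returns the parsed (ip, port) list in order."""
    raw = env.get("PIHOLE_DNS_") or ";".join(
        env[k] for k in ("DNS1", "DNS2") if env.get(k))
    return [parse_upstream(e) for e in raw.split(";") if e.strip()]


def loopback_upstreams(upstreams):
    """Entries on 127.0.0.0/8 or ::1. These only resolve if the listener runs
    inside the same network namespace as FTL, as stubby and cloudflared do in
    this image; from any other namespace they are unreachable."""
    return [(ip, port) for ip, port in upstreams
            if ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    ups = effective_upstreams(env_to_dict(SAMPLE_ENV))
    print("PIHOLE_DNS_ =", ";".join(f"{ip}#{port}" for ip, port in ups))
    for ip, port in loopback_upstreams(ups):
        print(f"{ip}#{port} is loopback: must be served from inside the container")
```

The loopback check is the practical point for this image: both upstreams in the posted compose file are 127.x listeners that exist only inside the container, so a resolv.conf bind-mounted from the host cannot reach them, and a different network mode that separates the processes would break resolution the same way.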