
One-Container - SERVFAIL

Open Werfjes opened this issue 2 years ago • 22 comments

Hi, I have installed OneContainer on a Raspberry and am receiving SERVFAIL

Time Type Domain Client Status Reply Action

2022-11-01 22:20:20 | A | cloud.abcd.com | 172.18.0.1 | OK (answered by localhost#5335) | SERVFAIL (69.3ms)

I am a bit lost... as

  • sigfail.verteiltesysteme.net & dig sigok.verteiltesysteme.net & ping google.com are working perfectly
  • however unbound cannot open 127.0.0.1 port 8953 (as can be seen in the output of: /# sudo unbound -d -vvvv)

PS: I also have a dnsmasq warning

DNSMASQ_WARN Warning in dnsmasq core:ignoring query from non-local network 192.168.88.4 (logged only once)

Please help me

Thanks Marc

Environment

Variable Value
DNSMASQ_LISTENING single
DNSMASQ_USER pihole
DNSSEC "true"
FTL_CMD no-daemon
FTLCONF_LOCAL_IPV4
IPv6 True
PATH /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHP_ENV_CONFIG /etc/lighttpd/conf-enabled/15-fastcgi-php.conf
PHP_ERROR_LOG /var/log/lighttpd/error-pihole.log
phpver php
PIHOLE_DNS 127.0.0.1#5335
REV_SERVER false
REV_SERVER_CIDR
REV_SERVER_DOMAIN
REV_SERVER_TARGET
S6_BEHAVIOUR_IF_STAGE2_FAILS 2
S6_CMD_WAIT_FOR_SERVICES_MAXTIME 0
S6_KEEP_ENV 1

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net. IN A

;; Query time: 35 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Nov 01 19:40:22 UTC 2022
;; MSG SIZE rcvd: 57

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46293
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A

;; Query time: 35 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Nov 01 19:42:02 UTC 2022
;; MSG SIZE rcvd: 55

/# sudo unbound -d -vvvv
[1667331143] unbound[807:0] notice: Start of unbound 1.13.1.
[1667331143] unbound[807:0] debug: creating udp4 socket 127.0.0.1 5335
[1667331143] unbound[807:0] debug: creating tcp4 socket 127.0.0.1 5335
[1667331143] unbound[807:0] debug: creating tcp4 socket 127.0.0.1 8953
[1667331143] unbound[807:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953 (len 16)
[1667331143] unbound[807:0] error: cannot open control interface 127.0.0.1 8953
[1667331143] unbound[807:0] fatal error: could not open ports

Werfjes avatar Nov 01 '22 20:11 Werfjes

Is there something else on port 8953?

The DNSMASQ warning I also got when I had "allow only local requests" ticked in the GUI. I had it the way shown below and tried "only allow local requests", but reverted back almost immediately.

image

Tested dig and I get:

pi@raspberrypi:~/pi-hole $ dig sigok.verteiltesysteme.net

; <<>> DiG 9.16.33-Debian <<>> sigok.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24796
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139

;; Query time: 95 msec
;; SERVER: 10.0.0.150#53(10.0.0.150)
;; WHEN: Wed Nov 02 09:49:33 CET 2022
;; MSG SIZE  rcvd: 71

pi@raspberrypi:~/pi-hole $ dig sigfail.verteiltesysteme.net

; <<>> DiG 9.16.33-Debian <<>> sigfail.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24430
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 215 msec
;; SERVER: 10.0.0.150#53(10.0.0.150)
;; WHEN: Wed Nov 02 09:49:42 CET 2022
;; MSG SIZE  rcvd: 57

whether I run it from within the container or on the host.

One more thing: above it says PIHOLE_DNS with the value 127.0.0.1#5335. The environment variable name should be PIHOLE_DNS_ .

What does your docker-compose file look like?

pluim003 avatar Nov 02 '22 08:11 pluim003
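The two dig runs above (through the container's unbound on 127.0.0.1#5335 and through the host resolver on 10.0.0.150) together tell you whether the problem is DNSSEC validation or the resolver itself. The following is an added example, not code from the thread or from the pihole-unbound project: it parses dig output of the shape quoted above and classifies the resolver. The sample outputs are constructed to match what the thread shows; the third sample (a non-validating forwarder) is an assumed case added for contrast.

```python
"""Classify a resolver's DNSSEC behaviour from dig output.

Added example, not part of the issue thread. The rule used:
  - sigok SERVFAIL                       -> the resolver is failing outright (not a DNSSEC problem)
  - sigok NOERROR+ad and sigfail SERVFAIL -> the resolver validates correctly
  - sigok NOERROR and sigfail NOERROR      -> answers are returned but nothing is validated
"""
import re

# Constructed samples, trimmed to the lines that matter; shapes follow dig 9.16 as quoted in the thread.
CONTAINER_SIGOK = """; <<>> DiG 9.16.33-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46293
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5335(127.0.0.1)
"""
CONTAINER_SIGFAIL = """; <<>> DiG 9.16.33-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5335(127.0.0.1)
"""
HOST_SIGOK = """; <<>> DiG 9.16.33-Debian <<>> sigok.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24796
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
;; SERVER: 10.0.0.150#53(10.0.0.150)
"""
HOST_SIGFAIL = """; <<>> DiG 9.16.33-Debian <<>> sigfail.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24430
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 10.0.0.150#53(10.0.0.150)
"""
# Assumed case, not from the thread: a forwarder that answers the bad name without validating.
NOVALIDATE_SIGFAIL = """; <<>> DiG 9.16.33-Debian <<>> sigfail.verteiltesysteme.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 10.0.0.1#53(10.0.0.1)
"""
NOVALIDATE_SIGOK = HOST_SIGOK.replace("qr rd ra ad;", "qr rd ra;")

STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig(text):
    """Extract the RCODE and the header flag set from one dig run."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
    }


def classify(sigok_out, sigfail_out):
    """Return 'resolver-broken', 'validating', 'not-validating' or 'inconclusive'."""
    ok, bad = parse_dig(sigok_out), parse_dig(sigfail_out)
    if ok["status"] == "SERVFAIL":
        return "resolver-broken"  # even the correctly signed name fails, so look at the resolver, not DNSSEC
    if ok["status"] == "NOERROR" and "ad" in ok["flags"] and bad["status"] == "SERVFAIL":
        return "validating"       # the expected result for a working validating unbound
    if ok["status"] == "NOERROR" and bad["status"] == "NOERROR":
        return "not-validating"   # the bogus signature was accepted
    return "inconclusive"


if __name__ == "__main__":
    print("container unbound:", classify(CONTAINER_SIGOK, CONTAINER_SIGFAIL))
    print("host resolver:    ", classify(HOST_SIGOK, HOST_SIGFAIL))
    print("forwarder:        ", classify(NOVALIDATE_SIGOK, NOVALIDATE_SIGFAIL))
```

Feed it the raw text of `dig sigok.verteiltesysteme.net @<resolver>` and `dig sigfail.verteiltesysteme.net @<resolver>`; the point of checking sigok first is that a SERVFAIL there means unbound never produced an answer at all, which matches its refusal to start in the log above, whereas a healthy validator only fails sigfail.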

Hi, thanks for your help and time.

I am using Portainer deployment of the docker, I just redeployed it, in the hope it may help, but alas.

As can be seen in the screenshots: the Docker and PiHole run, however only without Unbound, with Google DNS instead. image

And I would like to use Unbound. :-)

Changing (in the PiHole website) the:

  • upstream DNS from Google DNS to Unbound by adding 127.0.0.1#5335 -> resulting in SERVFAILs.
  • Interface Settings from "Only local" to "All origins" (or any other one) -> resulting in SERVFAILs and N/A. image

Question: Is there something else on port 8953? Reply: I don't think so; on:

  • Raspberry nothing is using 8953 (checked via sudo netstat -tulpn | grep LISTEN )
  • docker console netstat doesn't work, however I didn't open a port (in docker). Just to double check, I opened 8953 UDP & TCP ports and redeployed the docker; now $ sudo netstat -tulpn | grep LISTEN shows the 8953 ports are used by docker-proxy
    tcp        0      0 0.0.0.0:8953            0.0.0.0:*               LISTEN      7065/docker-proxy
    tcp6       0      0 :::8953                 :::*                    LISTEN      7072/docker-proxy

and still SERVFAIL issues

I looked again at: sudo unbound -d -vvvv still complains "cannot open control interface 127.0.0.1 8953". It seems that the localhost IP (127.0.0.1) is giving issues. I have found something on this (thanks Google), but it is way too complex for me: https://github.com/NLnetLabs/unbound/issues/252

Question: How does your docker-compose file look? Reply: I am using the default compose file (only changed the 5335 setting), added into Portainer and deployed it...... This is the compose file:


version: '3.0'
volumes:
  etc_pihole-unbound:
  etc_pihole_dnsmasq-unbound:
services:
  pihole:
    container_name: pihole
    image: cbcrowe/pihole-unbound:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAIN_NAME}
    ports:
      - 443:443/tcp
      - 53:53/tcp
      - 53:53/udp
      - ${PIHOLE_WEBPORT:-80}:80/tcp #Allows use of different port to access pihole web interface when other docker containers use port 80
      - 5335:5335/tcp # Uncomment to enable unbound access on local server
      # - 22/tcp # Uncomment to enable SSH
    environment:
      - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
      - TZ=${TZ:-UTC}
      - WEBPASSWORD=${WEBPASSWORD}
      - WEBTHEME=${WEBTHEME:-default-light}
      - REV_SERVER=${REV_SERVER:-false}
      - REV_SERVER_TARGET=${REV_SERVER_TARGET}
      - REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN}
      - REV_SERVER_CIDR=${REV_SERVER_CIDR}
      - PIHOLE_DNS_=127.0.0.1#5335
      - DNSSEC="true"
      - DNSMASQ_LISTENING=single
    volumes:
      - etc_pihole-unbound:/etc/pihole:rw
      - etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
    restart: unless-stopped

I sincerely hope this info helps

Kind regards, Marc

Werfjes avatar Nov 02 '22 13:11 Werfjes

Hmm… frankly I don’t know what’s going wrong. Maybe someone else knows it. Don’t see anything weird in the docker-compose-file. I have used Chris’s image for about 8 months without any problems. Now running with a fork and modified with a more recent version of Unbound.

Your logs also don't show the specific clients, only localhost or the IP address of the container? Maybe that can give a clue.

What do the environment variables look like? Could you paste the values from your .env-file (of course removing the webpassword).

pluim003 avatar Nov 02 '22 16:11 pluim003

I thought the environment variables were loaded via the docker compose file.

Thus:

environment:
  - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
  - TZ=${TZ:-UTC}
  - WEBPASSWORD=${WEBPASSWORD}
  - WEBTHEME=${WEBTHEME:-default-light}
  - REV_SERVER=${REV_SERVER:-false}
  - REV_SERVER_TARGET=${REV_SERVER_TARGET}
  - REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN}
  - REV_SERVER_CIDR=${REV_SERVER_CIDR}
  - PIHOLE_DNS_=127.0.0.1#5335
  - DNSSEC="true"
  - DNSMASQ_LISTENING=single

And I don't use a rev_server... so... the only thing could be the FTLCONF_LOCAL_IPV4....

Werfjes avatar Nov 02 '22 17:11 Werfjes

Well, if you don’t put them hardcoded in your docker-compose-file the values have to be in a file called .env in that same folder. So I’m wondering what the values are in the .env-file. There will be lines like Dunno what happens if it’s blank. I’ll check out my .env-file later this evening (or tomorrow).

pluim003 avatar Nov 02 '22 18:11 pluim003

That would help a lot. I have been fiddling with the values / settings..

So if you could help... Thanks

Werfjes avatar Nov 04 '22 00:11 Werfjes

pi@raspberrypi:~/pi-hole $ cat .env
HOSTNAME=pihole.mydomain.nl
TZ=Europe/Amsterdam
WEBPASSWORD=xxxxxx
WEB_PORT=8100
FTLCONF_LOCAL_IPV4=10.0.0.150
REV_SERVER=true
REV_SERVER_TARGET=10.0.0.1
REV_SERVER_DOMAIN=pihole.local
REV_SERVER_CIDR=10.0.0.0/24
#DNS1=10.0.0.150
FTLCONF_MAXDBDAYS=180

Note I use the 10.0.0.x as this one is connected to my TP-Link Deco-mesh.

For the one connected to the Fritz:

pi@raspberrydick:~/pi-hole $ cat .env
HOSTNAME=pihole2.mydomain.nl
TZ=Europe/Amsterdam
WEBPASSWORD=xxxxx
WEB_PORT=8100
FTLCONF_LOCAL_IPV4=192.168.178.35
REV_SERVER=true
REV_SERVER_TARGET=192.168.178.1
REV_SERVER_DOMAIN=pihole2.local
REV_SERVER_CIDR=192.168.178.0/24
#DNS1=192.168.178.35
FTLCONF_MAXDBDAYS=180

mydomain is something else, but I replaced the original value here.

pluim003 avatar Nov 04 '22 05:11 pluim003

Well I am completely lost now.

image

added the Environment variables... redeployed and still SERVFAIL

However the client IP numbers are wrong... !?!?? image

Werfjes avatar Nov 06 '22 10:11 Werfjes

You mean the 172.18.0.1? That's the IP of your docker container and you will most likely see that in the overview of containers in Portainer:

image

Then I'm also lost. I now presume/assume it has to do something with:

[1667331143] unbound[807:0] debug: creating tcp4 socket 127.0.0.1 8953
[1667331143] unbound[807:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953 (len 16)
[1667331143] unbound[807:0] error: cannot open control interface 127.0.0.1 8953
[1667331143] unbound[807:0] fatal error: could not open ports

I found on your already mentioned link https://github.com/NLnetLabs/unbound/issues/252 that this port has to do with remote control. The weird thing is that in my conf it's set to yes, but if I enter the command it won't do anything with port 8953. Could you check remote-control.conf (in unbound.conf.d) and check the settings. If it's yes, I would suggest changing it to no and see if that solves it. My conf below.

root@pihole:/etc/unbound/unbound.conf.d# cat remote-control.conf
remote-control:
  control-enable: yes
  # by default the control interface is 127.0.0.1 and ::1 and port 8953
  # it is possible to use a unix socket too
  control-interface: /run/unbound.ctl

If this doesn't help then I'm afraid I can't help you further with this problem. As I guess it might be unbound-specific then I'd suggest trying it there.

pluim003 avatar Nov 06 '22 13:11 pluim003
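The conf quoted above explains why pluim003's unbound never touches port 8953: `control-enable: yes` opens a listener, but because `control-interface` names a unix socket path, no TCP port is bound. The following is an added example, not code from the thread or from the pihole-unbound project: it reads the `remote-control:` clause of an unbound.conf-style file and reports which listeners unbound will open, so a configuration that would collide on 127.0.0.1:8953 can be spotted before the daemon fails with "could not open ports". The defaults it assumes (control-enable no, control-port 8953, control-interface 127.0.0.1 and ::1 when unset) are those documented in unbound.conf(5); the sample configs are constructed.

```python
"""Report the control listeners an unbound remote-control: clause will open.

Added example, not part of the issue thread. A control-interface beginning with '/'
is a unix socket (no TCP port); otherwise unbound binds control-port (default 8953)
on each listed address, or on 127.0.0.1 and ::1 when none is listed.
"""
import socket

# Constructed sample: the conf quoted in the thread.
UNIX_SOCKET_CONF = """remote-control:
  control-enable: yes
  # by default the control interface is 127.0.0.1 and ::1 and port 8953
  control-interface: /run/unbound.ctl
"""
# Constructed sample: remote control enabled with the documented defaults, after a server: clause.
DEFAULT_TCP_CONF = """server:
  interface: 127.0.0.1@5335
remote-control:
  control-enable: yes
"""
# Constructed sample: remote control off.
DISABLED_CONF = """remote-control:
  control-enable: no
"""


def parse_remote_control(conf_text):
    """Return {'enable': bool, 'interfaces': [str], 'port': int} for the remote-control: clause."""
    enable, interfaces, port = False, [], 8953
    in_clause = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header such as server: or remote-control:
            in_clause = line == "remote-control:"
            continue
        if not in_clause:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "control-enable":
            enable = value.lower() == "yes"
        elif key == "control-interface":
            interfaces.append(value)                 # the option may repeat, one address per line
        elif key == "control-port":
            port = int(value)
    return {"enable": enable, "interfaces": interfaces, "port": port}


def effective_listeners(conf_text):
    """List (kind, address, port) tuples unbound will bind; port is None for a unix socket."""
    rc = parse_remote_control(conf_text)
    if not rc["enable"]:
        return []
    addresses = rc["interfaces"] or ["127.0.0.1", "::1"]
    return [("unix", a, None) if a.startswith("/") else ("tcp", a, rc["port"]) for a in addresses]


def port_free(address, port):
    """True when a TCP listener can be bound on address:port right now (the check unbound's startup does)."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((address, port))
            return True
        except OSError:            # EADDRINUSE is the "Address already in use" case from the log
            return False


if __name__ == "__main__":
    for kind, address, port in effective_listeners(DEFAULT_TCP_CONF):
        if kind == "tcp":
            print(f"{address}:{port} free: {port_free(address, port)}")
```

Run it against the contents of unbound.conf plus everything in unbound.conf.d; if it reports a TCP listener that `port_free` says is taken, that is the collision the log above describes, and switching `control-interface` to a unix socket path (as in the quoted conf) or setting `control-enable: no` removes the TCP bind.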

In both my raspberry and my docker I don't have a remote-control.conf

pi@raspberrypi:/etc/unbound/unbound.conf.d $ ls
resolvconf_resolvers.conf
root@36af1e916d5a:/etc/unbound/unbound.conf.d# ls
pi-hole.conf  root-auto-trust-anchor-file.conf

in fact in both Docker and Raspberry, there is

find remote-controle.conf
find: 'remote-controle.conf': No such file or directory

Well, thanks for your help

Werfjes avatar Nov 06 '22 21:11 Werfjes

The thing can also be an addition to the regular unbound.conf. And it could be that it got there through another install. It's on a volume so will stay there upon recreating my container and overwrite the original contents of the image.

pluim003 avatar Nov 07 '22 07:11 pluim003

Hello, I'm experiencing this same issue. Raspberry Pi 4 running Portainer and one-container, dig requests trying to use unbound will always time out, and running unbound -d -vvvv will throw the same error about port 8953. I tried to add a new port to the stack and it didn't work either.

unclamped avatar Dec 07 '22 17:12 unclamped

Hi Guys, can you give us please some love, help and support in these cold and difficult times :-)

Werfjes avatar Dec 14 '22 19:12 Werfjes

Has it worked before? What happens with the original pihole-container (without unbound)? There is a newer pihole-release which I use in my latest image (forked repo from Chris, but together with the latest release of unbound).

pluim003 avatar Dec 14 '22 21:12 pluim003

Hi Pluim,

Well, I have a Raspberry PiHole & unbound working without a container, but I will try to set up the original pihole-container (without unbound) and get back to you

Werfjes avatar Dec 14 '22 21:12 Werfjes

Has it worked before? What happens with the original pihole-container (without unbound)? There is a newer pihole-release which I use in my latest image (forked repo from Chris, but together with the latest release of unbound).

This is my first time trying out this project, so no, it has not ever worked for me. The official Pi-hole container works perfectly fine. I'll do some testing with your fork after Sunday, thanks for bringing this up.

unclamped avatar Dec 15 '22 01:12 unclamped

I had this same issue multiple times now. I've had the single container implementation running successfully, but randomly this started happening twice in a few months. First time I don't recall what I did to fix it, but this time I disabled custom upstream (127.0.0.1#5335) and disabled Use DNSSEC in pihole, enabling Cloudflare ipv4. After saving, I brought docker compose down and back up, changed settings back to what they were before (enable Use DNSSEC, enable upstream 127.0.0.1#5335, disable cloudflare ipv4) and after saving everything started working again. I even tried restarting compose again just to be sure and it's still working (which would suggest either a timing issue, or something that's persistent in the volumes). So I unexpectedly fixed the issue, but still don't know the cause (so I assume it will happen again).

Also, I still see the same errors in my unbound logs:

[1667331143] unbound[807:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953 (len 16)
[1667331143] unbound[807:0] error: cannot open control interface 127.0.0.1 8953
[1667331143] unbound[807:0] fatal error: could not open ports

Not sure if it was a matter of timing, or this is just a (different) problem that is not affecting the usage of it. But does the main problem have anything to do with DNSSEC options? RE: pihole I am capable and know some, know near nothing about unbound other than troubleshooting a few things and then forget it over a few months and re-learn it when have to troubleshoot again.

When looking into this I also discovered it's using an older version of unbound, to get things working I did some modification to the compose file and envs, and honestly I'm not a big fan of how the process of building the image is non-standard. I will probably look into moving away from this implementation to a different one, but (also honestly) when I tried to do this before I couldn't find any other ones that worked so well out of the box. Maybe there is a better one nowadays...

If it helps I can post all of my configs etc. but not sure if that'll help here? I'd be interested to know if my steps of disable/reenable pihole --> unbound connection works for others (who had it working before in the past, as first time users could have a host of other issues)

amphibithen avatar Jan 31 '23 15:01 amphibithen

When looking into this I also discovered it's using an older version of unbound, to get things working I did some modification to the compose file and envs, and honestly I'm not a big fan of how the process of building the image is non-standard. I will probably look into moving away from this implementation to a different one, but (also honestly) when I tried to do this before I couldn't find any other ones that worked so well out of the box. Maybe there is a better one nowadays...

If it helps I can post all of my configs etc. but not sure if that'll help here? I'd be interested to know if my steps of disable/reenable pihole --> unbound connection works for others (who had it working before in the past, as first time users could have a host of other issues)

I forked the repo of Chris a while ago and modified it so that it uses the most recent version of Unbound (from debian:testing) which in the latest image is 1.17.0, but the next one will contain 1.17.1 (as that has now been promoted to testing). It's working fine for ages at my site although I don't look frequently in the unbound-logfiles but recently at least no errors.

pluim003 avatar Feb 02 '23 07:02 pluim003

Hey, I totally forgot about this issue. Sorry about that. I tried installing your fork with docker and Portainer (by the way, the advice from Chris about the volumes is no longer needed. You can safely remove it), but I'm getting an issue when trying to deploy it: failed to deploy a stack: Network pihole-unbound_default Creating Network pihole-unbound_default Created Container pihole-unbound Creating Container pihole-unbound Created Container pihole-unbound Starting Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/data/compose/23/one-container/resolv.conf" to rootfs at "/etc/resolv.conf": mount /data/compose/23/one-container/resolv.conf:/etc/resolv.conf (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

unclamped avatar Feb 10 '23 15:02 unclamped

The issue in my previous comment is now being tracked on https://github.com/pluim003/docker-pihole-unbound/issues/14

unclamped avatar Feb 17 '23 21:02 unclamped

Wondering if the original problem, mentioned by @Werfjes is still present.

pluim003 avatar Feb 18 '23 08:02 pluim003

Hi,

I gave up installing "docker-pihole-unbound" with portainer. Due to the above mentioned issue.

However I installed "docker-pihole-unbound" with compose and worked fine ...

Werfjes avatar Feb 20 '23 05:02 Werfjes