Router DNS returning Refused

pdc

Regular Contributor
Hello,

I am seeing a strange issue where the router DNS is returning a status of REFUSED to clients, but if I check from the router, it works. It appears to be limited to www.cdc.gov but it's hard to say for sure.

I have a GT-AX6000 running 3004.388.6 with dn-vnstat and scMerlin add-ons.

From a client:
Code:
> dig @localhost www.cdc.gov

; <<>> DiG 9.16.48-Debian <<>> @localhost www.cdc.gov
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 36023
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.cdc.gov.            IN    A

;; Query time: 24 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Apr 06 10:31:02 CDT 2024
;; MSG SIZE  rcvd: 40

I get the same refused response if I use @<router IP>. I get a good response (same as below) if I use @1.1.1.1.

From the router:
Code:
# dig www.cdc.gov

; <<>> DiG 9.18.19 <<>> www.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38633
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.cdc.gov.                   IN      A

;; ANSWER SECTION:
www.cdc.gov.            171     IN      CNAME   www.akam.cdc.gov.
www.akam.cdc.gov.       20      IN      A       23.194.148.49

;; Query time: 54 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Apr 06 10:39:17 CDT 2024
;; MSG SIZE  rcvd: 79

I run pihole on a local server, but I see the REFUSED status even when blocking is disabled.

Any ideas what might be going on?
 
Do other websites resolve correctly when using @localhost?
How is your pihole configured? Specifically, is it set to blacklist the cdc.gov domain, either in its default filter list or some additional setting (e.g. blocking certain content, e.g. medical sites)?
Does the cdc.gov domain show up in the Pihole log immediately after you try digging it? If so, what is its status?

The fact that DNS works when you specify the @1.1.1.1 param to dig suggests that the issue is with Pihole's configuration, and the 'Refused' status is what pihole returns when a domain is being blocked by one of its blacklists.
 
I found that my pihole was configured to use the router, back when I was running unbound. Now I'm simplifying things a bit and using a commercial DNS, so I configured pihole to use that instead of the router. Problem is solved. I'm not sure what was causing the problem, but I'm happy with the workaround. Strange that it was only the one site...
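
Added example, not part of the posts above: a small Python resolver probe that decodes the same header fields dig prints (status, flags, answer count) and applies a simple heuristic for locating which hop in a forwarding chain produces REFUSED. The function names are hypothetical, the sample headers are constructed from the two dig outputs in the thread, and the hop order (pihole, then router, then 1.1.1.1) is an assumption taken from the last post.

```python
import socket
import struct

# RCODE is the low 4 bits of the 16-bit flags word in the DNS header (RFC 1035).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))

# Constructed 12-byte headers mirroring the two dig outputs in the thread.
SAMPLE_REFUSED = struct.pack("!6H", 36023, 0x8185, 1, 0, 0, 1)
SAMPLE_OK = struct.pack("!6H", 38633, 0x81A0, 1, 2, 0, 1)


def build_query(name, qid=0x1234):
    """Minimal A/IN query with RD set (no EDNS option)."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)


def parse_header(packet):
    """Decode the DNS header into the fields dig shows on its HEADER lines."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    rcode = flags & 0x000F
    return {"id": qid,
            "status": RCODES.get(rcode, "RCODE%d" % rcode),
            "flags": [name for name, bit in FLAG_BITS if flags & bit],
            "answers": an}


def ask(server, name, timeout=3.0):
    """Send one UDP query to server port 53 and return the parsed reply header."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_header(s.recv(4096))


def refusal_origin(chain):
    """chain: [(hop, status)] ordered client side first, upstream last.
    Heuristic: the furthest-upstream hop that still fails is the one to inspect."""
    failing = [hop for hop, status in chain if status != "NOERROR"]
    return failing[-1] if failing else None
```

Calling `ask()` against each resolver in the chain for the same name, then passing the `(hop, status)` pairs to `refusal_origin()`, narrows the check to one device's configuration and logs.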
 
