Every time I set up pihole on Debian 12 I encounter this error, so I'm making this blog post to remind myself how to fix it.

What happens is I set it up as per the instructions, first setting up unbound to use as the upstream DNS and then installing normally.

But after doing this, pi-hole does not actually work and does not actually respond to queries:

dig eda.gay @192.168.69.7

A common issue is other services using the port another service wants to use. netstat is a useful tool for finding out which service is running on a port. It can be installed with sudo apt install net-tools (I can never remember the package name). The port we are looking for here is 53. We can then check it with the command:

sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:5335 \|:8953 \|:67 \|:80 \|:471'

Which gives us:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      14551/lighttpd      
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      635/connmand        
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      4695/unbound        
tcp6       0      0 :::80                   :::*                    LISTEN      14551/lighttpd      
tcp6       0      0 ::1:53                  :::*                    LISTEN      635/connmand        
udp        0      0 127.0.0.1:53            0.0.0.0:*                           635/connmand        
udp        0      0 127.0.0.1:5335          0.0.0.0:*                           4695/unbound        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           625/avahi-daemon: r 
udp6       0      0 ::1:53                  :::*                                635/connmand        
udp6       0      0 :::5353                 :::*                                625/avahi-daemon: r

This tells us that the web services and stuff are running correctly, but a service called connmand is running on port 53. What is connman? I have no idea. Wikipedia tells us:

ConnMan is an internet connection manager for embedded devices running the Linux operating system.

I guess it's making its own DNS server and publishing itself to port 53. Let's turn off the connman DNS server so we can use pi-hole's instead.

Edit the file:

sudo vim /etc/systemd/system/multi-user.target.wants/connman.service

Change the line

ExecStart=/usr/sbin/connmand -n

to

ExecStart=/usr/sbin/connmand -n --nodnsproxy

Then reload systemd and restart the services:

sudo systemctl daemon-reload

sudo systemctl restart connman.service

sudo systemctl restart pihole-FTL.service

And yay it is working again, we can check with another dig.

Now netstat gives us:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      15483/pihole-FTL    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      14551/lighttpd      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      15483/pihole-FTL    
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      4695/unbound        
tcp6       0      0 :::80                   :::*                    LISTEN      14551/lighttpd      
tcp6       0      0 ::1:4711                :::*                    LISTEN      15483/pihole-FTL    
tcp6       0      0 :::53                   :::*                    LISTEN      15483/pihole-FTL    
udp        0      0 0.0.0.0:53              0.0.0.0:*                           15483/pihole-FTL    
udp        0      0 127.0.0.1:5335          0.0.0.0:*                           4695/unbound        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           625/avahi-daemon: r 
udp6       0      0 :::53                   :::*                                15483/pihole-FTL    
udp6       0      0 :::5353                 :::*                                625/avahi-daemon: r

Personally I think it would be useful if the pihole developers added a check to see if any foreign service is running on port 53 in the startup script.
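
A check along those lines, as an added example (not Pi-hole's code and not part of the original setup): it reads `netstat -nltup` output and reports anything other than the expected daemon bound to port 53. The function names `port53_conflicts`, `sample_before` and `sample_after` are made up for this sketch, and the sample rows are taken from the two listings above.

```shell
#!/bin/sh
# Added example: report anything other than the expected daemon bound to port 53.
# Input: `netstat -nltup` output on stdin. Output: "proto local-address pid/program".
port53_conflicts() {
    awk -v want="${1:-pihole-FTL}" '
        $1 ~ /^(tcp|udp)6?$/ {
            # The port is whatever follows the last colon (handles ::1:53 and :::53).
            n = split($4, parts, ":")
            if (parts[n] != "53") next
            # UDP rows have no State column, so find the PID/Program field by shape.
            # Without root, netstat prints "-" here; that is reported as unknown.
            owner = "-"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { owner = $i; break }
            prog = owner
            sub(/^[0-9]+\//, "", prog)
            if (prog != want) print $1, $4, owner
        }'
}

# Rows from the first netstat listing in the post (before the fix).
sample_before() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      635/connmand
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      4695/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      635/connmand
udp        0      0 127.0.0.1:53            0.0.0.0:*                           635/connmand
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           625/avahi-daemon: r
udp6       0      0 ::1:53                  :::*                                635/connmand
EOF
}

# Rows from the second listing (after --nodnsproxy).
sample_after() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      15483/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      15483/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           15483/pihole-FTL
udp6       0      0 :::53                   :::*                                15483/pihole-FTL
EOF
}

echo "before:"; sample_before | port53_conflicts
echo "after:";  sample_after  | port53_conflicts
# Live use: sudo netstat -nltup | port53_conflicts
```

Any output line means something other than pihole-FTL is holding port 53; empty output means the port is free or already owned by pihole-FTL.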