Pi-hole "BOGUS (refused upstream)" Error

I recently wondered why I was unable to access one of my own web pages. I just got a DNS error in the browser. Since I am using Pi-hole on a Raspberry Pi in my local network as a DNS server to enable Ad blocking, I noticed a "BOGUS (refused upstream)" in the Query log:

[Screenshot: BOGUS (refused upstream) error in Pi-hole]

Usage of DNSSEC

After a quick search, I tracked the problem down to DNSSEC. In case you didn't know, DNSSEC is short for Domain Name System Security Extensions. It helps improve local security by protecting against malicious DNS attacks and manipulation through mechanisms such as authenticity and data integrity checks. DNSSEC validation in Pi-hole causes the above problem. To solve it, one of the following should work; each is described in more detail in this article:

  1. Enable DNSSEC on your domain
  2. Disable DNSSEC in Pi-hole
  3. Check the correct localization and time on your Pi-hole machine

1. Enable DNSSEC on your Domain

If you are lucky and the problem is related to one of your own domains, check that DNSSEC is enabled. Review the current DNS settings directly with the provider who manages the domain. Often, a small checkbox like "Enable DNSSEC" is available. Remember that after changing domain settings, it takes some time (sometimes minutes, sometimes hours, or even up to days) until the setting has propagated everywhere in the world. You can test your domain using tools like the DNSSEC Analyzer from Verisign Labs.

2. Disable DNSSEC in Pi-hole

Another option is to disable the DNSSEC check in Pi-hole. Just navigate in the browser to your Pi-hole instance, log in, go to Settings, and uncheck the "Use DNSSEC" checkbox under the "Advanced DNS settings" section (don't forget to hit the "Save" button at the bottom of the page).

[Screenshot: "Use DNSSEC" checkbox]

3. Check Localization & Time

As mentioned in various discussions on the web, wrong time settings can sometimes cause the "BOGUS (refused upstream)" error. DNSSEC signatures are only valid within a fixed time window, so a system clock that is far off makes validation fail. Therefore, check the current time and localization setting in the Linux shell with timedatectl status. To change the timezone to UTC, use sudo timedatectl set-timezone UTC. When running a Raspberry Pi, the sudo raspi-config tool helps. Just navigate to "5 Localisation Options" and check "L1 Locale" and "L2 Timezone". When using Pi-hole with Docker, check the time settings inside the container.
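
To see why the clock matters, the following added example (not part of the original article) compares a clock reading against the validity window carried in each RRSIG record. The sample answer, the domain example.test, and the function names are constructed for illustration; the timestamps are assumed to be in the YYYYMMDDHHmmSS form that dig +dnssec prints.

```python
from datetime import datetime, timezone

# Constructed sample in the layout `dig +dnssec` prints (signature shortened).
SAMPLE_DIG_ANSWER = """\
example.test. 3600 IN A 192.0.2.10
example.test. 3600 IN RRSIG A 13 2 3600 20240215000000 20240201000000 12345 example.test. c2lnbmF0dXJl
"""


def _ts(field):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_text):
    """Return (type_covered, inception, expiration) for every RRSIG line."""
    found = []
    for line in dig_text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 7:
            continue  # truncated line, no timestamps to read
        # After "RRSIG": covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer, signature.
        found.append((fields[i + 1], _ts(fields[i + 6]), _ts(fields[i + 5])))
    return found


def check_clock(dig_text, now):
    """Classify each signature as seen by a resolver whose clock reads `now`."""
    results = []
    for covered, inception, expiration in parse_rrsigs(dig_text):
        if now < inception:
            verdict = "not-yet-valid"   # local clock is behind
        elif now > expiration:
            verdict = "expired"         # local clock is ahead, or the zone is stale
        else:
            verdict = "valid"
        results.append((covered, verdict))
    return results


if __name__ == "__main__":
    # Compare the sample against this machine's current clock.
    for covered, verdict in check_clock(SAMPLE_DIG_ANSWER, datetime.now(timezone.utc)):
        print(f"RRSIG covering {covered}: {verdict}")
```

A verdict other than "valid" for a domain that validates fine elsewhere points at the local clock rather than at the domain.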

After trying one, some, or all of the steps above, restart your system, maybe wait a day until all settings are applied, and check whether that solves the problem.
