Showing results for 
Search instead for 
Did you mean: 

DNSSEC blocking

Tuning in

I've been using a Pi-hole for approximately a year with DNSSEC via Unbound and previous to that I was using Simple DNSCrypt, recently the Pi-hole stopped resolving addresses, even when I removed Unbound from the equation and switched to standard DNSSEC resolving natively in Pi-hole using either DNSWatch or Quad9 servers I got nothing except the cached results.

When I disabled DNSSEC and used standard DNS lookups, everything started working fine, I even did a clean install of Pi-hole and no joy, Simple DNSCrypt had no luck either. soon as I put my SuperHub 5 into modem mode and connected via my AX3000 I could resolve DNSSEC on every device.

So my question for a Virgin representative is, are you now blocking DNSSEC (an open standard) on your routers or network? ...and if so, why?


Alessandro Volta

But the more interesting question is why was you using router mode if modem mode works!

With VM anything is possible I even think in router mode VM makes DNS requests to VM DNS as a way for them to test their network as a way to check the network so a update to the hub may try to link your DNS requests to a given DNS that supports DNSSEC and then does its own DNS to VM DNS which does not support DNSSEC and so it fails in router mode and not modem mode.

...Or VM have done this to stop people using other DNS making you choose modem mode or their way router mode   



With the Hub 5 in Router mode the DNS server behaviour has looked very odd some time.

E.g. one can use:    nslookup    a Hub 5 will resolve where a 3 & 4 will not.

It as also been noted that with Hub 5's :

1) All DNS queries are being intercepted by the Hub 5 - for what purpose ?
2) DNS Queries for some AWS hosts time out with both VM DNS & any Public DNS - blocking genuine websites.

Hub 5 only looks useful as a modem.

...because at the time I negotiated the SuperHub 5 when they suddenly deactivated my SuperHub 3 with no notice, I wasn't flush with cash and I expected a brand new device to you know, work. My AX3000 has been in Access Point mode providing wireless for the rear of the house.

Honestly I expected more after all the previous problems with Virgin router firmwares and chipsets, I thought they would have learnt better by now, this SH5 doesn't even passthru DHCP requests to my server for approximately half of my Android devices on wireless, I have to specify their IPs manually, wth is that about?

My personal finances and choice of network topology are irrelevant though.

Your wild supposition doesn't really answer why the sudden changes after years of successful usage on a SH3 and SH5, it would be more realistic to assume a policy change.

They are very successfully implementing court ordered blocks to domains such as TPB, etc... I really don't understand why we should have even less privacy with DNSSEC being blocked (arguably as important to the future of a secure internet as SPF and SenderID is to reducing spam email, DNSSEC is going to see much more common usage, it's not just for nerds now, quite a few OSes/devices have it baked in now).

I assume it's a method to force standard DNS usage which can be harvested quite trivially (even using non VM DNS) without having to invest in deep packet inspection to log our browsing habits.

Alessandro Volta

I'm sure many more people will see this and some will complain but for some things like this VM will not back down.

VM seem to want you to use the internet their way and for things they want to support how sad that is.


Tuning in

I will admit I am assuming malice but considering the DHCP problem I mentioned and the history of poor routers it could simply be incompetence following RFCs/well documented standards.

Well I bought another AX3000 now, DNSSEC problem resolved, DHCP problem resolved, faster wireless, faster speedtests, more control.

I was dumb to get my hopes up about the SH5.

It was also a blast during this fault finding process to find I couldn't get through to technical support on the phone until I have payed an invoice that isn't due until the 15th of September... stay classy Virgin.


"Your wild supposition" - With 35 years of infrastructure delivery experience that was quite comical !

Folks do their nuts in screaming for a Hub 5, but in Router mode this is the reality ...

1. Wi-Fi & DHCP Fail when both SSIDs are changed. ( in the Wizard and in the Menu )
2. DHCP Fails with multiple DHCP devices.
3. DHCP Reserved IP list fails to accept entries.
4. DNS All queries are being intercepted by the Hub 5.
5. DNS Queries for AWS hosts time out with both VM DNS & Public DNS.
6. DNS DNSSEC queries fail.
7. Port Forwarding may not work.
8. RTSP stream / VRChat crashes & reboots Hub 5.
9. Wi-Fi 6 / 802.11ax Fails to be visible to many 2.4GHz only devices.

"Your wild supposition" was a reply to legacy1 if you see the header of the post as he took a stab of guestimating the process.

I've been a sysadmin for 20 years mate, I wasn't disrespecting you, there's only so much we can infer by packet sniffing, etc. Suffice to say, non of us have written this god awful firmware originally developed for the US market (where they love to sniff your traffic for profit and LEA) before the thing was rebranded and had a new shell slapped on it and deployed it on an underpowered chipset and none of us can fathom the spaghetti logic implemented.

Regarding asking for a SH5, I simply needed a new router after they refused to let me use a SH2 (I misspoke when I said SH3, I refused to touch that trash after the whole Puma chipset, jitter issues) anymore and needed half decent wireless, my fault for expecting it to be feature complete.

None of this explains why I used to be able to use DNSSEC and it's suddenly stopped working, I configured the thing week one, seven months ago and have barely touched it since, for it to suddenly change seems nefarious as there are plenty of reasons for preventing DNSSEC that benefit VM.