Adblocking not working with unbound

Expected Behaviour:

Enabled unbound DNS as per the instructions on the blog. Works as far as I can tell (DNS leak test gives my own IP as my DNS, DNSSEC works, IPv6, etc.). Unbound is on port 5353. The router is a Linksys 8500 with DD-WRT installed. Pi-hole is running Raspbian Stretch, FTLDNS, all up-to-date. Additionally, https://rootcanary.org/test.html gives me a return result of all unlocked; not sure if that's a good or bad thing.

Actual Behaviour:

Not blocking ads.

Debug Token:

2qguw5f8ts

Looks like you have unbound bound to two different ports.

[5353] is in use by unbound
[8953] is in use by unbound

Do you have multiple instances running?

Not to my knowledge, I only installed it once. How can I check?

My workaround to get it working again is to set up my Pi-hole as the DHCP server, which I probably will just keep doing; however, I'm not sure if I did something wrong or if it's an unintended side effect.

Side note: how do I uninstall cloudflared?

I installed it from here:
https://docs.pi-hole.net/guides/dns-over-https/

Those dual ports might actually be normal behavior...

So everything works if you use Pi-hole as the DHCP server?

I, too, have just made the switch to unbound from cloudflared, and it seems that unbound is indeed listening on two ports by default, though I'm not sure what this means. @DL6ER or @DanSchaper will probably know!

pi@pihole:~ $ sudo netstat -tulpn | grep "unbound"
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      9822/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      9822/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           9822/unbound

That said, running dig google.com @127.0.0.1 -p 8953 yields no answer.

Personally I haven't looked into removing cloudflared right now, but in the meantime I've stopped and masked the service (sudo systemctl stop cloudflared && sudo systemctl mask cloudflared).


I went ahead and deleted all the cloudflared folders/user and stopped cloudflared via systemctl stop cloudflared.

I did a dig at 8953 and it returned no results as well:

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.0.0.1 -p 8953 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached.

Is it possible DD-WRT is port sniffing and going to port 5353 for DNS instead of 53? I didn't set it up to use a specific port (it didn't give me the option); I assumed I plugged in the IP and it would go to port 53.

From the Unbound documentation:

Remote Control Options
[...]
control-port:
The port number to listen on for IPv4 or IPv6 control interfaces,
default is 8953. If you change this and permissions have been
dropped, you must restart the server for the change to take
effect.


Okay, I figured it out, I think; I just don't know how to solve it. Maybe someone can help me, because IPv6 hurts my head.

I have my DD-WRT router pointing my IPv6 DNS to the IPv6 of the Pi-hole that is on the web interface page (should it look different? i.e. I know the 127.0.0.1 of IPv6 is ::1), and then I have my Pi-hole point IPv6 to ::1#5353.

Am I doing something wrong?

That sounds right. The clients get the IPv6 of the Pi-hole and Pi-hole uses the internal unbound server running on port 5353.


Awesome... so how are ads getting through? I don't get it. If I disable IPv6, ads are blocked.

Your router is probably sending out other IPv6 DNS settings as well, such as your ISP's DNS server.


That was my thought as well; however, dnsleaktest.com tells me the only DNS it sees is my IPv4 local.

That's because your computer only used one of the servers for that lookup. Check ipconfig /all if on Windows to see all the DNS servers you're using.

You're onto something: it's looking to my router for my DNS instead of my Pi... the DHCP should have it auto-point to the Pi... wonder what is set up wrong.
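An added check for the point the thread ends on (a client quietly using the router's resolver instead of the Pi-hole, usually an IPv6 DNS server handed out by Router Advertisement or DHCPv6). This is example code, not from the thread or the Pi-hole project; the Pi-hole addresses 192.168.1.2 and fd00::2 and the sample resolv.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project: list the
# nameservers a Linux client actually has and flag any that are not the
# Pi-hole. A stray entry (typically the router's or ISP's IPv6 resolver
# arriving via RA / DHCPv6) lets lookups bypass the blocklists even though
# the IPv4 path is set up correctly.

# Assumed Pi-hole addresses; replace with your own.
PIHOLE_V4="192.168.1.2"
PIHOLE_V6="fd00::2"

# find_dns_leaks <resolv.conf-style text>
# Prints every nameserver that is not a Pi-hole address, one per line.
# Returns 0 when all resolvers are the Pi-hole, 1 when at least one is not.
find_dns_leaks() {
    leaks=$(printf '%s\n' "$1" | awk -v v4="$PIHOLE_V4" -v v6="$PIHOLE_V6" '
        $1 == "nameserver" {
            ip = $2
            sub(/%.*/, "", ip)        # drop an IPv6 zone id such as %eth0
            if (ip != v4 && ip != v6) print ip
        }')
    if [ -z "$leaks" ]; then
        return 0
    fi
    printf '%s\n' "$leaks"
    return 1
}

# Constructed sample: both Pi-hole addresses plus a link-local router
# address that arrived through an RA, the situation described in the thread.
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 192.168.1.2
nameserver fd00::2
nameserver fe80::1%eth0'

# Run against the constructed sample, then against the live file if present.
if leaks=$(find_dns_leaks "$SAMPLE_RESOLV"); then
    echo "sample: all resolvers are the Pi-hole"
else
    echo "sample: resolvers bypassing Pi-hole:"; echo "$leaks"
fi
if [ -r /etc/resolv.conf ]; then
    if leaks=$(find_dns_leaks "$(cat /etc/resolv.conf)"); then
        echo "live: all resolvers are the Pi-hole"
    else
        echo "live: resolvers bypassing Pi-hole:"; echo "$leaks"
    fi
fi
```

On the sample, the router's fe80::1 is reported as bypassing the Pi-hole; on Windows the equivalent list comes from ipconfig /all, as suggested above.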
