Can't get Quad9 DoT to work using Pi-hole and Unbound


Expected Behaviour:

I am trying to set up Quad9 DNS-over-TLS (DoT) on my Pi-hole and Unbound installation. I expect DNS queries to be forwarded securely over TLS to Quad9’s servers (9.9.9.9 and 149.112.112.112) on port 853, and Pi-hole should handle the DNS requests and block ads accordingly. I am running Raspberry Pi OS Lite (64-bit) on a Raspberry Pi 4.
Actual Behaviour:

When configuring Unbound to use Quad9 over DNS-over-TLS, I encounter issues where Unbound fails to restart after adding the DNS-over-TLS configuration.
The error message in the logs points to SSL handshake failures (certificate verify failed), indicating that there may be issues with Unbound’s certificate validation process when trying to establish a secure connection to the Quad9 servers.
Pi-hole’s DNS service fails to start after enabling DNS-over-TLS, blocking access to the internet when it is enabled.
Without the TLS configuration, DNS queries are successfully forwarded over regular DNS, and Pi-hole functions normally.

Crash log entry:

Feb 09 18:39:43 raspberrypi unbound[4148]: [4148:0] notice: ssl handshake failed 149.112.112.11 port 853

Additionally, the dig query fails with a SERVFAIL error:

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> google.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26181
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE rcvd: 39

This is an unbound configuration issue, in which your unbound obviously fails to communicate with Quad9's DoT servers.
Pi-hole is not involved in this.

If you'd share your unbound configuration, we could take a look for obvious misconfigurations, but to improve your chances of assistance, you should also consider consulting unbound's and Quad9's documentation and support channels.

Thanks for the reply, this is the .conf I'm using:

server:
    verbosity: 1
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-ip6: yes

    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    edns-buffer-size: 1232
    do-not-query-localhost: no

    access-control: 127.0.0.1/32 allow
    access-control: ::1 allow

# forward-zone is its own clause, not a server: option
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#authname: authname is the name the upstream certificate is checked against
    forward-addr: 9.9.9.11@853#dns.quad9.net
    forward-addr: 149.112.112.11@853#dns.quad9.net

You may be missing two lines similar to the following ones before your forward zone:

    tls-upstream: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

If that still doesn't work, you should consult unbound's and Quad9's documentation and support channels.

Thanks for that, I will try it and see if it works, and if not I will pop over to Unbound.

Thanks for the help :)

OK, I tried this and got this error:

Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.
root@ubuntu:/home/cybermodz#

and also this when I run the commands:

root@ubuntu:/home/cybermodz# systemctl status unbound.service
× unbound.service - Unbound DNS server
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Sun 2025-02-09 22:04:33 UTC; 2min 13s ago
       Docs: man:unbound(8)
    Process: 37290 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=1/FAILURE)
    Process: 37293 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=1/FAILURE)
    Process: 37296 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
    Process: 37298 ExecStopPost=/usr/libexec/unbound-helper chroot_teardown (code=exited, status=1/FAILURE)
   Main PID: 37296 (code=exited, status=1/FAILURE)
        CPU: 113ms

Not too sure what's going on here when I try to run the service. Also, how can I contact Unbound's support channels, as I might have to go down that route? I tried searching around for a fix to this.

Thanks

sudo unbound-checkconf /path/to/your/unbound.conf will check your unbound configuration file for errors (make sure you provide the correct path).

unbound's configuration file documentation can be found at NLnet Labs Documentation - Unbound - unbound.conf.5
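To tie together the two pieces of advice in this thread (add a CA bundle so unbound can verify Quad9's certificate, and validate the file with unbound-checkconf before restarting), here is an added example that is not part of the original thread or of the Pi-hole or Unbound projects. It carries a corrected unbound.conf as a string (forward-zone as its own top-level clause, tls-cert-bundle in server:, the poster's forward-tls-upstream kept), runs unbound-checkconf on it if the tool is installed, and then performs the same TLS handshake unbound performs against the poster's Quad9 addresses: once with no trust anchors loaded, which reproduces the "certificate verify failed" condition behind the "ssl handshake failed" log line, and once with the Debian CA bundle. The CA bundle path, the unbound-checkconf location in PATH and the probe name pi-hole.net are assumptions.

```python
"""Quad9 DNS-over-TLS checker for an unbound forwarder (added example, not from the thread).

Assumptions: Debian/Raspberry Pi OS CA bundle path, unbound-checkconf in PATH,
and the Quad9 addresses the poster used (9.9.9.11 / 149.112.112.11, port 853).
"""
import os
import shutil
import socket
import ssl
import struct
import subprocess
import tempfile

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"   # assumed: Debian ca-certificates location
QUAD9_NAME = "dns.quad9.net"                          # name the upstream certificate must match
QUAD9 = [("9.9.9.11", 853), ("149.112.112.11", 853)]

# Corrected configuration: forward-zone is a top-level clause (not a server: option)
# and server: carries tls-cert-bundle so the upstream certificate can be verified.
UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-ip6: yes
    access-control: 127.0.0.1/32 allow
    access-control: ::1/128 allow
    # Without this unbound has no trust anchors for the TLS upstream and logs
    # "ssl handshake failed" (certificate verify failed).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.11@853#dns.quad9.net
    forward-addr: 149.112.112.11@853#dns.quad9.net
"""


def build_query(name, qid=0x1234):
    """Minimal RFC 1035 A/IN query for `name` with RD set and one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def frame_dot(msg):
    """RFC 7858: every DNS message on the TLS stream is prefixed by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def parse_rcode(msg):
    """Return (id, rcode, ancount) from a DNS response header; rcode 2 is SERVFAIL."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, an


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream")
        buf += chunk
    return buf


def dot_probe(host, port, ca_bundle, name="pi-hole.net"):
    """Handshake like unbound does: SNI + certificate check against `ca_bundle`.
    ca_bundle=None loads no trust anchors, which is what a missing tls-cert-bundle
    amounts to, so the handshake fails with CERTIFICATE_VERIFY_FAILED."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=QUAD9_NAME) as tls:
            tls.sendall(frame_dot(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_rcode(recv_exact(tls, length))


def run_checkconf(conf_text):
    """Write the config to a temp file and run unbound-checkconf on it; None if not installed."""
    exe = shutil.which("unbound-checkconf")
    if exe is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(conf_text)
        path = f.name
    try:
        proc = subprocess.run([exe, path], capture_output=True, text=True)
        return proc.returncode, (proc.stdout + proc.stderr).strip()
    finally:
        os.unlink(path)


def main():
    print("CA bundle present:" if os.path.exists(CA_BUNDLE) else "CA bundle MISSING:", CA_BUNDLE)
    print("unbound-checkconf:", run_checkconf(UNBOUND_CONF) or "not installed")
    for host, port in QUAD9:
        for bundle in (None, CA_BUNDLE):        # first: no trust anchors; second: the real bundle
            try:
                qid, rcode, an = dot_probe(host, port, bundle)
                print(f"{host}:{port} bundle={bundle}: rcode={rcode} answers={an}")
            except ssl.SSLCertVerificationError as e:
                print(f"{host}:{port} bundle={bundle}: certificate verify failed ({e.reason})")
            except OSError as e:
                print(f"{host}:{port} bundle={bundle}: {e}")


if __name__ == "__main__":
    main()
```

Run it on the Pi before restarting unbound: a "certificate verify failed" line for bundle=None followed by rcode=0 for the real bundle means the network path and the CA store are fine and the remaining problem is in the configuration file, which the unbound-checkconf line should then pinpoint.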
