Expected Behaviour:
I am trying to set up Quad9 DNS-over-TLS (DoT) on my Pi-hole and Unbound installation. I expect DNS queries to be forwarded securely over TLS to Quad9’s servers (9.9.9.9 and 149.112.112.112) on port 853, and Pi-hole should handle the DNS requests and block ads accordingly. I am running Raspberry Pi OS Lite (64-bit) on a Raspberry Pi 4.
Actual Behaviour:
When configuring Unbound to use Quad9 over DNS-over-TLS, I encounter issues where Unbound fails to restart after adding the DNS-over-TLS configuration.
The error message in the logs points to SSL handshake failures (certificate verify failed), indicating that there may be issues with Unbound’s certificate validation process when trying to establish a secure connection to the Quad9 servers.
Pi-hole’s DNS service fails to start after enabling DNS-over-TLS, blocking access to the internet when it is enabled.
Without the TLS configuration, DNS queries are successfully forwarded over regular DNS, and Pi-hole functions normally.
Crash log entry:
Feb 09 18:39:43 raspberrypi unbound[4148]: [4148:0] notice: ssl handshake failed 149.112.112.11 port 853
Additionally, the dig query fails with a SERVFAIL error:
This is an unbound configuration issue, where obviously your unbound fails to communicate with Quad9's DoT servers.
Pi-hole is not involved in this.
If you'd share your unbound configuration, we could take a look for obvious misconfigurations, but to improve your chances for assistance, you should also consider consulting unbound's and Quad9's documentation and support channels.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.
root@ubuntu:/home/cybermodz#
And also this when I run the commands:
root@ubuntu:/home/cybermodz# systemctl status unbound.service
× unbound.service - Unbound DNS server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Sun 2025-02-09 22:04:33 UTC; 2min 13s ago
Docs: man:unbound(8)
Process: 37290 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=1/FAILURE)
Process: 37293 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=1/FAILURE)
Process: 37296 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
Process: 37298 ExecStopPost=/usr/libexec/unbound-helper chroot_teardown (code=exited, status=1/FAILURE)
Main PID: 37296 (code=exited, status=1/FAILURE)
CPU: 113ms
Not too sure what's going on here when I try to run the service. Also, how can I contact Unbound's support channels, as I might have to go down that route? Tried searching around for a fix to this.
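The first post reports certificate verification failing on the Quad9 DoT forwarders. As an added example (not from the thread and not the poster's configuration), this small check reads unbound.conf text and flags the two settings Unbound uses to authenticate a DoT upstream: `tls-cert-bundle` and the `#auth-name` suffix on `forward-addr`. Both sample configs are constructed, and the CA bundle path is the Debian/Ubuntu default, assumed here.

```python
import re

# Constructed sample configs, not taken from the thread. The CA bundle path is
# the Debian/Ubuntu default and is an assumption about the host.
WEAK_CONF = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853            # no auth name
    forward-addr: 149.112.112.112@853#dns.quad9.net
"""

FIXED_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
"""

def parse_pairs(conf):
    """Yield (key, value) pairs; '#' starts a comment only at a token start."""
    for raw in conf.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        key, sep, val = line.partition(":")
        if sep:
            yield key.strip(), val.strip().strip('"')

def lint_dot(conf):
    """Return findings about upstream authentication for DoT forwarders."""
    pairs = list(parse_pairs(conf))
    if ("forward-tls-upstream", "yes") not in pairs:
        return ["forward-tls-upstream is not 'yes': forwarders are not using TLS"]
    findings = []
    if not any(k == "tls-cert-bundle" and v for k, v in pairs):
        findings.append("tls-cert-bundle is unset: no CA certificates to verify upstreams")
    for key, val in pairs:
        if key == "forward-addr" and not val.partition("#")[2]:
            findings.append(f"{val}: no #auth-name, so the certificate name is not checked")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_dot(conf) or "ok")
```

Syntax errors that stop the service from starting at all are a separate matter; `unbound-checkconf` reports those.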