First, let me say this post gave me TONs to try. You all really gave such good information!
The issue I am facing:
I’ve installed Pi-Hole on my RaspPi5 and installed Unbound. I started with the basic config file found here and I tried this one too, and then, about 100 tweaks.
I also tried resetting my keys and pulling in IANA certs, and no matter what I do, I can’t get resolution via Unbound so that I can hook Pi-hole up to use it. I get SERVFAIL. I have a megaload of “query response was THROWAWAY” lines in my logs, which I know is supposed to point to cert issues or time issues; neither, I think, is a problem here.
I am hoping I’m not in that pool of people where “there is just no fixing it.” I’ve been beating my head against the wall, troubleshooting this for the last few days. Do y’all have any ideas? Thank you!!!
Querying google.com
dig google.com @127.0.0.1 -p 5335
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> google.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Sun Nov 02 22:15:32 EST 2025
;; MSG SIZE rcvd: 39
My .conf file
server:
verbosity: 4
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
root-hints: "/var/lib/unbound/root.hints"
harden-glue: yes
harden-large-queries: yes
harden-dnssec-stripped: yes
edns-buffer-size: 1232
rrset-roundrobin: yes
cache-min-ttl: 300
cache-max-ttl: 86400
serve-expired: yes
harden-algo-downgrade: yes
harden-short-bufsize: yes
hide-identity: yes
identity: "Server"
hide-version: yes
do-daemonize: no
neg-cache-size: 4m
qname-minimisation: yes
deny-any: yes
minimal-responses: yes
prefetch: yes
prefetch-key: yes
num-threads: 1
msg-cache-size: 50m
rrset-cache-size: 100m
so-reuseport: yes
so-rcvbuf: 4m
so-sndbuf: 4m
unwanted-reply-threshold: 100000
log-queries: no
log-replies: no
log-servfail: no
log-local-actions: no
logfile: "/var/log/unbound/unbound.log"
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
Trying to regenerate my certs/keys
sudo -u unbound unbound-anchor -vv -f /etc/resolv.conf
/usr/share/dns/root.key has content
no last_success probe time in anchor file
/etc/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
trusted certificates (0/1)
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
resolved server address 23.54.127.44
resolved server address 23.54.127.47
resolved server address 2600:1402:1400:15::17d1:bcc5
resolved server address 2600:1402:1400:15::17d1:bcd8
connect to 23.54.127.44
server SSL certificate
Issuer: C=US, O=Let's Encrypt, CN=R12
Validity
Not Before: Oct 31 21:05:45 2025 GMT
Not After : Jan 29 21:05:44 2026 GMT
Subject: CN=data.iana.org
SSL_write: GET /root-anchors/root-anchors.xml HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.22.0
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Last-Modified: Tue, 05 Nov 2024 19:23:41 GMT'
header: 'ETag: "745-6262f56c4cf39-gzip"'
header: 'Access-Control-Allow-Origin: *'
header: 'X-Frame-Options: SAMEORIGIN'
header: 'Referrer-Policy: origin-when-cross-origin'
header: 'Access-Control-Allow-Methods: GET'
header: 'Content-Type: text/xml'
header: 'Strict-Transport-Security: max-age=48211200; preload'
header: 'Cache-Control: max-age=36910'
header: 'Date: Mon, 03 Nov 2025 03:14:45 GMT'
header: 'Alt-Svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600'
header: 'Content-Length: 1861'
header: 'Connection: keep-alive'
header: 'Akamai-Cache-Status: Hit from child'
at 0/1861
read 1861 data
fetched root-anchors/root-anchors.xml (1861 bytes)
connect to 2600:1402:1400:15::17d1:bcd8
connect: Network is unreachable
connect to 2600:1402:1400:15::17d1:bcc5
connect: Network is unreachable
connect to 23.54.127.44
server SSL certificate
Issuer: C=US, O=Let's Encrypt, CN=R12
Validity
Not Before: Oct 31 21:05:45 2025 GMT
Not After : Jan 29 21:05:44 2026 GMT
Subject: CN=data.iana.org
SSL_write: GET /root-anchors/root-anchors.p7s HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.22.0
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Last-Modified: Mon, 04 Aug 2025 16:19:24 GMT'
header: 'ETag: "9db-63b8c788f08b3"'
header: 'Vary: Accept-Encoding'
header: 'Accept-Ranges: bytes'
header: 'X-Frame-Options: SAMEORIGIN'
header: 'Referrer-Policy: origin-when-cross-origin'
header: 'Strict-Transport-Security: max-age=48211200; preload'
header: 'Content-Length: 2523'
header: 'Content-Type: application/pkcs7-signature'
header: 'Cache-Control: max-age=47008'
header: 'Date: Mon, 03 Nov 2025 03:14:45 GMT'
header: 'Alt-Svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600'
header: 'Connection: keep-alive'
header: 'Akamai-Cache-Status: Hit from child'
at 0/2523
read 2523 data
fetched root-anchors/root-anchors.p7s (2523 bytes)
parsed the PKCS7 signature
setup the X509_STORE
signer 0: Subject: /O=ICANN/CN=DNSSEC Trust Anchor Verification/emailAddress=dnssec@iana.org
the PKCS7 signature verified
XML was parsed successfully, 2 keys
success: the anchor has been updated using the cert
Netstat -tupl
netstat -tupl
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:5335 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:domain 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN -
tcp6 0 0 [::]:https [::]:* LISTEN -
tcp6 0 0 [::]:domain [::]:* LISTEN -
tcp6 0 0 [::]:ssh [::]:* LISTEN -
tcp6 0 0 [::]:http [::]:* LISTEN -
udp 0 0 localhost:5335 0.0.0.0:* -
udp 0 0 0.0.0.0:mdns 0.0.0.0:* -
udp 0 0 0.0.0.0:47080 0.0.0.0:* -
udp 0 0 0.0.0.0:domain 0.0.0.0:* -
udp 0 0 0.0.0.0:ntp 0.0.0.0:* -
udp6 0 0 [::]:mdns [::]:* -
udp6 0 0 [::]:39148 [::]:* -
udp6 0 0 [::]:domain [::]:* -
udp6 0 0 [::]:ntp [::]:* -
Time stuff
timedatectl timesync-status
Server: 23.142.248.9 (2.debian.pool.ntp.org)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
Leap: normal
Version: 4
Stratum: 2
Reference: A975510C
Precision: 1us (-24)
Root distance: 20.125ms (max: 5s)
Offset: -6.154ms
Delay: 54.301ms
Jitter: 11.675ms
Packet count: 44
Frequency: +6.568ppm
timedatectl
Local time: Mon 2025-11-03 19:23:41 EST
Universal time: Tue 2025-11-04 00:23:41 UTC
RTC time: Tue 2025-11-04 00:23:41
Time zone: America/New_York (EST, -0500)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Details about my system:
Pi5
Linux 6.12.47+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.47-1+rpt1 (2025-09-16) aarch64 GNU/Linux
What I have changed since installing Pi-hole: I added Let's Encrypt for the Pi-hole management site, then I added Unbound.
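A small triage script, added here as an example and not something from the post or from the Pi-hole or Unbound projects, that separates the two usual causes of a SERVFAIL from a validating resolver. Repeating the query with +cd (checking disabled) tells Unbound to skip DNSSEC validation: if it still SERVFAILs, the problem is in iteration (reaching upstream servers, or their replies being discarded as unusable, which is what the THROWAWAY lines record); if it succeeds with +cd, the problem is in validation (trust anchor or clock). It assumes the 127.0.0.1:5335 listener and the log path from the posted config, and the dig and log samples inside it are constructed so the parsing can be checked offline.

```shell
#!/bin/sh
# Added triage helper, not part of the original post. Assumes Unbound listens on
# 127.0.0.1:5335 and logs to /var/log/unbound/unbound.log (both taken from the
# posted unbound.conf); override with environment variables if yours differ.

UNBOUND_ADDR="${UNBOUND_ADDR:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5335}"
UNBOUND_LOG="${UNBOUND_LOG:-/var/log/unbound/unbound.log}"

# Print the rcode (NOERROR, SERVFAIL, ...) from dig output read on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed when the dig output on stdin carries the AD flag, i.e. the resolver
# validated the answer with DNSSEC.
dig_has_ad() {
    grep -q '^;; flags:[^;]* ad[ ;]'
}

# Interpret a pair of rcodes: $1 from a normal query, $2 from the same query
# with +cd. +cd asks the resolver to skip DNSSEC validation, so a SERVFAIL
# that goes away with +cd is a validation problem (trust anchor, clock),
# while a SERVFAIL that stays is an iteration problem (upstream unreachable
# or its replies being discarded).
classify() {
    case "$1/$2" in
        NOERROR/*)         echo "ok: resolving and validating" ;;
        SERVFAIL/NOERROR)  echo "validation: check root.key, unbound-anchor and the clock" ;;
        SERVFAIL/SERVFAIL) echo "iteration: check outbound UDP/TCP 53 and root.hints" ;;
        *)                 echo "unknown: normal=$1 cd=$2" ;;
    esac
}

# Count "query response was THROWAWAY" lines in an Unbound log read on stdin.
count_throwaway() {
    grep -c 'query response was THROWAWAY' || true
}

# Constructed samples: the first two mirror the header of the dig output in
# the post, the log lines are made up to match Unbound's message text.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_LOG='info: query response was THROWAWAY
info: resolving google.com. A IN
info: query response was THROWAWAY'

# Live checks against the running resolver; only run with --live so the
# functions above can be sourced and exercised offline.
run_live() {
    normal=$(dig "@$UNBOUND_ADDR" -p "$UNBOUND_PORT" +time=3 +tries=1 google.com A | dig_status)
    cd_status=$(dig "@$UNBOUND_ADDR" -p "$UNBOUND_PORT" +time=3 +tries=1 +cd google.com A | dig_status)
    normal=${normal:-TIMEOUT}
    cd_status=${cd_status:-TIMEOUT}
    echo "google.com: normal=$normal cd=$cd_status -> $(classify "$normal" "$cd_status")"
    # Can this host reach a root server on port 53 at all? (198.41.0.4 is a.root-servers.net)
    root=$(dig @198.41.0.4 +time=3 +tries=1 . NS | dig_status)
    echo "direct query to a.root-servers.net: ${root:-TIMEOUT}"
    if [ -r "$UNBOUND_LOG" ]; then
        echo "THROWAWAY lines in $UNBOUND_LOG: $(count_throwaway < "$UNBOUND_LOG")"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it on the Pi as `sh triage.sh --live`. With the posted config, a SERVFAIL that persists under +cd alongside a timeout on the direct root-server query points at the path to the Internet on port 53 rather than at the trust anchor, which the unbound-anchor run above already shows being fetched and verified successfully.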