Can't get Unbound to resolve - RaspPi/PiHole

First, let me say this post gave me TONs to try. You all really gave such good information!

The issue I am facing:

I’ve installed Pi-Hole on my RaspPi5 and installed Unbound. I started with the basic config file found here and I tried this one too, and then, about 100 tweaks.

I also tried resetting my keys and pulling in IANA certs and no matter what I do, I can’t get resolution via Unbound so that I can hook PiHole to use it. I get SERVFAIL. I have a megaload of "query response was THROWAWAY" in my logs, which I know is supposed to point to cert issues or time issues, both of which don’t seem, I think, to be a problem.

I am hoping I’m not in that pool of people where “there is just no fixing it.” I’ve been beating my head against the wall, troubleshooting this for the last few days. Do y’all have any ideas? Thank you!!!

Querying google.com

dig google.com @127.0.0.1 -p 5335

; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> google.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 20 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Sun Nov 02 22:15:32 EST 2025
;; MSG SIZE  rcvd: 39

My .conf file

server:

    verbosity: 4

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    do-ip6: no

    prefer-ip6: no

    root-hints: "/var/lib/unbound/root.hints"

    harden-glue: yes

    harden-large-queries: yes

    harden-dnssec-stripped: yes

    edns-buffer-size: 1232

    rrset-roundrobin: yes

    cache-min-ttl: 300
    cache-max-ttl: 86400

    serve-expired: yes

    harden-algo-downgrade: yes

    harden-short-bufsize: yes

    hide-identity: yes

    identity: "Server"

    hide-version: yes

    do-daemonize: no

    neg-cache-size: 4m

    qname-minimisation: yes

    deny-any: yes

    minimal-responses: yes

    prefetch: yes

    prefetch-key: yes

    num-threads: 1

    msg-cache-size: 50m
    rrset-cache-size: 100m

    so-reuseport: yes

    so-rcvbuf: 4m
    so-sndbuf: 4m

    unwanted-reply-threshold: 100000

    log-queries: no
    log-replies: no
    log-servfail: no
    log-local-actions: no
    logfile: "/var/log/unbound/unbound.log"

    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Trying to regenerate my certs/keys

sudo -u unbound unbound-anchor -vv -f /etc/resolv.conf
/usr/share/dns/root.key has content
no last_success probe time in anchor file
/etc/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
trusted certificates (0/1)
        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
        Validity
            Not Before: Dec 23 04:19:12 2009 GMT
            Not After : Dec 18 04:19:12 2029 GMT
        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
resolved server address 23.54.127.44
resolved server address 23.54.127.47
resolved server address 2600:1402:1400:15::17d1:bcc5
resolved server address 2600:1402:1400:15::17d1:bcd8
connect to 23.54.127.44
server SSL certificate
        Issuer: C=US, O=Let's Encrypt, CN=R12
        Validity
            Not Before: Oct 31 21:05:45 2025 GMT
            Not After : Jan 29 21:05:44 2026 GMT
        Subject: CN=data.iana.org
SSL_write: GET /root-anchors/root-anchors.xml HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.22.0
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Last-Modified: Tue, 05 Nov 2024 19:23:41 GMT'
header: 'ETag: "745-6262f56c4cf39-gzip"'
header: 'Access-Control-Allow-Origin: *'
header: 'X-Frame-Options: SAMEORIGIN'

header: 'Referrer-Policy: origin-when-cross-origin'
header: 'Access-Control-Allow-Methods: GET'
header: 'Content-Type: text/xml'
header: 'Strict-Transport-Security: max-age=48211200; preload'
header: 'Cache-Control: max-age=36910'
header: 'Date: Mon, 03 Nov 2025 03:14:45 GMT'
header: 'Alt-Svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600'
header: 'Content-Length: 1861'
header: 'Connection: keep-alive'
header: 'Akamai-Cache-Status: Hit from child'
at 0/1861
read 1861 data
fetched root-anchors/root-anchors.xml (1861 bytes)
connect to 2600:1402:1400:15::17d1:bcd8
connect: Network is unreachable
connect to 2600:1402:1400:15::17d1:bcc5
connect: Network is unreachable
connect to 23.54.127.44
server SSL certificate
        Issuer: C=US, O=Let's Encrypt, CN=R12
        Validity
            Not Before: Oct 31 21:05:45 2025 GMT
            Not After : Jan 29 21:05:44 2026 GMT
        Subject: CN=data.iana.org
SSL_write: GET /root-anchors/root-anchors.p7s HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.22.0
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Last-Modified: Mon, 04 Aug 2025 16:19:24 GMT'
header: 'ETag: "9db-63b8c788f08b3"'
header: 'Vary: Accept-Encoding'
header: 'Accept-Ranges: bytes'
header: 'X-Frame-Options: SAMEORIGIN'
header: 'Referrer-Policy: origin-when-cross-origin'
header: 'Strict-Transport-Security: max-age=48211200; preload'
header: 'Content-Length: 2523'
header: 'Content-Type: application/pkcs7-signature'
header: 'Cache-Control: max-age=47008'
header: 'Date: Mon, 03 Nov 2025 03:14:45 GMT'
header: 'Alt-Svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600'
header: 'Connection: keep-alive'
header: 'Akamai-Cache-Status: Hit from child'
at 0/2523
read 2523 data
fetched root-anchors/root-anchors.p7s (2523 bytes)
parsed the PKCS7 signature
setup the X509_STORE
signer 0: Subject: /O=ICANN/CN=DNSSEC Trust Anchor Verification/emailAddress=dnssec@iana.org
the PKCS7 signature verified
XML was parsed successfully, 2 keys
success: the anchor has been updated using the cert

Netstat -tupl

netstat -tupl
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:5335          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:https              [::]:*                  LISTEN      -
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -
tcp6       0      0 [::]:http               [::]:*                  LISTEN      -
udp        0      0 localhost:5335          0.0.0.0:*                           -
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           -
udp        0      0 0.0.0.0:47080           0.0.0.0:*                           -
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           -
udp        0      0 0.0.0.0:ntp             0.0.0.0:*                           -
udp6       0      0 [::]:mdns               [::]:*                              -
udp6       0      0 [::]:39148              [::]:*                              -
udp6       0      0 [::]:domain             [::]:*                              -
udp6       0      0 [::]:ntp                [::]:*                              -

Time stuff

timedatectl timesync-status
       Server: 23.142.248.9 (2.debian.pool.ntp.org)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 2
    Reference: A975510C
    Precision: 1us (-24)
Root distance: 20.125ms (max: 5s)
       Offset: -6.154ms
        Delay: 54.301ms
       Jitter: 11.675ms
 Packet count: 44
    Frequency: +6.568ppm


timedatectl
               Local time: Mon 2025-11-03 19:23:41 EST
           Universal time: Tue 2025-11-04 00:23:41 UTC
                 RTC time: Tue 2025-11-04 00:23:41
                Time zone: America/New_York (EST, -0500)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Details about my system:

Pi5

Linux 6.12.47+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.47-1+rpt1 (2025-09-16) aarch64 GNU/Linux

What I have changed since installing Pi-hole: I added LetsEncrypt for the Pi-Hole management site. Then I added unbound.

I believe I’ve solved this, unfortunately.

When I query with DNSSEC from my laptop, or my Pi (through my ISP), I get this answer:

dig +dnssec isc.org @8.8.8.8

; <<>> DiG 9.10.6 <<>> +dnssec isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 210
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                1       IN      A       151.101.2.217
isc.org.                1       IN      A       151.101.66.217
isc.org.                1       IN      A       151.101.194.217
isc.org.                1       IN      A       151.101.130.217

;; Query time: 132 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Nov 09 22:42:14 EST 2025
;; MSG SIZE  rcvd: 100

However, when I used NordVPN, I get the RRSIG response

dig +dnssec isc.org @8.8.8.8

; <<>> DiG 9.10.6 <<>> +dnssec isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61086
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                300     IN      A       151.101.194.217
isc.org.                300     IN      A       151.101.2.217
isc.org.                300     IN      A       151.101.66.217
isc.org.                300     IN      A       151.101.130.217
isc.org.                300     IN      RRSIG   A 13 2 300 20251119074146 20251105070546 27566 isc.org. EL2favsMlzsVuvsE6t5cH/LZJy4pzyDPYvUaDGYhXdQcwDb4F9rybnjQ sR5icIutWm5shEeLxE/BrmLxj2tEsw==

Pretty crappy - Spectrum/Charter Internet BTW

So, I thought I’d get clever and wire in NordVPN to my pi and have it connect.

When I do, I can make a DNS query with DNSSEC and it works without any issue at all. However, when I start unbound back up and try to send DNS traffic over, I’m right back to getting SERVFAIL. I have tried just about everything but will probably resort to just using VPN with Pi-hole.

Start by defaulting the Unbound config to the official guide settings below?

And post output for below one after?

sudo rgrep -v '^ *\(#\|$\)' /etc/unbound/unbound.conf*

If still experiencing SERVFAIL, increase Unbound log verbosity and inspect the log/journal:

For SERVFAIL, you might have to up verbosity to four to see why it's failing.

EDIT: Also have a read below:

Thank you for the help. I uninstalled and reinstalled unbound.

VPN is disconnected
Pi-hole is stopped

Running Config copied directly from the site (only enabled logging and set verbosity to 4)

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.0.2.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 198.51.100.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 203.0.113.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 255.255.255.255/32
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 2001:db8::/32

netstat shows the running service

pi@void:/etc/unbound/unbound.conf.d $ netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:51546           0.0.0.0:*
udp        0      0 127.0.0.1:5335          0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp6       0      0 :::50242                :::*
udp6       0      0 :::53761                :::*
udp6       0      0 :::5353                 :::*

dig shows no go


; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35659
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; Query time: 23 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Nov 24 17:31:01 EST 2025
;; MSG SIZE  rcvd: 40

Part of the verbosity log, which shows each root and continues the THROWAWAY message (the errors I was having before)

[1764023461] unbound[80468:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1764023461] unbound[80468:0] info: query response was THROWAWAY
[1764023461] unbound[80468:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1764023461] unbound[80468:0] info: processQueryTargets: . NS IN
[1764023461] unbound[80468:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 32
[1764023461] unbound[80468:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (26 result, 0 avail) parentNS
[1764023461] unbound[80468:0] info:   A.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   B.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   C.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   D.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   E.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   F.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   G.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   H.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   I.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   J.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   K.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   L.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] info:   M.ROOT-SERVERS.NET. * A AAAA
[1764023461] unbound[80468:0] debug:    ip4 198.41.0.4 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 170.247.170.2 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 192.33.4.12 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 199.7.91.13 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 192.203.230.10 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 192.5.5.241 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 192.112.36.4 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 198.97.190.53 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 192.36.148.17 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 192.58.128.30 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 193.0.14.129 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 199.7.83.42 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip4 202.12.27.33 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    ip6 2001:503:ba3e::2:30 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2801:1b8:10::b port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:2::c port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:2d::d port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:a8::e port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:2f::f port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:12::d0d port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:1::53 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:7fe::53 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:503:c27::2:30 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:7fd::1 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:500:9f::42 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    ip6 2001:dc3::35 port 53 (len 28)
[1764023461] unbound[80468:0] debug: rpz: iterator module callback: have_rpz=0
[1764023461] unbound[80468:0] debug: servselect ip6 2001:dc3::35 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip6 2001:500:9f::42 port 53 (len 28)
[1764023461] unbound[80468:0] debug: servselect ip6 2001:7fd::1 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip6 2001:7fe::53 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip6 2001:500:2f::f port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip6 2001:500:a8::e port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip6 2801:1b8:10::b port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip6 2001:503:ba3e::2:30 port 53 (len 28)
[1764023461] unbound[80468:0] debug:    rtt=376
[1764023461] unbound[80468:0] debug: servselect ip4 199.7.83.42 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=288
[1764023461] unbound[80468:0] debug: servselect ip4 193.0.14.129 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=284
[1764023461] unbound[80468:0] debug: servselect ip4 192.58.128.30 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=164
[1764023461] unbound[80468:0] debug: servselect ip4 192.36.148.17 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=216
[1764023461] unbound[80468:0] debug: servselect ip4 198.97.190.53 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=284
[1764023461] unbound[80468:0] debug: servselect ip4 192.112.36.4 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=284
[1764023461] unbound[80468:0] debug: servselect ip4 199.7.91.13 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=284
[1764023461] unbound[80468:0] debug: servselect ip4 192.33.4.12 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=284
[1764023461] unbound[80468:0] debug: servselect ip4 170.247.170.2 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=164
[1764023461] unbound[80468:0] debug: servselect ip4 198.41.0.4 port 53 (len 16)
[1764023461] unbound[80468:0] debug:    rtt=124
[1764023461] unbound[80468:0] debug: selrtt 124
[1764023461] unbound[80468:0] info: sending query: . NS IN
[1764023461] unbound[80468:0] debug: sending to target: <.> 2001:500:a8::e#53
[1764023461] unbound[80468:0] debug: dnssec status: not expected
[1764023461] unbound[80468:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1764023461] unbound[80468:0] info: mesh_run: end 2 recursion states (1 with reply, 0 detached), 1 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1764023461] unbound[80468:0] info: 0pvCD mod2  . NS IN
[1764023461] unbound[80468:0] info: 1RDdc mod2 rep pi-hole.net. A IN
[1764023461] unbound[80468:0] debug: cache memory msg=66104 rrset=66104 infra=13570 val=66400 subnet=74536
[1764023461] unbound[80468:0] debug: svcd callbacks end
[1764023461] unbound[80468:0] debug: close of port 60979
[1764023461] unbound[80468:0] debug: close fd 11
[1764023461] unbound[80468:0] debug: serviced send timer
[1764023461] unbound[80468:0] debug: EDNS lookup known=0 vs=0
[1764023461] unbound[80468:0] debug: serviced query UDP timeout=376 msec
[1764023461] unbound[80468:0] debug: inserted new pending reply id=dacf
[1764023461] unbound[80468:0] debug: opened UDP if=0 port=52487
[1764023461] unbound[80468:0] error: udp connect failed: Network is unreachable for 2001:500:a8::e port 53 (len 28)
[1764023461] unbound[80468:0] debug: svcd callbacks start
[1764023461] unbound[80468:0] debug: worker svcd callback for qstate 0x5555c9d4db10
[1764023461] unbound[80468:0] debug: mesh_run: start
[1764023461] unbound[80468:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1764023461] unbound[80468:0] info: iterator operate: query . NS IN
[1764023461] unbound[80468:0] debug: process_response: new external response event
[1764023461] unbound[80468:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1764023461] unbound[80468:0] debug: query response was timeout
[1764023461] unbound[80468:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1764023461] unbound[80468:0] info: processQueryTargets: . NS IN
[1764023461] unbound[80468:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 33
[1764023461] unbound[80468:0] debug: request has exceeded the maximum number of sends with 33
[1764023461] unbound[80468:0] debug: store error response in message cache
[1764023461] unbound[80468:0] debug: return error response SERVFAIL
[1764023461] unbound[80468:0] debug: mesh_run: iterator module exit state is module_finished
[1764023461] unbound[80468:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
[1764023461] unbound[80468:0] info: validator operate: query . NS IN
[1764023461] unbound[80468:0] debug: validator: nextmodule returned
[1764023461] unbound[80468:0] debug: not validating response, is valrec(validation recursion lookup)
[1764023461] unbound[80468:0] debug: mesh_run: validator module exit state is module_finished
[1764023461] unbound[80468:0] debug: subnetcache[module 0] operate: extstate:module_state_initial event:module_event_moddone
[1764023461] unbound[80468:0] info: subnetcache operate: query . NS IN
[1764023461] unbound[80468:0] debug: mesh_run: subnetcache module exit state is module_finished
[1764023461] unbound[80468:0] debug: iterator[module 2] operate: extstate:module_wait_subquery event:module_event_pass
[1764023461] unbound[80468:0] info: iterator operate: query pi-hole.net. A IN
[1764023461] unbound[80468:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1764023461] unbound[80468:0] info: processQueryTargets: pi-hole.net. A IN
[1764023461] unbound[80468:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1764023461] unbound[80468:0] debug: Failed to get a delegation, giving up
[1764023461] unbound[80468:0] debug: return error response SERVFAIL
[1764023461] unbound[80468:0] debug: mesh_run: iterator module exit state is module_finished
[1764023461] unbound[80468:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1764023461] unbound[80468:0] info: validator operate: query pi-hole.net. A IN
[1764023461] unbound[80468:0] debug: validator: nextmodule returned
[1764023461] unbound[80468:0] debug: cannot validate non-answer, rcode SERVFAIL
[1764023461] unbound[80468:0] debug: mesh_run: validator module exit state is module_finished
[1764023461] unbound[80468:0] debug: subnetcache[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1764023461] unbound[80468:0] info: subnetcache operate: query pi-hole.net. A IN
[1764023461] unbound[80468:0] debug: mesh_run: subnetcache module exit state is module_finished
[1764023461] unbound[80468:0] debug: query took 0.022258 sec
[1764023461] unbound[80468:0] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out
[1764023461] unbound[80468:0] info: average recursion processing time 0.022258 sec
[1764023461] unbound[80468:0] info: histogram of recursion processing times
[1764023461] unbound[80468:0] info: [25%]=0 median[50%]=0 [75%]=0
[1764023461] unbound[80468:0] info: lower(secs) upper(secs) recursions
[1764023461] unbound[80468:0] info:    0.016384    0.032768 1
[1764023461] unbound[80468:0] debug: cache memory msg=66337 rrset=66104 infra=13570 val=66400 subnet=74536
[1764023461] unbound[80468:0] debug: svcd callbacks end

Any ideas for the next steps?

A few things I note in your logs, it seems that all attempts via IPv6 are failing.

connect to 2600:1402:1400:15::17d1:bcd8
connect: Network is unreachable
connect to 2600:1402:1400:15::17d1:bcc5
connect: Network is unreachable
[1764023461] unbound[80468:0] error: udp connect failed: Network is unreachable for 2001:500:a8::e port 53 (len 28)

I would suggest disabling IPv6 in unbound for the time being to assist with diagnosis.

Also this:

Could this be source of your actual problem?

As pointed out above by deHakkelaar, your VPN is likely taking your DNS queries and sending them to its own servers to help prevent DNS leaks, but also Spectrum/Charter are noted on Wikipedia as having engaged in hijacking DNS requests, even those bound for other servers.

This can go unnoticed with regular DNS queries, but if Spectrum/Charter are refusing to answer non-recursive queries (of the type sent by Unbound) then this might explain what is happening here.

It might be worth confirming that your queries are actually able to reach the root servers unhindered, and likewise for their replies to you.

Could you please query one of the root servers directly:

dig www.google.com @170.247.170.2

Your response header should read something like the following, containing the WARNING line:

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> www.google.com @170.247.170.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33508
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

I would recommend confirming this with your vpn both on and off.
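
Added example, not part of any post in this thread: a small parser that applies the check described above to saved `dig` output. It relies on the fact that root servers do not offer recursion, so a reply to `dig www.google.com @<root server>` that carries the `ra` flag or an answer record was produced by some other resolver on the path. The function names are hypothetical; the first two samples reuse header lines quoted in this thread, the third is constructed.

```python
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


@dataclass(frozen=True)
class DigHeader:
    status: str
    flags: frozenset
    answer: int
    authority: int
    recursion_warning: bool


def parse_dig(text):
    """Extract the response header fields from dig's default text output."""
    header = HEADER_RE.search(text)
    counts = FLAGS_RE.search(text)
    if not header or not counts:
        raise ValueError("no dig response header found")
    return DigHeader(
        status=header.group(2),
        flags=frozenset(counts.group(1).split()),
        answer=int(counts.group(3)),
        authority=int(counts.group(4)),
        recursion_warning="recursion requested but not available" in text,
    )


def classify_root_reply(text):
    """Classify a reply to a non-root name queried directly at a root server.

    Returns (verdict, reasons); verdict is 'referral', 'intercepted'
    or 'inconclusive'.
    """
    hdr = parse_dig(text)
    reasons = []
    if "ra" in hdr.flags:
        reasons.append("ra flag set: the responder offers recursion")
    if hdr.answer > 0:
        reasons.append(f"{hdr.answer} answer record(s) instead of a referral")
    if reasons:
        return "intercepted", reasons
    if hdr.status == "NOERROR" and hdr.authority > 0:
        detail = f"referral with {hdr.authority} authority records, no ra flag"
        if hdr.recursion_warning:
            detail += ", dig printed the recursion warning"
        return "referral", [detail]
    return "inconclusive", [f"status {hdr.status}, flags {sorted(hdr.flags)}"]


# Header lines as quoted in this thread: what a real root server returns.
EXPECTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33508
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
"""

# Header lines as quoted in this thread: reply seen when querying 170.247.170.2.
OBSERVED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50630
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample: a failure that says nothing about interception.
FAILED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    samples = (("expected", EXPECTED), ("observed", OBSERVED), ("failed", FAILED))
    for name, sample in samples:
        verdict, why = classify_root_reply(sample)
        print(f"{name}: {verdict} ({'; '.join(why)})")
```

Saving the output of the same `dig` command with the VPN on and off and passing each file's contents to `classify_root_reply` gives a like-for-like comparison of the two paths.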

You're missing below directives:

$ sudo rgrep -v '^ *\(#\|$\)' /etc/unbound/unbound.conf*
[..]
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Can restore with below two:

sudo rm /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

sudo apt -o Dpkg::Options::="--force-confmiss" install --reinstall unbound

PS. I don't recommend leaving above directive active.
There is no log-rotate in place to maintain/archive that log file.

EDIT: Oh and yes disable do-ip6: yes ?

Thank you both for the help.

EDIT: Forgot to mention, I’m running unbound version: 1.22.0.

I’m looking in my configs and see that ipv6 is already off. I noticed it and kept troubleshooting last night. I can confirm that when I run queries now, the "Network is unreachable" errors for IPv6 addresses are no longer in the logs.

Here are the updated configs with the additional files recreated

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:  control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf:  control-interface: /run/unbound.ctl
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.0.2.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 198.51.100.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 203.0.113.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 255.255.255.255/32
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 2001:db8::/32
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Trying your dig WITH NordVPN on:

Resolv.conf shows these DNS servers

# Generated by NordVPN
nameserver 1.1.1.1
nameserver 8.8.8.8

the dig command - does not show the WARNING

pi@void:/etc/unbound $ dig www.google.com @170.247.170.2

; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> www.google.com @170.247.170.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50630
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         60      IN      A       192.0.0.88

;; Query time: 28 msec
;; SERVER: 170.247.170.2#53(170.247.170.2) (UDP)
;; WHEN: Tue Nov 25 08:49:38 EST 2025
;; MSG SIZE  rcvd: 59

Now I disabled VPN

Resolv.conf going to Cloudflare

# Generated by NetworkManager
#nameserver 192.168.1.1
nameserver 1.1.1.1

pi@void:/etc/unbound $ dig www.google.com @170.247.170.2

; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> www.google.com @170.247.170.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14592
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         1       IN      A       142.251.40.36

;; Query time: 32 msec
;; SERVER: 170.247.170.2#53(170.247.170.2) (UDP)
;; WHEN: Tue Nov 25 08:54:12 EST 2025
;; MSG SIZE  rcvd: 59

Log after querying dig www.google.com @127.0.0.1 -p 5335

[1764079081] unbound[126343:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1764079081] unbound[126343:0] info: query response was THROWAWAY
[1764079081] unbound[126343:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1764079081] unbound[126343:0] info: processQueryTargets: . NS IN
[1764079081] unbound[126343:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 32
[1764079081] unbound[126343:0] info: DelegationPoint<.>: 13 names (0 missing), 13 addrs (11 result, 0 avail) parentNS
[1764079081] unbound[126343:0] info:   A.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   B.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   C.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   D.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   E.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   F.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   G.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   H.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   I.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   J.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   K.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   L.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] info:   M.ROOT-SERVERS.NET. * A
[1764079081] unbound[126343:0] debug:    ip4 198.41.0.4 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 170.247.170.2 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 192.33.4.12 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 199.7.91.13 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 192.203.230.10 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 192.5.5.241 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 192.112.36.4 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 198.97.190.53 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 192.36.148.17 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 192.58.128.30 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 193.0.14.129 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 199.7.83.42 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    ip4 202.12.27.33 port 53 (len 16)
[1764079081] unbound[126343:0] debug: rpz: iterator module callback: have_rpz=0
[1764079081] unbound[126343:0] debug: servselect ip4 202.12.27.33 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=60
[1764079081] unbound[126343:0] debug: servselect ip4 199.7.83.42 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=68
[1764079081] unbound[126343:0] debug: servselect ip4 193.0.14.129 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=61
[1764079081] unbound[126343:0] debug: servselect ip4 192.58.128.30 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=55
[1764079081] unbound[126343:0] debug: servselect ip4 192.36.148.17 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=76
[1764079081] unbound[126343:0] debug: servselect ip4 198.97.190.53 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=62
[1764079081] unbound[126343:0] debug: servselect ip4 192.5.5.241 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=78
[1764079081] unbound[126343:0] debug: servselect ip4 192.203.230.10 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=70
[1764079081] unbound[126343:0] debug: servselect ip4 199.7.91.13 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=65
[1764079081] unbound[126343:0] debug: servselect ip4 192.33.4.12 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=59
[1764079081] unbound[126343:0] debug: servselect ip4 198.41.0.4 port 53 (len 16)
[1764079081] unbound[126343:0] debug:    rtt=81
[1764079081] unbound[126343:0] debug: selrtt 55
[1764079081] unbound[126343:0] info: sending query: . NS IN
[1764079081] unbound[126343:0] debug: sending to target: <.> 198.97.190.53#53
[1764079081] unbound[126343:0] debug: dnssec status: expected
[1764079081] unbound[126343:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1764079081] unbound[126343:0] info: mesh_run: end 2 recursion states (1 with reply, 0 detached), 1 waiting replies, 4 recursion replies sent, 0 replies dropped, 0 states jostled out
[1764079081] unbound[126343:0] info: average recursion processing time 0.386242 sec
[1764079081] unbound[126343:0] info: histogram of recursion processing times
[1764079081] unbound[126343:0] info: [25%]=0.024576 median[50%]=0.032768 [75%]=0.762144
[1764079081] unbound[126343:0] info: lower(secs) upper(secs) recursions
[1764079081] unbound[126343:0] info:    0.016384    0.032768 2
[1764079081] unbound[126343:0] info:    0.524288    1.000000 2
[1764079081] unbound[126343:0] info: 0pvCD mod2  . NS IN
[1764079081] unbound[126343:0] info: 1RDdc mod2 rep www.google.com. A IN
[1764079081] unbound[126343:0] debug: cache memory msg=66337 rrset=66104 infra=12085 val=66400 subnet=74536
[1764079081] unbound[126343:0] debug: svcd callbacks end
[1764079081] unbound[126343:0] debug: close of port 12383
[1764079081] unbound[126343:0] debug: close fd 12
[1764079081] unbound[126343:0] debug: serviced send timer
[1764079081] unbound[126343:0] debug: EDNS lookup known=1 vs=0
[1764079081] unbound[126343:0] debug: serviced query UDP timeout=62 msec
[1764079081] unbound[126343:0] debug: inserted new pending reply id=c904
[1764079081] unbound[126343:0] debug: opened UDP if=0 port=50168
[1764079081] unbound[126343:0] debug: comm point start listening 12 (-1 msec)
[1764079081] unbound[126343:0] debug: answer cb
[1764079081] unbound[126343:0] debug: Incoming reply id = c904
[1764079081] unbound[126343:0] debug: Incoming reply addr = ip4 198.97.190.53 port 53 (len 16)
[1764079081] unbound[126343:0] debug: lookup size is 1 entries
[1764079081] unbound[126343:0] debug: received udp reply.
[1764079081] unbound[126343:0] debug: udp message[28:0] C90480950001000000000001000002000100002904D0000080000000
[1764079081] unbound[126343:0] debug: outnet handle udp reply
[1764079081] unbound[126343:0] debug: measured roundtrip at 21 msec
[1764079081] unbound[126343:0] debug: svcd callbacks start
[1764079081] unbound[126343:0] debug: worker svcd callback for qstate 0x5555c8f95200
[1764079081] unbound[126343:0] debug: mesh_run: start
[1764079081] unbound[126343:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1764079081] unbound[126343:0] info: iterator operate: query . NS IN
[1764079081] unbound[126343:0] debug: process_response: new external response event
[1764079081] unbound[126343:0] info: scrub for . NS IN
[1764079081] unbound[126343:0] info: response for . NS IN
[1764079081] unbound[126343:0] info: reply from <.> 198.97.190.53#53
[1764079081] unbound[126343:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
.       IN      NS

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 17

[1764079081] unbound[126343:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1764079081] unbound[126343:0] info: query response was THROWAWAY
[1764079081] unbound[126343:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1764079081] unbound[126343:0] info: processQueryTargets: . NS IN
[1764079081] unbound[126343:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 33
[1764079081] unbound[126343:0] debug: request has exceeded the maximum number of sends with 33
[1764079081] unbound[126343:0] debug: store error response in message cache
[1764079081] unbound[126343:0] debug: return error response SERVFAIL
[1764079081] unbound[126343:0] debug: mesh_run: iterator module exit state is module_finished
[1764079081] unbound[126343:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
[1764079081] unbound[126343:0] info: validator operate: query . NS IN
[1764079081] unbound[126343:0] debug: validator: nextmodule returned
[1764079081] unbound[126343:0] debug: not validating response, is valrec(validation recursion lookup)
[1764079081] unbound[126343:0] debug: mesh_run: validator module exit state is module_finished
[1764079081] unbound[126343:0] debug: subnetcache[module 0] operate: extstate:module_state_initial event:module_event_moddone
[1764079081] unbound[126343:0] info: subnetcache operate: query . NS IN
[1764079081] unbound[126343:0] debug: mesh_run: subnetcache module exit state is module_finished
[1764079081] unbound[126343:0] debug: iterator[module 2] operate: extstate:module_wait_subquery event:module_event_pass
[1764079081] unbound[126343:0] info: iterator operate: query www.google.com. A IN
[1764079081] unbound[126343:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1764079081] unbound[126343:0] info: processQueryTargets: www.google.com. A IN
[1764079081] unbound[126343:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1764079081] unbound[126343:0] debug: Failed to get a delegation, giving up
[1764079081] unbound[126343:0] debug: return error response SERVFAIL
[1764079081] unbound[126343:0] debug: mesh_run: iterator module exit state is module_finished
[1764079081] unbound[126343:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1764079081] unbound[126343:0] info: validator operate: query www.google.com. A IN
[1764079081] unbound[126343:0] debug: validator: nextmodule returned
[1764079081] unbound[126343:0] debug: cannot validate non-answer, rcode SERVFAIL
[1764079081] unbound[126343:0] debug: mesh_run: validator module exit state is module_finished
[1764079081] unbound[126343:0] debug: subnetcache[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1764079081] unbound[126343:0] info: subnetcache operate: query www.google.com. A IN
[1764079081] unbound[126343:0] debug: mesh_run: subnetcache module exit state is module_finished
[1764079081] unbound[126343:0] debug: query took 0.740233 sec
[1764079081] unbound[126343:0] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 5 recursion replies sent, 0 replies dropped, 0 states jostled out
[1764079081] unbound[126343:0] info: average recursion processing time 0.457040 sec
[1764079081] unbound[126343:0] info: histogram of recursion processing times
[1764079081] unbound[126343:0] info: [25%]=0.026624 median[50%]=0.603573 [75%]=0.801787
[1764079081] unbound[126343:0] info: lower(secs) upper(secs) recursions
[1764079081] unbound[126343:0] info:    0.016384    0.032768 2
[1764079081] unbound[126343:0] info:    0.524288    1.000000 3
[1764079081] unbound[126343:0] debug: cache memory msg=66337 rrset=66104 infra=12085 val=66400 subnet=74536
[1764079081] unbound[126343:0] debug: svcd callbacks end
[1764079081] unbound[126343:0] debug: close of port 50168
[1764079081] unbound[126343:0] debug: close fd 12

OK, so those two together (no WARNING in the header) confirm that your DNS requests are unable to reach the root servers, either when connecting directly via your ISP, or through the VPN.

Unless they provide you with a configuration option to not do this (check if there is also any related setting in your router), then I do not think you will be able to use unbound with your current provider or VPN.

Above you see the equivalent of the below query going out of the door:

$ dig +norecurse @198.97.190.53 . ns

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +norecurse @198.97.190.53 . ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36956
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
b.root-servers.net.     518400  IN      A       170.247.170.2
c.root-servers.net.     518400  IN      A       192.33.4.12
d.root-servers.net.     518400  IN      A       199.7.91.13
e.root-servers.net.     518400  IN      A       192.203.230.10
f.root-servers.net.     518400  IN      A       192.5.5.241
g.root-servers.net.     518400  IN      A       192.112.36.4
h.root-servers.net.     518400  IN      A       198.97.190.53
i.root-servers.net.     518400  IN      A       192.36.148.17
j.root-servers.net.     518400  IN      A       192.58.128.30
k.root-servers.net.     518400  IN      A       193.0.14.129
l.root-servers.net.     518400  IN      A       199.7.83.42
m.root-servers.net.     518400  IN      A       202.12.27.33
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      AAAA    2801:1b8:10::b
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35

;; Query time: 23 msec
;; SERVER: 198.97.190.53#53(198.97.190.53) (UDP)
;; WHEN: Tue Nov 25 22:33:36 CET 2025
;; MSG SIZE  rcvd: 811

But your Unbound gets the below REFUSED reply from root server 198.97.190.53 instead:

Indicating something upstream is interfering/censoring/mangling DNS traffic.
Another test below:

$ awk '/ A / {print "@"$4}' /usr/share/dns/root.hints | xargs -n1 dig +norecurse +short version.bind chaos txt
"ATLAS"
"knot 3.x"
"c-root"
"NSD 4"
"2025.11.1"
"2025.11.1"
"NSD 4.x"
"contact info@netnod.se"
"NSD"
"NSD"
"NSD 4"
"9.16"

Ask your ISP if they apply CGNAT for their customers and if they offer an alternative.
CGNAT doesn't work well when you want to run a recursive DNS resolver like Unbound at home:
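Added example, not part of the posts in this thread: a small Python check that decodes the `udp message[...]` hex Unbound logs at `verbosity: 4` and flags replies that carry a root-server source address but have RA set and AA clear, unlike the `flags: qr aa` answer in the direct `dig +norecurse` above. The two log lines are copied from the log in this thread; the function names (`parse_header`, `replies`, `looks_intercepted`) are hypothetical helpers written for this illustration.

```python
import re
import struct

# Two lines copied from the Unbound log in this thread (message bytes as logged).
LOG = """\
[1764079081] unbound[126343:0] debug: Incoming reply addr = ip4 198.97.190.53 port 53 (len 16)
[1764079081] unbound[126343:0] debug: udp message[28:0] C90480950001000000000001000002000100002904D0000080000000
"""

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
ADDR_RE = re.compile(r"Incoming reply addr = ip4 (\S+) port (\d+)")
MSG_RE = re.compile(r"udp message\[(\d+):\d+\] ([0-9A-Fa-f]+)")


def parse_header(raw: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(raw) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", raw[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }


def replies(log: str):
    """Yield (source_ip, header) for each reply found in the log text."""
    src = None
    for line in log.splitlines():
        if m := ADDR_RE.search(line):
            src = m.group(1)
        elif m := MSG_RE.search(line):
            raw = bytes.fromhex(m.group(2))
            if len(raw) != int(m.group(1)):
                continue  # hex dump shorter than the logged length; skip it
            yield src, parse_header(raw)


def looks_intercepted(h: dict) -> bool:
    """Root servers are authoritative-only and do not offer recursion,
    so a response from a root address with RA set and AA clear does not
    look like one produced by an authoritative-only server."""
    return h["qr"] and h["ra"] and not h["aa"]


if __name__ == "__main__":
    for src, h in replies(LOG):
        verdict = "suspect" if looks_intercepted(h) else "ok"
        print(src, h["rcode"], "aa" if h["aa"] else "-", "ra" if h["ra"] else "-", verdict)
```

To run it over a full log, replace `LOG` with the contents of the Unbound log file; only replies whose source is one of the root-hint addresses are meaningful for this check.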

Thank you both for your help.
I think you’ve solved it with CGNAT and Spectrum does apply it. I hope this helps others.

I believe you're the first one to confirm here on Discourse that CGNAT is causing problems for Unbound.
Thanks for the feedback!

EDIT: Oh, don't forget the below one!

And set verbosity to zero again.

EDIT2: Next time we can go for the throat directly asking for the WAN IP of the router (or a traceroute):