I am using Pi-Hole with Unbound and all seems to work well. I can see the requests being processed in the "Tail pi-hole.log" and sites are blocked when needed. But by looking at the network traffic in my LAN I discovered that the Raspberry I am using with the Pi-Hole keeps reaching the OpenDNS servers and I can't understand why. At the beginning I was using them with the Pi-Hole but then I switched to Unbound, so I would expect that no more traffic is sent to OpenDNS.
I remember that in the Pi-Hole documentation it is said that when using Unbound the resolution of some addresses could take several seconds the first time they are reached, but I've never witnessed this delay. Is it possible that the Raspberry is sending the requests to both Unbound and OpenDNS at the same time but resolving only with the latest, and this is why the resolution is so fast? I remember (quite sure but I can be wrong) that months ago I was able to see the Raspberry reaching for the TLDs for the DNS resolutions and now I can't anymore.
Here is some of my resolv.conf configuration:
cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
cat /etc/resolvconf.conf
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details
resolv_conf=/etc/resolv.conf
# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
#name_servers=127.0.0.1
# Mirror the Debian package defaults for the below resolvers
# so that resolvconf integrates seemlessly.
dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
pdnsd_conf=/etc/pdnsd.conf
unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
# Generated by resolvconf
nameserver 208.67.222.222
nameserver 208.67.220.220
The intention is to have unbound as a recursive resolver, not a forwarding one.
At the moment I tried to comment out the static domain_name_servers= in /etc/dhcpcd.conf and the OpenDNS servers disappeared and are no longer propagated to the other files. Indeed I can see the traffic going again to the TLDs.
Have I done this correctly? Or is it better to remove the resolvconf_resolvers.conf file?
Also, in the documentation I read this:
The unbound package can come with a systemd service called unbound-resolvconf.service and default enabled. It instructs resolvconf to write unbound 's own DNS service at nameserver 127.0.0.1 , but without the 5335 port, into the file /etc/resolv.conf . That /etc/resolv.conf file is used by local services/processes to determine DNS servers configured. If you configured /etc/dhcpcd.conf with a static domain_name_servers= line, these DNS server(s) will be ignored/overruled by this service.
So the static domain_name_servers= in /etc/dhcpcd.conf override the servers in resolv.conf? I had understood the contrary.
There are many networking tools that potentially try to control your system's DNS resolution. dhcpcd is just one of them, and while it's considered the default with Raspberry Pi OS, other OS distributions may favour different tools, sometimes even for different OS purposes (e.g. server vs. desktop) - NetworkManager, netplan, systemd-networkd, etc.
If dhcpcd.conf is in control, then its static DNS settings would be reflected in resolv.conf.
If you instead allow dhcpcd to configure your network dynamically via DHCP, resolv.conf would be populated with the values as distributed by your router. EDIT: This would also include the IPv4 address, so make sure your router is configured to hand out a fixed IP address (DHCP lease reservation) for your Pi-hole host machine.
But whatever DNS servers your Pi-hole host machine's resolv.conf would be pointing to:
It is used only by your Pi-hole host.
Pi-hole itself would forward DNS requests to its configured upstreams.
You state that to be unbound in your case - and your unbound in turn is currently configured to use 208.67.222.222 and 208.67.220.220 as its upstreams via extra configuration from /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf.
You should remove that file if you don't want to use those upstreams.
It doesn't sound like you've added that configuration yourself - did you install your unbound only recently on some Bullseye OS distribution?
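The answer above draws a distinction between the host's own resolv.conf (used only by local processes) and unbound's upstreams (which decide whether unbound recurses or forwards). The script below is an added example, not code from the thread or from the Pi-hole or unbound projects: it audits both from files on disk. It assumes that a resolvconf-generated drop-in for unbound uses unbound's forward-zone / forward-addr syntax (the OpenDNS addresses shown in the thread are used only in a constructed sample written to a temporary directory, not read from the real system), and that resolv.conf is in the usual nameserver format.

```shell
#!/bin/sh
# Audit whether a Pi-hole host's unbound is really recursive, and whether the
# host's resolv.conf points only at loopback. All sample files are constructed
# in a temp directory so the script runs offline and touches no system config.

# Print every forward-addr found in an unbound config directory (one per line).
# An empty result means unbound has no forwarders and will recurse from the roots.
list_forward_addrs() {
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -rh '^[[:space:]]*forward-addr:' "$dir" 2>/dev/null \
        | sed 's/^[[:space:]]*forward-addr:[[:space:]]*//' \
        | sort -u
}

# Print "recursive" when no forward-addr is configured, else "forwarding".
unbound_mode() {
    if [ -z "$(list_forward_addrs "$1")" ]; then
        echo recursive
    else
        echo forwarding
    fi
}

# Succeed (exit 0) only if every nameserver line names a loopback address.
resolv_is_local_only() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { found = 1 }
         END { exit (found ? 1 : 0) }' "$1"
}

# Build a constructed sample: an unbound drop-in with two forwarders and a
# resolv.conf pointing at loopback. The drop-in layout is an assumption about
# what resolvconf's unbound hook writes; it is sample data, not a real file.
make_sample() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/unbound.conf.d"
    cat > "$tmp/unbound.conf.d/resolvconf_resolvers.conf" <<'EOF'
# constructed sample (assumed resolvconf hook output)
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
EOF
    printf '# Generated by resolvconf\nnameserver 127.0.0.1\n' > "$tmp/resolv.conf"
    echo "$tmp"
}

# Stand-alone run: show the state before and after removing the drop-in,
# which is the fix the answer recommends when forwarding is not wanted.
SAMPLE="$(make_sample)"
echo "forwarders before: $(list_forward_addrs "$SAMPLE/unbound.conf.d" | tr '\n' ' ')"
echo "unbound mode before: $(unbound_mode "$SAMPLE/unbound.conf.d")"
rm "$SAMPLE/unbound.conf.d/resolvconf_resolvers.conf"
echo "unbound mode after:  $(unbound_mode "$SAMPLE/unbound.conf.d")"
if resolv_is_local_only "$SAMPLE/resolv.conf"; then
    echo "resolv.conf: loopback only (good for a Pi-hole host)"
else
    echo "resolv.conf: names a non-loopback resolver"
fi
rm -r "$SAMPLE"
```

On a real host you would point `list_forward_addrs` at `/etc/unbound/unbound.conf.d` and `resolv_is_local_only` at `/etc/resolv.conf`; the point is that a "recursive" unbound with an unexpected forward-addr drop-in is exactly the situation the thread describes, and that resolv.conf looking correct says nothing about where unbound itself sends queries.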
Thank you for the clear explanation! I still need to learn how those services are linked to each other.
About the configuration, initially I installed Pi-Hole on a Buster OS one year ago using the OpenDNS servers as the first setup. Then after some weeks I installed Unbound, and at that time I was sure that Unbound was working as a recursive resolver. After some months I upgraded the OS from Buster to Bullseye. Maybe it was at this time that the configuration was added? I would really like to figure it out.