6 servers were found when I ran the standard test on https://www.dnsleaktest.com. All of them were Google IP addresses even though I already unchecked Google in the Upstream DNS Servers setting and only put 127.0.0.1#5335 as Upstream DNS Server.
I had also installed unbound according to the Pi-hole documentation and it passed the DNSSEC validations.
This is your problem. Bullseye (at least the native version posted by Raspberry Pi at the end of October 2021) installs this, without you knowing it. The solution is to remove openresolv and the installed files.
I ran the command sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf* again and resolvconf_resolvers.conf is gone. DNS leak test only shows my ISP's IP address now. Thank you so much!
I don't think it's a smart move removing the openresolv package?
Most network managers address openresolv to populate /etc/resolv.conf.
Better comment out below line:
Above will prevent that resolvconf_resolvers.conf file being created in the first place.
And make sure that file doesn't exist (delete it and restart unbound):
pi@ph5b:~ $ sudo stat /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
stat: cannot statx '/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf': No such file or directory
Or remove the openresolv package and replace it with resolvconf instead, which won't create the above config file:
pi@ph5b:~ $ sudo unbound-control list_forwards
. IN forward 10.0.0.1
home.dehakkelaar.nl. IN forward 10.0.0.1
pi@ph5b:~ $ sudo unbound-control lookup pi-hole.net
The following name servers are used for lookup of pi-hole.net.
forwarding request:
Delegation with 0 names, of which 0 can be examined to query further addresses.
It provides 1 IP addresses.
10.0.0.1 not in infra cache.
pi@ph5b:~ $ sudo unbound-control lookup pi-hole.net
The following name servers are used for lookup of pi-hole.net.
;rrset 2853 4 1 11 5
pi-hole.net. 2853 IN NS ns1.pi-hole.net.
pi-hole.net. 2853 IN NS ns3.pi-hole.net.
pi-hole.net. 2853 IN NS ns2.pi-hole.net.
pi-hole.net. 2853 IN NS ns4.pi-hole.net.
[..]
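A check for the symptom shown in the output above, as an added example (not code from any poster or from the Pi-hole or unbound projects): it classifies `unbound-control list_forwards` output and flags a forwarded root zone `.`, which means unbound hands every query to that upstream instead of resolving recursively. The function name `check_forwards`, its status codes and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `unbound-control list_forwards` output read on stdin.
# Prints one line per forward zone and returns:
#   0 = no forward zones (unbound recurses by itself)
#   1 = only specific zones are forwarded (e.g. a local domain)
#   2 = the root zone "." is forwarded: every query goes to that upstream
check_forwards() {
    awk '
        # Line shape assumed from the output quoted in the thread:
        #   <zone> IN forward <addr> [<addr> ...]
        $2 == "IN" && $3 == "forward" {
            addrs = ""
            for (i = 4; i <= NF; i++)
                addrs = (addrs == "" ? "" : addrs " ") $i
            if ($1 == ".") { root = 1; printf "ROOT  . -> %s\n", addrs }
            else           { some = 1; printf "ZONE  %s -> %s\n", $1, addrs }
        }
        END { exit (root ? 2 : (some ? 1 : 0)) }
    '
}

# Constructed sample, modelled on the list_forwards output in the thread.
sample_leaky='. IN forward 10.0.0.1
home.dehakkelaar.nl. IN forward 10.0.0.1'

# Constructed sample: only a local domain is forwarded.
sample_local='home.dehakkelaar.nl. IN forward 10.0.0.1'

# Demo on the constructed samples. On a live host use instead:
#   sudo unbound-control list_forwards | check_forwards
for s in "$sample_leaky" "$sample_local" ""; do
    rc=0
    printf '%s\n' "$s" | check_forwards || rc=$?
    echo "status=$rc"
done
```

Status 2 on a Pi-hole host that is meant to use unbound as a recursive resolver is the condition to investigate, for example by checking whether `/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf` exists.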
All network managers/stacks I know (including dhcpcd) can work pretty well without resolvconf and then do edit /etc/resolv.conf directly instead. Basically, if you do not actively use the features that resolvconf allows, like setting a fixed default and/or a fallback nameserver entry, local domain/search entries etc., which you want to stay even when e.g. the DHCP client provides different info, then resolvconf is usually not required. Especially when using the system as a server with a then static/reserved IP, you most likely do not want nameservers to change at all. And if there is really any package depending on resolvconf, then apt will warn you and allow you to confirm or abort.
But indeed as a general recommendation, as we cannot know users' individual systems and people come here and copy&paste commands they may not fully understand, in the other thread I suggested to replace the openresolv with the resolvconf package, both providing the same core feature (resolvconf command), but the resolvconf package without the harmful magic around:
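# Run as root. Only acts when openresolv is installed.
if dpkg-query -s 'openresolv' > /dev/null 2>&1
then
    # Install the replacement first so the resolvconf command stays available
    apt -y install resolvconf
    apt -y purge openresolv
    # Remove the forwarder config that openresolv generated for unbound
    rm -f /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
fi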
@deHakkelaar
Do you think such would be feasible for: unbound - Pi-hole documentation
All Raspberry Pi OS Bullseye users have this issue OOTB now. Not sure how much detail makes sense, all three solutions (purge package, replace package, comment setting) or, to not confuse readers, only one that we find most compatible?
In the specific case of Raspbian Bullseye (may extend to other Debian flavors of Bullseye as well, I haven't tested), in the absence of openresolv, file /etc/resolv.conf is properly populated by dhcpcd.
The simple fix for the problem that was described is to remove openresolv. The optional step (should you decide you want a replacement package) is to install resolvconf.
Edit - although commenting out the offending line in /etc/resolvconf.conf does not change the underlying OS install, which may be desirable to some users.