DNS queries slow/timeout from localhost - fast when direct to DNS server

Pi-hole v5.13 (467,000 domains in blocklist)
FTL v5.18.2
Web Interface v5.16
Unbound version: 1.13.1
Stubby version: 0.3.0
Debian 11

I'm making a new Pi-hole LXC and I was testing some queries, and it appears that non-cached queries are extremely slow, or time out altogether. I'm doing all my testing using nslookup and dig from the Pi-hole container itself.
Queries direct to 1.1.1.1 are extremely fast and come back immediately, so I have an issue somewhere in the pihole/unbound/stubby chain that is slowing down the new query process. If dig is timing out, then there is an unacceptable level of latency in the system even if the query eventually returns.

The way I have this set up is pihole configured to use unbound (query addr is 127.0.0.1:5335), and then unbound has a forward-addr configured for stubby (127.0.0.1:8053). Then stubby is configured to do DNS over TLS to 1.0.0.1 and 1.1.1.1.

/etc/unbound/unbound.conf.d/stubby.conf

server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053

stubby.yml

#
# This is a yaml version of the stubby configuration file (it replaces the 
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#
# This format does not fully support all yaml features - the restrictions are:
#   - the outer-most data structure must be a yaml mapping
#   - mapping keys must be yaml scalars
#   - plain scalars will be converted to json unchanged
#   - non-plain scalars (quoted, double-quoted, wrapped) will be interpreted
#     as json strings, i.e. double quoted. 
#   - yaml tags are not supported
#   - IPv6 addresses ending in :: are not yet supported (use ::0)
#
# Note that we plan to introduce a more compact format for defining upstreams
# in future: https://github.com/getdnsapi/stubby/issues/79

# Logging is currently configured at runtime using command line arguments. See
# > stubby -h
# for details.

# Specifies whether to run as a recursive or stub resolver 
# For stubby this MUST be set to GETDNS_RESOLUTION_STUB
resolution_type: GETDNS_RESOLUTION_STUB

# Ordered list composed of one or more transport protocols: 
# GETDNS_TRANSPORT_UDP, GETDNS_TRANSPORT_TCP or GETDNS_TRANSPORT_TLS
# If only one transport value is specified it will be the only transport used. 
# Should it not be available basic resolution will fail.
# Fallback transport options are specified by including multiple values in the
# list.  Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Selects Strict or Opportunistic Usage profile as described in
# https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
# Strict mode requires that authentication information for the upstreams is
# specified below. Opportunistic may fallback to clear text DNS if UDP or TCP
# is included in the transport list above.
# For Strict use        GETDNS_AUTHENTICATION_REQUIRED
# For Opportunistic use GETDNS_AUTHENTICATION_NONE
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# EDNS0 option to pad the size of the DNS query to the given blocksize
# 128 is currently recommended by 
# https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03
tls_query_padding_blocksize: 128

# EDNS0 option for ECS client privacy as described in Section 7.1.2 of
# https://tools.ietf.org/html/rfc7871
edns_client_subnet_private : 1

# EDNS0 option for keepalive idle timeout in ms as specified in
# https://tools.ietf.org/html/rfc7828
# This keeps idle TLS connections open to avoid the overhead of opening a new 
# connection for every query.
idle_timeout: 10000

# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
# and IPv6. It will listen on port 53 by default. Use <IP_address>@<port> to 
# specify a different port
listen_addresses:
  - 127.0.0.1@8053

# Instructs stubby to distribute queries across all available name servers. 
# Set to 0 to treat the upstreams below as an ordered list and use a single
# upstream until it becomes unavailable, then use the next one.
round_robin_upstreams: 1

# Require DNSSEC validation. For releases earlier than 1.2 a trust anchor must
# be configured configured manually. This can be done with unbound-anchor.
dnssec_return_status: GETDNS_EXTENSION_TRUE

# Specify the location of the installed trust anchor file (leave commented out
# for zero configuration DNSSEC)
# dnssec_trust_anchors: "/etc/unbound/getdns-root.key"
dnssec_trust_anchors: "/var/lib/unbound/root.key"

# Specify the list of upstream recursive name servers to send queries to
# In Strict mode upstreams need either a tls_auth_name or a tls_pubkey_pinset
# so the upstream can be authenticated.
# The list below includes all the available test servers but only has the subset
# operated the stubby/getdns developers enabled. You can enable any of the
# others you want to use by uncommenting the relevant section. See:
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
# If you don't have IPv6 then comment then out those upstreams.
# In Opportunistic mode they only require an IP address in address_data.
# The information for an upstream can include the following:
# - address_data: IPv4 or IPv6 address of the upstream
#   port: Port for UDP/TCP (default is 53)
#   tls_auth_name: Authentication domain name checked against the server
#                  certificate
#   tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
#                      certificate
#     - digest: Only "sha256" is currently supported
#       value: Base64 encoded value of the sha256 fingerprint of the public
#              key
#   tls_port: Port for TLS (default is 853)
upstream_recursive_servers:
# IPv4 addresses
# The 1.1.1.1 Cloudflare Servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

root@DNS:/# tail -n20 /var/log/pihole.log
Nov 11 16:20:26 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:20:26 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:31 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:20:31 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:36 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:20:36 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:46 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:20:46 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:51 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:20:51 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:56 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:20:56 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:21:03 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:21:03 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:21:08 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:21:08 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:21:11 dnsmasq[1420]: validation result is INSECURE
Nov 11 16:21:11 dnsmasq[1420]: reply facebook.com is 157.240.241.35
Nov 11 16:22:12 dnsmasq[1420]: query[A] facebook.com from 172.20.5.2
Nov 11 16:22:12 dnsmasq[1420]: cached facebook.com is 157.240.241.35
root@DNS:/# tail -n50 /var/log/unbound.log 
Nov 11 21:20:56 unbound[1869:1] info: query response was THROWAWAY
Nov 11 21:20:56 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN
Nov 11 21:20:56 unbound[1869:1] info: resolving facebook.com. A IN
Nov 11 21:21:01 unbound[1869:1] info: response for facebook.com. DS IN
Nov 11 21:21:01 unbound[1869:1] info: reply from <.> 127.0.0.1#8053
Nov 11 21:21:01 unbound[1869:1] info: query response was THROWAWAY
Nov 11 21:21:01 unbound[1869:1] info: DS response was error, thus bogus
Nov 11 21:21:01 unbound[1869:1] info: DS response was error, thus bogus
Nov 11 21:21:01 unbound[1869:1] info: DS response was error, thus bogus
Nov 11 21:21:01 unbound[1869:1] info: DS response was error, thus bogus
Nov 11 21:21:01 unbound[1869:1] info: DS response was error, thus bogus
Nov 11 21:21:01 unbound[1869:1] info: DS response was error, thus bogus
Nov 11 21:21:01 unbound[1869:1] info: resolving facebook.com. DS IN
Nov 11 21:21:03 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN
Nov 11 21:21:03 unbound[1869:1] info: resolving facebook.com. A IN
Nov 11 21:21:06 unbound[1869:1] info: response for facebook.com. DS IN
Nov 11 21:21:06 unbound[1869:1] info: reply from <.> 127.0.0.1#8053
Nov 11 21:21:06 unbound[1869:1] info: query response was THROWAWAY
Nov 11 21:21:08 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN
Nov 11 21:21:08 unbound[1869:1] info: resolving facebook.com. A IN
Nov 11 21:21:11 unbound[1869:1] info: response for facebook.com. DS IN
Nov 11 21:21:11 unbound[1869:1] info: reply from <.> 127.0.0.1#8053
Nov 11 21:21:11 unbound[1869:1] info: query response was THROWAWAY
Nov 11 21:21:11 unbound[1869:1] info: response for facebook.com. DS IN
Nov 11 21:21:11 unbound[1869:1] info: reply from <.> 127.0.0.1#8053
Nov 11 21:21:11 unbound[1869:1] info: query response was nodata ANSWER
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: NSEC3s for the referral proved no DS.
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 45.143035 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 35.147836 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 19.683813 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 24.684877 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 8.101218 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 14.682845 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 40.148779 0 57
Nov 11 21:21:11 unbound[1869:1] info: Verified that unsigned response is INSECURE
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 3.100717 0 57

Those logs are from when I tried using dig @172.20.5.2 facebook.com a couple of times in a row, all of which timed out:

;; connection timed out; no servers could be reached

After waiting a full minute and trying the dig again, it came back immediately. I assumed the original query finally made it back to pihole and got cached though.

What are some other ways to troubleshoot this and find where exactly is causing this slow down?

Any off-the-cuff ideas for what could be wrong?
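One way to narrow down where the time goes, using only the two logs shown in the post above (an added example, not part of the original post): unbound's log-replies lines end with rcode, seconds to resolve, from-cache flag and size, so each reply can be traced back to the moment its query arrived and matched to a dnsmasq "forwarded" line. The sample lines are copied from the post; the year and the whole-hour clock offset between the two logs are assumptions inferred from the page.

```python
import re
from datetime import datetime, timedelta

YEAR = 2022  # assumption: syslog-style stamps omit the year; taken from the dig output date

# Sample input: "forwarded"/"reply" lines copied from the pihole.log excerpt above.
PIHOLE_LOG = """\
Nov 11 16:20:26 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:31 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:36 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:46 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:51 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:20:56 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:21:03 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:21:08 dnsmasq[1420]: forwarded facebook.com to 127.0.0.1#5335
Nov 11 16:21:11 dnsmasq[1420]: reply facebook.com is 157.240.241.35
"""

# Sample input: log-replies lines copied from the unbound.log excerpt above.
UNBOUND_LOG = """\
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 45.143035 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 35.147836 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 19.683813 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 24.684877 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 8.101218 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 14.682845 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 40.148779 0 57
Nov 11 21:21:11 unbound[1869:1] info: 127.0.0.1 facebook.com. A IN NOERROR 3.100717 0 57
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
FORWARDED = re.compile(TS + r" dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")
ANSWERED = re.compile(TS + r" dnsmasq\[\d+\]: reply (\S+) is ")
# client, name, type, class, rcode, seconds to resolve, from-cache flag, size
UB_REPLY = re.compile(
    TS + r" unbound\[[\d:]+\] info: \S+ (\S+) \S+ \S+ ([A-Z]+) (\d+\.\d+) ([01]) \d+$")


def ts(text):
    """Parse a syslog-style timestamp, supplying the assumed year."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def clock_offset(pihole_log, unbound_log):
    """Whole-hour offset between the logs, inferred from the last reply in each."""
    dm = [ts(m.group(1)) for l in pihole_log.splitlines() if (m := ANSWERED.match(l))]
    ub = [ts(m.group(1)) for l in unbound_log.splitlines() if (m := UB_REPLY.match(l))]
    if not dm or not ub:
        return timedelta(0)
    return timedelta(hours=round((ub[-1] - dm[-1]).total_seconds() / 3600))


def held_queries(pihole_log, unbound_log, tolerance=1.0):
    """Pair each dnsmasq 'forwarded' line with the unbound reply that answered it."""
    offset = clock_offset(pihole_log, unbound_log)
    pending = []
    for line in unbound_log.splitlines():
        m = UB_REPLY.match(line)
        if m and m.group(5) == "0":          # skip answers served from unbound's cache
            answered = ts(m.group(1)) - offset
            held = float(m.group(4))
            pending.append({"name": m.group(2).rstrip("."), "rcode": m.group(3),
                            "held": held, "answered": answered,
                            # reply time minus time-to-resolve = when unbound got the query
                            "arrived": answered - timedelta(seconds=held)})
    rows = []
    for line in pihole_log.splitlines():
        m = FORWARDED.match(line)
        if not m:
            continue
        sent = ts(m.group(1))
        hit = next((r for r in pending if r["name"] == m.group(2)
                    and abs((r["arrived"] - sent).total_seconds()) <= tolerance), None)
        if hit:
            pending.remove(hit)
        rows.append({"forwarded": sent, "name": m.group(2),
                     "upstream": m.group(3), "unbound": hit})
    return rows


if __name__ == "__main__":
    for row in held_queries(PIHOLE_LOG, UNBOUND_LOG):
        ub = row["unbound"]
        state = f"held {ub['held']:.1f}s, {ub['rcode']}" if ub else "no matching reply"
        print(f"{row['forwarded']:%H:%M:%S} {row['name']} -> {row['upstream']}: {state}")
```

Every retry pairs with a reply whose time-to-resolve equals the client's wait, and all of them were answered at the same instant, which places the wait on unbound's side of the chain (unbound, stubby or the upstream) rather than between Pi-hole and unbound.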

What's your motivation for injecting unbound into your resolution chain?

By the configuration you've shared, it would seem that all that unbound does for you is forwarding all DNS requests to stubby.

This would suggest you could configure Pi-hole to use stubby directly as its only upstream DNS resolver, eliminating unbound completely.

I was just copying my existing pihole configuration. It was set up a while ago, but if I recall correctly, I was following a tutorial that integrated some sanitization/privacy options in unbound.

Here is the full configuration of unbound:

root@DNS:/# cat /etc/unbound/unbound.conf.d/pi-hole-dot.conf 
server:
    # Network settings
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: no

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 2

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    #so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
root@DNS:/# cat /etc/unbound/unbound.conf.d/privacy.conf 
server:
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes
root@DNS:/# cat /etc/unbound/unbound.conf.d/qname-minimisation.conf 
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.

    qname-minimisation: yes

If the privacy options can be implemented in stubby/pihole then I am all for eliminating the extra step.

The configuration from our unbound guide is targeting to configure unbound as a recursive resolver.

Forwarding all requests to an upstream resolver instead means you are giving up on that target completely.

Did you decide to switch from recursive resolver to DNS-over-TLS (DoT) instead?

In that case, you could also eliminate stubby and keep unbound and use it as a forwarding DoT resolver instead, see e.g. Recursive DNS server on pihole when using Public recursive name server - #3 by jfb.

Sounds good to me. I'll switch the DNS over TLS to unbound and eliminate stubby.

I'll report back with speed results.

Since you stick with unbound:
If you'd run an OS of the Debian Bullseye variety, you may want to check for potential DNS loops caused by an unlucky combination of unbound's and openresolv's package defaults.

Check your unbound configuration for potentially unwanted references to resolvconf_resolvers.conf

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

  1. Edit file /etc/resolvconf.conf and comment out the last line which should then read:

#unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  2. Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  3. Restart unbound:

sudo service unbound restart

Changed unbound over to DNSoverTLS and removed stubby.

It seems unbound may or may not be the problem here. dig lookups directly to unbound result in an immediate SERVFAIL.

This is all the configs for unbound:

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/dnsovertls.conf:server:
/etc/unbound/unbound.conf.d/dnsovertls.conf:    do-not-query-localhost: no
/etc/unbound/unbound.conf.d/dnsovertls.conf:forward-zone:
/etc/unbound/unbound.conf.d/dnsovertls.conf:  name: "."
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-ssl-upstream: yes
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-addr: 1.1.1.1@853
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-addr: 1.0.0.1@853
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-addr: 8.8.8.8@853
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:server:
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-tcp: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    num-threads: 4
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/privacy.conf:server:
/etc/unbound/unbound.conf.d/privacy.conf:    minimal-responses: yes
/etc/unbound/unbound.conf.d/privacy.conf:    hide-identity: yes
/etc/unbound/unbound.conf.d/privacy.conf:    hide-version: yes
/etc/unbound/unbound.conf.d/logs.conf:server:
/etc/unbound/unbound.conf.d/logs.conf:    logfile: "/var/log/unbound.log"
/etc/unbound/unbound.conf.d/logs.conf:    log-time-ascii: yes
/etc/unbound/unbound.conf.d/logs.conf:    log-queries: yes
/etc/unbound/unbound.conf.d/logs.conf:    log-replies: yes
/etc/unbound/unbound.conf.d/logs.conf:    verbosity: 2
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/netdata.conf:server:
/etc/unbound/unbound.conf.d/netdata.conf:    statistics-interval: 0
/etc/unbound/unbound.conf.d/netdata.conf:    extended-statistics: yes
/etc/unbound/unbound.conf.d/netdata.conf:    statistics-cumulative: yes
/etc/unbound/unbound.conf.d/netdata.conf:remote-control:
/etc/unbound/unbound.conf.d/netdata.conf:    control-enable: no

No matter what domain:

root@DNS:/# dig @127.0.0.1 -p 5335 facebook.com 

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 5335 facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13894
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Nov 11 17:42:04 EST 2022
;; MSG SIZE  rcvd: 41

root@DNS:/# dig @127.0.0.1 -p 5335 debian.org

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 5335 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Nov 11 17:42:15 EST 2022
;; MSG SIZE  rcvd: 39

Unbound Log:

Nov 11 17:42:04 unbound[18445:1] info: 127.0.0.1 facebook.com. A IN
Nov 11 17:42:04 unbound[18445:1] info: resolving facebook.com. A IN
Nov 11 17:42:04 unbound[18445:1] info: 127.0.0.1 facebook.com. A IN SERVFAIL 0.000000 0 41
Nov 11 17:42:15 unbound[18445:0] info: 127.0.0.1 debian.org. A IN
Nov 11 17:42:15 unbound[18445:0] info: resolving debian.org. A IN
Nov 11 17:42:15 unbound[18445:0] info: 127.0.0.1 debian.org. A IN SERVFAIL 0.000000 0 39

I can't seem to find any solutions online for the unbound SERVFAIL.

NTP is functioning:

root@DNS:/# timedatectl
               Local time: Fri 2022-11-11 18:16:37 EST
           Universal time: Fri 2022-11-11 23:16:37 UTC
                 RTC time: n/a
                Time zone: America/New_York (EST, -0500)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no

Sometimes the query times out, but immediately afterwards will SERVFAIL

root@DNS:/# dig @127.0.0.1 -p 5335 debian.org

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 5335 debian.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

root@DNS:/# tail -n10 /var/log/unbound.log 
Nov 11 18:01:57 unbound[105:2] info: resolving debian.org. A IN
Nov 11 18:01:57 unbound[105:2] info: 127.0.0.1 debian.org. A IN SERVFAIL 0.000000 0 39
Nov 11 18:01:57 unbound[105:2] info: 127.0.0.1 debian.org. A IN
Nov 11 18:01:57 unbound[105:2] info: 127.0.0.1 debian.org. A IN SERVFAIL 0.000000 1 39
Nov 11 18:18:19 unbound[105:1] info: 127.0.0.1 debian.org. A IN
Nov 11 18:18:19 unbound[105:1] info: resolving debian.org. A IN
Nov 11 18:18:24 unbound[105:1] info: 127.0.0.1 debian.org. A IN
Nov 11 18:18:24 unbound[105:1] info: resolving debian.org. A IN
Nov 11 18:18:29 unbound[105:1] info: 127.0.0.1 debian.org. A IN
Nov 11 18:18:29 unbound[105:1] info: resolving debian.org. A IN
root@DNS:/# dig @127.0.0.1 -p 5335 debian.org

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 5335 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18754
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Nov 11 18:19:09 EST 2022
;; MSG SIZE  rcvd: 39

root@DNS:/# tail -n10 /var/log/unbound.log 
Nov 11 18:01:57 unbound[105:2] info: 127.0.0.1 debian.org. A IN SERVFAIL 0.000000 1 39
Nov 11 18:18:19 unbound[105:1] info: 127.0.0.1 debian.org. A IN
Nov 11 18:18:19 unbound[105:1] info: resolving debian.org. A IN
Nov 11 18:18:24 unbound[105:1] info: 127.0.0.1 debian.org. A IN
Nov 11 18:18:24 unbound[105:1] info: resolving debian.org. A IN
Nov 11 18:18:29 unbound[105:1] info: 127.0.0.1 debian.org. A IN
Nov 11 18:18:29 unbound[105:1] info: resolving debian.org. A IN
Nov 11 18:19:09 unbound[105:0] info: 127.0.0.1 debian.org. A IN
Nov 11 18:19:09 unbound[105:0] info: resolving debian.org. A IN
Nov 11 18:19:09 unbound[105:0] info: 127.0.0.1 debian.org. A IN SERVFAIL 0.000000 0 39

It seems you are violating the required format for configuring unbound's forward-addr for DoT servers.
Please try with the suggestions from the linked post exactly as posted, i.e.

     forward-addr: 9.9.9.9@853#dns.quad9.net

Specifically note that the name of the DoT server is significant here.
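The forward-addr format from the reply above, turned into a check that runs over the `grep -R` output format used in this thread; this is an added example, not code from the thread or from the unbound project. Per unbound.conf(5), a forward-addr without `#name` accepts any certificate name; the tls-cert-bundle and do-tcp checks also follow the man page (DoT is carried over TCP) and are not points the thread makes. `CONSTRUCTED` is a made-up comparison config.

```python
# Input format assumption: every line is "<file>:<config line>", as printed by
# `grep -R` over /etc/unbound/unbound.conf* earlier in the thread.

# Excerpt of the configuration posted above (unrelated lines left out).
POSTED = """\
/etc/unbound/unbound.conf.d/dnsovertls.conf:server:
/etc/unbound/unbound.conf.d/dnsovertls.conf:    do-not-query-localhost: no
/etc/unbound/unbound.conf.d/dnsovertls.conf:forward-zone:
/etc/unbound/unbound.conf.d/dnsovertls.conf:  name: "."
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-ssl-upstream: yes
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-addr: 1.1.1.1@853
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-addr: 1.0.0.1@853
/etc/unbound/unbound.conf.d/dnsovertls.conf:    forward-addr: 8.8.8.8@853
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:server:
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-tcp: no
"""

# Constructed for comparison; not a configuration from the thread.
CONSTRUCTED = """\
dot.conf:server:
dot.conf:    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
dot.conf:    do-tcp: yes
dot.conf:forward-zone:
dot.conf:    name: "."
dot.conf:    forward-tls-upstream: yes
dot.conf:    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

# forward-ssl-upstream is the older spelling of forward-tls-upstream.
ZONE_TLS_KEYS = ("forward-tls-upstream", "forward-ssl-upstream")
SERVER_TLS_KEYS = ("tls-upstream", "ssl-upstream")


def parse(grep_output):
    """Merge all server: clauses into one dict and collect each forward-zone."""
    server, zones, clause = {}, [], None
    for raw in grep_output.splitlines():
        text = raw.partition(":")[2].strip()      # drop the "<file>:" prefix
        if not text or text.startswith("#"):
            continue
        key, _, value = text.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                              # "server:", "forward-zone:" open a clause
            clause = key
            if clause == "forward-zone":
                zones.append({"addrs": []})
            continue
        value = value.strip('"')
        if clause == "server":
            server[key] = value
        elif clause == "forward-zone":
            if key == "forward-addr":
                zones[-1]["addrs"].append(value)
            else:
                zones[-1][key] = value
    return server, zones


def lint(grep_output):
    """Return (code, detail) findings for forward zones that use TLS upstream."""
    server, zones = parse(grep_output)
    global_tls = any(server.get(k) == "yes" for k in SERVER_TLS_KEYS)
    tls_zones = [z for z in zones
                 if global_tls or any(z.get(k) == "yes" for k in ZONE_TLS_KEYS)]
    findings = []
    for zone in tls_zones:
        for addr in zone["addrs"]:
            if not addr.partition("#")[2]:         # expected form: IP@853#auth.name
                findings.append(("no-auth-name",
                                 f"{addr}: no #name, so any certificate name is accepted"))
    if tls_zones:
        if not server.get("tls-cert-bundle"):
            findings.append(("no-cert-bundle",
                             "tls-cert-bundle unset: no CA list to verify upstreams against"))
        if server.get("do-tcp") == "no":
            findings.append(("tcp-disabled",
                             "do-tcp: no, but DoT upstream queries are sent over TCP"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, lint(text) or "no findings")
```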

Added the names, but it's saying SERVFAIL:

root@DNS:/etc/unbound/unbound.conf.d# dig @127.0.0.1 -p 5335 debian.org

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 5335 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4608
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Nov 11 18:36:59 EST 2022
;; MSG SIZE  rcvd: 39

root@DNS:/etc/unbound/unbound.conf.d# dig @127.0.0.1 -p 5335 debian.org

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 5335 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42472
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Nov 11 18:37:01 EST 2022
;; MSG SIZE  rcvd: 39

Full config:

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/dnsovertls.conf:server:
/etc/unbound/unbound.conf.d/dnsovertls.conf:    do-not-query-localhost: no
/etc/unbound/unbound.conf.d/dnsovertls.conf:    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
/etc/unbound/unbound.conf.d/dnsovertls.conf:forward-zone:
/etc/unbound/unbound.conf.d/dnsovertls.conf:    name: "."
/etc/unbound/unbound.conf.d/dnsovertls.conf:        forward-ssl-upstream: yes
/etc/unbound/unbound.conf.d/dnsovertls.conf:        forward-addr: 1.1.1.1@853#cloudflare-dns.com
/etc/unbound/unbound.conf.d/dnsovertls.conf:        forward-addr: 1.0.0.1@853#cloudflare-dns.com
/etc/unbound/unbound.conf.d/dnsovertls.conf:        forward-addr: 9.9.9.9@853#dns.quad9.net
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:server:
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-tcp: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    num-threads: 4
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole-dot.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/privacy.conf:server:
/etc/unbound/unbound.conf.d/privacy.conf:    minimal-responses: yes
/etc/unbound/unbound.conf.d/privacy.conf:    hide-identity: yes
/etc/unbound/unbound.conf.d/privacy.conf:    hide-version: yes
/etc/unbound/unbound.conf.d/privacy.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/logs.conf:server:
/etc/unbound/unbound.conf.d/logs.conf:    logfile: "/var/log/unbound.log"
/etc/unbound/unbound.conf.d/logs.conf:    log-time-ascii: yes
/etc/unbound/unbound.conf.d/logs.conf:    log-queries: yes
/etc/unbound/unbound.conf.d/logs.conf:    log-replies: yes
/etc/unbound/unbound.conf.d/logs.conf:    verbosity: 2
/etc/unbound/unbound.conf.d/netdata.conf:server:
/etc/unbound/unbound.conf.d/netdata.conf:    statistics-interval: 0
/etc/unbound/unbound.conf.d/netdata.conf:    extended-statistics: yes
/etc/unbound/unbound.conf.d/netdata.conf:    statistics-cumulative: yes
/etc/unbound/unbound.conf.d/netdata.conf:remote-control:
/etc/unbound/unbound.conf.d/netdata.conf:    control-enable: no

I ran unbound in foreground with verbosity, and the debug logs don't reveal much.
The line that is somewhat interesting:
debug: dnssec status: not expected

No clue what that means, and basically zero google results.

Just to cover my bases (just a wild thought), but nope:

root@DNS:/# sudo -u unbound ncat -nvvz 1.1.1.1 853
Ncat: Version 7.80 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-certificates.crt.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 1.1.1.1:853 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [1.1.1.1:853]
Ncat: Connected to 1.1.1.1:853.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
Ncat: 0 bytes sent, 0 bytes received in 0.02 seconds.
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1)
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2)

I'm afraid this is going to have to be a bug report directly to unbound, I have no clue how to solve this.

Full journal output from dig command:

Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: cache memory msg=66300 rrset=66072 infra=8699 val=66352 subnet=74504
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: 2RDd mod2 rep reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: 1RDd mod2 rep reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: 0RDd mod2 rep reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info:   32.000000   64.000000 3
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info:    8.000000   16.000000 1
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info:    4.000000    8.000000 1
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info:    0.000000    0.000001 1
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: lower(secs) upper(secs) recursions
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: [25%]=6 median[50%]=16 [75%]=48
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: histogram of recursion processing times
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: average recursion processing time 24.420072 sec
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: mesh_run: end 3 recursion states (3 with reply, 0 detached), 3 waiting replies, 6 recursion replies sent, 0 replies dropped, 0 states jostled out
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: mesh_run: iterator module exit state is module_wait_reply
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: pending_tcp_query: queue to wait
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: reuse_tcp_close_oldest
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find: num reuse streams 0
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: pending_tcp_query
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: dnssec status: not expected
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: sending to target: <.> 1.0.0.1#853
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: sending query: reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: selrtt 24064
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug:    rtt=120000
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: servselect ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug:    rtt=120000
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: attempt to get extra 3 targets
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug:   [dns.quad9.net] ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 3 avail) parentNS
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: processQueryTargets: reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: iter_handle processing q with state QUERY TARGETS STATE
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: forwarding request
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: request has dependency depth of 0
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: resolving reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: iter_handle processing q with state INIT REQUEST STATE
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: process_request: new external request event
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: mesh_run: validator module exit state is module_wait_module
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: validator: pass to next module
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: validator operate: query reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: mesh_run: subnet module exit state is module_wait_module
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: subnet: not found in cache. pass to next module
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] info: subnet operate: query reddit.com. A IN
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_new
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: mesh_run: start
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: udp request from ip4 127.0.0.1 port 42411 (len 16)
Nov 11 19:44:03 DNS unbound[2159]: [2159:1] debug: answer from the cache failed
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: cache memory msg=66300 rrset=66072 infra=8699 val=66352 subnet=74504
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: 1RDd mod2 rep reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: 0RDd mod2 rep reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info:   32.000000   64.000000 3
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info:    8.000000   16.000000 1
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info:    4.000000    8.000000 1
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info:    0.000000    0.000001 1
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: lower(secs) upper(secs) recursions
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: [25%]=6 median[50%]=16 [75%]=48
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: histogram of recursion processing times
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: average recursion processing time 24.420072 sec
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: mesh_run: end 2 recursion states (2 with reply, 0 detached), 2 waiting replies, 6 recursion replies sent, 0 replies dropped, 0 states jostled out
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: mesh_run: iterator module exit state is module_wait_reply
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: pending_tcp_query: queue to wait
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: reuse_tcp_close_oldest
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find: num reuse streams 0
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: pending_tcp_query
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: dnssec status: not expected
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: sending to target: <.> 9.9.9.9#853
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: sending query: reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: selrtt 24064
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: servselect ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:    rtt=120000
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: attempt to get extra 3 targets
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:   [dns.quad9.net] ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 3 avail) parentNS
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: processQueryTargets: reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: iter_handle processing q with state QUERY TARGETS STATE
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: forwarding request
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: request has dependency depth of 0
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: resolving reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: iter_handle processing q with state INIT REQUEST STATE
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: process_request: new external request event
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: mesh_run: validator module exit state is module_wait_module
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: validator: pass to next module
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: validator operate: query reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: mesh_run: subnet module exit state is module_wait_module
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: subnet: not found in cache. pass to next module
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] info: subnet operate: query reddit.com. A IN
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_new
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: mesh_run: start
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: udp request from ip4 127.0.0.1 port 42411 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: answer from the cache failed
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: cache memory msg=66300 rrset=66072 infra=8699 val=66352 subnet=74504
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: 0RDd mod2 rep reddit.com. A IN
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info:   32.000000   64.000000 3
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info:    8.000000   16.000000 1
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info:    4.000000    8.000000 1
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info:    0.000000    0.000001 1
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: lower(secs) upper(secs) recursions
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: [25%]=6 median[50%]=16 [75%]=48
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: histogram of recursion processing times
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: average recursion processing time 24.420072 sec
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 6 recursion replies sent, 0 replies dropped, 0 states jostled out
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: mesh_run: iterator module exit state is module_wait_reply
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: pending_tcp_query: queue to wait
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: reuse_tcp_close_oldest
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find: num reuse streams 0
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: pending_tcp_query
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: dnssec status: not expected
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: sending to target: <.> 1.1.1.1#853
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: sending query: reddit.com. A IN
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: selrtt 24064
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: servselect ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: attempt to get extra 3 targets
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:   [dns.quad9.net] ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (0 result, 3 avail) parentNS
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: processQueryTargets: reddit.com. A IN
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: iter_handle processing q with state QUERY TARGETS STATE
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: forwarding request
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: request has dependency depth of 0
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: resolving reddit.com. A IN
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: iter_handle processing q with state INIT REQUEST STATE
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: process_request: new external request event
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: mesh_run: validator module exit state is module_wait_module
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: validator: pass to next module
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: validator operate: query reddit.com. A IN
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: mesh_run: subnet module exit state is module_wait_module
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: subnet: not found in cache. pass to next module
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] info: subnet operate: query reddit.com. A IN
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_new
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: mesh_run: start
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: udp request from ip4 127.0.0.1 port 42411 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: answer from the cache failed

Answer was here:

do-tcp: yes

Apparently the upstream TLS connection needs that setting to work. I originally thought it was just for the listening part.


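As an added example (not code from the original post or from the unbound project), the Python below reads debug lines like the ones pasted above and reports the symptom that `do-tcp: yes` resolved: every query to a port-853 upstream is parked in the TCP wait queue, no stream is ever open, and upstreams end up at the maximum rtt. The sample lines are constructed from the thread's log, and treating `rtt=120000` as the timed-out value is an assumption drawn from that log.

```python
import re

# Constructed sample modelled on the unbound debug lines in this thread,
# newest entry first, the order in which the log was pasted.
SAMPLE_LOG = """\
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: pending_tcp_query: queue to wait
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: reuse_tcp_find: num reuse streams 0
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: sending to target: <.> 9.9.9.9#853
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: servselect ip4 9.9.9.9 port 853 (len 16)
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug:    rtt=120000
Nov 11 19:43:58 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.1.1.1 port 853 (len 16)
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: pending_tcp_query: queue to wait
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: sending to target: <.> 1.1.1.1#853
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug:    rtt=24064
Nov 11 19:43:53 DNS unbound[2159]: [2159:1] debug: servselect ip4 1.1.1.1 port 853 (len 16)
"""

TIMED_OUT_RTT = 120000  # assumption: rtt the log shows once an upstream never answered
SERVSELECT = re.compile(r"servselect ip4 (\S+) port (\d+)")
RTT = re.compile(r"\brtt=(\d+)")  # does not match the separate "selrtt N" lines
TARGET = re.compile(r"sending to target: <\.> (\S+)#(\d+)")
STREAMS = re.compile(r"num reuse streams (\d+)")


def analyze(log_text, newest_first=True):
    """Summarise upstream health from unbound debug log lines."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()  # walk the log in chronological order
    rtt, current, sent, queued, max_streams = {}, None, [], 0, 0
    for line in lines:
        if m := SERVSELECT.search(line):
            current = f"{m.group(1)}@{m.group(2)}"  # its rtt= line comes next
        elif (m := RTT.search(line)) and current:
            rtt[current], current = int(m.group(1)), None
        elif m := TARGET.search(line):
            sent.append(f"{m.group(1)}@{m.group(2)}")
        elif "pending_tcp_query: queue to wait" in line:
            queued += 1
        elif m := STREAMS.search(line):
            max_streams = max(max_streams, int(m.group(1)))
    return {
        "last_rtt": rtt,
        "timed_out": sorted(u for u, v in rtt.items() if v >= TIMED_OUT_RTT),
        "sent_to": sent,
        # Every outgoing query queued and no TCP stream ever open: the TLS
        # upstreams are never actually reached.
        "stalled": bool(sent) and queued == len(sent) and max_streams == 0,
    }
```

Calling `analyze(SAMPLE_LOG)` marks 1.1.1.1@853 as timed out and sets `stalled` to true; pass `newest_first=False` for a log saved in chronological order.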