Expected Behaviour:
Up to date pihole install running on a RapPi3B - up to date. Unbound configured via loopback and working correctly w/ IPv4 only - Unifi Network IPv4 local network and internet w/ IPv6 disabled everywhere.
Actual Behaviour:
Enabled IPv6 Static on 2 of my 4 VLAN's. Pihole has valid IPv6 static and self assigned address. DNS resolution stops.
Disabled Custom loopback DNS and enabled CloudFlare IPv4 traffic only - DNS now resolving
Removed and Reinstalled Unbound - IPv6 pihole fe80 address now showing in unbound config file. Dig's directly to Unbound resolve both DNSSEC and normal.
PiHole user interface - Redirecting traffic back to Unbound loopback address DNS resolution fails everywhere.
When I run
cat /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
# Generated by resolvconf
forward-zone:
name: "."
forward-addr: fd00:10::e004:4747:b0ad:5b2d
The IPv6 fwd address is the IPv6 of the Pihole and not sure if that is causing a loop. If it is I havent been able to figure out how to remove it as it keeps coming back.
Debug taken when pihole was configured to point to cloudflare to allow my network to work while I debug.
Debug Token:
https://tricorder.pi-hole.net/i4J4nY5v/
pi@raspberrypi:~ $ sudo cat /etc/unbound/unbound.conf.d/pi-hole.conf
server:
# If no logfile is specified, syslog is used
logfile: "/var/log/unbound/unbound.log"
verbosity: 1
interface: 127.0.0.1
interface: fe80::238a:6f19:4c8f:23b8
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to no if you don't have IPv6 connectivity
do-ip6: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
# root-hints: "/var/lib/unbound/root.hints"
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
private-address: 192.0.2.0/24
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 255.255.255.255/32
private-address: 2001:db8::/32
pi@raspberrypi:~ $ dig www.microsoft.com @127.0.0.1 -p 5335
; <<>> DiG 9.16.50-Raspbian <<>> www.microsoft.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25654
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.microsoft.com. IN A
;; ANSWER SECTION:
www.microsoft.com. 3074 IN CNAME www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net. 374 IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. 374 IN CNAME e13678.dscb.akamaiedge.net.
e13678.dscb.akamaiedge.net. 0 IN A 23.78.9.173
;; Query time: 60 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Jul 17 12:51:08 EDT 2025
;; MSG SIZE rcvd: 213
If you want unbound to work via IPv4 only, why did change your unbound's pi-hole.conf
to include IPv6 details?
Did you Disable resolvconf.conf
entry for unbound
yet?
Thank! Disabled resolvconf.conf entry in unbound which got it working and removed the IPv6 details in unbound/pi-hole.conf for good measure as I added them while trying other troubleshooting steps.