First Pihole check + why is unbound not working (Manjaro)

Hi there,

This is my first Pi-hole install.
It's a Docker container on my nomad laptop, not on a server.
I'd like to ascertain I did it well and to understand why unbound doesn't want my .conf.
(This is also one of my first containers^^)
I shouldn't use DHCP as I depend on the various boxes I connect to: my goal is to have Pi-hole replace the NextDNS I was using in giving me non-cheating DNS, ad, tracker and script protection.

I'd also like to use DoH, but Unbound doesn't want my .conf :confused:

Thank you for your insights!

PC

➜  pihole inxi -z -MSC; free ; swapon -s 

System:
  Kernel: 6.9.9-1-MANJARO arch: x86_64 bits: 64
  Desktop: Xfce v: 4.18.1 Distro: Manjaro Linux
Machine:
  Type: Laptop System: HP product: Victus by HP Laptop 16-e0xxx v: N/A
    serial: <superuser required>
  Mobo: HP model: 8934 v: 80.73 serial: <superuser required> UEFI: AMI
    v: F.19 date: 10/17/2023
CPU:
  Info: 6-core model: AMD Ryzen 5 5600H with Radeon Graphics bits: 64
    type: MT MCP cache: L2: 3 MiB
  Speed (MHz): avg: 1403 min/max: 400/4280 cores: 1: 1449 2: 400 3: 400
    4: 400 5: 1984 6: 1746 7: 1916 8: 400 9: 2092 10: 2019 11: 1703 12: 2331
               total       utilisé      libre     partagé tamp/cache   disponible
Mem:           15322       12753         368         658        3187        2569
Échange:       32767        4953       27814
Nom fichier				Type		Taille		Utilisé		Priorité
/swapfile                               file		33554428	5072384		-2
➜  pihole 

  • .env
WEBPASSWORD=super123456
TZ=Europe/Paris
PIHOLE_DNS_=91.239.100.100;89.233.43.71;9.9.9.9  # Uncensored DNS & fallback & Quad9

  • docker-compose.yml

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "5354:53/tcp"
      - "5354:53/udp"
      - "80:80/tcp"
    env_file:
      - .env
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.2'
          memory: 256M

networks:
  default:
    name: pihole_network

debug token : https://tricorder.pi-hole.net/LbXThv21/

For unbound.conf

➜  ~ cat /etc/unbound/unbound.conf
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    msg-cache-size: 128m
    rrset-cache-size: 256m

    edns-buffer-size: 1472

    prefetch: yes
    prefetch-key: yes
    qname-minimisation: yes

    statistics-interval: 0
    extended-statistics: yes

    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # UncensoredDNS
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
    forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net

➜  ~ 
➜  ~ sudo unbound-checkconf
[sudo] Mot de passe de sum : 
/etc/unbound/var/lib/unbound/root.key: No such file or directory
[1721635472] unbound-checkconf[83349:0] fatal error: auto-trust-anchor-file: "/var/lib/unbound/root.key" does not exist in chrootdir /etc/unbound
➜  ~ 

I'll answer myself.
The partial culprit is here:

Unbound is chrooted on Arch (thus on Manjaro)

The proper and complete setup seems to be:

    root-hints: root.hints
    trust-anchor-file: trusted-key.key
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    tls-ciphers: "HIGH:!aNULL:!MD5:!3DES"

Well, at least it's working.

For the DNS resolver I dropped Quad9 and replaced it with OpenNIC (and kept UncensoredDNS).
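The `unbound-checkconf` failure above comes from Unbound resolving file paths after it has chrooted: with `chroot` at its default of `/etc/unbound` (the value the error message reports), the absolute path `/var/lib/unbound/root.key` is opened as `/etc/unbound/var/lib/unbound/root.key` on the host, which is why the self-answer's relative paths work. The following pre-flight checker is an added example written for this thread, not code from Pi-hole, Unbound or the poster; it assumes Unbound's documented path rules (a path already under the chroot is used as-is, any other absolute path gets the chroot prefixed, a relative path is relative to `directory` inside the chroot) and a default `chroot`/`directory` of `/etc/unbound`. The config texts and the fake filesystem set are constructed for the demo.

```python
"""Pre-flight check: do the files named in an unbound.conf exist where a
chrooted Unbound will actually look for them?  (Added example; hypothetical
helper, not part of Unbound or Pi-hole.)"""
import os
from typing import Callable, List, Tuple

# server: options whose value is a file Unbound opens after chrooting.
FILE_OPTIONS = {
    "auto-trust-anchor-file", "trust-anchor-file", "root-hints",
    "tls-cert-bundle", "tls-service-key", "tls-service-pem",
}

# Unbound's compiled-in defaults; the error in this thread confirms the
# chrootdir on Arch/Manjaro is /etc/unbound (assumption for other builds).
DEFAULT_CHROOT = "/etc/unbound"
DEFAULT_DIRECTORY = "/etc/unbound"


def parse_options(conf_text: str) -> List[Tuple[str, str]]:
    """Return (option, value) pairs; comments and quotes are stripped."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip().strip('"')))
    return pairs


def _under(path: str, chroot: str) -> bool:
    c = chroot.rstrip("/")
    return path == c or path.startswith(c + "/")


def host_path(path: str, chroot: str, directory: str = DEFAULT_DIRECTORY) -> str:
    """Host-side path Unbound will open for `path` once chrooted."""
    if os.path.isabs(path):
        if not chroot or _under(path, chroot):
            return path
        return chroot.rstrip("/") + path
    # Relative: relative to the working directory, itself subject to the chroot.
    return os.path.join(host_path(directory, chroot), path)


def check_config(conf_text: str,
                 exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """One problem line per file option whose host-side path is missing."""
    options = parse_options(conf_text)
    chroot, directory = DEFAULT_CHROOT, DEFAULT_DIRECTORY
    for name, value in options:
        if name == "chroot":
            chroot = value          # `chroot: ""` disables the chroot
        elif name == "directory":
            directory = value
    problems = []
    for name, value in options:
        if name in FILE_OPTIONS:
            hp = host_path(value, chroot, directory)
            if not exists(hp):
                problems.append(
                    f'{name}: "{value}" -> {hp} does not exist '
                    f'(chroot: {chroot or "disabled"})')
    return problems


# Constructed configs: the thread's failing one and two ways to fix it.
BROKEN_CONF = '''server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
'''
FIXED_RELATIVE_CONF = '''server:
    root-hints: root.hints
    trust-anchor-file: trusted-key.key
'''
FIXED_NO_CHROOT_CONF = '''server:
    chroot: ""
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
'''

# Constructed stand-in for the host filesystem (no real files touched).
FAKE_FS = {
    "/var/lib/unbound/root.key",
    "/etc/unbound/root.hints",
    "/etc/unbound/trusted-key.key",
}


def demo() -> dict:
    """Run the checker over the three constructed configs."""
    return {
        "broken": check_config(BROKEN_CONF, FAKE_FS.__contains__),
        "relative": check_config(FIXED_RELATIVE_CONF, FAKE_FS.__contains__),
        "no_chroot": check_config(FIXED_NO_CHROOT_CONF, FAKE_FS.__contains__),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Running it against a real host is `check_config(open("/etc/unbound/unbound.conf").read())`; with the thread's original config the only complaint is the `/etc/unbound/var/lib/unbound/root.key` path, exactly what `unbound-checkconf` reported.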
