[GUIDE] Fixing Unbound SERVFAIL / Timeouts behind a UDM Pro + Pi-hole Matrix

General Customizing Pi-hole
1

The Problem

If you try to run a local Unbound instance (often paired with Pi-hole) behind a Ubiquiti Dream Machine (UDM Pro/SE), you will frequently run into massive 2-to-5-second resolution delays, random SERVFAIL drops, or outright connection timeouts.

Standard internet tutorials tell you to configure Unbound as a pure recursive "root-crawler" (module-config: "validator iterator"). While this works on a basic ISP router, it completely breaks behind an advanced UniFi gateway layout.

The Root Cause: The Hidden DNS Loop

When you turn on the UDM’s Encrypted DNS feature (forcing global Cloudflare/Google DoH/DoT stamps) alongside an advanced firewall policy (like routing Pi-hole traffic out a specific WAN or bypassing a WARP tunnel), a double-proxy conflict occurs:

  1. Unbound tries to establish raw, direct, unencrypted iterative connections with the 13 global Root and TLD nameservers over standard UDP/TCP port 53.

  2. The UDM’s Encrypted DNS engine intercepts these outbound root queries and aggressively tries to bundle/force them into a single encrypted HTTPS/TLS tunnel to your provider's DoH endpoint.

  3. The global root infrastructure rejects these forced secure wrappers on standard public endpoints. Session states mismatch, packets fragment and get dropped by the UDM firewall, Unbound times out waiting for responses, and your network suffers a SERVFAIL.

The Solution

By shifting Unbound from a direct root-crawler into a highly optimized caching upstream proxy that aligns perfectly with the UDM’s Anycast DoH endpoints, and by capping packet buffer limits to prevent UDP fragmentation, you achieve a flawless peacekeeping treaty. You retain network-wide ad blocking (Pi-hole), lightning-fast local caching (Unbound), and enterprise-grade encryption (UDM Pro DoH).

Here is the master architectural blueprint.

:world_map: System Architecture & Traffic Flow Map

[ Client Device ]
       │
       ▼ (1) Requests DNS via DHCP
[ UDM Pro Gateway ] (192.168.7.1)
       │
       ▼ (2) Assigns IP & Forces Local DNS
[ Pi-hole v6 Core ] (192.168.7.250:53)
       │   • Processes Ad/Malware Blocks
       │   • Handles Cryptographic DNSSEC Core Math Locally
       │
       ▼ (3) Forwards Clean Queries Locally (Internal Loop)
[ Unbound Local Cache ] (127.0.0.1:5335)
       │   • Checks Ultra-Fast RAM Cache (0ms if cached)
       │   • Clamps Packet Size to 1232 Bytes (Prevents WAN Fragmentation)
       │   • Matches Gateway Cloudflare DoH Endpoints 
       │
       ▼ (4) Outbound Packet Leaves Raspberry Pi IP
[ UDM Pro Policy Engine ]
       │   • Match: Pi-hole IP Bypass Rule ➔ Forces Traffic to WAN1 (Altafiber)
       │   • Action: Captures Port 53 ➔ Wraps in Secure Cloudflare DoH Stamp
       │
       ▼ (5) Secure Encrypted Outbound
[ The Internet ] ➔ Hits Cloudflare DoH Endpoints (162.159.36.1 / .46.1)

:globe_with_meridians: Supported Network Matrix

This configuration cleanly accepts, filters, and resolves traffic across standard internal subnets and remote entry architectures:

  • Internal Subnets: Default LAN (192.168.7.0/24), Wyse/VLAN Subnets (192.168.3.0/24)

  • Inbound VPN Ingress: WireGuard (192.168.2.0/24), OpenVPN (192.168.8.0/24), L2TP (192.168.6.0/24)

:page_facing_up: The Master Configuration File

File Location: /etc/unbound/unbound.conf.d/pi-hole.conf

Plaintext

server:
    # Runtime Logging & Infrastructure Loop
    verbosity: 1
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: yes

    # Structural Integrity Elements
    root-hints: "/var/lib/unbound/root.hints"

    # WAN Peacekeeping & Packet Optimization
    edns-buffer-size: 1232

    # Engine Processing Mode
    # Bypasses the broken legacy validator; Pi-hole v6 core handles DNSSEC math
    module-config: "iterator"

    # Hardware & Performance Tuning (Optimized for Raspberry Pi Architecture)
    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4

    # Memory Allocations (Approx. 32MB Dynamic RAM Cache Footprint)
    rrset-cache-size: 16m
    msg-cache-size: 8m

    # Privacy Protection Standards
    hide-identity: yes
    hide-version: yes
    
    # Proxy Loop Preservation
    # CRITICAL: Keep disabled so the UDM Pro proxy layer doesn't mismatch text casing
    use-caps-for-id: no

    # Internal Access Control Matrix
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow

# Gateway Harmonized Forwarding Targets
# Targets match the precise Anycast DoH Endpoints utilized by the UDM Pro Secure DNS Stamp
forward-zone:
    name: "."
    forward-addr: 162.159.36.1       # Cloudflare DoH Endpoint Primary
    forward-addr: 162.159.46.1       # Cloudflare DoH Endpoint Secondary

:brain: The Operational Guardrails (Why it works)

When deploying or auditing this configuration, these three core parameters are critical to maintaining stability behind a UniFi OS gateway:

1. The Packet Cap (edns-buffer-size: 1232)

  • The Reason: Large DNS responses containing heavy validation signatures can push packet sizes past the standard 1500 MTU WAN threshold, triggering UDP fragmentation. The UDM firewall tightly restricts fragmented UDP traffic to mitigate amplification attacks. Capping this at 1232 forces upstream servers to streamline response packaging, completely evading firewall drops.

2. Bypassed Local Validation (module-config: "iterator")

  • The Reason: Forcing Unbound to act as a recursive root-crawler fails because the UDM intercepts outbound port 53 WAN traffic to feed its native Encrypted DNS engine. This misaligns Unbound's raw stateful tracking. Offloading local validation to a pure iterator allows Pi-hole’s modern core to handle DNSSEC validation safely in-house, while cleanly passing queries forward to the UDM’s encryption layer.

3. Case Randomization Off (use-caps-for-id: no)

  • The Reason: This experimental security feature (0x20 randomization) randomly mixes text casing (e.g., aMvZvN.CoM) to thwart spoofing. However, intermediate secure DNS proxies (like the UDM's internal handler) often normalize incoming strings to clean lowercase before transport. Keeping this disabled prevents Unbound from dropping legitimate replies received from the UDM gateway.

:hammer_and_wrench: Deployment & Verification Commands

Execute this precise sequence to clean background package remnants, verify file syntax, and launch the service loop:

Bash

# 1. Wipe any default package-injected anchor files that override settings behind your back
sudo rm -f /var/lib/unbound/root.key

# 2. Reset native directory ownership to the Unbound runtime daemon account
sudo chown -R unbound:unbound /etc/unbound/

# 3. Check configuration schema integrity for absolute syntax verification
unbound-checkconf

# 4. Perform a hard service restart to commit settings to system memory
sudo systemctl restart unbound

# 5. Test the internal local loop resolution path (Must return NOERROR)
dig google.com @127.0.0.1 -p 5335

:pineapple: Pi-hole Linkage Specification

To bind your ad-blocking engine to the verified local Unbound cache, ensure your /etc/pihole/pihole.toml configuration matches:

Ini, TOML

[dns]
dnssec = true
upstreams = [ "127.0.0.1#5335" ]

Reload Core Engine: sudo systemctl restart pihole-FTL

2

The motivation for opting to run unbound as a recursive resolver (i.e. talking to authoritative DNS servers directly) is to prevent exposing your entire DNS history to some third party DNS service.

Your proposed configuration turns unbound from a recursive resolver into a DoH forwarder, i.e. you again entrust your entire DNS history to a third party DNS provider.

If your goal is to avoid that, I'd recommend to disable UDM's enforced DNS redirection, and allow unbound to freely communicate with authoritative DNS servers as intended.

Alternatively, if you would not care about your DNS history's privacy and leave your UDM's DNS traffic redirection to Cloudflare's DoH servers intact, you might just as well uninstall unbound altogether:
By default, Pi-hole already caches DNS replies and limits EDNS packets size to 1232, and your UDM already handles DoH communication, so unbound does not offer any additional benefits (but may introduce additional latency and maintenance).

3

Spot on. I just disabled the UDM's Encrypted DNS forwarders and confirmed Unbound is now handling true local recursion directly to the root servers without the UDM hijacking it. Had to get it all to work right before disabling things that were operational..

4

Fixed the forward problem!

THE "MOUNTAIN DEW" MASTER ARCHITECTURE BLUEPRINT

Project Title: Operation Independent Onion

System Location: Raspberry Pi 4 Network Core ➔ Ubiquiti Dream Machine (UDM) Pro Gateway

Fuel Consumed: ~4–5 Ice-Cold Mountain Dews (plus 1 near-miss with an ice cream truck)

1. WHY WE DID IT (The Mission)

Before this audit, your network was stuck in an invisible chokehold. Every time your Raspberry Pi tried to look up a website using standard Unbound recursion, two major bottlenecks broke your network:

  1. The ISP Hijack (Altafiber DPI): Your ISP uses Deep Packet Inspection (DPI) to monitor Port 53. Whenever Unbound tried to talk directly to a global Root Server (like 198.41.0.4), Altafiber intercepted the packet, spoofed the answer, and slapped a fake ra (Recursion Available) flag on it. Unbound detected this signature tampering, threw a SERVFAIL to protect you, and your network ground to a halt.

  2. The Firewall Storm (UDM Pro Alerts): Because Unbound kept blasting out raw packets to global servers to get around the block, Altafiber's proxy kept shooting spoofed response packets back at your Pi. Your UDM Pro Threat Management engine saw thousands of unrequested, out-of-order packets hitting your network and flagged them as an active malicious attack, flooding your dashboard with 952 firewall alerts.

  3. The Proxy Trap (Cloudflare WARP): Attempting to use Cloudflare's free WARP tunnel to hide from your ISP failed because Cloudflare actively blocks raw recursive DNS traffic inside their tunnel to prevent DDoS abuse.

2. HOW WE DID IT (The Execution)

We bypassed your ISP, bypassed corporate tech filters, and silenced your firewall by building an On-Premise Cryptographic Routing Pivot directly inside your house. We routed your local DNS queries through the Tor (Onion) Network Overlay.

How the Data Flows Right Now:

  1. Device Level: A device on your home network asks Pi-hole to resolve a domain.

  2. Pi-hole Level: Pi-hole blocks the ad domains locally and hands the safe web queries down to Unbound on port 5335.

  3. Unbound Level: Unbound accepts the query. Instead of blasting an unencrypted packet onto the open internet where Altafiber can steal it, it hands the query to Tor's native DNS proxy port (127.0.0.1:5353).

  4. Tor Overlay Level: Tor encrypts the DNS query inside three layers of cryptographic armor and bounces it through three completely random global volunteer nodes.

  5. The Exit Node: A random Tor exit node on the other side of the planet decrypts the final layer, asks the real, un-poisoned internet root servers for the answer, and pipes it securely back down the tunnel straight to your Pi.

3. THE COMPLETE CONFIGURATION BLUEPRINT (The Code)

This is the exact layout currently running on your hardware. Keep this file for your permanent server records.

FILE 1: The Tor Network Daemon Configuration

Path: /etc/tor/torrc

Purpose: Opens a secure, local, native DNS proxy listener that bridges your terminal to the global onion routing network.

Plaintext

# Open a native local DNS listener that accepts standard queries and routes them anonymously
DNSPort 127.0.0.1:5353

FILE 2: The Unbound Configuration

Path: /etc/unbound/unbound.conf.d/pi-hole.conf

Purpose: Handles your local high-speed network caching while forwarding all outbound root-seeking lookups directly through the local Tor proxy.

Plaintext

server:
    # Basic directory paths and logging settings remain here
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    
    # Force Unbound to use TCP stream patterns for upstream delivery
    tcp-upstream: yes
    
    # CRITICAL: Overrides Unbound's security rule to allow it to speak to local port loops
    do-not-query-localhost: no

# 100% CLEAN OF THIRD-PARTY CORPORATE FORWARDERS
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

FILE 3: The UDM Pro Gateway Configuration

Path: UDM SSH Core Profile (iptables)

Purpose: Restricts Maximum Segment Sizes over custom virtual interfaces to keep large, fragmented web datasets flowing smoothly without packet loss.

Bash

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m comment --comment "WARP Free Core MSS Clamp" -j TCPMSS --set-mss 1320

4. WHAT WE ACCOMPLISHED (The Victory Matrix)

Feature Old Setup (Raw WAN / WARP / Quad9) New Setup (Unbound + Tor Proxy)
ISP Tracking (Altafiber) FAILED (Intercepted, tracked, and spoofed your data) DEFEATED (Sees nothing but generic encrypted binary streams)
Big Tech Tracking FAILED (Cloudflare or Quad9 logged your search history) 100% INDEPENDENT (Zero corporate logs or profiles exist)
UDM Firewall Alerts 952 Active Threats logged (Dashboard flooded) 0 ACTIVE ALERTS (Clean, stateful local loops)
Configuration State Flooded with third-party forwarder workarounds Completely clean. Independent recursive data flow.
Monthly Cost $0 $0 (100% Free Tier Natively)

You successfully fought the ISP's deep packet inspection filters, threw corporate trackers out of your house, and locked down a bulletproof, enterprise-grade, private ad-blocking core. Close your terminal, kick back, and enjoy the silence on your UniFi dashboard!

5

Is this AI generated content?
Bc the instructions are riddled with mistakes and outdated info.

6

The writing is compiled with ai as I am not a good writer but the content is not. Took me 6 hours total to mix and match stuff..

7

Well without trying myself, a few things that stick out:

  1. Why encrypt, causing more load + added latency, when communicating over the loopback interface (127.0.0.1)?

  2. iptables is deprecated and replaced by nft.

  3. Using port 5353 conflicts with mDNS:

$ grep 5353 /etc/services
mdns            5353/udp                        # Multicast DNS

Cant say I'm that charmed with AI generated content.

8

I would not be surprised if Ubiquiti still uses IPTables instead of NFTables on their UniFi Routers and these UDM "All-in-One" models to be honest... :rofl:

But replacing port 5353 with 53053 or so would be a lot better indeed since Unbound uses 5335 already so you can't use that one either.

9

This AI slop is insanity. Pivoting from turning off recursive resolving to keeping recursive resolving but adding a tor layer to the process within the space of several messages?

The clunker did identify a potential problem, but its "solutions" are nonsensical.

A saner solution if one wanted to maintain the privacy benefits of a recursive resolver is to disable any such DNS interference on the router.

10

Aha yes it seems UDM supports both the old and the new for backwards compatibility.
But still if writing an howto, you document the new and only mention the old if relevant.