🧠 How I Added Fallback DNS to My Pi-hole + Unbound Setup (Without Sacrificing Security)

Bucking_Horn · April 17, 2025, 8:15pm

ordor2k:

  forward-zone:
    name: "."
    forward-first: yes
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
(…)

How It Works

Unbound first tries full DNS recursion (using root servers)

If that fails (timeout, broken delegation, etc.), it falls back to 1.1.1.1 or 8.8.8.8

No, it's the other way round:
While defining a forward zone will turn off recursion in general, setting forward-first: yes instructs unbound to resolve DNS requests first by forwarding to 1.1.1.1 or 8.8.8.8, and only if that fails, it would fall back to recursive resolution.

Quoting unbound.conf documentation:

forward-first: <yes or no>
If a forwarded query is met with a SERVFAIL error, and this option is enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified.
Default: no

EDIT:

Setting val-permissive-mode: yes would have unbound serve replies that failed DNSSEC validation, i.e. Pi-hole would receive invalid replies.
It only makes sense to use that if you did configure Pi-hole to do DNSSEC validation:

Understanding DNSSEC validation using Pi-hole's Query Log

To enable the full validation inside Pi-hole, you have to add
# Does not actually turn off DNSSEC, but stops the resolver from 
# withholding bogus answers from clients. 
val-permissive-mode: yes
to the server section of your config file. However, be aware that this can void the protection provided by DNSSEC for devices querying unbound directly without using your Pi-hole. Hence, we do not recommend enabling permissive mode in production systems.