NB - I haven't used the template, as I don't believe it would help in this case. However, I can, of course, supply all details as necessary.
I've recently revamped my network setup, and am testing various elements. Today I thought I'd test my IPv6 implementation, but am experiencing some errors.
If I connect to the default test-ipv6.com site, I get errors (DNS server possibly not configured to use IPv6). However, if I use the mirror ams2.test-ipv6.com site, I get no errors. Therefore, I thought I'd check my Pi-hole log for any clues.
The default site connects to http://www.noroutetohost.net/. My Pi-hole logs clearly show SERVFAIL (BOGUS (refused upstream)).
I'm using Pi-hole with Unbound. I believe that using Unbound as upstream resolver won't provide reasons for rejection, but that I can enable validation inside Pi-hole by enabling permissive mode? However, I'm aware this can void the DNSSEC protection for devices querying Unbound directly without using the Pi-hole. What I don't understand though is whether this applies in my case, as all devices should be using the Pi-hole, as I have the Pi-hole set as DNS server at router level. Therefore, am I OK to enable permissive mode?
I have no errors so far on both sites. 10/10 and full support on IPv6.
My system: Pi-Hole 5.x + Unbound on a Pi 2B.
System works in IPv4 and IPv6 although IPv6 is not a must.
Please post the debug information as a URL for support.
So if unbound won't use IPv6, why does it report OK (i.e. that the DNS server is set up for IPv6) on the ams2.test-ipv6.com site, but fail on the test-ipv6.com site?
(I understand that I'm not actually stuffed in terms of IPv6, as it'll still return IPv6 AAAA records when asked via IPv4)
Also, why would @wd9895 get 10/10 and full support on IPv6 using the same setup (assuming it's a standard config)? I feel I'm missing something obvious, but can't see what it is.
That would really be a question for the maintainers of those sites.
That said, both of those sites report my DNS server as having no access to the IPv6 Internet (wrongly claiming that would "restrict your ability to reach IPv6-only sites").
As explained, that is the expected outcome, as I am running unbound as my Pi-hole's upstream.
Assuming those sites' results are correct, they may indicate that your Pi-hole is being bypassed via an IPv6 DNS server address. This could also apply to wd9895's results (or they may have altered their unbound configuration to allow for IPv6).
```
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    # Listen on loopback only, so only the local Pi-hole can query unbound
    interface: 127.0.0.1
    port: 5335

    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    # root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small n>
    num-threads: 2

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 2m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    # Addenda ++++++++++++++++++++++++++++
    # increase cache size to utilize more RAM
    msg-cache-size: 128m
    rrset-cache-size: 256m

    # Cache sizes
    # cache-max-ttl: 86400
    # cache-min-ttl: 0
    # cache-max-negative-ttl: 3600

# root servers
auth-zone:
    name: "."
    master: 198.41.0.4          # a.root-servers.net
    master: 170.247.170.2       # b.root-servers.net
    master: 192.33.4.12         # c.root-servers.net
    master: 199.7.91.13         # d.root-servers.net
    master: 192.203.230.10      # e.root-servers.net
    master: 192.5.5.241         # f.root-servers.net
    master: 192.112.36.4        # g.root-servers.net
    master: 198.97.190.53       # h.root-servers.net
    master: 192.36.148.17       # i.root-servers.net
    master: 192.58.128.30       # j.root-servers.net
    master: 193.0.14.129        # k.root-servers.net
    master: 199.7.83.42         # l.root-servers.net
    master: 202.12.27.33        # m.root-servers.net
    master: 2001:503:ba3e::2:30 # a.root-servers.net
    master: 2801:1b8:10::b      # b.root-servers.net
    master: 2001:500:2::c       # c.root-servers.net
    master: 2001:500:2d::d      # d.root-servers.net
    master: 2001:500:a8::e      # e.root-servers.net
    master: 2001:500:2f::f      # f.root-servers.net
    master: 2001:500:12::d0d    # g.root-servers.net
    master: 2001:500:1::53      # h.root-servers.net
    master: 2001:7fe::53        # i.root-servers.net
    master: 2001:503:c27::2:30  # j.root-servers.net
    master: 2001:7fd::1         # k.root-servers.net
    master: 2001:500:9f::42     # l.root-servers.net
    master: 2001:dc3::35        # m.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"
```
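The two things this thread keeps circling back to are whether unbound can be reached by LAN clients without going through Pi-hole, and whether its IPv6 and DNSSEC hardening options are actually set. The script below is an added example (not Pi-hole's or unbound's own code) that parses the flat `key: value` layout of an unbound.conf like the one above and reports those points; the embedded config excerpt is a constructed sample taken from the posted settings, and the default values assumed for missing options are unbound's documented defaults.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the unbound.conf posted in this thread.
SAMPLE_CONF = """\
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-ip6: yes
    prefer-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
auth-zone:
    name: "."
"""

def parse_server_section(text):
    """Return {option: [values]} for the server: section; '#' starts a comment."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"[\w-]+:", line):          # section header (server:, auth-zone:, ...)
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            opts.setdefault(key, []).append(value.strip('"'))
    return opts

def audit(text):
    """Return findings on reachability, IPv6 use and DNSSEC hardening."""
    opts, findings = parse_server_section(text), []
    # unbound allows "addr@port"; strip the port before parsing the address
    ifaces = [ipaddress.ip_address(i.split("@")[0]) for i in opts.get("interface", ["127.0.0.1"])]
    if all(i.is_loopback for i in ifaces):
        findings.append("OK: unbound listens on loopback only; LAN clients cannot query it without going through Pi-hole")
    else:
        findings.append("WARN: unbound listens on a non-loopback interface; clients could query it directly, bypassing Pi-hole")
    if opts.get("do-ip6", ["yes"])[-1] != "yes":      # unbound default: yes
        findings.append("INFO: do-ip6 is off; upstream lookups use IPv4 only, so IPv6 DNS tests will report no IPv6 resolver")
    if opts.get("harden-dnssec-stripped", ["yes"])[-1] != "yes":
        findings.append("WARN: harden-dnssec-stripped is off; answers with stripped DNSSEC data are not marked BOGUS")
    nets = [ipaddress.ip_network(n) for n in opts.get("private-address", [])]
    if not any(n.version == 6 for n in nets):
        findings.append("INFO: no IPv6 private-address ranges; ULA/link-local answers from upstream are not filtered")
    return findings
```

Note that a loopback-only `interface` is what makes the question in the first post moot for LAN devices: nothing but the local Pi-hole can reach unbound, so the DNSSEC trade-off of permissive mode only affects clients that have been given a different resolver address (for example an IPv6 one from the router).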