Latest update not working

The issue I am facing:

Details about my system:

  • Two RPis, one running unbound (yes, interface: 0.0.0.0), one running PiHole
  • PiHole (and other Debian instances) can dig through to Unbound and receive an answer. After the answer, PiHole is able to do the lookup
  • The Windows computer that I use PiHole for is VERY SLOW since the upgrade this morning (To Raspbian Bookworm and latest PiHole). Names are not resolving until after I clear the DNS cache. It works for a few minutes, then it goes back to not resolving

What I have changed since installing Pi-hole:

  • Updated OS to 12.10; piHole to 6.0.6, FTL 6.1
  • Unbound OS to 12.10; unbound to 1.17.1
  • Restarting PiHole works for a few minutes; after that, sites stop loading external resources (i.e. Reddit thumbnails)
  • maxDB setting already set to 91 as per other threads
  • Disabled DNSSEC for testing

Example output from unbound:

root@donatello:/home/pi# dig b.thumbs.redditmedia.com. @127.0.0.1 -p 5353

; <<>> DiG 9.18.33-1~deb12u2-Raspbian <<>> b.thumbs.redditmedia.com. @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59153
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.thumbs.redditmedia.com.      IN      A

;; AUTHORITY SECTION:
redditmedia.com.        882     IN      SOA     ns-1340.awsdns-39.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 109 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
;; WHEN: Sun Apr 06 19:47:43 PDT 2025
;; MSG SIZE  rcvd: 135

From PiHole:

root@raphael:/home/pi# dig b.thumbs.redditmedia.com @127.0.0.1

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> b.thumbs.redditmedia.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11699
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.thumbs.redditmedia.com.      IN      A

;; ANSWER SECTION:
b.thumbs.redditmedia.com. 206   IN      CNAME   dualstack.reddit.map.fastly.net.
dualstack.reddit.map.fastly.net. 36 IN  A       151.101.21.140

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Apr 06 19:48:23 PDT 2025
;; MSG SIZE  rcvd: 114

Seems like unbound is the one returning NXDOMAIN?

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59153
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)

While Pi-hole is replying (from cache)

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11699
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)

What is the ipconfig /all output for the DNS Servers on that computer?

You're right, I didn't notice that one was NOERROR and the other was NXDOMAIN.

Another domain that PiHole can't access:

$ dig @192.168.128.6 api.production.wealthsimple.com.

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @192.168.128.6 api.production.wealthsimple.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26547
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

From Unbound:

$ dig production.wealthsimple.com. @127.0.0.1 -p 5353

; <<>> DiG 9.18.33-1~deb12u2-Raspbian <<>> production.wealthsimple.com. @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

As for DNS Servers:

ipconfig /all
...
   DNS Servers . . . . . . . . . . . : 2604:3d08:a57f:ebd0::7305
                                       192.168.128.6
...

(The above is for both my Ethernet connection and my Wi-Fi, both on the same network). I don't use IPv6 on purpose, but my ISP's router hands out IPv6 addresses.

Those are two different domains. One is api.production. and the other is just production..

Neither resolved, they both show NXDOMAIN so I'm not sure what you meant to show there.

You're right, I assumed that if production. failed, it wouldn't have even tried api.production..

Here are the current dig commands going to the same domain name:

$ dig api.production.wealthsimple.com. @127.0.0.1 -p 5353

; <<>> DiG 9.18.33-1~deb12u2-Raspbian <<>> api.production.wealthsimple.com. @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62332
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.production.wealthsimple.com. IN    A

;; ANSWER SECTION:
api.production.wealthsimple.com. 243 IN CNAME   api.production.wealthsimple.com.cdn.cloudflare.net.
api.production.wealthsimple.com.cdn.cloudflare.net. 243 IN A 172.64.148.42
api.production.wealthsimple.com.cdn.cloudflare.net. 243 IN A 104.18.39.214

;; Query time: 189 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
;; WHEN: Thu Apr 17 19:41:11 PDT 2025
;; MSG SIZE  rcvd: 156

Then when querying the PiHole:

$ dig api.production.wealthsimple.com @192.168.128.6

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> api.production.wealthsimple.com @192.168.128.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55699
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.production.wealthsimple.com. IN    A

;; AUTHORITY SECTION:
wealthsimple.com.       710     IN      SOA     ns-1489.awsdns-58.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 10 msec
;; SERVER: 192.168.128.6#53(192.168.128.6) (UDP)
;; WHEN: Thu Apr 17 19:43:24 PDT 2025
;; MSG SIZE  rcvd: 161

I do appreciate any insight that can be given :slight_smile:

Please post a new debug token URL.

https://tricorder.pi-hole.net/4Ehh2Y0q/

Thanks,

First thing, let's remove that IPv6 link-local upstream, there's no need for IPv6 on the local lan segment:

   [dns]
     upstreams = [
       "192.168.128.8#5353",
       "fe80::1f24:2be4:b3d5:48da#5353"
     ] ### CHANGED, default = []

Next, the successful dig is to 127.0.0.1#5353, is that dig from the server hosting Pi-hole itself? If so, why do you have an upstream to 192.168.128.8#5353 instead of 127.0.0.1#5353? I see that the port 5353 is being used by avahi-daemon on the Pi-hole server.

You have a number of DHCP servers offering DNS services that are not Pi-hole. Any client getting offered a DNS server that is not Pi-hole can and will use that non-Pi-hole server and bypass any blocking you have set up.

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 6 seconds)
   Scanning all your interfaces for DHCP servers and IPv6 routers
   Timeout: 6 seconds
   
   * Received 120 bytes from fe80::1256:11ff:fe90:cb08 @ enxb827ebe394cc
     Hop limit: 64
     Stateful address conf.: Yes
     Stateful other conf.: Yes
     Mobile home agent: No
     Router preference: Medium
     Neighbor discovery proxy: No
     Router lifetime: 180 s
     Reachable time: N/A
     Retransmit time: N/A
     Recursive DNS server 1/2: 2001:4e8:0:400d::11
     Recursive DNS server 2/2: 2001:4e8:0:400a::11
     DNS server lifetime:180 sec
     - Prefix: 2604:3d08:a57f:ebd0::/64
       Valid lifetime: 300 sec
       Preferred lifetime: 300 sec
       On-link: Yes
       Autonomous address conf.: Yes
     - Route: ::/0
       Route preference: Medium
       Route lifetime: 180 sec
     Source link-layer address: 10:56:11:90:CB:08
   
   * Received 314 bytes from 192.168.128.1 @ enxb827ebe394cc
     Offered IP address: 192.168.128.6
     Server IP address: 192.168.128.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.128.1
      lease-time: 172800 ( 2d )
      renewal-time: 86400 ( 1d )
      rebinding-time: 151200 ( 1d 18h )
      netmask: 255.255.255.0
      broadcast: 192.168.128.255
      router: 192.168.128.1
      domain-name: "ca.shawcable.net"
      dns-server: 64.59.168.13
      dns-server: 64.59.174.84
      --- end of options ---
   
   * Received 120 bytes from fe80::1256:11ff:fe90:cb08 @ enxb827ebe394cc
     Hop limit: 64
     Stateful address conf.: Yes
     Stateful other conf.: Yes
     Mobile home agent: No
     Router preference: Medium
     Neighbor discovery proxy: No
     Router lifetime: 180 s
     Reachable time: N/A
     Retransmit time: N/A
     Recursive DNS server 1/2: 2001:4e8:0:400d::11
     Recursive DNS server 2/2: 2001:4e8:0:400a::11
     DNS server lifetime:180 sec
     - Prefix: 2604:3d08:a57f:ebd0::/64
       Valid lifetime: 300 sec
       Preferred lifetime: 300 sec
       On-link: Yes
       Autonomous address conf.: Yes
     - Route: ::/0
       Route preference: Medium
       Route lifetime: 180 sec
     Source link-layer address: 10:56:11:90:CB:08
   
   * Received 120 bytes from fe80::1256:11ff:fe90:cb08 @ enxb827ebe394cc
     Hop limit: 64
     Stateful address conf.: Yes
     Stateful other conf.: Yes
     Mobile home agent: No
     Router preference: Medium
     Neighbor discovery proxy: No
     Router lifetime: 180 s
     Reachable time: N/A
     Retransmit time: N/A
     Recursive DNS server 1/2: 2001:4e8:0:400d::11
     Recursive DNS server 2/2: 2001:4e8:0:400a::11
     DNS server lifetime:180 sec
     - Prefix: 2604:3d08:a57f:ebd0::/64
       Valid lifetime: 300 sec
       Preferred lifetime: 300 sec
       On-link: Yes
       Autonomous address conf.: Yes
     - Route: ::/0
       Route preference: Medium
       Route lifetime: 180 sec
     Source link-layer address: 10:56:11:90:CB:08
   
   Received 1 DHCP (IPv4) and 3 RA (IPv6) answers on enxb827ebe394cc

Again, there's really no need for IPv6 on a LAN segment. A DNS server will reply to A and AAAA record queries no matter what the protocol used (IPv4 or IPv6).

Try disabling DNSSEC and enabling Query Logging so we can see some logs of why NXDOMAIN is being returned. DNSSEC is often misconfigured by the zone owners and hurts more than it helps.

     dnssec = true ### CHANGED, default = false
     interface = "enxb827ebe394cc" ### CHANGED, default = ""
     hostRecord = ""
     listeningMode = "ALL" ### CHANGED, default = "LOCAL"
     queryLogging = false ### CHANGED, default = true

Changing the rate limit often indicates that there is a configuration or routing issue, the default is more than enough to handle a large client base.

       count = 10000 ### CHANGED, default = 1000

Thanks, I'll answer these in order:

  1. I believe I've now removed all the IPv6 info, at least from the DNS Upstream Servers.
  2. The dig going to port 5353 is on another RPi hosting Unbound. Unbound is hosted at 192.168.128.8, while the PiHole is 192.168.128.6.
  3. As I cannot alter the DNS Server settings from the router I have, I program it in manually to the clients that I want to have it (mainly, my devices). The servers do not use the PiHole for DNS, but my phone and computer do.
  4. Disabled DNSSEC
  5. Reset the cache to 1000

I'll monitor for the weekend and see if things improve. I appreciate your help! :slight_smile:


Okay, we'll get there!!

We can add IPv6 back into the mix once we know that IPv4 is working without issues, if you want.

Can you do a dig from the Pi-hole server to the remote unbound? Just for another data point to see what the response is.

Let us know how things go.

OK, I think it's starting to get narrowed down. Again, something that should have been resolved isn't:

Unbound:

# dig b.thumbs.redditmedia.com. @127.0.0.1 -p 5353

; <<>> DiG 9.18.33-1~deb12u2-Raspbian <<>> b.thumbs.redditmedia.com. @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3753
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.thumbs.redditmedia.com.      IN      A

;; ANSWER SECTION:
b.thumbs.redditmedia.com. 177   IN      CNAME   dualstack.reddit.map.fastly.net.
dualstack.reddit.map.fastly.net. 53 IN  A       151.101.213.140

;; Query time: 109 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
;; WHEN: Sat Apr 19 09:33:34 PDT 2025
;; MSG SIZE  rcvd: 114

PiHole to Unbound:

$ dig b.thumbs.redditmedia.com. @192.168.128.8 -p 5353

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> b.thumbs.redditmedia.com. @192.168.128.8 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5598
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.thumbs.redditmedia.com.      IN      A

;; ANSWER SECTION:
b.thumbs.redditmedia.com. 280   IN      CNAME   dualstack.reddit.map.fastly.net.
dualstack.reddit.map.fastly.net. 37 IN  A       151.101.213.140

;; Query time: 123 msec
;; SERVER: 192.168.128.8#5353(192.168.128.8) (UDP)
;; WHEN: Sat Apr 19 09:31:51 PDT 2025
;; MSG SIZE  rcvd: 114

PiHole to itself:

$ dig b.thumbs.redditmedia.com. @127.0.0.1

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> b.thumbs.redditmedia.com. @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47862
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.thumbs.redditmedia.com.      IN      A

;; AUTHORITY SECTION:
redditmedia.com.        46      IN      SOA     ns-1340.awsdns-39.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Apr 19 09:35:25 PDT 2025
;; MSG SIZE  rcvd: 153

Client to PiHole:

$ dig b.thumbs.redditmedia.com. @192.168.128.6

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> b.thumbs.redditmedia.com. @192.168.128.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.thumbs.redditmedia.com.      IN      A

;; AUTHORITY SECTION:
redditmedia.com.        151     IN      SOA     ns-1340.awsdns-39.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 10 msec
;; SERVER: 192.168.128.6#53(192.168.128.6) (UDP)
;; WHEN: Sat Apr 19 09:33:40 PDT 2025
;; MSG SIZE  rcvd: 153

Can you post your Unbound config?

If you have re-enabled query logging on Pi-hole then a grep for the domain b.thumbs.redditmedia.com. in the logs could reveal some more information about why NXDOMAIN is being returned. I'm looking for the chain of queries that Pi-hole is trying to do.

You can live tail the pihole.log file via the web interface, or with the command tail -F /var/log/pihole/pihole.log.

Output should look something like:

2025-04-19 12:18:30.043 query[A] b.thumbs.redditmedia.com.lan from 192.168.1.100
2025-04-19 12:18:30.043 config b.thumbs.redditmedia.com.lan is NXDOMAIN
2025-04-19 12:18:30.044 query[AAAA] b.thumbs.redditmedia.com.lan from 192.168.1.100
2025-04-19 12:18:30.044 config b.thumbs.redditmedia.com.lan is NXDOMAIN
2025-04-19 12:18:30.045 query[A] b.thumbs.redditmedia.com from 192.168.1.100
2025-04-19 12:18:30.045 forwarded b.thumbs.redditmedia.com to 8.8.4.4
2025-04-19 12:18:30.051 reply b.thumbs.redditmedia.com is <CNAME>
2025-04-19 12:18:30.052 reply dualstack.reddit.map.fastly.net is 151.101.65.140
2025-04-19 12:18:30.052 reply dualstack.reddit.map.fastly.net is 151.101.193.140
2025-04-19 12:18:30.052 reply dualstack.reddit.map.fastly.net is 151.101.1.140
2025-04-19 12:18:30.052 reply dualstack.reddit.map.fastly.net is 151.101.129.140
2025-04-19 12:18:30.054 query[AAAA] b.thumbs.redditmedia.com from 192.168.1.100
2025-04-19 12:18:30.054 cached b.thumbs.redditmedia.com is <CNAME>
2025-04-19 12:18:30.054 forwarded b.thumbs.redditmedia.com to 8.8.4.4
2025-04-19 12:18:30.060 reply b.thumbs.redditmedia.com is <CNAME>
2025-04-19 12:18:30.060 reply dualstack.reddit.map.fastly.net is 2a04:4e42:200::396
2025-04-19 12:18:30.060 reply dualstack.reddit.map.fastly.net is 2a04:4e42:400::396
2025-04-19 12:18:30.061 reply dualstack.reddit.map.fastly.net is 2a04:4e42:600::396
2025-04-19 12:18:30.061 reply dualstack.reddit.map.fastly.net is 2a04:4e42::396

Enabled logging, here is the output when checking for thumbs.redditmedia.com (including both a. and b.):

# tail -F /var/log/pihole/pihole.log | grep "thumbs\.redditmedia\.com"
Apr 19 20:02:47 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: forwarded b.thumbs.redditmedia.com to 192.168.128.8#5353
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: forwarded b.thumbs.redditmedia.com to 192.168.128.8#5353
Apr 19 20:02:48 dnsmasq[710]: reply b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: reply b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.202
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] a.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: forwarded a.thumbs.redditmedia.com to 192.168.128.8#5353
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] a.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: forwarded a.thumbs.redditmedia.com to 192.168.128.8#5353
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: reply a.thumbs.redditmedia.com is <CNAME>
Apr 19 20:02:48 dnsmasq[710]: reply a.thumbs.redditmedia.com is <CNAME>

Unbound config:

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
# Contents of conf.d folder: pi-hole.conf, root-auto-trust-anchor-file.conf, remote-control.conf
# pi-hole.conf
server:
  logfile: "/var/log/unbound/unbound.log"
  verbosity: 0
  interface: 0.0.0.0
#  interface: ::0
  port: 5353
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  do-ip6: no
  root-hints: "/var/lib/unbound/root.hints"
  harden-glue: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: no
  edns-buffer-size: 1232
  prefetch: yes
  num-threads: 10
  so-rcvbuf: 1m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
#    private-address: fd00::/8
#    private-address: fe80::/10
#  access-control: 192.168.0.0/16 allow
#  access-control: 10.252.0.0/16 allow
#  access-control: fe80::/10 allow
  access-control: 0.0.0.0/0 allow
#  access-control: ::/0 allow
  do-not-query-localhost: no
#  access-control: 2001:DB8/64 allow
#  access-control: 0::0/64 allow
# cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
# cat /etc/unbound/unbound.conf.d/remote-control.conf
remote-control:
  control-enable: yes
  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
  # it is possible to use a unix socket too
  control-interface: /run/unbound.ctl
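
An added example, not part of any post in this thread and not Pi-hole's own tooling: a Python trace of the query chain in pihole.log that tells apart an NXDOMAIN answered locally (`config`), received from the upstream (`reply`), or served from cache only. The sample lines are constructed in the two log layouts shown above, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Matches the dnsmasq event after either timestamp layout seen in this thread
# ("Apr 19 20:02:48 dnsmasq[710]: ..." or "2025-04-19 12:18:30.043 ...").
EVENT = re.compile(
    r"\b(?P<kind>query\[(?P<qtype>[\w-]+)\]|forwarded|reply|cached|config)"
    r"\s+(?P<name>\S+)\s+(?:from|to|is)\s+(?P<value>.+?)\s*$")

def parse(line):
    m = EVENT.search(line)
    if not m:
        return None
    kind = "query" if m["qtype"] else m["kind"]
    return kind, m["qtype"], m["name"].rstrip(".").lower(), m["value"]

def trace(lines, domain):
    """Collect query types, clients, upstreams and answers for one name."""
    domain = domain.rstrip(".").lower()
    t = {"qtypes": Counter(), "clients": set(), "upstreams": set(),
         "answers": defaultdict(Counter)}
    for line in lines:
        ev = parse(line)
        if ev is None or ev[2] != domain:
            continue
        kind, qtype, _, value = ev
        if kind == "query":
            t["qtypes"][qtype] += 1
            t["clients"].add(value)
        elif kind == "forwarded":
            t["upstreams"].add(value)
        else:  # reply, cached or config: value is the answer
            t["answers"][kind][value] += 1
    return t

def nxdomain_origin(t):
    """Say which stage first produced NXDOMAIN inside the log window."""
    a = t["answers"]
    if a["config"]["NXDOMAIN"]:
        return "local"       # answered by Pi-hole itself, never forwarded
    if a["reply"]["NXDOMAIN"]:
        return "upstream"    # came back from a server in t["upstreams"]
    if a["cached"]["NXDOMAIN"]:
        return "cache-only"  # cached before the window; widen the grep
    return "none"

# Constructed sample in the two log layouts shown in the thread.
SAMPLE = """\
Apr 19 20:02:47 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: forwarded b.thumbs.redditmedia.com to 192.168.128.8#5353
Apr 19 20:02:48 dnsmasq[710]: query[HTTPS] b.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: reply b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: reply b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] b.thumbs.redditmedia.com from 192.168.128.202
Apr 19 20:02:48 dnsmasq[710]: cached b.thumbs.redditmedia.com is NXDOMAIN
Apr 19 20:02:48 dnsmasq[710]: query[A] a.thumbs.redditmedia.com from 192.168.128.151
Apr 19 20:02:48 dnsmasq[710]: reply a.thumbs.redditmedia.com is <CNAME>
2025-04-19 12:18:30.043 query[A] b.thumbs.redditmedia.com.lan from 192.168.1.100
2025-04-19 12:18:30.043 config b.thumbs.redditmedia.com.lan is NXDOMAIN
""".splitlines()

if __name__ == "__main__":
    for d in ("b.thumbs.redditmedia.com", "b.thumbs.redditmedia.com.lan"):
        print(d, nxdomain_origin(trace(SAMPLE, d)))
```

Feed it the real file with `trace(open("/var/log/pihole/pihole.log"), "b.thumbs.redditmedia.com")`; an `upstream` result means the negative answer arrived as a reply to a forwarded query rather than from Pi-hole's own configuration.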