Hi, I'm trying to configure Pi-Hole and Unbound in Debian 12. I'm getting millions of queries from an undefined domain in the query log tab; the reply description says they are NXDOMAIN. I'm not too familiar with this terminology, I just made the configuration following some internet tutorials.
I connect to the internet through a Wi-Fi connection to a router that is used by several devices and since I don't have a server machine for the Pi-Hole, I only want my computer running Debian 12 to use Pi-Hole/Unbound leaving all other devices on the network to continuing using the default router DNS server (the ISP DNS).
I use 127.0.0.1#5335 as the only DNS address in the Pi-Hole configuration and in the Debian Network Manager tool as well. I get my computer (192.168.1.9) with RATE_LIMIT in the Pi-hole diagnosis tab all the time. Reading some posts in this forum I disabled Conditional forwarding with no effect. What can I do to try to fix this? Sorry for bad English and Thank You in advance! Greetings
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
Hi, thanks for the response. Before running the pihole -d command I noticed through the web interface that all was working ok, so I started to think there might be a website which is causing the problem; yesterday I had some tabs opened in the browser while creating this topic. So I opened pluto.tv in a new tab to try it out and the massive amount of queries started again.
Now I'm trying to post the content printed by the pihole -d command and the website tells me that as a new user I can't mention other users in my post. It's ok but I'm not mentioning anyone. Anyway, how can I upload the content I want to upload and not the url of the whole content? Is this possible? Thanks!
This would suggest you've configured some sort of DNS loop on the machine hosting your Pi-hole, and this in turn has been reported to happen for some older unbound packages.
Let's check your unbound configuration.
What's the output of:
Your observation is not tied to conflicts from unbound package configuration, but your unbound has extra configuration options, added manually to those from unbound - Pi-hole documentation, some of them repeating in different config files.
In particular, your pihole.conf contains a whole bunch of additional lines:
I suspect your forward-zone entries to be causing your observation.
Try removing or commenting those three lines, restart the unbound service and verify whether you still see excessive queries from 127.0.0.1.
What's your motivation for adding those lines anyway?
Hi Bucking_H, I guess it is a misunderstanding on my part on how all this works. I'll try this solution and will post the result later.
Yes, as you said, I use the configuration from the Pi-Hole documentation and then added the forward-zone lines, from another tutorial, for Unbound to use a D-o-T service to resolve the queries. I guess this is causing this unwanted behaviour.
Hey guys, I applied Bucking_Horn's recommendation and I've been using the web browser with a pluto.tv tab opened for about 2 hours and all is working as expected and there are no more excessive queries happening.
These are the lines I had to comment in the Unbound configuration file for the system to work properly:
I'm still wondering if the first 5 lines I left commented out are useful/recommended for something important like enhancing privacy, for example, and if it is worth leaving them active. What do you think?
Then your configuration is missing a DoT target server, as usually defined by a forward-host option (or less common, a forward-addr).
Those lines were missing from the grep output, indicating that they have been commented out all the time.
If you still want to use unbound as a DoT forwarder rather than a recursive resolver, you could consider commenting your forward-zone section back in.
Just make sure you include the forward-addr with the IPv4 address, and that that IPv4 is actually the correct one for using Mullvad's DoT server.
Hey Bucking_H. Thanks for your help, now I'm a little confused because all the lines I posted as commented had been commented out (active) all the time until you suggested I change it, so I have no idea why they were missing from the grep command output. Actually these Mullvad servers were the only ones detected by DNS leak websites when I tested them many times.
Using Unbound as a D-o-T forwarder rather than a recursive resolver is not a big deal for me; I selected the D-o-T forwarder for learning purposes and to get additional encryption capabilities as well as potential snooping protection. It would be great if I can continue to use it, but without the excessive queries behaviour of course. Do you want me to post the whole unbound.conf file content to see if something might be creating conflicts?
I do - my grep is too eager to exclude comments, which would be preceded by #.
However, the # in 194.242.2.4@853#base.dns.mullvad.net is preventing the line from being matched.
which just ignores lines with # preceded by arbitrary counts of whitespace (\s*).
You don't get encryption in addition to recursion, but only instead of it.
It's either a decision for recursion (ensuring that no one single party has your full DNS history) or for a DoT server (that you'd thus entrust with your complete DNS history).
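Added example, not from the thread or from the Pi-hole/unbound projects: a POSIX shell check that first reduces an unbound config to its active lines (the "leading whitespace then #" rule described above, written with `[[:space:]]` instead of `\s`), then flags any forward-zone section that has no active forward-addr or forward-host, which is the situation this reply describes. The config fragment and the 192.0.2.1 address are constructed for the example.

```shell
# Constructed unbound config fragment reproducing the thread's situation:
# a forward-zone whose only target line is commented out.
SAMPLE_CONF=$(cat <<'EOF'
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # forward-addr: 192.0.2.1@853#dot.example.invalid
EOF
)

# Print only active lines: drop lines whose first non-blank character is '#'.
# A '#' later in the line (as in addr@853#hostname) does not count as a
# comment, so a forward-addr line survives once it is uncommented.
active_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#'
}

# Return 0 if every forward-zone has an active forward-addr or forward-host,
# 1 if some forward-zone has no target at all (unbound would then have
# nowhere to send the forwarded queries).
check_forward_zones() {
    active_lines "$1" | awk '
        /^[[:space:]]*forward-zone:/ { if (inzone && !target) bad = 1
                                       inzone = 1; target = 0; next }
        /^[^[:space:]]/              { if (inzone && !target) bad = 1
                                       inzone = 0 }
        inzone && /forward-(addr|host):/ { target = 1 }
        END { if (inzone && !target) bad = 1; exit bad }'
}

# Stand-alone usage against the constructed config
if check_forward_zones "$SAMPLE_CONF"; then
    echo "every forward-zone has a target"
else
    echo "a forward-zone has no active forward-addr/forward-host"
fi
```

Run it against the real file with `check_forward_zones "$(cat /etc/unbound/unbound.conf.d/pi-hole.conf)"` (path assumed; use whichever file holds your forward-zone).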
This is really interesting. I'm about to create a new topic in the Off-Topic room to deal with another thing that now I think may be related to this one.
As usual, what I want is some privacy and security. What I understand you are telling me is that it is better for privacy that the DNS history doesn't leave the computer, and since the configuration suggested by the Pi-Hole documentation is cached and recursive, there are fewer chances for the queries to be snooped (or attacked). Please correct me if I misunderstood something. I will use the configuration that you recommend as "the best" (or at least a very good one) for my goals.
On the other hand, I can't access some websites if I use a regular connection, and if I try it using some free VPN service for testing then I can access any website normally. I don't see any blocked domain in the Pi-Hole web interface that leads me to think it can be a Pi-Hole/Unbound problem. Let's say the problem is with the Wikipedia website; if I use the dig tool with the current Unbound configuration (all working as I think is the way it should) I get an output like this:
Despite this I cannot access the website through the web browser (without a VPN) and this only happens with some random websites. Do you think this can be some DNS-side block by the ISP? This also happened before the changes applied today to the Unbound configuration, so the idea was always to start by trying to solve the excessive amount of queries and then to ask about this problem. Lastly, I like to think I'm always in a safe environment; however, if there is an "attack" it is most likely to come from the ISP.