Pi-hole and Unbound DNS on separate VMs

The issue I am facing:
I have pihole running on ubuntu 20.04 in a docker container and that's not the issue. I have a test bench running and am trying to work out if I can offload DNS queries to unbound running on a VM on the same hypervisor. Essentially what I'm testing is if I can have pihole use the unbound DNS server at another IP address in the same subnet. Unbound is running on the other VM with ubuntu 20.04 and I have configured the conf file as per the Pi-hole Unbound guide and I suspect this is where my issue lies. I have tested ports that are open and can see 5335 is open and listening on the unbound server, but when I change my DNS to point to the pihole server and then the pihole server has my upstream DNS server as unbound, it fails to navigate to web pages.

I suspect the issue is on the unbound side and am trying to understand what could be the issue. Unbound itself is running and dig pi-hole.net @127.0.0.1 -p 5335 returns an answer.

You will need to change this line and have unbound listen on the outward facing IP for that VM

interface: 127.0.0.1

Hi jfb, Are you referring to the external IP address or the static IP of the pihole server?

The Pi-hole Unbound guide is configuring Unbound to only listen on the local loopback interface named lo with IP 127.0.0.1.
The guide also configures unbound to listen on port 5335.
If you want the Unbound VM to listen on IPs from the other interfaces, like for example eth0, first figure out the IP for this Unbound host with below:

ip -br -4 a

And configure unbound to listen on that eth0 interface IP (or whatever interface IP you want it to listen on) in /etc/unbound/unbound.conf.d/pi-hole.conf with below:

Restart:

sudo service unbound restart

Below one should show unbound listening on the changed IP:

sudo netstat -nltup | grep 'Proto\|unbound'

Test with below (replace <CHANGED_IP> with actual IP):

dig +short chaos txt version.bind -p 5335 @<CHANGED_IP>

If the dig above shows the unbound version, you can configure custom upstream DNS server for Pi-hole to be:

<CHANGED_IP>#5335

And make sure no firewall is blocking on the Unbound host!

sudo iptables -nL
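To go with the interface change described in the post above, this is the shape of /etc/unbound/unbound.conf.d/pi-hole.conf I would use when Unbound must answer a Pi-hole on another VM. It is an added example, not the post's or the Pi-hole guide's config; 10.31.27.101 is the Unbound VM address from this thread and 10.31.27.50 is an assumed Pi-hole address. Unbound's access-control default allows only localhost and answers every other source with status REFUSED, so binding a LAN address needs a matching allow line, scoped to the Pi-hole host rather than the whole internet so the VM does not become an open resolver.

```conf
server:
    # Bind the VM's LAN address (from the thread) and keep loopback,
    # so the guide's "dig ... @127.0.0.1 -p 5335" checks still work.
    interface: 127.0.0.1
    interface: 10.31.27.101
    port: 5335

    # Default access-control: localhost allowed, everything else REFUSED.
    # Allow only the Pi-hole host; Unbound picks the most specific netblock,
    # so the /32 allow wins over the catch-all refuse.
    # 10.31.27.50 is an assumed Pi-hole address, not taken from the thread.
    access-control: 127.0.0.0/8 allow
    access-control: 10.31.27.50/32 allow
    access-control: 0.0.0.0/0 refuse

    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
```

After `sudo service unbound restart`, a query sourced from the Pi-hole address returns NOERROR, while one from any address not on an allow line gets the same `status: REFUSED` header that appears in the dig output later in this thread.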

Thanks for the detailed response @deHakkelaar. I had to install net-tools as I forgot when I built the VM. I checked the IP address unbound is using and it is correct. When I tested with the dig it failed, so something must be up with my config somewhere

administrator@unbound:~$ dig +short chaos txt version.bind -p 5335 10...101 (Edited IP out)
;; connection timed out; no servers could be reached

Is she running ?

EDIT: you don't have to edit out/redact private IPv4 addresses.
They are common to all of us and you won't give away a lot.
And please enclose the code output with the </> button before posting here ?

EDIT2: you might have omitted the @ sign before the IP eg:

dig +short chaos txt version.bind -p 5335 @10.*.*.101

She appears to be listening

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.31.27.101:5335 0.0.0.0:* LISTEN 3538/unbound
udp 0 0 10.31.27.101:5335 0.0.0.0:* 3538/unbound

Dig with @ returns nothing
administrator@unbound:~$ dig +short chaos txt version.bind -p 5335 @10.31.27.101
administrator@unbound:~$

And what if you query for a public domain:

dig pi-hole.net -p 5335 @10.31.27.101

administrator@unbound:~$ dig pi-hole.net -p 5335 @10.31.27.101

; <<>> DiG 9.16.1-Ubuntu <<>> pi-hole.net -p 5335 @10.31.27.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41081
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 10.31.27.101#5335(10.31.27.101)
;; WHEN: Sat Sep 05 10:23:28 UTC 2020
;; MSG SIZE  rcvd: 12

Sounds as if you misconfigured something else somewhere.
Purge/uninstall unbound including config files with below:

sudo apt purge unbound

And follow the guide fresh again:

Test first with the dig commands provided in the guide before you make alterations to the pi-hole.conf file with the interface directive.

It's in a snapshot so I'll revert back to before I installed Unbound and let you know. Thanks for taking the time to assist


Odd, I rolled back to the snapshot before I installed and configured unbound and have re-installed unbound with the guide provided.

When using dig with @127.0.0.1 it works. But with my VM's IP of 10.31.27.101 it fails

administrator@unbound:~$ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51691
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139

;; Query time: 268 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Sep 04 23:58:50 UTC 2020
;; MSG SIZE  rcvd: 71
administrator@unbound:~$ dig sigok.verteiltesysteme.net @10.31.27.101 -p 5335

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @10.31.27.101 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

Firewall ?

Are you referring to UFW?

administrator@unbound:~$ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
administrator@unbound:~$ sudo ufw disable
Firewall stopped and disabled on system startup
administrator@unbound:~$ sudo ufw status
Status: inactive
administrator@unbound:~$ dig sigok.verteiltesysteme.net @10.31.27.101 -p 5335

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @10.31.27.101 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

Could you post netstat again ?

sudo netstat -nltup | grep 'Proto\|unbound'

Sure can

administrator@unbound:~$ sudo netstat -nltup | grep 'Proto\|unbound'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      2657/unbound
udp        0      0 127.0.0.1:5335          0.0.0.0:*                           2657/unbound

Silly me,

Hadn't restarted Unbound after changing the interface IP in the config

administrator@unbound:~$ sudo netstat -nltup | grep 'Proto\|unbound'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.31.27.101:5335       0.0.0.0:*               LISTEN      3328/unbound
udp        0      0 10.31.27.101:5335       0.0.0.0:*                           3328/unbound
administrator@unbound:~$ dig sigok.verteiltesysteme.net @10.31.27.101 -p 5335

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @10.31.27.101 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39521
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 10.31.27.101#5335(10.31.27.101)
;; WHEN: Sat Sep 05 11:46:40 UTC 2020
;; MSG SIZE  rcvd: 12

:smiley:
She is still configured to only listen on that 127.0.0.1 address.
Go ahead and change IP on that interface line in /etc/unbound/unbound.conf.d/pi-hole.conf.

Restart:

sudo service unbound restart

And check with netstat and dig again.

EDIT: our postings crossed :wink:

Still not working. Oddly enough the log shows I'm getting refused

->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20704

Ok you have the REFUSED status again.
If the dig worked before the interface IP change and not after, you have something else going on and I don't know what.
What's output for below ?

sudo grep -v '^\s*#\|^\s*$' -R /etc/unbound/ --include=*.conf