Pi-hole fails to connect to Unbound DNS

The issue I am facing:
Pi-hole cannot connect to Unbound DNS

Details about my system:

╰─>$ neofetch
mika@Luna
---------
OS: Arch Linux x86_64
Host: VivoBook_ASUSLaptop X515EA_X515EA 1.0
Kernel: 5.18.3-arch1-1
Uptime: 6 hours, 50 mins
Packages: 983 (pacman), 10 (flatpak)
Shell: fish 3.4.1
Resolution: 1920x1080
WM: i3
Theme: Adwaita [GTK2/3]
Icons: Adwaita [GTK2/3]
Terminal: xfce4-terminal
Terminal Font: Monospace 12
CPU: 11th Gen Intel i3-1115G4 (4) @ 3.000GHz
GPU: Intel Device 9a78
Memory: 8440MiB / 11667MiB


Pi-hole was installed via Docker

╰─>$ sudo docker ps
[sudo] password for mika: 
CONTAINER ID   IMAGE                  COMMAND      CREATED       STATUS                 PORTS                                                                                                             NAMES
fd54d6c0a3fa   pihole/pihole:latest   "/s6-init"   4 hours ago   Up 4 hours (healthy)>53/tcp, :::53->53/tcp,>80/tcp,>53/udp, :::80->80/tcp, :::53->53/udp, 67/udp   pihole

╰─>$ cat docker-compose.yml
version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/Chicago'
      # WEBPASSWORD: 'set a secure password here or it will be random'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped

Unbound was installed via pacman

server:
    # If no logfile is specified, syslog is used
    logfile: /var/log/unbound/unbound.log
    verbosity: 0

    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: /var/lib/unbound/root.hints

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality,
    # for most users running on small networks or on a single machine, it should be
    # unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: fd00::/8
    private-address: fe80::/10

    do-not-query-localhost: no
    tls-system-cert: yes

    # control which clients are allowed to make (recursive) queries
    access-control: allow_snoop
    access-control: ::1 allow_snoop
    access-control: allow
    access-control: allow

# Upstream Servers
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 2a07:a8c0::#[redacted].dns1.nextdns.io
  forward-addr: 2a07:a8c1::#[redacted].dns2.nextdns.io

Unbound DNS seems to be working when digging websites

╰─>$ dig sigok.verteiltesysteme.net @ -p 5335

; <<>> DiG 9.18.3 <<>> sigok.verteiltesysteme.net @ -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23492
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;sigok.verteiltesysteme.net.	IN	A

sigok.verteiltesysteme.net. 30	IN	A

;; Query time: 2073 msec
;; WHEN: Fri Jun 17 01:24:05 +08 2022
;; MSG SIZE  rcvd: 71

╰─>$ dig sigfail.verteiltesysteme.net @ -p 5335

; <<>> DiG 9.18.3 <<>> sigfail.verteiltesysteme.net @ -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51854
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;sigfail.verteiltesysteme.net.	IN	A

;; Query time: 2766 msec
;; WHEN: Fri Jun 17 01:24:22 +08 2022
;; MSG SIZE  rcvd: 57

Status of Unbound

╰─>$ systemctl status unbound
● unbound.service - Validating, recursive, and caching DNS resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-06-16 23:08:16 +08; 2h 21min ago
       Docs: man:unbound(8)
   Main PID: 208332 (unbound)
      Tasks: 1 (limit: 13976)
     Memory: 2.4M
        CPU: 64ms
     CGroup: /system.slice/unbound.service
             └─208332 /usr/bin/unbound -d -p

What I have changed since installing Pi-hole:
I changed my DNS server to use Unbound DNS

But I fail to load any website until I enable other DNS resolvers (Quad9)

Any ideas how to fix this? Thanks


What does the query log look like when you use unbound and when you use a remote upstream?


The localhost interface points to the same machine.
In your case, that is the Pi-hole container within Docker, and that's not where unbound is installed and listening on port 5335.

If I understood your setup correctly, you'd have to point your Pi-hole to the private range IP of the machine that is hosting both your unbound and Docker with your Pi-hole container.
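An added diagnostic, not from the thread: it wraps the same dig probe the original poster used so it can be run once on the host and once inside the Pi-hole container, showing that 127.0.0.1:5335 answers on the host but is unreachable from the container while the host's LAN address is reachable from both. It assumes dig is installed in both places; HOST_IP is a placeholder to replace with the host's private address.

```shell
#!/bin/sh
# Added example, not from the thread: probe a candidate Pi-hole upstream with
# dig and report the DNS rcode, so the same script can be run on the host and
# inside the container to compare what each vantage point can reach.
# Assumes dig is installed; HOST_IP is a placeholder for the host's LAN address.

# Read dig output on stdin and print its rcode (NOERROR, SERVFAIL, ...).
# Prints UNREACHABLE when no answer header is present (timeout / refused).
dig_rcode() {
    rc=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -z "$rc" ]; then
        echo UNREACHABLE
    else
        echo "$rc"
    fi
}

# Map an rcode to an exit status: 0 = resolver answered, 1 = resolver reachable
# but refused or failed validation (the sigfail case), 2 = nothing listening
# there (what the Pi-hole container sees on its own 127.0.0.1:5335).
classify() {
    case "$1" in
        NOERROR|NXDOMAIN) return 0 ;;
        UNREACHABLE)      return 2 ;;
        *)                return 1 ;;
    esac
}

# Query one resolver and print a one-line verdict. Usage: probe <ip> <port> <name>
probe() {
    out=$(dig +time=2 +tries=1 "@$1" -p "$2" "$3" 2>/dev/null)
    rc=$(printf '%s\n' "$out" | dig_rcode)
    status=0
    classify "$rc" || status=$?
    printf '%-20s port %-5s -> %s\n' "$1" "$2" "$rc"
    return "$status"
}

# Run the comparison only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    HOST_IP="${HOST_IP:-192.0.2.10}"   # placeholder: set HOST_IP to the host's LAN IP
    probe 127.0.0.1 5335 sigok.verteiltesysteme.net
    probe "$HOST_IP" 5335 sigok.verteiltesysteme.net
fi
```

Run it on the host as `sh probe.sh --run` and inside the container as `docker exec -i pihole sh -s -- --run < probe.sh`; the loopback probe is the one that differs. For the host-IP probe to answer, unbound must also listen on that address (its default `interface:` is 127.0.0.1 only) and its `access-control` must allow the Docker bridge subnet the container sends from.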