pi-hole with unbound - connection timed out

Hello,

I have set up a Pi-hole server with Ubuntu. It is working well out of the box; however, I wanted to try unbound with Pi-hole as well for the DNS TLS support/possibility to run recursive DNS.

The initial setup went fine and unbound seems to be working with Pi-hole; however, some domains don't seem to resolve on my setup, for example isc.org and cmdns.dev.dns-oarc.net:

pi-hole@pi-hole:/var/lib/unbound$ dig isc.org @127.0.0.1 -p 5353

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> isc.org @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached

The connection for this lookup is timing out while 80/90% of other requests are working fine. unbound is installed with the default settings provided by the guide: (Redirecting...), with no additional settings set.

Could this be DNSSEC related? If so, how do I check/test this?

Thanks!

Sure, this is a likely possibility. Is your time set up correctly on the machine you run unbound on?

Can you run

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353 # should return A record
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353 # should return SERVFAIL status

?

Also, you can enable logging in unbound to see what it is doing.

Hi,

I did both tests, they both resolved fine. The timeout seems to be happening mostly with .org domains.

Have enabled logging (verbosity 2) but not sure what to make of the result. Tried to resolve calomel.org and got the error "connection timed out; no servers could be reached". The unbound log says it did resolve?

[1562501542] unbound[7013:0] info: resolving calomel.org. A IN
[1562501543] unbound[7013:0] info: response for calomel.org. A IN
[1562501543] unbound[7013:0] info: reply from <org.> 199.19.57.1#53
[1562501543] unbound[7013:0] info: query response was REFERRAL
[1562501543] unbound[7013:0] info: resolving ns-cloud-b3.googledomains.com. A IN
[1562501543] unbound[7013:0] info: query response was REFERRAL
[1562501543] unbound[7013:0] info: resolving ns-cloud-b4.googledomains.com. A IN
[1562501543] unbound[7013:0] info: resolving ns-cloud-b1.googledomains.com. A IN
[1562501543] unbound[7013:0] info: response for ns-cloud-b1.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <com.> 192.41.162.30#53
[1562501543] unbound[7013:0] info: query response was REFERRAL
[1562501543] unbound[7013:0] info: response for ns-cloud-b4.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <com.> 192.41.162.30#53
[1562501543] unbound[7013:0] info: query response was REFERRAL
[1562501543] unbound[7013:0] info: response for ns-cloud-b3.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <com.> 192.31.80.30#53
[1562501543] unbound[7013:0] info: query response was REFERRAL
[1562501543] unbound[7013:0] info: response for ns-cloud-b1.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <googledomains.com.> 216.239.38.10#53
[1562501543] unbound[7013:0] info: query response was ANSWER
[1562501543] unbound[7013:0] info: resolving ns-cloud-b2.googledomains.com. A IN
[1562501543] unbound[7013:0] info: response for ns-cloud-b3.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <googledomains.com.> 216.239.38.10#53
[1562501543] unbound[7013:0] info: query response was ANSWER
[1562501543] unbound[7013:0] info: response for ns-cloud-b4.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <googledomains.com.> 216.239.34.10#53
[1562501543] unbound[7013:0] info: query response was ANSWER
[1562501543] unbound[7013:0] info: response for calomel.org. A IN
[1562501543] unbound[7013:0] info: reply from <calomel.org.> 216.239.32.107#53
[1562501543] unbound[7013:0] info: query response was ANSWER
[1562501543] unbound[7013:0] info: validated DS org. DS IN
[1562501543] unbound[7013:0] info: response for ns-cloud-b2.googledomains.com. A IN
[1562501543] unbound[7013:0] info: reply from <googledomains.com.> 216.239.34.10#53
[1562501543] unbound[7013:0] info: query response was ANSWER
[1562501547] unbound[7013:0] info: resolving calomel.org. A IN
[1562501547] unbound[7013:0] info: validated DS org. DS IN
[1562501552] unbound[7013:0] info: resolving calomel.org. A IN
[1562501552] unbound[7013:0] info: validated DS org. DS IN

How does this output compare to a domain where you got an answer instead of a timeout in dig?

Checked my firewall; the Pi-hole is in a separate VLAN. The log showed the Pi-hole server was not able to connect to all interfaces/ports needed (53/tcp). Made some changes to the firewall, and now most sites seem to resolve OK.

Switched over to DNS-TLS and noticed a specific website still does not resolve 100% of the time: https://cmdns.dev.dns-oarc.net/ sometimes generates a "bogus" DNS entry in the query log (?). Not sure what this means, but maybe that is why this website isn't resolving correctly? The site doesn't resolve for a while after seeing a "bogus" entry in the Pi-hole log, then 15 minutes later I try again and then it's OK again for a while.

What does this bogus status do/mean?

Bogus is a DNSSEC response that signals a result that is not validating with what the zone owner says is the correct response.
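
Added example, not part of any post in this thread: a small Python check for the pattern visible in the verbosity-2 log posted above, where a name is logged as "resolving" again and again with no "response for" line after it. The sample log is constructed (placeholder names and addresses), and the function name `stalled_queries` and its `min_silent` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the verbosity-2 lines quoted in the thread.
SAMPLE_LOG = """\
[1700000000] unbound[100:0] info: resolving ok.example. A IN
[1700000000] unbound[100:0] info: response for ok.example. A IN
[1700000000] unbound[100:0] info: reply from <example.> 192.0.2.1#53
[1700000000] unbound[100:0] info: query response was ANSWER
[1700000001] unbound[100:0] info: resolving stuck.example. A IN
[1700000002] unbound[100:0] info: response for stuck.example. A IN
[1700000002] unbound[100:0] info: reply from <stuck.example.> 192.0.2.53#53
[1700000002] unbound[100:0] info: query response was ANSWER
[1700000002] unbound[100:0] info: validated DS example. DS IN
[1700000006] unbound[100:0] info: resolving stuck.example. A IN
[1700000006] unbound[100:0] info: validated DS example. DS IN
[1700000011] unbound[100:0] info: resolving stuck.example. A IN
[1700000011] unbound[100:0] info: validated DS example. DS IN
"""

# Only the two line kinds needed to pair a lookup with an upstream response.
LINE = re.compile(
    r"^\[(\d+)\] unbound\[\d+:\d+\] info: (resolving|response for) (\S+) (\S+) IN$"
)

def stalled_queries(log_text, min_silent=2):
    """Return {(name, qtype): [timestamps]} for lookups that were started at
    least `min_silent` times without any 'response for' line following."""
    pending = {}                 # (name, qtype) -> time of unanswered "resolving"
    silent = defaultdict(list)   # (name, qtype) -> times of silent attempts
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, kind, key = int(m[1]), m[2], (m[3], m[4])
        if kind == "resolving":
            if key in pending:   # previous attempt never saw a response
                silent[key].append(pending[key])
            pending[key] = ts
        else:
            pending.pop(key, None)
    for key, ts in pending.items():   # still unanswered at end of capture
        silent[key].append(ts)
    return {k: v for k, v in silent.items() if len(v) >= min_silent}

if __name__ == "__main__":
    for (name, qtype), times in stalled_queries(SAMPLE_LOG).items():
        print(f"{name} {qtype}: {len(times)} silent attempts at {times}")
```

A lookup still in flight when the capture ends counts as one silent attempt, which is why the default threshold is two.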
