PiHole + Unbound: no connection for OS


Hey Guys,
I just set up a fresh Raspbian Stretch (latest, June 2018) on a Raspberry Pi 3B+ and installed Pi-Hole. After that I followed the guide
https://docs.pi-hole.net/guides/unbound/
to install unbound with Pi-Hole.

Expected Behaviour:

PiHole just resolves URLs via the root servers and builds its own cache. Secured with DNSSEC, but maybe slower (it's okay for the first visit of an uncached site).

Actual Behaviour:

Pi-Hole itself works fine. I can browse without ads as usual (as without unbound).
But the OS (Raspbian Stretch) can't establish an internet connection / resolve URLs. Ping does work (ping 1.1.1.1 for example). But resolving URLs, e.g. to update the blacklists with "pihole -g", or even "sudo update" or "wget", does not work.

Does anyone know what to do?

I already had a look at "/etc/resolv.conf". The nameserver/DNS in there is "127.0.0.1" (without a port; unbound is normally on 5353 in the guide, right? Maybe I have to change that?).

Hey,

I love Pi-Hole and just read the blog post about the "All-Around DNS Solution" with PiHole, so I directly wanted to check that out.

After a totally clean installation of Raspbian Stretch (latest, 2018-06-27) and a clean installation of Pi-Hole, I followed the guide on GitHub for the "All-Around DNS Solution" with unbound:
https://docs.pi-hole.net/guides/unbound/

The Test

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

already work fine on the command line, and I can browse with any device just like without unbound and use Pi-Hole as normal.

The big problem: Raspbian itself can't establish any connection to URLs, e.g. for "pihole -g", "sudo update" and "sudo upgrade" or "wget".
I think it can't resolve the URLs.

I already had a look at "/etc/resolv.conf". The nameserver/DNS in there is "127.0.0.1" (without a port; unbound is normally on 5353 in the guide, right? Maybe I have to change that?).

  • How do I change the DNS to match the right one? Or let resolv know to use port 5353?

I already tried to add another nameserver via "/etc/dhcpcd.conf", because since Stretch this should be the way to change the DNS (resolv gets overwritten on every reboot). After a reboot and "resolvconf -u", nothing changed.

I also tried to add another nameserver to the "resolv.conf" via "resolve.tail". It seems to work; now the OS can resolve URLs, but it also uses 127.0.0.1 first and therefore it's very slow to update or to use e.g. "wget". I assume it first tries and tries 127.0.0.1 to resolve the URL and finally tries my newly added nameserver.

Does anyone know how to fix that? I would appreciate it a lot. :slight_smile:
Does anyone else have the same problem?

@DL6ER Do you perhaps have an idea or a tip?

Thanks, and keep up this awesome work!

This is supposed to be here and it looks OK.
It relies on port 53 to be open/answered by a DNS resolver (in this case, Pi-hole's FTLDNS).

Unbound looks like it's installed properly based on your dig commands.

What happens if you run

sudo lsof -i :53 +c 0 | awk 'FNR==2{ print $1 }'

Does it return anything?


That is the correct address in that file.

Please obtain and upload a debug token (either run pihole -d or from the admin dashboard - /tools / generate debug log).


What branch of Pi-hole are you on?

If you are on master, unbound will not work correctly; try pihole checkout dev.

Hey Guys,

thanks for your quick answers. Shortly after I asked this, I decided to flush my SD card another time and try a complete reinstall of Raspbian, PiHole and unbound.

Now finally it works like a charm! Very nice!
It seems like there is no more time needed to resolve the URLs compared to a normal DNS from my ISP.
And the cache works very well and quickly.

Another cool thing in the FTLDNS is the possibility to "Conditional Forwarding" so the device names in my network are shown. Really cool!

-> All around solution for everyone! Big thumbs up!! :slight_smile:

I don't know what was wrong the other times I tried. Maybe the Raspberry did something wrong. I had an issue with the repository of Raspbian ( Index of /raspbian ). Sometimes it says it's unavailable (down). When I opened the URL in the web browser it said something like "We are expecting high traffic right now ..."
So I changed to another mirror near my location and now it works.

Maybe this was the problem, if someone else runs into this. -> Try to change to a mirror :slight_smile:

@technicalpyro I'm on

Pi-hole Version vDev (FTLDNS, v3.3-186-g76c5b4a)
Web Interface Version vDev (FTLDNS, v3.2.1-195-g4355bde2)
FTL Version vDev (FTLDNS, vDev-5ecab0a)

Via:

echo "FTLDNS" | sudo tee /etc/pihole/ftlbranch
pihole checkout core FTLDNS
pihole checkout web FTLDNS

Should I change to "dev"? I guess "FTLDNS" is more up-to-date than dev, isn't it?
Like: master -> dev -> FTLDNS

BTW: If there is a moderator reading, you can tag this issue as solved (for me). Thanks :wink:

Not really a need: for the last little while FTLDNS is the first step, and once it is stable it gets merged into development. I have personally been pointing users towards the dev branch as it includes everything from the FTLDNS branches, so unless you need a specific feature found in one of the tweaks, I find it a better option. But that is all a personal choice.

I'm glad everything is working for you now


Thanks for the advice. It's already disabled.
If someone who can edit the guide on GitHub is reading this, they can add some advice for other users :slight_smile:

Maybe a bigger screenshot to see it.

You can have it set either way when running unbound. If it is not DNSSEC compliant, unbound will reject it anyway, so you will always see either unknown or OK in that column within Pi-hole.

I just ticked the DNSSEC Box to try it. Mostly to be able to see the DNSSEC Validation in the Query Log, but this got me curious:
DNSSEC

Unbound actually seems to work like in the command line:

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

And if I'm on https://rootcanary.org/test.html I get this, like @anon55913113.

Also the other Tests on:
https://dnssec.vs.uni-due.de/
http://www.dnssec-or-not.com/
work perfectly fine...

Why does the Query Log say "Insecure"?

Because one or more links in the DNSSEC chain is showing it as insecure. You won't see any BOGUS, as those will be rejected by unbound. So from that we can infer that it is dnsmasq causing it, and it really is a non-issue, as insecure does not prevent access.


So from that we can infer that it is dnsmasq causing it

When FTLDNS is activated, then dnsmasq will be deactivated, right? I just checked it with

sudo systemctl status dnsmasq

It says it's deactivated.
Or do you mean dnsmasq in general, because I think FTLDNS is based on it, right?

If this "Insecure" warning is not an issue and unbound and the DNSSEC chain are ok, then I'm happy. Just a little bit confusing for not so advanced users :smiley:

Yes.

From the FTLDNS beta web page (Help Us Beta Test FTLDNS):

"FTLDNS™ is Pi-hole’s Faster Than Light (FTL) daemon combined with a DNS/DHCP server (our fork of dnsmasq). So instead of installing dnsmasq as a dependency, we will be distributing all services in a single binary. This will allow us to hook into dnsmasq’s functionality at a code- level, as well as ensuring that you are using the latest stable version of the resolver and receive, e.g., important bug fixes early on."


All right.

So this insecure warning is just a little dnsmasq bug. Thank you :wink:

Insecure just means that the domain does not have any DNSSEC information.

It's telling you that it's not validated as secure, thus may be insecure.

Think of it like HTTP vs HTTPS.
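To make the three outcomes discussed in this thread concrete (sigok validating, sigfail being rejected, and a plain unsigned zone showing up as "Insecure"), here is an added example that is not from the thread or from the Pi-hole project: it reads the header lines that dig prints for the two verteiltesysteme.net test queries and maps them to the same labels Pi-hole's query log uses. The sample headers are constructed, not captured; the SERVFAIL-to-BOGUS mapping assumes the resolver on 127.0.0.1:5353 is a validating unbound as set up in the guide, and "unsigned.example" is a hypothetical zone without DNSSEC records.

```python
import re

# Constructed dig header lines (not captured from the thread), in the format
# printed by "dig <name> @127.0.0.1 -p 5353". Only the header lines matter here.
SAMPLE_OUTPUTS = {
    "sigok.verteiltesysteme.net": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    "sigfail.verteiltesysteme.net": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    # Hypothetical zone that simply carries no DNSSEC records at all.
    "unsigned.example": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
}

_STATUS = re.compile(r"status: ([A-Z]+)")
_FLAGS = re.compile(r";; flags: ([a-z ]*);")


def classify(dig_output: str) -> str:
    """Map a dig header to the labels Pi-hole's query log shows."""
    status_m = _STATUS.search(dig_output)
    flags_m = _FLAGS.search(dig_output)
    if not status_m or not flags_m:
        raise ValueError("no dig header found in output")
    status = status_m.group(1)
    flags = set(flags_m.group(1).split())
    if status == "SERVFAIL":
        # A validating resolver withholds answers whose signatures fail to verify,
        # which is why the log never shows BOGUS: the client only sees SERVFAIL.
        return "BOGUS"
    if status == "NOERROR" and "ad" in flags:
        # The AD (authenticated data) bit is set only when the whole chain validated.
        return "SECURE"
    # NOERROR without AD: the zone has no DNSSEC data (or nothing validated it).
    return "INSECURE"


def check_resolver(outputs: dict) -> dict:
    """Verdict per name: a working validating resolver yields SECURE for sigok
    and BOGUS for sigfail; unsigned zones are expected to be INSECURE."""
    return {name: classify(out) for name, out in outputs.items()}


if __name__ == "__main__":
    for name, verdict in check_resolver(SAMPLE_OUTPUTS).items():
        print(f"{name:32} {verdict}")
```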
