Pihole+Unbound not resolving some domains


Expected Behaviour:

Recursive calls to Unbound (127.0.0.1 or localhost) from Pi-hole are not resolving some domains. One of the observed domains is "jobbank.gc.ca": with any other recursive DNS configured on Pi-hole, this domain is resolved and the website opens normally. But as soon as I change the recursive DNS to unbound, it just stops working. Everything else has so far been observed to be working normally.

Dig output with both 8.8.8.8 and unbound localhost ip is shared below

Actual Behaviour:

Pihole is not resolving some domains. Tested domain is "jobbank.gc.ca"

Dig output with both 8.8.8.8 and unbound localhost ip is shared below

**dig output with Unbound**

user@raspberrypi:/var/log $ dig jobbank.gc.ca @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached

**dig output with Public Google DNS**

user@raspberrypi:/var/log $ dig jobbank.gc.ca @8.8.8.8

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63948
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;jobbank.gc.ca.                 IN      A

;; ANSWER SECTION:
jobbank.gc.ca.          899     IN      A       142.236.70.140
jobbank.gc.ca.          899     IN      A       167.227.38.140

;; Query time: 294 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Oct 12 23:54:49 IST 2020
;; MSG SIZE  rcvd: 74

Debug Token:

https://tricorder.pi-hole.net/v7pxdy9pnn

The problem appears to be with your unbound instance. You queried unbound directly, so the query did not go through Pi-hole. Unbound did not respond to the request.

Your debug log shows that unbound is configured to listen at that port.

Are you able to resolve any domain names with direct queries to unbound?

Latest PiHole with unbound uses port 5335

In my setup port 5353 refuses whilst port 5335 and no port given result in a swift response.

The OP doesn't have their unbound instance set up on this port. They are using port 5353.

127.0.0.1:5353 unbound (IPv4)

PIHOLE_DNS_1=127.0.0.1#5353

Heads-up: a bit of a lengthy post, as multiple dig outputs are present.

Hi, yes, I am able to query and resolve other domains too. Please find below the dig output when queried through Pi-hole and then forwarded to unbound, and the dig output for other domains via the Pi-hole IP address and the unbound IP.

Domains tested through unbound and Pi-hole.


Pi-Hole Dig output for Domain: google.com

user@raspberrypi:~ $ dig google.com @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1436
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       172.217.160.206

;; Query time: 109 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:07:00 IST 2020
;; MSG SIZE  rcvd: 55

Pi-Hole Dig output for Domain: yahoo.com

user@raspberrypi:~ $ dig yahoo.com @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> yahoo.com @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22109
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1800    IN      A       74.6.231.20
yahoo.com.              1800    IN      A       74.6.231.21
yahoo.com.              1800    IN      A       74.6.143.26
yahoo.com.              1800    IN      A       98.137.11.163
yahoo.com.              1800    IN      A       74.6.143.25
yahoo.com.              1800    IN      A       98.137.11.164

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          1209600 IN      A       68.180.131.16
ns2.yahoo.com.          1209600 IN      A       68.142.255.16
ns3.yahoo.com.          1800    IN      A       27.123.42.42
ns4.yahoo.com.          1209600 IN      A       98.138.11.157
ns5.yahoo.com.          86400   IN      A       202.165.97.53
ns1.yahoo.com.          86400   IN      AAAA    2001:4998:130::1001
ns2.yahoo.com.          86400   IN      AAAA    2001:4998:140::1002
ns3.yahoo.com.          1800    IN      AAAA    2406:8600:f03f:1f8::1003
ns5.yahoo.com.          86400   IN      AAAA    2406:2000:ff60::53

;; Query time: 195 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:07:45 IST 2020
;; MSG SIZE  rcvd: 416

Pi-Hole Dig output for Domain: onedrive.com

user@raspberrypi:~ $ dig onedrive.com @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> onedrive.com @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40986
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;onedrive.com.                  IN      A

;; ANSWER SECTION:
onedrive.com.           488     IN      A       13.81.118.91

;; Query time: 4 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:08:21 IST 2020
;; MSG SIZE  rcvd: 57

Pi-Hole Dig output for Domain: discourse.pi-hole.net

user@raspberrypi:~ $ dig discourse.pi-hole.net @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> discourse.pi-hole.net @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61108
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;discourse.pi-hole.net.         IN      A

;; ANSWER SECTION:
discourse.pi-hole.net.  20626   IN      A       159.203.95.226

;; AUTHORITY SECTION:
pi-hole.net.            2626    IN      NS      ns3.pi-hole.net.
pi-hole.net.            2626    IN      NS      ns4.pi-hole.net.
pi-hole.net.            2626    IN      NS      ns1.pi-hole.net.
pi-hole.net.            2626    IN      NS      ns2.pi-hole.net.

;; ADDITIONAL SECTION:
ns1.pi-hole.net.        2626    IN      A       185.136.96.96
ns2.pi-hole.net.        2626    IN      A       185.136.97.96
ns3.pi-hole.net.        2626    IN      A       185.136.98.96
ns4.pi-hole.net.        2626    IN      A       185.136.99.96
ns1.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::1:96
ns2.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::2:96
ns3.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::3:96
ns4.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::4:96

;; Query time: 4 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:08:49 IST 2020
;; MSG SIZE  rcvd: 314

Pi-Hole Dig output for Domain: jobbank.gc.ca

user@raspberrypi:~ $ dig jobbank.gc.ca @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @10.10.10.12
;; global options: +cmd
;; connection timed out; no servers could be reached

Unbound Dig output for Domain: google.com

user@raspberrypi:~ $ dig google.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             117     IN      A       172.217.160.206

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:10:03 IST 2020
;; MSG SIZE  rcvd: 55

Unbound Dig output for Domain: yahoo.com

user@raspberrypi:~ $ dig yahoo.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> yahoo.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2245
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1631    IN      A       74.6.231.20
yahoo.com.              1631    IN      A       74.6.231.21
yahoo.com.              1631    IN      A       74.6.143.26
yahoo.com.              1631    IN      A       98.137.11.163
yahoo.com.              1631    IN      A       74.6.143.25
yahoo.com.              1631    IN      A       98.137.11.164

;; AUTHORITY SECTION:
yahoo.com.              86231   IN      NS      ns5.yahoo.com.
yahoo.com.              86231   IN      NS      ns4.yahoo.com.
yahoo.com.              86231   IN      NS      ns2.yahoo.com.
yahoo.com.              86231   IN      NS      ns1.yahoo.com.
yahoo.com.              86231   IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          1209431 IN      A       68.180.131.16
ns2.yahoo.com.          1209431 IN      A       68.142.255.16
ns3.yahoo.com.          1631    IN      A       27.123.42.42
ns4.yahoo.com.          1209431 IN      A       98.138.11.157
ns5.yahoo.com.          86231   IN      A       202.165.97.53
ns1.yahoo.com.          86231   IN      AAAA    2001:4998:130::1001
ns2.yahoo.com.          86231   IN      AAAA    2001:4998:140::1002
ns3.yahoo.com.          1631    IN      AAAA    2406:8600:f03f:1f8::1003
ns5.yahoo.com.          86231   IN      AAAA    2406:2000:ff60::53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:10:34 IST 2020
;; MSG SIZE  rcvd: 416

Unbound Dig output for Domain: onedrive.com

user@raspberrypi:~ $ dig onedrive.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> onedrive.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40938
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;onedrive.com.                  IN      A

;; ANSWER SECTION:
onedrive.com.           317     IN      A       13.81.118.91

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:11:12 IST 2020
;; MSG SIZE  rcvd: 57

Unbound Dig output for Domain: discourse.pi-hole.net

user@raspberrypi:~ $ dig discourse.pi-hole.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> discourse.pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;discourse.pi-hole.net.         IN      A

;; ANSWER SECTION:
discourse.pi-hole.net.  20458   IN      A       159.203.95.226

;; AUTHORITY SECTION:
pi-hole.net.            2458    IN      NS      ns3.pi-hole.net.
pi-hole.net.            2458    IN      NS      ns4.pi-hole.net.
pi-hole.net.            2458    IN      NS      ns1.pi-hole.net.
pi-hole.net.            2458    IN      NS      ns2.pi-hole.net.

;; ADDITIONAL SECTION:
ns1.pi-hole.net.        2458    IN      A       185.136.96.96
ns2.pi-hole.net.        2458    IN      A       185.136.97.96
ns3.pi-hole.net.        2458    IN      A       185.136.98.96
ns4.pi-hole.net.        2458    IN      A       185.136.99.96
ns1.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::1:96
ns2.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::2:96
ns3.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::3:96
ns4.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::4:96

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:11:37 IST 2020
;; MSG SIZE  rcvd: 314

Unbound Dig output for Domain: jobbank.gc.ca

user@raspberrypi:~ $ dig jobbank.gc.ca @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached

As far as I know, the port depends on the configuration that you have done in unbound.conf, so if you have set unbound to listen on 5335 then it should be using 5335 instead of 5353.

They are using port 5353. See the second to last dig to unbound using that port.

This is odd. I don't think there is a problem with the nameserver for the jobbank domain - here is output from my dig using recursive unbound (mine is on port 5335, that should be the only difference).

dig jobbank.gc.ca @127.0.0.1 -p 5335
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> jobbank.gc.ca @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;jobbank.gc.ca. IN A

;; ANSWER SECTION:
jobbank.gc.ca. 3600 IN A 142.236.70.140
jobbank.gc.ca. 3600 IN A 167.227.38.140
;; Query time: 224 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Wed Oct 14 13:35:54 CDT 2020
;; MSG SIZE rcvd: 74

My recommendation would be to change the verbosity in your unbound pi-hole.conf file to 5, restart unbound and repeat the dig. Then open the unbound log and see the details of the query. This may show the point of failure.

I just did that.

See the pastebin logs for debug. I guess it is resolving to the wrong IP address.

https://pastebin.com/gECwQ5bR

Let's take a look at your unbound configuration. Please post the output of this command from the Pi terminal (paste the text output directly into a reply):

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

Here is the output of the command.

user@raspberrypi:~ $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf:server:
/etc/unbound/unbound.conf:    chroot: ""
/etc/unbound/unbound.conf:    logfile: /var/log/unbound.log
/etc/unbound/unbound.conf:    verbosity: 1
/etc/unbound/unbound.conf:    log-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 2
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5353
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.save:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.save:server:
/etc/unbound/unbound.conf.save:    chroot: ""
/etc/unbound/unbound.conf.save:    logfile: /var/log/unbound.log
/etc/unbound/unbound.conf.save:    verbosity: 1
/etc/unbound/unbound.conf.save:    lg-queries: yes
/etc/unbound/unbound.conf.save:    ...
/etc/unbound/unbound.conftouch:chown unbound:unbound /var/log/unbound.log

A few items noted:

(1) File /etc/unbound/unbound.conf should have only the following line (other than the commented lines in the file). Delete the additional lines in your file or move them to /etc/unbound/unbound.conf.d/pi-hole.conf

include: "/etc/unbound/unbound.conf.d/*.conf"

(2) Delete this unneeded file:

/etc/unbound/unbound.conf.save

(3) This looks like an attempt to change ownership on the unbound log?

/etc/unbound/unbound.conftouch:chown unbound:unbound /var/log/unbound.log

Delete this file - `/etc/unbound/unbound.conftouch`

(4) Eliminate the empty line here:

/etc/unbound/unbound.conf.d/pi-hole.conf:

I don't know if these changes will fix your problem, but the configuration will be clean.

I had recently changed the ownership as the unbound logs were not enabled in my setup.
Hence this line was present:

/etc/unbound/unbound.conftouch:chown unbound:unbound /var/log/unbound.log

Apart from this, everything is done for all 4 points. I still can't figure out why that domain is not being resolved by unbound.

Also, to add: maybe this issue was there since the start and I might not have noticed it, as I had recently changed the DHCP configuration of my setup (my router had crashed and I had to rebuild its configuration). Earlier I had kept my primary DNS as Pi-hole and the secondary as my ISP's DNS for backup. Now it's just the Pi-hole IP address that I have configured. Maybe earlier it used to resolve through there.
But on Pi-hole there was no secondary DNS configured.

After making these changes, these are the logs I am getting.

user@raspberrypi:/etc/unbound $ tail -f /var/log/unbound.log
[1602941367] unbound[4142:0] info:    0.262144    0.524288 5549
[1602941367] unbound[4142:0] info:    0.524288    1.000000 2436
[1602941367] unbound[4142:0] info:    1.000000    2.000000 781
[1602941367] unbound[4142:0] info:    2.000000    4.000000 161
[1602941367] unbound[4142:0] info:    4.000000    8.000000 36
[1602941367] unbound[4142:0] info:    8.000000   16.000000 23
[1602941367] unbound[4142:0] info:   16.000000   32.000000 24
[1602941367] unbound[4142:0] info:   32.000000   64.000000 4
[1602941367] unbound[4142:0] info:  128.000000  256.000000 13
[1602941367] unbound[4142:0] info:  512.000000 1024.000000 1

Also, I have generated the new output for the unbound conf file.

user@raspberrypi:/etc/unbound $ sudo grep -v '#|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:# Unbound configuration file for Debian.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# See the unbound.conf(5) man page.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# See /usr/share/doc/unbound/examples/unbound.conf for a commented
/etc/unbound/unbound.conf:# reference config file.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# The following line includes additional configuration files from the
/etc/unbound/unbound.conf:# /etc/unbound/unbound.conf.d directory.
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If no logfile is specified, syslog is used
/etc/unbound/unbound.conf.d/pi-hole.conf:    logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5353
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # log-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # May be set to yes if you have IPv6 connectivity
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Use this only when you downloaded the list of primary root servers!
/etc/unbound/unbound.conf.d/pi-hole.conf:    root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Trust glue only if it is within the servers authority
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Reduce EDNS reassembly buffer size.
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Suggested by the unbound man page to reduce fragmentation reassembly problems
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Perform prefetching of close to expired message cache entries
/etc/unbound/unbound.conf.d/pi-hole.conf:    # This only applies to domains that have been frequently queried
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure privacy of local IP ranges
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # Send minimum amount of information to upstream servers to enhance
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # privacy. Only sends minimum required labels of the QNAME and sets
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # QTYPE to NS when possible.
/etc/unbound/unbound.conf.d/qname-minimisation.conf:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # details.
/etc/unbound/unbound.conf.d/qname-minimisation.conf:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    # The following line will configure unbound to perform cryptographic
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    # DNSSEC validation using the root trust anchor.
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Thanks for this. Will help me out a lot to troubleshoot in future too.

The log size is just too huge for me to go through it and analyze what is wrong with unbound. What I have settled on right now is resetting my setup of Pi-hole and Unbound and installing it from scratch.

@msatter / @jfb

I completely reinstalled Pi-hole and Unbound, yet the same thing is observed.

Here is the pastebin for the latest unbound log with verbosity set to 3.

https://pastebin.com/TraewtLY

I see these messages constantly.

debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1604272848] unbound[1177:0] debug: out of query targets -- returning SERVFAIL
[1604272848] unbound[1177:0] debug: return error response SERVFAIL

I believe this is the root of the issue; also, I have seen various failures to resolve nowadays.

Is my public IP address being blacklisted where the domains are failing to resolve?

This is indeed a possibility. Two questions in this direction:

  • Do you have a fixed IP address or can you toggle your address by, e.g., forcing a reconnection of your modem?
  • Are you using a VPN provider for Internet access? It would not be the first time that parts of the Internet block certain origins (terrorism prevention, etc.)

Do you have a fixed IP address or can you toggle your address by, e.g., forcing a reconnection of your modem?

My plan has dynamic IP assignment; forcing a reconnection does change the public IP, but I have done that many times since the start of the post.

Are you using a VPN provider for Internet access? It would not be the first time that parts of the Internet block certain origins (terrorism prevention, etc.)

I haven't given a VPN a try yet. I do not use a VPN for a few reasons. I will give a VPN a try once. Any recommendations? Or should I just go with the recommendations provided by privacytools [dot] io?
But there is this thing where my ISP's DNS is able to resolve it, and also this website is used by many Indians who are migrating to Canada, which makes me think geo-blocking is not a possibility here.

I guess this problem is resolved somehow. There is nothing I did apart from reinstalling Pi-hole and unbound from scratch, and even then it did not show any good signs. But suddenly it has come back to normal and the page I was facing issues with is resolving now.
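
The three-way dig comparison carried out by hand in this thread (unbound queried directly, the same name through Pi-hole, and a public resolver as reference) can be scripted; the following is an added example, not code from any poster or from the Pi-hole or unbound projects. The function names are hypothetical, the resolver addresses are the ones used in the thread, and the two samples are trimmed copies of dig outputs posted above.

```shell
#!/bin/sh
# Added example. Resolvers as used in the thread (assumed for triage()):
# unbound 127.0.0.1 port 5353, Pi-hole 10.10.10.12, reference 8.8.8.8.

# Read dig output on stdin; print TIMEOUT, UNKNOWN, or <rcode>:<answers>
# (for example NOERROR:2 or SERVFAIL:0).
classify_dig() {
    awk '
        /connection timed out; no servers could be reached/ { timeout = 1 }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
        }
        /^;; flags:/ {
            for (i = 1; i < NF; i++)
                if ($i == "ANSWER:") { answers = $(i + 1); sub(/,$/, "", answers) }
        }
        END {
            if (rcode != "")  print rcode ":" (answers == "" ? 0 : answers)
            else if (timeout) print "TIMEOUT"
            else              print "UNKNOWN"
        }'
}

# True only for a positive answer: NOERROR with at least one record.
answered() {
    case $1 in
        NOERROR:[1-9]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# locate_fault UNBOUND_DIRECT VIA_PIHOLE REFERENCE: hop to investigate first.
locate_fault() {
    if ! answered "$3"; then
        echo "domain-or-uplink"   # the reference resolver has no answer either
    elif ! answered "$1"; then
        echo "unbound"            # direct query bypasses Pi-hole and still fails
    elif ! answered "$2"; then
        echo "pi-hole"            # unbound answers; the loss is in front of it
    else
        echo "none"
    fi
}

# Live check for one name (needs dig and network access; not run by the demo).
triage() {
    t_u=$(dig +time=3 +tries=1 "$1" @127.0.0.1 -p 5353 | classify_dig)
    t_p=$(dig +time=3 +tries=1 "$1" @10.10.10.12 | classify_dig)
    t_r=$(dig +time=3 +tries=1 "$1" @8.8.8.8 | classify_dig)
    printf '%s unbound=%s pihole=%s reference=%s fault=%s\n' \
        "$1" "$t_u" "$t_p" "$t_r" "$(locate_fault "$t_u" "$t_p" "$t_r")"
}

# Trimmed copies of two dig outputs posted in the thread.
sample_timeout() {
    cat <<'EOF'
; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached
EOF
}

sample_answer() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63948
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
jobbank.gc.ca.          899     IN      A       142.236.70.140
jobbank.gc.ca.          899     IN      A       167.227.38.140
EOF
}

# Offline demo: unbound and Pi-hole timed out, 8.8.8.8 answered.
demo() {
    d_fail=$(sample_timeout | classify_dig)
    d_ok=$(sample_answer | classify_dig)
    echo "jobbank.gc.ca fault=$(locate_fault "$d_fail" "$d_fail" "$d_ok")"
}
demo
```

Running `triage` over a list of names gives one line per name, so intermittent failures such as the one reported here show up as a change in the `fault=` column between runs.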