Pihole+Unbound not resolving some domains

Please follow the below template, it will help us to help you!

If you are Experiencing issues with a Pi-hole install that has non-standard elements (e.g you are using nginx instead of lighttpd, or there is some other aspect of your install that is customised) - please use the Community Help category.

Expected Behaviour:

Recursive calls to Unbound(127.0.0.1 or localhost) from Pihole is not resolving some domains. One of the observed domains is "jobbank.gc.ca" with any other recursive DNS configured on Pi-hole this domain is resolved and web opens normally. But as soon as I change it the recursive DNS to unbound it just stops working. Rest everything till now has been observed to be working normally.

Dig output with both 8.8.8.8 and unbound localhost ip is shared below

Actual Behaviour:

Pihole is not resolving some domains. Tested domain is "jobbank.gc.ca"

Dig output with both 8.8.8.8 and unbound localhost ip is shared below

**dig output with Unbound**

user@raspberrypi:/var/log $ dig jobbank.gc.ca @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached
**dig output with Public Google DNS**

user@raspberrypi:/var/log $ dig jobbank.gc.ca @8.8.8.8

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63948
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;jobbank.gc.ca.                 IN      A

;; ANSWER SECTION:
jobbank.gc.ca.          899     IN      A       142.236.70.140
jobbank.gc.ca.          899     IN      A       167.227.38.140

;; Query time: 294 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Oct 12 23:54:49 IST 2020
;; MSG SIZE  rcvd: 74

Debug Token:

https://tricorder.pi-hole.net/v7pxdy9pnn

The problem appears to be with your unbound instance. You queried unbound directly, so the query did not go through Pi-hole. Unbound did not respond to the request.

Your debug log shows that unbound is configured to listen at that port.

Are you able to resolve any domain names with direct queries to unbound?

Latest PiHole with unbound uses port 5335

In my setup port 5353 refuses whilst port 5335 and no port given result in a swift response.

The OP doesn't have their unbound instance setup on this port. They are using port 5353.

127.0.0.1:5353 unbound (IPv4)

PIHOLE_DNS_1=127.0.0.1#5353

Heads-up a bit lengthy post as multiple dig outputs are present.

Hi, Yes i am able to query and resolve other domains too. Please find the dig output when queried through Pi-Hole and then forwarded to unbound. and other domains dig output via pi-hole ip address and unbound ip.

Domains tested through unbound and Pi-hole.


Pi-Hole Dig output for Domain: google.com

user@raspberrypi:~ $ dig google.com @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1436
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       172.217.160.206

;; Query time: 109 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:07:00 IST 2020
;; MSG SIZE  rcvd: 55

Pi-Hole Dig output for Domain: yahoo.com

user@raspberrypi:~ $ dig yahoo.com @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> yahoo.com @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22109
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1800    IN      A       74.6.231.20
yahoo.com.              1800    IN      A       74.6.231.21
yahoo.com.              1800    IN      A       74.6.143.26
yahoo.com.              1800    IN      A       98.137.11.163
yahoo.com.              1800    IN      A       74.6.143.25
yahoo.com.              1800    IN      A       98.137.11.164

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          1209600 IN      A       68.180.131.16
ns2.yahoo.com.          1209600 IN      A       68.142.255.16
ns3.yahoo.com.          1800    IN      A       27.123.42.42
ns4.yahoo.com.          1209600 IN      A       98.138.11.157
ns5.yahoo.com.          86400   IN      A       202.165.97.53
ns1.yahoo.com.          86400   IN      AAAA    2001:4998:130::1001
ns2.yahoo.com.          86400   IN      AAAA    2001:4998:140::1002
ns3.yahoo.com.          1800    IN      AAAA    2406:8600:f03f:1f8::1003
ns5.yahoo.com.          86400   IN      AAAA    2406:2000:ff60::53

;; Query time: 195 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:07:45 IST 2020
;; MSG SIZE  rcvd: 416

Pi-Hole Dig output for Domain: onedrive.com

user@raspberrypi:~ $ dig onedrive.com @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> onedrive.com @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40986
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;onedrive.com.                  IN      A

;; ANSWER SECTION:
onedrive.com.           488     IN      A       13.81.118.91

;; Query time: 4 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:08:21 IST 2020
;; MSG SIZE  rcvd: 57

Pi-Hole Dig output for Domain: discourse.pi-hole.net

user@raspberrypi:~ $ dig discourse.pi-hole.net @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> discourse.pi-hole.net @10.10.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61108
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;discourse.pi-hole.net.         IN      A

;; ANSWER SECTION:
discourse.pi-hole.net.  20626   IN      A       159.203.95.226

;; AUTHORITY SECTION:
pi-hole.net.            2626    IN      NS      ns3.pi-hole.net.
pi-hole.net.            2626    IN      NS      ns4.pi-hole.net.
pi-hole.net.            2626    IN      NS      ns1.pi-hole.net.
pi-hole.net.            2626    IN      NS      ns2.pi-hole.net.

;; ADDITIONAL SECTION:
ns1.pi-hole.net.        2626    IN      A       185.136.96.96
ns2.pi-hole.net.        2626    IN      A       185.136.97.96
ns3.pi-hole.net.        2626    IN      A       185.136.98.96
ns4.pi-hole.net.        2626    IN      A       185.136.99.96
ns1.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::1:96
ns2.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::2:96
ns3.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::3:96
ns4.pi-hole.net.        2626    IN      AAAA    2a06:fb00:1::4:96

;; Query time: 4 msec
;; SERVER: 10.10.10.12#53(10.10.10.12)
;; WHEN: Wed Oct 14 22:08:49 IST 2020
;; MSG SIZE  rcvd: 314

Pi-Hole Dig output for Domain: jobbank.gc.ca

user@raspberrypi:~ $ dig jobbank.gc.ca @10.10.10.12

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @10.10.10.12
;; global options: +cmd
;; connection timed out; no servers could be reached

Unbound Dig output for Domain: google.com

user@raspberrypi:~ $ dig google.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             117     IN      A       172.217.160.206

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:10:03 IST 2020
;; MSG SIZE  rcvd: 55

Unbound Dig output for Domain: yahoo.com

user@raspberrypi:~ $ dig yahoo.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> yahoo.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2245
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1631    IN      A       74.6.231.20
yahoo.com.              1631    IN      A       74.6.231.21
yahoo.com.              1631    IN      A       74.6.143.26
yahoo.com.              1631    IN      A       98.137.11.163
yahoo.com.              1631    IN      A       74.6.143.25
yahoo.com.              1631    IN      A       98.137.11.164

;; AUTHORITY SECTION:
yahoo.com.              86231   IN      NS      ns5.yahoo.com.
yahoo.com.              86231   IN      NS      ns4.yahoo.com.
yahoo.com.              86231   IN      NS      ns2.yahoo.com.
yahoo.com.              86231   IN      NS      ns1.yahoo.com.
yahoo.com.              86231   IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          1209431 IN      A       68.180.131.16
ns2.yahoo.com.          1209431 IN      A       68.142.255.16
ns3.yahoo.com.          1631    IN      A       27.123.42.42
ns4.yahoo.com.          1209431 IN      A       98.138.11.157
ns5.yahoo.com.          86231   IN      A       202.165.97.53
ns1.yahoo.com.          86231   IN      AAAA    2001:4998:130::1001
ns2.yahoo.com.          86231   IN      AAAA    2001:4998:140::1002
ns3.yahoo.com.          1631    IN      AAAA    2406:8600:f03f:1f8::1003
ns5.yahoo.com.          86231   IN      AAAA    2406:2000:ff60::53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:10:34 IST 2020
;; MSG SIZE  rcvd: 416

Unbound Dig output for Domain: onedrive.com

user@raspberrypi:~ $ dig onedrive.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> onedrive.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40938
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;onedrive.com.                  IN      A

;; ANSWER SECTION:
onedrive.com.           317     IN      A       13.81.118.91

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:11:12 IST 2020
;; MSG SIZE  rcvd: 57

Unbound Dig output for Domain: discourse.pi-hole.net

user@raspberrypi:~ $ dig discourse.pi-hole.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> discourse.pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;discourse.pi-hole.net.         IN      A

;; ANSWER SECTION:
discourse.pi-hole.net.  20458   IN      A       159.203.95.226

;; AUTHORITY SECTION:
pi-hole.net.            2458    IN      NS      ns3.pi-hole.net.
pi-hole.net.            2458    IN      NS      ns4.pi-hole.net.
pi-hole.net.            2458    IN      NS      ns1.pi-hole.net.
pi-hole.net.            2458    IN      NS      ns2.pi-hole.net.

;; ADDITIONAL SECTION:
ns1.pi-hole.net.        2458    IN      A       185.136.96.96
ns2.pi-hole.net.        2458    IN      A       185.136.97.96
ns3.pi-hole.net.        2458    IN      A       185.136.98.96
ns4.pi-hole.net.        2458    IN      A       185.136.99.96
ns1.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::1:96
ns2.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::2:96
ns3.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::3:96
ns4.pi-hole.net.        2458    IN      AAAA    2a06:fb00:1::4:96

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 14 22:11:37 IST 2020
;; MSG SIZE  rcvd: 314

Unbound Dig output for Domain: jobbank.gc.ca

user@raspberrypi:~ $ dig jobbank.gc.ca @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> jobbank.gc.ca @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached

As far i know the port depends on the configuration that you have done in the unbound.conf so if you have set unbound to listen on 5335 then it should be using 5335 instead of 5353

They are using port 5353. See the second to last dig to unbound using that port.

This is odd. I don't think there is a problem with the nameserver for the jobbank domain - here is output from my dig using recursive unbound (mine is on port 5335, that should be the only difference).

dig jobbank.gc.ca @127.0.0.1 -p 5335
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> jobbank.gc.ca @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;jobbank.gc.ca. IN A

;; ANSWER SECTION:
jobbank.gc.ca. 3600 IN A 142.236.70.140
jobbank.gc.ca. 3600 IN A 167.227.38.140
;; Query time: 224 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Wed Oct 14 13:35:54 CDT 2020
;; MSG SIZE rcvd: 74

My recommendation would be to change the verbosity in your unbound pi-hole.conf file to 5, restart unbound and repeat the dig. Then open the unbound log and see the details of the query. This may show the point of failure.

I just did that.

See the pastebin logs for debug. I guess it is resolving to wrong IP address.

https://pastebin.com/gECwQ5bR

Let's take a look at your unbound configuration. Please post the output of this command from the Pi terminal (paste the text output directly into a reply):

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

Here is the output of the command.

user@raspberrypi:~ $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf:server:
/etc/unbound/unbound.conf:    chroot: ""
/etc/unbound/unbound.conf:    logfile: /var/log/unbound.log
/etc/unbound/unbound.conf:    verbosity: 1
/etc/unbound/unbound.conf:    log-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 2
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5353
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    root-hints: "/var/lib/unbound/root.                                                                                                                                                             hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anch                                                                                                                                                             or-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.save:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.save:server:
/etc/unbound/unbound.conf.save:    chroot: ""
/etc/unbound/unbound.conf.save:    logfile: /var/log/unbound.log
/etc/unbound/unbound.conf.save:    verbosity: 1
/etc/unbound/unbound.conf.save:    lg-queries: yes
/etc/unbound/unbound.conf.save:    ...
/etc/unbound/unbound.conftouch:chown unbound:unbound /var/log/unbound.log

A few items noted:

(1) File /etc/unbound/unbound.conf should have only the following line (other than the commented lines in the file). Delete the additional lines in your file or move them to /etc/unbound/unbound.conf.d/pi-hole.conf

include: "/etc/unbound/unbound.conf.d/*.conf"

(2) Delete this unneeded file:

/etc/unbound/unbound.conf.save

(3) This looks like an attempt to change ownership on the unbound log?

/etc/unbound/unbound.conftouch:chown unbound:unbound /var/log/unbound.log

Delete this file - `/etc/unbound/unbound.conftouch

(4) Eliminate the empty line here:

/etc/unbound/unbound.conf.d/pi-hole.conf:

I don't know if these changes will fix your problem, but the configuration will be clean.

I had recently changed the ownership as the unbound logs were not enabled in my setup.
Hence this line was present

/etc/unbound/unbound.conftouch:chown unbound:unbound /var/log/unbound.log

Apart from this everything is done for all 4 points. I still cant figure out why that domain is not being resolved by unbound.

Also, to add maybe this issue was there since start i might not have noticed it as recently i had changed the DHCP configuration of my setup (as my router had crashed and had to rebuild its configuration). Earlier i had kept my primary DNS as pi-hole and secondary as ISP DNS for backup. Now its just Pi-hole IP address that i have configured. Maybe earlier it used to resolve it through there.
But on Pi-Hole there was not secondary dns configured.

After making this changes, now these are the logs in am getting.

user@raspberrypi:/etc/unbound $ tail -f /var/log/unbound.log
[1602941367] unbound[4142:0] info:    0.262144    0.524288 5549
[1602941367] unbound[4142:0] info:    0.524288    1.000000 2436
[1602941367] unbound[4142:0] info:    1.000000    2.000000 781
[1602941367] unbound[4142:0] info:    2.000000    4.000000 161
[1602941367] unbound[4142:0] info:    4.000000    8.000000 36
[1602941367] unbound[4142:0] info:    8.000000   16.000000 23
[1602941367] unbound[4142:0] info:   16.000000   32.000000 24
[1602941367] unbound[4142:0] info:   32.000000   64.000000 4
[1602941367] unbound[4142:0] info:  128.000000  256.000000 13
[1602941367] unbound[4142:0] info:  512.000000 1024.000000 1

Also i have generated the new output for the unbound conf file.

user@raspberrypi:/etc/unbound $ sudo grep -v '#|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:# Unbound configuration file for Debian.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# See the unbound.conf(5) man page.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# See /usr/share/doc/unbound/examples/unbound.conf for a commented
/etc/unbound/unbound.conf:# reference config file.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# The following line includes additional configuration files from the
/etc/unbound/unbound.conf:# /etc/unbound/unbound.conf.d directory.
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If no logfile is specified, syslog is used
/etc/unbound/unbound.conf.d/pi-hole.conf:    logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5353
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # log-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # May be set to yes if you have IPv6 connectivity
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Use this only when you downloaded the list of primary root servers!
/etc/unbound/unbound.conf.d/pi-hole.conf:    root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Trust glue only if it is within the servers authority
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Reduce EDNS reassembly buffer size.
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Suggested by the unbound man page to reduce fragmentation reassembly problems
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Perform prefetching of close to expired message cache entries
/etc/unbound/unbound.conf.d/pi-hole.conf:    # This only applies to domains that have been frequently queried
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure privacy of local IP ranges
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # Send minimum amount of information to upstream servers to enhance
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # privacy. Only sends minimum required labels of the QNAME and sets
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # QTYPE to NS when possible.
/etc/unbound/unbound.conf.d/qname-minimisation.conf:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    # details.
/etc/unbound/unbound.conf.d/qname-minimisation.conf:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    # The following line will configure unbound to perform cryptographic
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    # DNSSEC validation using the root trust anchor.
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"

You can always run Unbound directly and easily adapt the verbosity and first stop the current running Unbound:

sudo systemctl stop unbound

Then start unbound in debug mode:

sudo unbound -d -vv

Keep that SSH window open and you see the request you make in a second serion coming in being resolved or not. The more v used the more debuging is display and two v is a good starting point.

When ready just press CTRL-c and it will terminate. Then you can start again unbound by:

sudo systemctl start unbound