Pihole+Unbound prevents one single device from accessing the internet

That unit configures resolv.conf to point to its own host, 127.0.0.1, for DNS resolution:

pi@ph5a:~ $ systemctl cat unbound-resolvconf.service
# /lib/systemd/system/unbound-resolvconf.service
[Unit]
Description=Unbound DNS server via resolvconf

It expects that Unbound is listening on 127.0.0.1 port 53 by default.
But it's not, because the guide has changed the default port 53 into 5335 instead.
So the whole purpose of that unit is broken if you change the default.

Yes.
It can be your router IP if it doesn't close a DNS loop, your ISP-provided DNS servers or public DNS providers like Google, Cloudflare, Quad9, etc.
The reason: if you break Unbound or Pi-hole while tweaking/updating etc., you won't break DNS resolution for the processes on the Pi-hole host.
If you break Unbound or Pi-hole, you wouldn't even be able to upload a Pi-hole debug log.

Can't help you with that.

Sorry, two more questions:

1). By doing this, will it no longer use Unbound for DNS resolving and begin using the different upstream provider or will it just use the different upstream provider as a secondary DNS?

Currently, my setup looks like this: Unifi controller is set as DHCP > Pihole is set as DNS > Using Unbound > And then I have conditional forwarding in the Pihole pointing back to my router - the Unifi controller (not sure if that matters in this conversation)

2). In my Pihole, the DNS is set to 127.0.0.1#5335. How can I tell if Unbound is currently listening on port 53 or on port 5335? I followed the latest guide for installing Unbound, so the settings from there are what I have. The "customizations" in the config file I added today based on others saying they helped with the "sluggishness" of Unbound. But honestly, I can't tell if they're doing anything.

If you disable that unbound-resolvconf.service, DNS settings will revert back to those that were configured before installing Unbound (might need a reboot).

pi@ph5b:~ $ sudo ss -nltup "sport = 53 || sport = 5335"
Netid           State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port          Process
udp             UNCONN           0                0                                0.0.0.0:53                            0.0.0.0:*              users:(("pihole-FTL",pid=19678,fd=6))
udp             UNCONN           0                0                              127.0.0.1:5335                          0.0.0.0:*              users:(("unbound",pid=19820,fd=3))
udp             UNCONN           0                0                                      *:53                                  *:*              users:(("pihole-FTL",pid=19678,fd=8))
tcp             LISTEN           0                32                               0.0.0.0:53                            0.0.0.0:*              users:(("pihole-FTL",pid=19678,fd=7))
tcp             LISTEN           0                256                            127.0.0.1:5335                          0.0.0.0:*              users:(("unbound",pid=19820,fd=4))
tcp             LISTEN           0                32                                  [::]:53                               [::]:*              users:(("pihole-FTL",pid=19678,fd=9))

sudo ss -nltup "sport = 53 || sport = 5335"

root@DietPi:/etc# sudo ss -nltup "sport = 53 || sport = 5335"
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=28499,fd=4))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=5))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=3))
udp     UNCONN   0        0                      *:53                  *:*       users:(("pihole-FTL",pid=28499,fd=6))
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=28499,fd=5))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=6))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=4))
tcp     LISTEN   0        32                  [::]:53               [::]:*       users:(("pihole-FTL",pid=28499,fd=7))

Does this look okay?

Looks dandy

Bit awkward though that unbound with PID 28563 is listening twice on the same socket.
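A check for the two things discussed in this exchange, added here and not part of the thread: given `ss -nltup "sport = 53 || sport = 5335"` output, confirm that port 53 belongs to pihole-FTL, that 5335 belongs to unbound and is bound to loopback only, and flag any address:port that shows up bound more than once. The sample input is constructed in the same format as the outputs above, with one duplicated unbound socket.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -nltup "sport = 53 || sport = 5335"`,
# including one unbound socket listed twice (same proto and address:port).
SAMPLE_SS='Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=28499,fd=4))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=5))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=3))
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=28499,fd=5))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=6))'

# check_listeners: reads ss output on stdin and prints one finding per line.
# Expectations: port 53 is pihole-FTL, port 5335 is unbound and bound only to
# a loopback address, and no (proto, address:port) pair is bound twice.
check_listeners() {
    awk 'NR > 1 {
        proto = $1; local = $5; proc = $7
        n = split(local, parts, ":"); port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        # process name is the first quoted string in users:(("name",pid=...))
        match(proc, /"[^"]+"/); name = substr(proc, RSTART + 1, RLENGTH - 2)
        key = proto " " local
        if (++seen[key] == 2) print "DUPLICATE " key " (" name ")"
        if (port == "53" && name != "pihole-FTL") print "UNEXPECTED " name " on " key
        if (port == "5335") {
            if (name != "unbound") print "UNEXPECTED " name " on " key
            if (addr != "127.0.0.1" && addr != "[::1]") print "EXPOSED " key " not loopback-only"
            have5335 = 1
        }
    }
    END { if (!have5335) print "MISSING unbound listener on 5335" }'
}

# On a live host, replace the sample with: sudo ss -nltup "sport = 53 || sport = 5335"
printf '%s\n' "$SAMPLE_SS" | check_listeners
```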

Yeah...not sure why that is.

You have duplicates below:

That might explain and might also be the cause of your initial issues :wink:

Hmmm....so which one should be the "master" config?

I realized you have lots of duplicates when checking the rgrep output.
I think you'll have to sort that out first.

I would stick with the guide's recommendations and remove the duplicate ones:

https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound

That's why I asked you to revert to the guide's defaults ... it's a bit messy right now :wink:
From there on you could always expand.

Oh, you have mine to compare:

pi@ph5a:~ $ sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:    control-enable: yes
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
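The duplicate-directive problem discussed above can be found mechanically with a small script over the same rgrep-style listing. This is an added example, not part of the thread; it builds a constructed config tree under a temp directory (the guide's pi-hole.conf plus an extra unbound.conf in unbound.conf.d, as described later in the thread) and reports every single-valued directive that is set in more than one place. Directives that Unbound legitimately accepts many times, such as private-address and interface, are skipped.

```shell
#!/bin/sh
# Constructed tree mirroring the thread's layout, with an extra unbound.conf in
# unbound.conf.d that repeats server: directives already set in pi-hole.conf.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/unbound.conf.d"
    printf 'include: "%s/unbound.conf.d/*.conf"\n' "$dir" > "$dir/unbound.conf"
    cat > "$dir/unbound.conf.d/pi-hole.conf" <<'EOF'
server:
    # settings from the guide
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
EOF
    cat > "$dir/unbound.conf.d/unbound.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: yes
EOF
    echo "$dir"
}

# Directives Unbound allows to repeat (one value per line); anything else set
# in two places is a conflict to resolve. Extend this list as needed.
MULTI='private-address|interface|access-control|include|local-zone|local-data|forward-addr|domain-insecure'

# find_duplicate_directives DIR: prints "directive: file1 file2 ..." for each
# single-valued directive that appears more than once across DIR/unbound.conf
# and DIR/unbound.conf.d. Comments, blank lines and section headers are ignored.
find_duplicate_directives() {
    grep -rEv '^[[:space:]]*(#|$)' "$1/unbound.conf" "$1/unbound.conf.d" |
    awk -v multi="^($MULTI)\$" '{
        i = index($0, ":"); file = substr($0, 1, i - 1); rest = substr($0, i + 1)
        sub(/^[[:space:]]+/, "", rest)
        j = index(rest, ":"); key = substr(rest, 1, j - 1); val = substr(rest, j + 1)
        if (val == "" || key ~ multi) next      # "server:" header or multi-valued
        count[key]++; files[key] = files[key] " " file
    }
    END { for (k in count) if (count[k] > 1) print k ":" files[k] }' | sort
}

# Point find_duplicate_directives at /etc/unbound on a live host instead.
tree=$(make_sample_tree)
find_duplicate_directives "$tree"
rm -rf "$tree"
```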

sudo ss -nltup "sport = 53 || sport = 5335"

Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=1868,fd=4))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=2747,fd=3))
udp     UNCONN   0        0                      *:53                  *:*       users:(("pihole-FTL",pid=1868,fd=6))
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=1868,fd=5))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=2747,fd=4))
tcp     LISTEN   0        32                  [::]:53               [::]:*       users:(("pihole-FTL",pid=1868,fd=7))

Yay - looks like yours now.

I deleted the "extra" config file unbound.conf that was in /etc/unbound/unbound.conf.d and now the only config file being read in /etc/unbound/unbound.conf.d is the pi-hole.conf.

The only thing I don't have that you do is the:

/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:    control-enable: yes

You did have before:

It's not part of the official guide though.

The last thing I'm struggling with was getting logging set up when following the official guide.

Part of the guide here:

"On modern Debian/Ubuntu-based Linux systems, you'll also have to add an AppArmor exception for this new file so unbound can write into it.

Create (or edit if existing) the file /etc/apparmor.d/local/usr.sbin.unbound and append

/var/log/unbound/unbound.log rw,

to the end (make sure this value is the same as above). Then reload AppArmor using

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
sudo service unbound restart"

The issue here is AppArmor. I keep getting:

Warning: unable to find a suitable fs in /proc/mounts, is it mounted? Use --subdomainfs to override.

When I run sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

I've created the directories, the files, got the permissions set, I've installed apparmor and apparmor-utils. I tried googling this issue but keep getting "compile a new kernel" results, and that doesn't seem right when the official guide says this should just work out of the box with a default install of Unbound.

Any thoughts on this one? After this, I'll leave you alone :slight_smile: Thank you very much for all of your help so far.

What do you need the logs for?

Client query logging can be looked up in the Pi-hole logs and long term database.
If it's for diagnosing, you only have to up the verbosity to the level that you desire and look up the logs with journalctl:

Well, considering the earlier issues I was having with Unbound, I thought that having the logging would have helped sooner.

But yes, you're right. It's not super needed.

Thank you again!


Check the man page for syntax, for example -s today to show only entries from today:

man journalctl

Or grep -g if your distro supports it.

Thank you. Will do.

I actually just thought of one more question that maybe you can help me answer.

With the DNS resolver being Unbound, which is listening on port 5335, do I still need firewall rules allowing LAN traffic to port 53?

Yes, 53 UDP & TCP only for DNS.
You don't need a rule for 5335 because this traffic is all happening on the isolated loopback interface named lo, which can't be accessed from your LAN:

pi@ph5b:~ $ ip -br link show lo
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
pi@ph5b:~ $ ip -br address show lo
lo               UNKNOWN        127.0.0.1/8 ::1/128

Ports are described in the docs as well:
