Pihole Unbound Questions

Hi all,

I finally set up unbound on my pihole server using the following guide:

First of all, I have to say, after searching through YouTube videos and the internet, that guide was the best at explaining what unbound does. Good job on the well-written guide (everything on this site is top notch).

I'm assuming my unbound is working properly from the following lines I copied and pasted below using the command sudo pihole -t:

17:59:20: query[A] discourse.pi-hole.net from 192.168.1.109
17:59:20: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:20: query[AAAA] discourse.pi-hole.net from 192.168.1.109
17:59:20: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:20: reply discourse.pi-hole.net is 52.14.183.198
17:59:20: reply discourse.pi-hole.net is NODATA-IPv6
17:59:21: query[A] discourse.pi-hole.net from 192.168.1.109
17:59:21: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:21: query[AAAA] discourse.pi-hole.net from 192.168.1.109
17:59:21: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:21: query[A] discourse.pi-hole.net from 192.168.1.109
17:59:21: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:21: query[AAAA] discourse.pi-hole.net from 192.168.1.109
17:59:21: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:21: reply discourse.pi-hole.net is <CNAME>
17:59:21: reply piholediscourse.b-cdn.net is 138.199.40.58
17:59:21: reply discourse.pi-hole.net is <CNAME>
17:59:21: reply discourse.b-cdn.net is 109.61.86.193
17:59:22: reply discourse.pi-hole.net is <CNAME>
17:59:22: reply discourse.b-cdn.net is 2a02:6ea0:f904::1163:1
17:59:22: reply discourse.pi-hole.net is <CNAME>
17:59:22: reply piholediscourse.b-cdn.net is NODATA-IPv6
17:59:24: query[A] discourse.pi-hole.net from 192.168.1.109
17:59:24: cached discourse.pi-hole.net is <CNAME>
17:59:24: cached piholediscourse.b-cdn.net is 138.199.40.58
17:59:24: query[AAAA] discourse.pi-hole.net from 192.168.1.109
17:59:24: cached discourse.pi-hole.net is <CNAME>
17:59:24: cached piholediscourse.b-cdn.net is NODATA-IPv6
18:00:00: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
18:00:00: config 192.168.1.1 is NXDOMAIN
18:00:00: query[PTR] 109.1.168.192.in-addr.arpa from 127.0.0.1
18:00:00: config 109.1.168.192.in-addr.arpa is <PTR>
18:00:00: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
18:00:00: cached 1.0.0.1 is one.one.one.one
18:00:00: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
18:00:00: cached 1.1.1.1 is one.one.one.one
18:00:00: query[PTR] 9.9.9.9.in-addr.arpa from 127.0.0.1
18:00:00: cached 9.9.9.9 is dns9.quad9.net
18:00:00: query[PTR] 112.112.112.149.in-addr.arpa from 127.0.0.1
18:00:00: cached 149.112.112.112 is dns.quad9.net

I have two questions, though, which I wasn't sure about. I run the latest version of Debian 12, and when I ran the following command it showed it as inactive.

systemctl is-active unbound-resolvconf.service

Do I have to do anything else regarding the section "Disable resolvconf.conf entry for unbound" in the guide (near the end of the guide)?

The second question involves the following section of the guide:

If you are installing unbound from a package manager, it should install the root.hints file automatically with the dependency dns-root-data. The root hints will then be automatically updated by your package manager.

Optional: Download the current root hints file (the list of primary root servers which are serving the domain "." - the root domain). Update it roughly every six months. Note that this file changes infrequently. This is only necessary if you are not installing unbound from a package manager. If you do this optional step, you will need to uncomment the root-hints: configuration line in the suggested config file.

wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints

How do I know if the root.hints file is installed on my system? My understanding is that if the file is not installed then I have to run the wget command above every 6 months or so (which I can put in my crontab file if I need to). Any feedback would be greatly appreciated.
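One way to turn the "is every query really going to Unbound?" check from the pasted pihole -t output into something repeatable, as an added example (not code from the thread or from the Pi-hole project): it parses lines in that log format and flags any "forwarded" line whose upstream is not the local Unbound listener 127.0.0.1#5335. The sample lines are constructed in the thread's format, including a made-up stray forward to a public resolver to show what a failure looks like.

```shell
# Added example; the log lines below are constructed, not a real capture.
UNBOUND_UPSTREAM='127.0.0.1#5335'

# Healthy trace: the only forward goes to Unbound, later hits are cached.
GOOD_LOG='17:59:20: query[A] discourse.pi-hole.net from 192.168.1.109
17:59:20: forwarded discourse.pi-hole.net to 127.0.0.1#5335
17:59:20: reply discourse.pi-hole.net is 52.14.183.198
17:59:24: query[A] discourse.pi-hole.net from 192.168.1.109
17:59:24: cached discourse.pi-hole.net is <CNAME>'
# Same trace plus a made-up query that bypassed Unbound (constructed).
STRAY_LOG="$GOOD_LOG
18:01:02: query[A] example.invalid from 192.168.1.50
18:01:02: forwarded example.invalid to 8.8.8.8"

# Print each distinct upstream that received a forwarded query, one per line.
forward_targets() {
  printf '%s\n' "$1" | while read -r _ts action _name kw target _rest; do
    if [ "$action" = forwarded ] && [ "$kw" = to ]; then
      printf '%s\n' "$target"
    fi
  done | sort -u
}

# Print only upstreams other than Unbound; empty output means nothing bypassed it.
stray_upstreams() {
  forward_targets "$1" | grep -v -x -F "$UNBOUND_UPSTREAM" || true
}

# Succeed only when Unbound saw at least one forward and no other upstream did.
unbound_only() {
  forward_targets "$1" | grep -q -x -F "$UNBOUND_UPSTREAM" || return 1
  [ -z "$(stray_upstreams "$1")" ]
}

# On a live system, pass saved pihole -t output in place of the samples.
unbound_only "$GOOD_LOG" && echo "all forwards went to Unbound"
stray_upstreams "$STRAY_LOG"
```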

It looks like you've done everything you need there and the service is correctly not running.

If you installed Unbound using apt, then it automatically installs everything needed including a package called dns-root-data. You can see that it is installed with the command:

apt list --installed dns-root-data

The actual root hints file is in /usr/share/dns, created by that package.


You probably should disable the service anyway, just to be sure that it wasn't only inactive by chance.

Your unbound answering DNS requests would suggest that root.hints would be present, so I assume you have installed unbound via a package manager, which would have installed dns-root-data.

If you wish, you can verify that by querying your package manager, e.g. by running apt list --installed dns-root-data.


Thank you for the feedback.

I ran the command apt list --installed dns-root-data and got the following output:

dns-root-data/stable,now 2024041801~deb12u1 all [installed,automatic]

I'm assuming there is nothing else I need to do regarding that.

I ran the command sudo systemctl disable --now unbound-resolvconf.service and got the following output:

Removed "/etc/systemd/system/unbound.service.wants/unbound-resolvconf.service".

Then I ran these commands sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf and sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf and got the following output:

sed: can't read /etc/resolvconf.conf: No such file or directory
rm: cannot remove '/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf': No such file or directory

Should that be all?

That all looks good. If you like, feel free to create a Pi-hole debug log (pihole -d) and post the token URL here and I'll have a look and see if anything stands out. Also run the command below and post the output here; it shows all the Unbound config without the comments, so any stray stuff can be identified.

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

I ran sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf and here is the output:

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:  control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf:  control-interface: /run/unbound.ctl
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

Sorry I didn't see the part to post the token URL. Here it is:
https://tricorder.pi-hole.net/PiEwISgi/

Thanks, there are a few things to mention.

Unbound

The Unbound config looks good. There is a note in the guide which says:

You should also consider adding

edns-packet-max=1232

to a config file like /etc/dnsmasq.d/99-edns.conf to signal FTL to adhere to this limit.

If you've not done that, might be worth adding it too.

The debug log shows a few problems which can be sorted out.

Local resolver

The OS is using Pi-hole, installed on itself, as the DNS resolver. You have rules which include various GitHub domains. This means Pi-hole could encounter a situation in which a not-quite-correct rule setup stops Pi-hole itself from working and being able to fetch adlists or application updates.

It would be 'safer' to have the OS resolver not using Pi-hole for DNS, and instead switch to using something else. An example might be using your router instead, or your ISP's DNS or an external one such as Quad9.

You can make this change using Network Manager, e.g. using the interactive user interface with

sudo nmtui

Network interface

The OS is using enp2s0 as the network interface name. However Pi-hole is trying to use a non-existent eno1 interface. As a result it has no IP address assigned. To fix this run

pihole -r

and select Reconfigure. Go through the install again and assign it the correct interface name. Don't worry, you won't lose your groups or adlists, etc. settings.

Block all

One of your groups blocks everything and has a regex rule (*.*) assigned to do that. The correct regex syntax for that entry is

.*

Hi Chris,

Thank you for taking the time to look through my log file. I'll start with the easiest first. I was using *.* to block all domains and it was working fine. Actually I just entered it into pihole as . and it came out as *.*. However I changed it to .* and it is also working by blocking all websites.

I ran pihole -r to reconfigure my interface but there was no such option to select an interface. I ran pihole -r a few more times to make sure I hadn't skipped over it, but I didn't see such an option. However, it seems to have resolved itself even before I ran pihole -r. I did install openvpn (using Proton VPN) on my openwrt router after I installed unbound, so it may have been messing with the settings. I copied and pasted a portion of pihole -d below:

*** [ DIAGNOSING ]: Network routing table
   default via 192.168.1.1 dev enp2s0 
   192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.109 

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the enp2s0 interface:
    192.168.1.109/24

[✓] IPv6 address(es) bound to the enp2s0 interface:
    fe80::6600:6aff:fe81:832c/64

I noticed after I installed my VPN some sites would take longer to load such as mail.proton.me and other sites such as www.youtube.com do not load at all. I came across the following post which mentions edns may be the issue:

So I did add edns-packet-max=1232 to the file /etc/dnsmasq.d/99-edns.conf, but the thing is I had to create the file and enter that one line into the file. Is that correct, or should that file already have existed and I am just adding that line in there? It didn't fix the problem with the VPN by the way, so I had deleted the file to be safe.

Finally (if I haven't missed anything else you pointed out), you lost me with OS resolver not using Pi-hole for DNS. Would you be able to copy and paste the section from my log which has this issue so hopefully I can better understand this issue?

I uploaded a new log and the token is:
https://tricorder.pi-hole.net/4QPzzL70/

Again thanks for the help.

Yes, that's correct, the file isn't there, you create it and add that line.

Sure, near the end of the log is this part:

-rw-r--r-- 1 root root 47 Aug 11 05:22 /etc/resolv.conf
   domain lan
   search lan
   nameserver 192.168.1.109

That file tells the OS what DNS to use. It will be used for things like OS updates, application updates, and if the OS has a desktop, for normal desktop use such as web browsing. It would typically be the IP of your router, or maybe an external service like Google's 8.8.8.8.

You can see it is telling the OS to use that IP for DNS. That IP is the network address for Pi-hole, which is actually running on this same OS. So this OS is using Pi-hole for DNS, just like all the other machines on your network.

If the OS does have a desktop and is being used for browsing the web, that's probably useful; you'll get all the usual blocking and nice Pi-hole features. But if your Pi-hole is blocking, say, GitHub (accidentally or otherwise), then Pi-hole won't be able to perform many adlist updates or version checks because it needs to reach GitHub and it's blocking itself from doing that. If there is a fix for a bug, it might be that the buggy Pi-hole prevents itself from getting the fix.

So it's a good idea for all the other machines to use Pi-hole's IP for DNS, but for the OS on which Pi-hole itself is running, to use something other than itself. A good choice might be Quad9's 9.9.9.9 service which is free and privacy focused.

Back in the day you would just edit that file directly and edit the nameserver line to make the change, which is instant. In more recent times it's usual for that file to be under the management of a service which makes the changes for you. Debian 12 uses Network Manager for that. So if you make the change in Network Manager, it should update that file with the new non-Pi-hole IP for you.

Network Manager is command line and needs a bit of reading up, but there's a handy interactive interface called nmtui which makes it much easier. You can invoke that with sudo nmtui.

By the way your network interface issue is indeed fixed now.

From the original log, no IP and not blocking (ad domains are resolving):

*** [ DIAGNOSING ]: Networking
[✗] No IPv4 address(es) found on the eno1 interface.

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] montrneze.0lx.net is 199.59.243.226 on lo (127.0.0.1)
[✓] montrneze.0lx.net is 199.59.243.226 on enp2s0 (192.168.1.109)

From this new log, IP now sorted and correctly blocking (ad domains return 0.0.0.0):

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the enp2s0 interface:
    192.168.1.109/24

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] animi2.com is 0.0.0.0 on lo (127.0.0.1)
[✓] animi2.com is 0.0.0.0 on enp2s0 (192.168.1.109)
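The resolv.conf explanation above, turned into a check, as an added example (not from the thread or from Pi-hole): it reads resolv.conf-style text and a list of the host's own addresses and reports any nameserver entry that points back at the Pi-hole host itself. The resolv.conf text and the address list are constructed from the values quoted in the thread; on a live box you would feed in the real /etc/resolv.conf and the addresses bound to your interfaces instead.

```shell
# Added example; sample data below is constructed from the thread's quoted values.
RESOLV_CONF='domain lan
search lan
nameserver 192.168.1.109'

# Addresses this host answers on: loopback plus the enp2s0 address from the
# debug log. Pi-hole listens on both, so either one means "resolving via myself".
LOCAL_ADDRS='127.0.0.1 192.168.1.109'

# Print each nameserver in $1 that matches one of the local addresses in $2.
self_referencing_nameservers() {
  printf '%s\n' "$1" | while read -r key value _rest; do
    [ "$key" = nameserver ] || continue
    for addr in $2; do
      if [ "$addr" = "$value" ]; then printf '%s\n' "$value"; fi
    done
  done
}

# Succeed when every nameserver is external (what the reply recommends for the
# machine Pi-hole runs on); fail when at least one entry is the host itself.
resolver_is_external() {
  [ -z "$(self_referencing_nameservers "$1" "$2")" ]
}

if resolver_is_external "$RESOLV_CONF" "$LOCAL_ADDRS"; then
  echo "OS resolver is external"
else
  echo "OS resolves through Pi-hole on this host:"
  self_referencing_nameservers "$RESOLV_CONF" "$LOCAL_ADDRS"
fi
```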

Thanks for clarifying that. I have created the file and entered that line into it.

Ok, now I understand. I had added 9.9.9.9 earlier as you said and it was bypassing the pihole, so I wasn't sure what the purpose was, but I guess you thought my pihole was a stand-alone server. The machine the pihole is installed on is my main computer which I use for web browsing, etc. My daily driver machine, in other words, and I want the pihole to fully function on it, so I think it's best to keep it the way it is set up. I forgot to address the GitHub issue you brought up in an earlier post. I use ." to block all websites, so the GitHub entries you saw were those I whitelisted, which include the ones my pihole needs to do its updates. Everything is fine as far as that goes. I haven't had any issues running my pihole machine using its own IP address as the DNS server thus far.

Thanks for all your help. I appreciate the time you took to look through everything for me. As mentioned earlier with the success of the unbound install I went ahead and gave another shot at trying to get VPN to work with pihole (I had tried a year ago and failed) and it is working for the most part. A few sites don't work (they seem to timeout). I will create another thread for this though maybe later today or when I get some time.


Just a quick update. I had to restart my computer because it froze. Now the VPN is working with no issues and all websites so far working. I forgot how effective a simple restart can be :D.
