Pihole + Unbound = reply error is SERVFAIL

Hi
I'm having trouble getting Pi-hole to use the 127.0.0.1#5335 DNS. If I use Pi-hole's Google DNS for IPv4 and the custom IPv6 (::1#5335) I get no errors, so something with IPv4 is in conflict.

As soon as I disable all the Pi-hole DNS servers in favour of the custom 127.0.0.1#5335 DNS I get

12:33:37: query[A] www.google.com from (device IP)
12:33:37: forwarded www.google.com to 127.0.0.1
12:33:37: forwarded www.google.com to ::1
12:33:37: forwarded www.google.com to 127.0.0.1
12:33:37: reply error is SERVFAIL

I installed via the Pi-hole unbound guide and only added the auto-renewal to cron as described here: https://hoerli.net/pi-hole-mit-unbound-betreiben . I don't know if this auto-renewal is still required?

In another guide I read to disable the Ubuntu systemd-resolved DNS cache daemon so that the unbound one is used. Is this actually required?

My CONFIG is a Khadas Vim3 running Ubuntu 20.04 focal with nginx in a UniFi network where only ports 80/443 are open to the world:

  • Pi-hole [v5.2.4] on Port 90 / Web Interface [v5.3.1] / FTL[v5.5.1]
  • Unbound 1.9.4 on port 5335 + IPv6 enabled

/etc/hosts
127.0.0.1 localhost Khadas
::1 localhost Khadas ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/systemd/resolved.conf
[Resolve]
DNS=127.0.0.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
DNSStubListener=no
#ReadEtcHosts=yes

sudo unbound -d -vvvv
[1611405476] unbound[6303:0] notice: Start of unbound 1.9.4.
[1611405476] unbound[6303:0] debug: increased limit(open files) from 1024 to 16458
[1611405476] unbound[6303:0] debug: creating udp4 socket 127.0.0.1 5335
[1611405476] unbound[6303:0] debug: creating tcp4 socket 127.0.0.1 5335
[1611405476] unbound[6303:0] debug: creating udp4 socket 127.0.0.1 5335
[1611405476] unbound[6303:0] debug: creating tcp4 socket 127.0.0.1 5335
[1611405476] unbound[6303:0] debug: switching log to syslog

What am I still doing wrong? I would like to use Unbound the correct way. :frowning:

You don't need a cron job updating the root.hints.
When you install unbound via the APT packaging system, it already comes with root.hints:

pi@ph5:~ $ apt depends unbound
[..]
  Depends: dns-root-data
[..]

pi@ph5:~ $ dpkg -L dns-root-data
[..]
/usr/share/dns/root.hints
[..]

root.hints doesn't change that often so you just have to keep your distro updated to also update the root.hints:

sudo apt update && sudo apt upgrade

Also opening 80/443 to the public is not recommended for security reasons.
While the Pi-hole web GUI is safe to run at home, it isn't hardened against attacks etc. when exposed to the Internet.

Yes, it is required.
Not because of unbound but because systemd-resolved is also a caching DNS forwarder, same as Pi-hole.
The two would conflict, fighting over port 53 UDP + TCP, if you don't disable systemd-resolved:

pi@ph5:~ $ sudo netstat -nltup | grep 'Proto\|pihole-FTL '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2207/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      2207/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      2207/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      2207/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2207/pihole-FTL
udp6       0      0 :::53                   :::*                                2207/pihole-FTL

Did you alter /etc/systemd/resolved.conf, and why?

Is date/time in sync / not too far off?

timedatectl

What do the two commands below, from the official unbound guide, output?

dig +noall +comments @127.0.0.1 -p 5335 sigfail.verteiltesysteme.net

dig +noall +comments +answer @127.0.0.1 -p 5335 sigok.verteiltesysteme.net

To increase log verbosity and display it on screen, you could stop unbound:

sudo service unbound stop

Then run it manually with the below:

sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf

Run the two dig commands posted above again and take note of any errors/warnings.

You can stop unbound again by pressing CTRL-C.
And start it up again using systemd:

sudo service unbound start
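As an added example (not from this thread, and not part of Pi-hole or Unbound), a small POSIX shell script that automates the two checks from the reply above: whether anything besides pihole-FTL holds port 53, and whether the sigfail/sigok answers show that Unbound is actually validating DNSSEC. The netstat table and dig output it parses are constructed samples embedded in the script; the 127.0.0.53 systemd-resolve line is invented to show what the conflict looks like, and the program name is truncated the way netstat truncates it. In use you would pipe the real sudo netstat -nltup and dig +noall +comments output into the same functions.

```shell
#!/bin/sh
# Added example: offline checks for the port-53 conflict and the DNSSEC test
# described in the reply above. All sample data below is constructed.

# port53_owners: read a `netstat -nltup` style table on stdin and print the
# distinct program names that hold port 53 (TCP or UDP, IPv4 or IPv6).
# Column 4 is "Local Address"; the last column is "PID/Program name".
port53_owners() {
  awk '$4 ~ /:53$/ { split($NF, p, "/"); print p[2] }' | LC_ALL=C sort -u
}

# port53_conflict: return 0 if only pihole-FTL owns port 53, 1 otherwise.
# Anything else (typically systemd-resolved's stub on 127.0.0.53) means the
# two caching forwarders are fighting over port 53.
port53_conflict() {
  others=$(port53_owners | grep -v '^pihole-FTL$' || true)
  if [ -n "$others" ]; then
    printf 'conflict on port 53 with: %s\n' "$others"
    return 1
  fi
  printf 'port 53 held only by pihole-FTL\n'
  return 0
}

# dnssec_verdict sigfail|sigok: read `dig +noall +comments` output on stdin
# and print validating / not-validating / broken.
#   sigfail.verteiltesysteme.net carries a deliberately bad signature, so a
#   validating resolver must answer SERVFAIL; NOERROR means it is not validating.
#   sigok.verteiltesysteme.net must come back NOERROR with the 'ad'
#   (authenticated data) flag set.
dnssec_verdict() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$1" in
    sigfail)
      case "$status" in
        SERVFAIL) echo validating ;;
        NOERROR)  echo not-validating ;;
        *)        echo broken ;;
      esac ;;
    sigok)
      if [ "$status" = "NOERROR" ]; then
        case " $flags " in
          *" ad "*) echo validating ;;
          *)        echo not-validating ;;
        esac
      else
        echo broken
      fi ;;
  esac
}

# Constructed sample: the pihole-FTL lines from the thread plus an invented
# systemd-resolve stub listener to demonstrate the conflict case.
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2207/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      2207/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      2207/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2207/pihole-FTL
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1234/systemd-resolve
EOF
)

# Constructed sample dig output for a validating resolver (hypothetical ids).
SAMPLE_SIGFAIL=$(cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
SAMPLE_SIGOK=$(cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Offline demo: with the real system you would replace the printf with
# `sudo netstat -nltup` and `dig +noall +comments @127.0.0.1 -p 5335 ...`.
main() {
  printf '%s\n' "$SAMPLE_NETSTAT" | port53_conflict \
    || echo 'fix: set DNSStubListener=no in /etc/systemd/resolved.conf and disable systemd-resolved'
  printf 'sigfail: %s\n' "$(printf '%s\n' "$SAMPLE_SIGFAIL" | dnssec_verdict sigfail)"
  printf 'sigok:   %s\n' "$(printf '%s\n' "$SAMPLE_SIGOK" | dnssec_verdict sigok)"
}
main
```

Both checks are read-only, so they are safe to run on a live box; a "not-validating" verdict for sigfail together with a "validating" verdict for sigok would mean Unbound is answering but has DNSSEC validation disabled, which is a different problem from the port-53 fight.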

Thanks for the quick feedback:

For MY CRON job ... this runs only once every 4 months to pull in the latest root list via

#!/bin/bash
# Download the current root hints to a fixed path (cron's working directory
# is not predictable) and only install/restart if the download succeeded.
wget -O /tmp/root.hints https://www.internic.net/domain/named.root &&
(
  mv -fv /tmp/root.hints /var/lib/unbound/
  service unbound restart
)

So this root data gets updated when running sudo apt upgrade whenever there is a new version???

For port 80/443: this is only for the nginx reverse proxy, so Pi-hole runs on a different port.

For systemd-resolved: I already thought it would make sense to disable it and add (nodns.conf) in "/etc/NetworkManager/conf.d/".

For /etc/systemd/resolved.conf: the above is what is configured in the Khadas image.

sudo netstat -nltup | grep 'Proto\|pihole-FTL ' ..... looks the same as yours

My time is not off and it's synced.

Here is the output of the digs; to me they look ok:

[20:10:26] root@Khadas:~# dig +noall +comments @127.0.0.1 -p 5335 sigfail.verteiltesysteme.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21940
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
[20:10:37] root@Khadas:~# dig +noall +comments +answer @127.0.0.1 -p 5335 sigok.verteiltesysteme.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24970
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139

When running in debug mode, what should I look out for?

[1611429037] unbound[25575:1] info: verify rrset sigfail.verteiltesysteme.net. A IN
[1611429037] unbound[25575:1] debug: verify sig 30665 5
[1611429037] unbound[25575:1] debug: verify: signature mismatch
[1611429037] unbound[25575:1] debug: rrset failed to verify: no valid signatures
[1611429037] unbound[25575:1] debug: verify result: sec_status_bogus
[1611429037] unbound[25575:1] info: validator: response has failed ANSWER rrset: sigfail.verteiltesysteme.net. A IN
[1611429037] unbound[25575:1] info: Validate: message contains bad rrsets
[1611429037] unbound[25575:1] debug: val handle processing q with state VAL_FINISHED_STATE
[1611429037] unbound[25575:1] debug: validation failed, blacklist and retry to fetch data
[1611429037] unbound[25575:1] debug: blacklist ip4 134.91.78.139 port 53 (len 16)

So again I believe unbound is running fine.

But pihole -t shows "reply error is SERVFAIL" when I set the custom IPv4 to 127.0.0.1#5335.
With a Pi-hole built-in upstream, e.g. Google DNS, pihole -t doesn't show errors.

The dig output looks ok.
Your debug output is slightly different from mine when I do the same.
I don't have a "rrset failed to verify" message, for example.
This might indicate some faulty configuration, or maybe not.

Have you enabled the DNSSEC setting in Pi-hole?
Try disabling that one and see if it improves.
You don't need DNSSEC between pihole-FTL and unbound, plus in the past DNSSEC caused trouble for the embedded dnsmasq.

Else, if no one else comes up with suggestions, I would try to start fresh again:

EDIT:

Not the file at that particular location, /var/lib/unbound/root.hints.
Only the ones at:

pi@ph5:~ $ dpkg -S root.hints
dns-root-data: /usr/share/dns/root.hints
dns-root-data: /usr/share/dns/root.hints.sig

unbound should pick this one up, if I remember correctly.

EDIT2: oh, and when you purge unbound, take note of any messages about apt not removing particular files or folders.
Those files left behind could also cause issues.

Thanks for the update.

I have installed Ubuntu multiple times, first with Pi-hole then unbound or the other way around, and followed different guides.

Unfortunately it must be something else, like /etc/hosts or resolved.

E.g. if I use the SBC's IPv4#5335 instead of 127.0.0.1#5335, pihole -t outputs fine, but if I then change the router to use it my WiFi shows no Internet.

With the default Pi-hole DNS all works, but without unbound.

I did further tests.
It looks like a sudo update is changing /etc/systemd/resolved.conf.

FINALLY I got it working.

Thanks for the mental support.

