Possible DNS leak with Pi-hole and unbound

The issue I am facing:

I have been a long-time user of Pi-hole and unbound; however, my microSD card died, so I had to start over.

I followed the instructions to install it and copied the unbound config file from the Pi-hole docs, and made a small edit by changing

do-ip6: yes

to

do-ip6: no

and when I run dnsleaktest.com, I see numerous DNS servers and not my IP, which I believe unbound should be doing.

Details about my system:

I have an Asus router, which I then point (as its DNS server) to my Raspberry Pi 2B running Raspberry Pi OS Lite (trixie) to resolve.

I left DNS 2 empty so the router wouldn't try to resolve a blocked entry from Pi-hole.

What I have changed since installing Pi-hole:

I only edited the property in unbound.conf from the Pi-hole docs from do-ip6: yes

to

do-ip6: no

and set the custom DNS to 127.0.0.1:53.

On what browser / operating system?
Have you ensured the browser is not using DNS over HTTPS?

Which? Your ISP? Google? Someone else?

Some routers advertise their own IP as another server if there are not two DNS servers specified. In a lot of cases this will be faster than a fresh install of unbound (before its cache has been built up for common domains) and systems will favour it for queries.

Check from clients on your network what DNS servers have been specified by DHCP.

I am using Windows 11 and Chrome; I do have the Secure DNS option (DNS over HTTPS) disabled.

They all have my ISP hostname, so I assume they are my ISP.

My clients are using the default; they don't have any DNS hardcoded. Regarding the router, this is how it was configured before and how it's recommended here.

I did notice something weird: if I enable IPv6 in the unbound config, when I run the dnsleaktest it only shows 1 IP, which is my own; however, a lot of websites fail to load with the error DNS_PROBE_FINISHED_BAD_CONFIG, which I believe is due to my ISP not supporting IPv6?

In PowerShell (not the regular terminal/command prompt) on your Windows system, can you please check the output of the following two commands:

Get-DnsClientServerAddress

Get-DNSClientDohServerAddress
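The two commands above show the raw server lists and the DoH template table separately. As an added example (not part of the thread and not Pi-hole or unbound code), the PowerShell script below combines the same checks into one report per connected adapter: whether the adapter got its addresses by DHCP, which DNS servers it will actually use, which of those differ from the resolver you expect, and whether any of them has a DoH template with AutoUpgrade set (in which case Windows would silently switch that server to DNS over HTTPS regardless of the browser setting). The value of $ExpectedResolver and the use of pi.hole as a test name are assumptions; set the former to the router or Pi-hole address your clients are supposed to use.

```powershell
# Added example, not from the original thread.
# ASSUMPTION: $ExpectedResolver is the address clients should be using for DNS
# (the router that forwards to Pi-hole, or the Pi-hole itself). Adjust it.
$ExpectedResolver = '192.168.2.1'

# Windows lists these IPv6 site-local placeholders on every host by default;
# they are not real external resolvers, so they are filtered out below.
$SiteLocalDefaults = @('fec0:0:0:ffff::1', 'fec0:0:0:ffff::2', 'fec0:0:0:ffff::3')

# System-wide DoH templates (the same table Get-DnsClientDohServerAddress prints).
$doh = Get-DnsClientDohServerAddress

$report = foreach ($adapter in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
    $idx = $adapter.InterfaceIndex

    $v4 = (Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses
    $v6 = (Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv6).ServerAddresses |
          Where-Object { $_ -notin $SiteLocalDefaults }
    $servers = @(@($v4) + @($v6) | Where-Object { $_ })

    # Was the IPv4 configuration (and therefore the DNS list) handed out by DHCP?
    $dhcp = (Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4).Dhcp

    # A configured server that also has a DoH template with AutoUpgrade = True
    # gets upgraded to encrypted DNS by Windows itself, bypassing Pi-hole.
    $dohUpgrade = $doh | Where-Object { $_.ServerAddress -in $servers -and $_.AutoUpgrade }

    [pscustomobject]@{
        Adapter    = $adapter.Name
        Dhcp       = $dhcp
        Servers    = ($servers -join ', ')
        Unexpected = (($servers | Where-Object { $_ -ne $ExpectedResolver }) -join ', ')
        DoHUpgrade = (($dohUpgrade.ServerAddress) -join ', ')
    }
}

$report | Format-Table -AutoSize

# Confirm the expected resolver answers at all, bypassing the local cache and
# hosts file. pi.hole is the name Pi-hole answers with its own address, so an
# answer here means the chain from this client actually ends at the Pi-hole.
try {
    Resolve-DnsName -Name pi.hole -Server $ExpectedResolver -Type A -DnsOnly -ErrorAction Stop |
        Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "No answer from $ExpectedResolver for pi.hole: $($_.Exception.Message)"
}
```

Anything listed under Unexpected is a resolver the client can use that is not the one you intended, and a non-empty DoHUpgrade column means a leak test run in a browser would never see those queries at all. An empty or erroring Resolve-DnsName result means the client cannot reach the Pi-hole through the address you expect, which is worth ruling out before looking at unbound.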

Here is the output; I am currently using the Wi-Fi.

Get-DnsClientServerAddress

InterfaceAlias              InterfaceIndex AddressFamily ServerAddresses
--------------              -------------- ------------- ---------------
Ethernet                                 9 IPv4          {192.168.1.1}
Ethernet                                 9 IPv6          {}
vEthernet (Default Switch)              41 IPv4          {}
vEthernet (Default Switch)              41 IPv6          {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
Ethernet 2                              16 IPv4          {}
Ethernet 2                              16 IPv6          {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
Wi-Fi                                   17 IPv4          {192.168.2.1}
Wi-Fi                                   17 IPv6          {}
Loopback Pseudo-Interface 1              1 IPv4          {}
Loopback Pseudo-Interface 1              1 IPv6          {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

Get-DNSClientDohServerAddress

ServerAddress        AllowFallbackToUdp AutoUpgrade DohTemplate
-------------        ------------------ ----------- -----------
149.112.112.112      False              False       https://dns.quad9.net/dns-query
9.9.9.9              False              False       https://dns.quad9.net/dns-query
8.8.8.8              False              False       https://dns.google/dns-query
8.8.4.4              False              False       https://dns.google/dns-query
1.1.1.1              False              False       https://cloudflare-dns.com/dns-query
1.0.0.1              False              False       https://cloudflare-dns.com/dns-query
2001:4860:4860::8844 False              False       https://dns.google/dns-query
2001:4860:4860::8888 False              False       https://dns.google/dns-query
2606:4700:4700::1001 False              False       https://cloudflare-dns.com/dns-query
2606:4700:4700::1111 False              False       https://cloudflare-dns.com/dns-query
2620:fe::9           False              False       https://dns.quad9.net/dns-query
2620:fe::fe          False              False       https://dns.quad9.net/dns-query

That all looks good. The change when enabling IPv6 is odd indeed. At this point it might be time to enable unbound's logging to see if anything stands out in there.

So enable unbound's logging and run dnsleaktest and post the output here, or should I do something additional?

I'd suggest trying both with IPv6 enabled and without to see what's going on here.
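As an added example of the logging suggested above (not from the thread and not the Pi-hole docs' own config), the unbound settings below make each query and the recursion steps taken for it visible. The file name is an assumption; on Debian-based systems such as Raspberry Pi OS every *.conf file in /etc/unbound/unbound.conf.d/ is included by the stock unbound.conf, so it can sit beside the pi-hole.conf from the docs.

```conf
# Added example, not part of the original thread.
# ASSUMED path: /etc/unbound/unbound.conf.d/debug-logging.conf
server:
    # 0 logs errors only; 2 adds per-query detail, including which root,
    # TLD and authoritative servers each recursion step contacted.
    verbosity: 2
    log-queries: yes
    log-replies: yes
    log-servfail: yes
    # Log through syslog rather than a logfile path, so the chroot and
    # AppArmor confinement unbound runs under cannot block the write.
    # Read with:  journalctl -u unbound -f
    use-syslog: yes
```

Restart unbound (sudo systemctl restart unbound) and follow journalctl -u unbound -f while the leak test runs, once with do-ip6: no and once with do-ip6: yes in the pi-hole.conf from the docs (keep that setting in one file only). The randomly named hostnames the leak test generates should appear in this log if Pi-hole is handing queries to unbound; with verbosity 2 the log also shows which upstream servers unbound contacted for them. If those names never appear, the queries are reaching some resolver other than unbound, which is what the leak test would then be reporting. Lower verbosity again afterwards, since level 2 with query logging is very chatty.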
