Private DNS Hostname

What happens if you dig directly:

dig @8.8.8.8 cloud.maniarfamily.com

I think it’s working; here is the output for

dig cloud.maniarfamily.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> cloud.maniarfamily.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14877
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;cloud.maniarfamily.com.                IN      A

;; ANSWER SECTION:
cloud.maniarfamily.com. 3600    IN      CNAME   maniarfamily.com.
maniarfamily.com.       3600    IN      A       116.72.137.140

;; AUTHORITY SECTION:
maniarfamily.com.       3600    IN      NS      ns16.domaincontrol.com.
maniarfamily.com.       3600    IN      NS      ns15.domaincontrol.com.

;; Query time: 705 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 01:00:08 IST 2019
;; MSG SIZE  rcvd: 133

Should I configure Pi-Hole to use this?

On the configuration page: https://docs.pi-hole.net/guides/unbound/

I tried the following two tests, but they don’t seem to go as expected per the page:

**dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353**

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18075
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 3600 IN     A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 2987  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 2987  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 2987  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 2987  IN      AAAA    2001:638:501:8efc::141

;; Query time: 292 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 01:10:03 IST 2019
;; MSG SIZE  rcvd: 195

**dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353**

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3338
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 2903 IN   A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   2903    IN      NS      ns2.verteiltesysteme.net.
verteiltesysteme.net.   2903    IN      NS      ns1.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 2903  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 2903  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 2903  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 2903  IN      AAAA    2001:638:501:8efc::141

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 01:11:27 IST 2019
;; MSG SIZE  rcvd: 197

Is the security part working?

No. Per the Pi-Hole user guide, the sigfail address should return SERVFAIL and no IP address.

Just as I thought. Any clues on how to diagnose this part?

Do you have the trust anchor file?

pi@Pi-3B-DEV:/etc/unbound/unbound.conf.d $ ls -lh
total 12K
-rw-r--r-- 1 root root 2.0K Dec 28 07:52 pi-hole.conf
-rw-r--r-- 1 root root  302 Feb 19  2017 qname-minimisation.conf
-rw-r--r-- 1 root root  190 Feb 19  2017 root-auto-trust-anchor-file.conf
pi@Pi-3B-DEV:/etc/unbound/unbound.conf.d $ cat root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Yes, I downloaded the anchor file as part of the help page. I did not have the root-auto-trust-anchor-file.conf, I suppose.

In my frustration, as I have to submit this as part of my dissertation, I have formatted the card and am rebuilding the system. Hopefully it will be smoother next time. :slight_smile:

Thank you for your assistance; I’ll be back in some time.

Hello! I’ve finally managed to get the system to work as desired:

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 1793 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 05:07:57 IST 2019
;; MSG SIZE  rcvd: 57

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28918
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 3600 IN     A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 3480  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 3480  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 3480  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 3480  IN      AAAA    2001:638:501:8efc::141

;; Query time: 296 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 05:09:56 IST 2019
;; MSG SIZE  rcvd: 195

With this working,

  • Do I need to switch on “use DNSSEC” in the Web GUI for Pi-hole?

  • I know the root hints file would keep the servers to the most fundamental ones.

  • Do I need to specify the use of SSL to encrypt the queries?

Happy Monday morning! It is 0515 here :slight_smile:

No, this is not recommended; Unbound is handling the DNSSEC in this setup.

No. The authoritative servers do not support SSL - they are plain text between themselves and resolvers. With DNSSEC, the replies are validated as authentic and unaltered, but not encrypted.

The root hints just point unbound to the TLD servers - essentially a bootstrap. From there, the TLD servers provide addresses for lower level servers, which then get to the next level down, etc. Once unbound loads root hints and queries the TLDs, the addresses of the TLDs are kept in cache for a lengthy period. They return a TTL of 3600000 seconds (1,000 hours). The unbound configuration file sets cache-max-ttl to 86,400 seconds, which is still 24 hours. So, the TLDs aren’t queried very frequently by unbound.
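The two test names from the guide give a resolver a pass/fail check that the thread applies by eye: sigfail.verteiltesysteme.net must come back SERVFAIL with no address, and the sigok.verteiltesysteme.net answer must carry the `ad` (Authenticated Data) flag, which is exactly what distinguishes the working run (`flags: qr rd ra ad`) from the earlier broken one (`flags: qr rd ra`). The following script, added here as an example and not part of the original thread, extracts those two signals from dig output and classifies the resolver; `dnssec_state` works on captured text, and `live_check` (assumed helper name) runs the actual queries against a server and port of your choice.

```shell
#!/bin/bash
# Added example (not from the thread): classify a resolver's DNSSEC state
# from the dig outputs of the two guide test names. A validating resolver
# must return SERVFAIL for sigfail.verteiltesysteme.net (deliberately bad
# signature) and must set the "ad" (Authenticated Data) flag on the
# sigok.verteiltesysteme.net answer. A NOERROR answer for sigfail means the
# resolver is not validating, however correct the returned address looks.

dig_status() {
    # Pull the status from the dig header line, e.g. "status: SERVFAIL,".
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

dig_has_ad() {
    # dig prints "ad" in the flags line only when the resolver validated
    # the answer; no "ad" on sigok means no validation took place.
    grep '^;; flags:.* ad[ ;]' >/dev/null
}

dnssec_state() {
    # $1 = dig output for sigok, $2 = dig output for sigfail.
    # Prints one of: validating, not-validating, inconclusive.
    local ok_status fail_status
    ok_status=$(printf '%s\n' "$1" | dig_status)
    fail_status=$(printf '%s\n' "$2" | dig_status)
    if [ "$fail_status" = SERVFAIL ] && printf '%s\n' "$1" | dig_has_ad; then
        echo validating
    elif [ "$fail_status" = NOERROR ] && [ "$ok_status" = NOERROR ]; then
        echo not-validating
    else
        # e.g. sigok also SERVFAIL (missing/stale trust anchor, wrong clock)
        echo inconclusive
    fi
}

# Live check against a resolver (needs network), e.g.:
#   live_check 127.0.0.1 5353    # unbound behind Pi-hole
#   live_check 127.0.0.1 53      # Pi-hole itself
live_check() {
    local server=$1 port=${2:-53} ok fail
    ok=$(dig sigok.verteiltesysteme.net @"$server" -p "$port")
    fail=$(dig sigfail.verteiltesysteme.net @"$server" -p "$port")
    dnssec_state "$ok" "$fail"
}
```

The `inconclusive` branch is worth keeping: a resolver whose trust anchor is missing or whose clock is far off will SERVFAIL both names, which is a different problem from the one in the thread (answers for both, no `ad`).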

Wooohooo… A moment of happiness. :smile:

Now to stage 2: I need to have this set-up provide DNS over TLS.

I can get a letsencrypt certificate for hostname dns.maniarfamily.com.

What changes will I need in Pi-Hole to provide a DNS server over the internet to clients in an encrypted form? (I can take care of the networking part such as UFW rules, port forwarding and getting the certificate.)

Just to confirm, I do not see DNSSEC authentication events in the Pi-Hole reporting page, I reckon that is because DNSSEC is handled by Unbound.

Just want to confirm.

You will not see these with DNSSEC disabled in Pi-Hole.

No worries, I did the test as per the guidance page and I will keep DNSSEC in my Web GUI off as you’ve recommended.

Hi, I want to retain unbound logs. I have tried adding the following to both unbound.conf and pi-hole.conf but I don’t seem to be getting the queries and responses.

    logfile: "/mnt/dns_logs/unbound.log"
    verbosity: 1

I have created unbound.log and provided user unbound access via sudo chown unbound.unbound unbound.log

What am I doing wrong here?

Unbound is probably running in root mode so you need:

chroot: /mnt/dns_logs/unbound.log

Using ps aux:

unbound   5197  0.0  1.3  22144 13424 ?        Ss   11:51   0:10 /usr/sbin/unbound -d

Hence I used the command:

sudo chown unbound.unbound /mnt/dns_logs/unbound.log

to make sure the unbound user has access:

-rw-r--r-- 1 unbound unbound 2901 Apr 22 11:51 /mnt/dns_logs/unbound.log

Here is the configuration file:

server:
    # If no logfile is specified, syslog is used
    logfile: "/mnt/dns_logs/unbound.log"
    verbosity: 2    # 2 is working
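For anyone who wants per-query lines without turning up the general verbosity, the fragment below is an added example (not the configuration from this thread); it assumes a drop-in file such as /etc/unbound/unbound.conf.d/logging.conf on a Debian/Raspbian install and the same log path as above. Setting `logfile:` already switches unbound away from syslog; `use-syslog: no` only makes that explicit. `log-queries` and `log-replies` each print one line per message at any verbosity; `log-replies` is the newer of the two, so drop that line if `unbound-checkconf` rejects it on your version.

```conf
# Added example, not the thread's own config.
# Assumed location: /etc/unbound/unbound.conf.d/logging.conf
server:
    # Log to a file instead of syslog. logfile: alone already disables
    # syslog output; use-syslog: no just states the intent.
    use-syslog: no
    logfile: "/mnt/dns_logs/unbound.log"

    # verbosity 1 only reports operational events (start-up, errors), so
    # the file stays quiet under normal traffic. These two options log one
    # line per query and per reply regardless of verbosity; both cost some
    # throughput on a Raspberry Pi.
    log-queries: yes
    log-replies: yes
    verbosity: 1

    # If a chroot: directory is in effect, the logfile path is opened after
    # the chroot and must exist inside it, writable by the unbound user.
    # Check the effective value with:  unbound-checkconf -o chroot
```

Restart unbound after adding the file and confirm it accepted the options with `unbound-checkconf` before trusting the log; a syntax error here stops the daemon from starting at all.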

Thank you for all your help. :slight_smile:

For anyone reading the thread, I have created a logrotate entry in /etc/logrotate.d/unbound

/mnt/dns_logs/unbound.log
{
        rotate 10
        daily
        missingok
        notifempty
        compress
        delaycompress
        # unbound writes this file itself (it is not going through rsyslog),
        # so a rename-style rotation would leave the daemon writing into the
        # rotated file. copytruncate copies the log and truncates it in place,
        # which needs no postrotate hook and no unbound-control setup.
        copytruncate
}

This will help rotate the logs.

logrotate works like a charm :slight_smile:

If you are looking to have your Pi-hole respond to DNS over TLS queries, check out the following links:

Since you already have a pihole running and probably don’t want dns over https, the basic steps should be to:

  • disable lighttpd
  • install php
  • install and config nginx
  • install certbot and setup letsencrypt
  • configure nginx to proxy tcp to pihole
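The last step is the one that actually provides DNS over TLS: nginx terminates TLS on port 853 and hands the plain DNS-over-TCP stream to Pi-hole on loopback. The fragment below is an added example, not configuration from this thread or from the Pi-hole project, and it assumes Pi-hole listening on 127.0.0.1:53, an nginx build with the stream and stream_ssl modules available (check `nginx -V`), and certbot having placed the Let’s Encrypt files under /etc/letsencrypt/live/dns.maniarfamily.com/. The `stream` block goes at the top level of nginx.conf, outside the `http` block.

```nginx
# Added example (not from the thread): DNS over TLS (RFC 7858) front end for
# Pi-hole. Assumptions: Pi-hole on 127.0.0.1:53, certificate paths from
# certbot for dns.maniarfamily.com, nginx stream + stream_ssl modules loaded.
stream {
    server {
        listen 853 ssl;
        listen [::]:853 ssl;

        ssl_certificate     /etc/letsencrypt/live/dns.maniarfamily.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dns.maniarfamily.com/privkey.pem;
        # Add TLSv1.3 here if your nginx/OpenSSL build supports it.
        ssl_protocols       TLSv1.2;
        ssl_prefer_server_ciphers on;

        # DNS over TCP already carries the 2-byte length prefix the client
        # sent, so the decrypted stream can be forwarded unchanged.
        proxy_pass    127.0.0.1:53;
        proxy_timeout 10s;
    }
}
```

Two caveats a practitioner will want. First, only 853/TCP needs to be forwarded and allowed through UFW; leave 53/UDP closed to the internet, or the Pi becomes an open resolver usable for amplification. Second, because nginx connects from loopback, every DoT client shows up in the Pi-hole query log as 127.0.0.1; dnsmasq has no way to receive the original client address from the proxy, so per-client statistics and group rules will not distinguish remote users. Test the handshake with `openssl s_client -connect dns.maniarfamily.com:853` and a real query with `kdig +tls @dns.maniarfamily.com example.com` (knot-dnsutils), and reload nginx after each certbot renewal so the new certificate is picked up.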
