Private DNS Hostname

Here is the output of test:

dig @127.0.0.1 cloud.maniarfamily.com -p 6000

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.0.0.1 cloud.maniarfamily.com -p 6000
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I am definitely lost, sorry for that:

Here is the configuration for the pi-hole conf for unbound

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 6001
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Here is the output of netstat

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      615/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      923/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      923/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      615/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      923/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      923/pihole-FTL
udp        0      0 0.0.0.0:60888           0.0.0.0:*                           385/avahi-daemon: r
udp        0      0 0.0.0.0:53              0.0.0.0:*                           923/pihole-FTL
udp        0      0 0.0.0.0:68              0.0.0.0:*                           580/dhcpcd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           385/avahi-daemon: r
udp6       0      0 :::53                   :::*                                923/pihole-FTL
udp6       0      0 :::41181                :::*                                385/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                385/avahi-daemon: r

Here is the output of unbound -d -vvvv

[1555873942] unbound[1142:0] notice: Start of unbound 1.6.0.
[1555873942] unbound[1142:0] debug: increased limit(open files) from 1024 to 4140
[1555873942] unbound[1142:0] debug: creating udp4 socket 127.0.0.1 6001
[1555873942] unbound[1142:0] debug: creating tcp4 socket 127.0.0.1 6001
[1555873942] unbound[1142:0] debug: creating tcp4 socket 127.0.0.1 8953
[1555873942] unbound[1142:0] debug: switching log to syslog

Here is the output of dig @127.0.0.1 cloud.maniarfamily.com -p 6001

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.0.0.1 cloud.maniarfamily.com -p 6001
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Where am I going wrong?

I think it's working, here is the output for

dig cloud.maniarfamily.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> cloud.maniarfamily.com @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14877
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;cloud.maniarfamily.com.                IN      A

;; ANSWER SECTION:
cloud.maniarfamily.com. 3600    IN      CNAME   maniarfamily.com.
maniarfamily.com.       3600    IN      A       116.72.137.140

;; AUTHORITY SECTION:
maniarfamily.com.       3600    IN      NS      ns16.domaincontrol.com.
maniarfamily.com.       3600    IN      NS      ns15.domaincontrol.com.

;; Query time: 705 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 01:00:08 IST 2019
;; MSG SIZE  rcvd: 133

Should I configure Pi-Hole to use this?

In the configuration page:

I tried following two tests but they don't seem to go as expected on the page:

**dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353**

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18075
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 3600 IN     A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 2987  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 2987  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 2987  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 2987  IN      AAAA    2001:638:501:8efc::141

;; Query time: 292 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 01:10:03 IST 2019
;; MSG SIZE  rcvd: 195

**dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353**

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3338
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 2903 IN   A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   2903    IN      NS      ns2.verteiltesysteme.net.
verteiltesysteme.net.   2903    IN      NS      ns1.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 2903  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 2903  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 2903  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 2903  IN      AAAA    2001:638:501:8efc::141

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 01:11:27 IST 2019
;; MSG SIZE  rcvd: 197

Is the security part working?

No. Per the Pi-Hole user guide, the sigfail address should return SERVFAIL and no IP address.
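An added helper for the sigok/sigfail check described above (example code, not from the thread or the Pi-hole project): it classifies a dig reply by its header so the two results can be compared mechanically, treating validation as working only when sigok comes back with the AD flag and sigfail is refused with SERVFAIL. The `live_check` function and the verteiltesysteme.net names are assumptions; the sample headers are constructed from the thread's output.

```shell
#!/bin/sh
# Offline classifier for the sigok/sigfail DNSSEC check. Reads one dig
# reply on stdin and prints one of:
#   validated   - NOERROR with the AD (authenticated data) flag set
#   unvalidated - NOERROR but no AD flag: the resolver is not validating
#   rejected    - SERVFAIL: the resolver refused a bogus answer
classify_dig() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        SERVFAIL) echo rejected ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        *) echo "other:${status:-none}" ;;   # e.g. a timeout has no status line
    esac
}

# Validation only counts as working when the good name is authenticated
# AND the deliberately broken name is refused (no address handed back).
dnssec_verdict() {  # $1 = sigok classification, $2 = sigfail classification
    if [ "$1" = validated ] && [ "$2" = rejected ]; then
        echo working
    else
        echo "broken (sigok=$1 sigfail=$2)"
    fi
}

# Live check against a resolver (needs dig and network), e.g. live_check 127.0.0.1 5353
live_check() {
    ok=$(dig +time=5 +tries=1 "@$1" -p "$2" sigok.verteiltesysteme.net A | classify_dig)
    bad=$(dig +time=5 +tries=1 "@$1" -p "$2" sigfail.verteiltesysteme.net A | classify_dig)
    dnssec_verdict "$ok" "$bad"
}

# Constructed sample headers, trimmed from the thread's before/after dig output.
BEFORE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3338
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5'
AFTER_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
AFTER_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28918
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5'

before=$(printf '%s\n' "$BEFORE_SIGFAIL" | classify_dig)   # unvalidated
echo "before fix: $(dnssec_verdict unvalidated "$before")"
echo "after fix:  $(dnssec_verdict "$(printf '%s\n' "$AFTER_SIGOK" | classify_dig)" \
                                   "$(printf '%s\n' "$AFTER_SIGFAIL" | classify_dig)")"
```

The AD flag in a reply is only meaningful when it comes from your own validating resolver; a forwarder can copy it from upstream, which is why the sigfail refusal is the stronger half of the check.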

Just as I thought. Any clues on how to diagnose this part?

Do you have the trust anchor file?

/etc/unbound/unbound.conf.d $ ls -lh
total 12K
-rw-r--r-- 1 root root 2.0K Dec 28 07:52 pi-hole.conf
-rw-r--r-- 1 root root  302 Feb 19  2017 qname-minimisation.conf
-rw-r--r-- 1 root root  190 Feb 19  2017 root-auto-trust-anchor-file.conf
pi@Pi-3B-DEV:/etc/unbound/unbound.conf.d $ cat root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Yes I downloaded the anchor file as part of the help page. I did not have the root-auto-trust-anchor-file.conf I suppose.

In my frustration, as I have to submit this as part of my dissertation, I have formatted the card and am rebuilding the system. Hopefully, it will be smoother next time. :slight_smile:

Thank you for your assistance, I'll be back in some time.

Hello! I've finally managed to get the system to work as desired:

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 1793 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 05:07:57 IST 2019
;; MSG SIZE  rcvd: 57

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28918
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 3600 IN     A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 3480  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 3480  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 3480  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 3480  IN      AAAA    2001:638:501:8efc::141

;; Query time: 296 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Apr 22 05:09:56 IST 2019
;; MSG SIZE  rcvd: 195

With this working,

  • do I need to switch on "use DNSSEC" in Web GUI for Pi-hole?

  • I know the root hint file would keep the servers to the most fundamental ones.

  • Do I need to specify using SSL to encrypt the queries?

Happy Monday morning! It is 0515 here :slight_smile:

No, this is not recommended; Unbound is handling the DNSSEC in this setup.

No. The authoritative servers do not support SSL - they are plain text between themselves and resolvers. With DNSSEC, the replies are validated as authentic and unaltered, but not encrypted.

The root hints just point unbound to the TLD servers - essentially a bootstrap. From there, the TLD servers provide addresses for lower level servers, which then get to the next level down, etc. Once unbound loads root hints and queries the TLDs, the addresses of the TLDs are kept in cache for a lengthy period. They return a TTL of 3600000 seconds (1,000 hours). The unbound configuration file sets cache-max-TTL to 86,400 seconds, which is still 24 hours. So, the TLDs aren't queried very frequently by unbound.

Wooohooo.. A moment of happiness. :smile:

Now to stage 2: I need to have this set-up provide DNS over TLS.

I can get a letsencrypt certificate for hostname dns.maniarfamily.com.

What changes will I need in Pi-Hole to provide DNS server over the internet to clients in an encrypted form (I can take care of networking part such as UFW rules, port forwarding and getting certificate).

Just to confirm, I do not see DNSSEC authentication events in the Pi-Hole reporting page, I reckon that is because DNSSEC is handled by Unbound.

Just want to confirm.

You will not see these with DNSSEC disabled in Pi-Hole.

No worries, I did the test as per the guidance page and I will keep the DNSSEC in my Web GUI off as you've recommended.

Hi, I want to retain unbound logs. I have tried adding the following in both unbound.conf and pi-hole.conf but I don't seem to be getting the queries and responses.

    logfile: "/mnt/dns_logs/unbound.log"
    verbosity: 1

I have created unbound.log and provided user unbound access via sudo chown unbound.unbound unbound.log

What am I doing wrong here?

using ps aux

unbound   5197  0.0  1.3  22144 13424 ?        Ss   11:51   0:10 /usr/sbin/unbound -d

Hence I used the command:

sudo chown unbound.unbound /mnt/dns_logs/unbound.log

to make sure the unbound user has access:

-rw-r--r-- 1 unbound unbound 2901 Apr 22 11:51 /mnt/dns_logs/unbound.log

Here is the configuration file:

server:
    # If no logfile is specified, syslog is used
    logfile: /mnt/dns_logs/unbound.log
    verbosity: 2    # 2 is working

Thank you for all your help. :slight_smile:

For anyone reading the thread, I have created a logrotate entry in /etc/logrotate.d/unbound

/mnt/dns_logs/unbound.log
{
        rotate 10
        daily
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
        endscript
}

This will help rotate the logs.

logrotate works like a charm :slight_smile:

If you are looking to have your pihole respond to DNS over TLS queries, check out the following links:

Since you already have a pihole running and probably don't want dns over https, the basic steps should be to:

  • disable lighttpd
  • install php
  • install and config nginx
  • install certbot and setup letsencrypt
  • configure nginx to proxy tcp to pihole
