Query results come back as bogus / servfail

Strange one

pi@pi-hole:/var/lib $ sudo unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
success: the anchor is ok

Does this mean it should now work if I set the Pi-hole upstream as 127.0.0.1#5353
and start unbound with sudo service unbound start?

I've left chroot: "" in the unbound config, see how it runs.

pi@pi-hole:~ $ sudo unbound -d -vvvvv
[1556870384] unbound[3246:0] notice: Start of unbound 1.6.0.
[1556870384] unbound[3246:0] debug: increased limit(open files) from 1024 to 4140
[1556870384] unbound[3246:0] debug: creating udp4 socket 127.0.0.1 5353
[1556870384] unbound[3246:0] debug: creating tcp4 socket 127.0.0.1 5353
[1556870384] unbound[3246:0] debug: creating tcp4 socket 127.0.0.1 8953
[1556870384] unbound[3246:0] debug: switching log to syslog

So I'm really not sure what's happening here. I still seem to be getting the SERVFAIL reply for some domains, and not others.

May 3 17:32:56 dnsmasq[4003]: query[A] xboxapi.com from 192.168.0.133
May 3 17:32:56 dnsmasq[4003]: forwarded xboxapi.com to 127.0.0.1
May 3 17:32:56 dnsmasq[4003]: forwarded xboxapi.com to 127.0.0.1
May 3 17:32:56 dnsmasq[4003]: reply error is SERVFAIL
May 3 17:33:01 dnsmasq[4003]: query[A] xboxapi.com from 192.168.0.133
May 3 17:33:01 dnsmasq[4003]: forwarded xboxapi.com to 127.0.0.1
May 3 17:33:01 dnsmasq[4003]: forwarded xboxapi.com to 127.0.0.1
May 3 17:33:01 dnsmasq[4003]: reply error is SERVFAIL
May 3 17:33:01 dnsmasq[4003]: query[A] www.google-analytics.com from 192.168.0.128
May 3 17:33:01 dnsmasq[4003]: /etc/pihole/gravity.list www.google-analytics.com is 0.0.0.0
May 3 17:33:06 dnsmasq[4003]: query[A] xboxapi.com.local from 192.168.0.133
May 3 17:33:06 dnsmasq[4003]: cached xboxapi.com.local is NXDOMAIN
May 3 17:33:06 dnsmasq[4003]: query[AAAA] xboxapi.com.local from 192.168.0.133
May 3 17:33:06 dnsmasq[4003]: cached xboxapi.com.local is NODATA-IPv6

Unless I'm misinterpreting the log, xboxapi.com returns servfail and then doesn't?
In the query log in the GUI, they appear as green and forwarded, but the reply is N/A?
@jfb would you mind casting your eye on the debug log please? I'm not sure if this is an unbound issue, or a Pi-hole issue, or a config error (i.e. my doing).
https://tricorder.pi-hole.net/3sbtjg2dpj!
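The dnsmasq log above never names a domain on its "reply error" lines, which is what makes it look as if xboxapi.com both fails and succeeds. As an added example (not from the original thread or from Pi-hole), this Python parser attributes each reply error to the most recently forwarded domain and lists the domains that only ever come back SERVFAIL from upstream; the sample log is constructed in the format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the Pi-hole dnsmasq log format quoted in the thread:
# one query forwarded twice then SERVFAIL, one gravity block, one cache hit, one normal answer.
SAMPLE_LOG = """\
May 3 17:32:56 dnsmasq[4003]: query[A] xboxapi.com from 192.168.0.133
May 3 17:32:56 dnsmasq[4003]: forwarded xboxapi.com to 127.0.0.1
May 3 17:32:56 dnsmasq[4003]: forwarded xboxapi.com to 127.0.0.1
May 3 17:32:56 dnsmasq[4003]: reply error is SERVFAIL
May 3 17:33:01 dnsmasq[4003]: query[A] www.google-analytics.com from 192.168.0.128
May 3 17:33:01 dnsmasq[4003]: /etc/pihole/gravity.list www.google-analytics.com is 0.0.0.0
May 3 17:33:06 dnsmasq[4003]: query[A] xboxapi.com.local from 192.168.0.133
May 3 17:33:06 dnsmasq[4003]: cached xboxapi.com.local is NXDOMAIN
May 3 17:33:10 dnsmasq[4003]: query[A] example.com from 192.168.0.133
May 3 17:33:10 dnsmasq[4003]: forwarded example.com to 127.0.0.1
May 3 17:33:10 dnsmasq[4003]: reply example.com is 192.0.2.10
"""

LINE_RE = re.compile(r"^\w+ +\d+ [\d:]+ dnsmasq\[\d+\]: (?P<msg>.*)$")

def parse_dnsmasq_log(text):
    """Count per-domain outcomes. A 'reply error' line names no domain, so it is
    attributed to the most recently forwarded domain (dnsmasq logs serially)."""
    stats = defaultdict(lambda: defaultdict(int))
    last_forwarded = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        words = msg.split()
        if msg.startswith("forwarded "):
            last_forwarded = words[1]
            stats[last_forwarded]["forwarded"] += 1
        elif msg.startswith("reply error is ") and last_forwarded:
            stats[last_forwarded][words[-1].lower()] += 1  # e.g. "servfail"
        elif msg.startswith("reply "):
            stats[words[1]]["answered"] += 1
        elif msg.startswith("/etc/pihole/gravity.list "):
            stats[words[1]]["blocked"] += 1
        elif msg.startswith("cached "):
            stats[words[1]]["cached"] += 1
    return {d: dict(v) for d, v in stats.items()}

def upstream_failures(stats):
    """Domains forwarded upstream that only ever came back SERVFAIL: a resolver-side
    failure (in this thread, suspected DNSSEC validation), not a block or cache hit."""
    return sorted(d for d, v in stats.items()
                  if v.get("servfail") and not v.get("answered"))
```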

I don't see any problems in the debug log. Using my local install of unbound, I can dig for xboxapi.com with no problems.

In your log output, xboxapi.com is resulting in SERVFAIL, but the domain with .local appended does not; it doesn't exist on the internet, so there is nothing to authenticate.

I think the problem is with your unbound install.

What is the output of this command from the Pi terminal:

dig xboxapi.com -p5353

Thanks for taking a look.

pi@pi-hole:~ $ dig xboxapi.com -p5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> xboxapi.com -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;xboxapi.com.                   IN      A

;; Query time: 36 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri May 03 18:10:11 BST 2019
;; MSG SIZE  rcvd: 40

I'm still at a loss as to why it literally just stopped working. I made absolutely no changes to any config.
And a reinstall of unbound results in the same behaviour.

This is related to DNSSEC difficulties, which typically point to either time or your local key.

How can I be absolutely sure time is correct on the pi?
Could it be linked to daylight savings?
I'm in the UK, where it is BST - British Summer Time.

pi@pi-hole:~ $ date
Fri  3 May 18:47:53 BST 2019
pi@pi-hole:~ $ timedatectl
      Local time: Fri 2019-05-03 18:47:57 BST
  Universal time: Fri 2019-05-03 17:47:57 UTC
        RTC time: n/a
       Time zone: Europe/London (BST, +0100)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no

Run the time command on the Pi and compare it to the time on your phone or watch.

Yeah, they match.

No, my setup is as instructed by the unbound guide


pi@pi-hole:~ $ sudo netstat -tulpn | grep :53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      28719/pihole-FTL
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      8772/unbound
tcp6       0      0 :::53                   :::*                    LISTEN      28719/pihole-FTL
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           8772/unbound
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           271/avahi-daemon: r
udp        0      0 0.0.0.0:53              0.0.0.0:*                           28719/pihole-FTL
udp6       0      0 :::5353                 :::*                                271/avahi-daemon: r
udp6       0      0 :::53                   :::*                                28719/pihole-FTL

You have

udp        0      0 127.0.0.1:5353          0.0.0.0:*                           8772/unbound

but then also

udp        0      0 0.0.0.0:5353            0.0.0.0:*                           271/avahi-daemon: r

so avahi-daemon is taking your queries.

Try

sudo service avahi-daemon stop
sudo service unbound restart

and see if this solves your issue.

Thanks.
What is avahi-daemon? I haven't knowingly installed this.
Ran the commands above and still see the problem?

pi@pi-hole:~ $ sudo netstat -tulpn | grep :53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      6365/pihole-FTL
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      8772/unbound
tcp6       0      0 :::53                   :::*                    LISTEN      6365/pihole-FTL
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           8772/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           6365/pihole-FTL
udp6       0      0 :::53                   :::*                                6365/pihole-FTL
pi@pi-hole:~ $ dig xboxapi.com -p5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> xboxapi.com -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58470
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;xboxapi.com.                   IN      A

;; Query time: 265 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Sun May 05 09:51:30 BST 2019
;; MSG SIZE  rcvd: 40

See https://linux.die.net/man/8/avahi-daemon

Your unbound seems to be only binding to 127.0.0.1. This is very strange. If your unbound.conf is still exactly as in our guide, you may want to try explicitly adding

server:
    interface: 0.0.0.0

(add interface somewhere under the already existing server category)
followed by a

sudo service unbound restart


Yeah, but taking avahi-daemon out of the equation doesn't hurt.


@Valiceemo Next step would be to set

server: 
    logfile: "/etc/unbound/unbound.log"
    verbosity: 4

and then checking the content of the logfile again after running

dig xboxapi.com -p5353

if you haven't done this already.

Sorry for the slow response.
I've tried the above and still get servfail.

I've done this too, yet no log file is created at /etc/unbound. The folder does not exist, nor is it created.
Should root be the owner of /etc/unbound?

pi@pi-hole:~ $ ls /etc/unbound/
total 40K
drwxr-xr-x   3 root root 4.0K Apr 27 10:28 .
drwxr-xr-x 107 root root  12K May  3 19:04 ..
-rw-r--r--   1 root root  332 Feb 28  2018 unbound.conf
drwxr-xr-x   2 root root 4.0K Apr 27 10:32 unbound.conf.d
-rw-------   1 root root 2.4K Apr 27 10:28 unbound_control.key
-rw-r-----   1 root root 1.3K Apr 27 10:28 unbound_control.pem
-rw-------   1 root root 2.5K Apr 27 10:28 unbound_server.key
-rw-r-----   1 root root 1.3K Apr 27 10:28 unbound_server.pem

Nothing apparently?

pi@pi-hole:~ $ ls /usr/local/etc/unbound
ls: cannot access '/usr/local/etc/unbound': No such file or directory

Just the one, that defines the ...conf.d/ folder

pi@pi-hole:~ $ sudo find / -name unbound.conf
/usr/share/doc/unbound/examples/unbound.conf
/etc/unbound/unbound.conf

No log file is created. It seems to default to syslog, irrespective of what I put in the .conf file.

Ah ok, as what user? Unbound?
If so how?
Thanks

Check what user unbound is running as:

ps -C unbound -o user

EDIT: if it's the unbound user, try the below from the instruction link:

sudo touch /var/log/unbound.log

sudo chown unbound:unbound /var/log/unbound.log