Random DNS resolution fails with unbound

Expected Behaviour:

I'm using unbound for DNS and seem to get occasional interruptions on devices where things briefly fail to load ... Running pihole diagnostics in the domain resolution tests, each time I run diagnostics there will be a different fail - sometimes ipv6 and sometimes ipv4, sometimes on lo and sometimes eth0 ...

I'm not sure where to start debugging something like this, hoping someone here can point me in a likely direction?

Actual Behaviour:

[replace this text with what is actually happening]

Debug Token:

https://tricorder.pi-hole.net/rBDIwBPM/

It looks like you are running Pi-hole and unbound on the same server. You don't need to use IPv6 localhost (PIHOLE_DNS_2=::1#5335). Did you follow a guide for setting up unbound? Remove that IPv6 localhost and I think you'll fix the issue.

Additional observations:

How is your network configured? It looks like there is a DHCP lease for the Pi-hole server, that's not a great configuration, a DNS server should be statically addressed.

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   * Received 300 bytes from eth0:192.168.1.1
     Offered IP address: 192.168.1.99
     Server IP address: 192.168.1.1

It also looks like there is a static default route and a DHCP assigned default route:

*** [ DIAGNOSING ]: Network routing table
   default via 192.168.1.1 dev eth0 proto static 
   default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.99 metric 100 

Thanks, since that last post I think I overdid the trial and error approach to networking and might need to take everything back to stock and start again ... I've spent most of the weekend without any reliable connection and I think the problems are mostly upstream from pihole. Disabling ipv6 on the router and in unbound.conf has got me back up and running for now.

I was so close to perfect though, not sure exactly why it stopped working ... I've used pihole for years but thought as a bit of a challenge let's get ipv6 fully working ... I had 10/10 on test-ipv6.com, with wireguard clients able to connect remotely and get the same ipv6 connection over ipv4, unbound was giving generally good performance - just a few anomalies in the diagnostic test and my attempts to fix that seem to have sent it all tumbling down.

I'm running pihole on a pi with ubuntu, and couldn't find any clear guide on how to set static ip for that, so have always had the 192.168.1.99 ip manually assigned in the router dhcp.

Not sure about the duplicate static and DHCP assigned default route - I am using an asus AiMesh setup (RT-AX92U / Merlin firmware) with two nodes so maybe that's why it's showing two default routes with the same ip?

I think I followed the guide here for unbound originally, but then went rogue for ipv6 setup: unbound - Pi-hole documentation

IPv6 can be a steep learning curve to get it implemented. As a quick and helpful hint, you don't need an IPv6 address for a DNS resolver, if you are running dual-stack (IPv4 and IPv6) then you can leave the DNS on IPv4. Any DNS server will resolve any address, you don't have to use IPv6 to get IPv6 addresses. The only difference is in the type of DNS record. A records are IPv4, AAAA records are IPv6.

dan@Columbia:~$ dig +short AAAA google.com @1.1.1.1
2607:f8b0:4007:809::200e

dan@Columbia:~$ dig +short A google.com @1.1.1.1
142.250.68.46

So you can still try for that IPv6 10/10 score and leave DNS IPv4. And since you are running unbound on the same host as Pi-hole you don't need anything more than 127.0.0.1:5335, localhost is purely a socket/pseudo-interface that doesn't really even need a protocol.

I can help you with the static IP addressing. Your debug log shows Ubuntu 22.04 so I'll go off of that.

Can you check and see if sudo nmcli nm status and/or sudo netplan status shows any output? This will help find out if you have NetworkManager or netplan set up to manage IP addressing.

I can help you with the unbound setup to let it use IPv6 upstream hosts as well, and let it listen on an IPv6 address:port for clients also.
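The point made in the reply above (the record type is a field in the query, independent of the transport) together with the intermittent failures this thread is chasing, as an added example that is not part of the original posts: a probe that sends A and AAAA queries over IPv4 UDP to unbound on 127.0.0.1 port 5335 (the address from the thread) and tallies the outcomes over repeated rounds. The function names, the 2-second timeout and the 20-round default are assumptions.

```python
import secrets
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}  # record type is a query field, not a transport choice

def build_query(name, rtype, txid=None):
    """Encode a one-question DNS query in RFC 1035 wire format."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[rtype], 1)  # class IN

def parse_reply(reply, query):
    """Return (rcode, answer_count); ValueError if it does not answer `query`."""
    if len(reply) < 12:
        raise ValueError("short reply")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return flags & 0x000F, ancount

def probe(name, rtype, server="127.0.0.1", port=5335, timeout=2.0):
    """One lookup over IPv4 UDP: 'ok', 'empty', 'rcode=N', 'timeout' or 'error'."""
    query = build_query(name, rtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            rcode, ancount = parse_reply(sock.recv(4096), query)
        except socket.timeout:
            return "timeout"
        except (OSError, ValueError):
            return "error"  # e.g. nothing listening on the port, or a bogus reply
    if rcode:
        return f"rcode={rcode}"  # 2 is SERVFAIL, 3 is NXDOMAIN
    return "ok" if ancount else "empty"

def tally(rounds=20, name="google.com"):
    """Repeat A and AAAA lookups and count outcomes per record type."""
    counts = {}
    for _ in range(rounds):
        for rtype in QTYPE:
            key = (rtype, probe(name, rtype))
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (rtype, outcome), n in sorted(tally().items()):
        print(f"{rtype:5} {outcome:10} {n}")
```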

I 'think' I'm all sorted now, thanks - with a combination of your advice and (I'd already started and was keen for a fresh start anyway) a complete factory reset on my router and fresh pihole installation, ipv6 is 10/10 again locally and away from home via wireguard on the asus router.

Starting from scratch, I think one thing I noticed as I was being more methodical was that a misconfigured wireguard tunnel on my router, when enabled, was breaking ipv6 for the whole network. I just hadn't suspected that and I think that is what sent me down many rabbit holes. I'd been trying to put an ipv6 address range in the 'Tunnel IPv4 and / or IPv6 Address' field in the asus wireguard configuration when it turns out that wasn't needed at all.

I went back to basic Raspberry PI OS lite this time for pihole, and used nmtui to get the static IP sorted.

For the unbound ipv6 setup I've followed the pihole guide and just changed do-ip6 and prefer-ip6 to yes. That should be all right?

Running the diagnostics a few more times it's looking good - no more fails in the name resolution section :slight_smile:
