Raspberry Pi 4 4GB unbound/Pi Hole no internet using Unbound


Expected Behaviour: Unbound and Pi hole access to internet working in conjunction.

Actual Behaviour:

Using only Pi-hole with Cloudflare, the internet connection works; when changed over to use Unbound, the internet stops working.

Debug Token:

Debug token using only Pi-hole with Cloudflare, no Unbound
(I can post full debug information if relevant)

https://tricorder.pi-hole.net/xwy2kb37cg

Debug token trying to use Unbound, custom IPv4 127.0.0.1#5353

[✓] ** FINISHED DEBUGGING! **

* The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
* For more information, see: https://pi-hole.net/2016/11/07/crack-our-medical-tricorder-win-a-raspberry-pi-3/
* If available, we'll use openssl to upload the log, otherwise it will fall back to netcat.

[i] Debug script running in automated mode
* Using curl for transmission.
[✗] There was an error uploading your debug log.

  • Please try again or contact the Pi-hole team for assistance.
  • A local copy of the debug log can be found at: /var/log/pihole_debug.log

What are the outputs of the following commands from the Pi terminal:

sudo service unbound status

journalctl -e --unit unbound

unbound-checkconf

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf.d

Hello, thanks for the assistance!!

* unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset:
Active: active (running) since Sat 2019-11-16 21:51:55 AWST; 1 day 9h ago
Docs: man:unbound(8)

Process: 527 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=e
Process: 565 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_up
Main PID: 596 (unbound)
Tasks: 4 (limit: 4915)
Memory: 17.2M
CGroup: /system.slice/unbound.service
+-596 /usr/sbin/unbound -d
Nov 16 21:51:54 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 16 21:51:54 raspberrypi package-helper[565]: /var/lib/unbound/root.key has c
Nov 16 21:51:54 raspberrypi package-helper[565]: fail: the anchor is NOT ok and
Nov 16 21:51:55 raspberrypi systemd[1]: Started Unbound DNS server.
~

-- Logs begin at Sat 2019-11-16 21:17:01 AWST, end at Mon 2019-11-18 07:24:41 AWST.

Nov 16 21:51:54 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 16 21:51:54 raspberrypi package-helper[565]: /var/lib/unbound/root.key has
cont
Nov 16 21:51:54 raspberrypi package-helper[565]: fail: the anchor is NOT ok and
cou
Nov 16 21:51:55 raspberrypi
unbound-checkconf: no errors in /etc/unbound/unbound.conf

grep: invalid option -- '/'
Usage: grep [OPTION]... PATTERNS [FILE]...
Try 'grep --help' for more information.

This was taken with the Raspberry Pi running over Wi-Fi and using Cloudflare as the DNS, not Unbound. I have not made the modem use this Pi at the moment, until the unit is working correctly. If you need anything further please let me know. I can run the commands again if you like with Unbound ticked for DNS?

Unbound is not set up with the root anchor correctly.

What is sudo sysetmctl --full --no-pager unbound.service sudo systemctl status --full --no-pager showing for the package-helper checks on the root.key file?

Thank you for your help.
I will reply when I get home from work later today.

Hello,
The following command produced the below.

pi@raspberrypi:~ $ sudo sysetmctl --full --no-pager unbound.service sudo sysetmctl --full --no-pager unbound.service
sudo: sysetmctl: command not found

pi@raspberrypi:~ $ package-helper
-bash: package-helper: command not found

pi@raspberrypi:~ $ root.key
-bash: root.key: command not found

I have the below link
https://www.internic.net/domain/named.root
in the following file
sudo vi /var/lib/unbound/root.hints

Apologies. The provided command had an error. Please post the full output of the command below.

sudo systemctl --full --no-pager unbound.service

No worries. Didn't get the response I think you need?

pi@raspberrypi:~ $ sudo systemctl --full --no-pager unbound.service
Unknown operation unbound.service.

Try this command:

sudo systemctl status --full --no-pager unbound.service

The output should look something like this:

sudo systemctl status --full --no-pager unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-11-07 08:17:08 CST; 1 weeks 4 days ago
     Docs: man:unbound(8)
  Process: 549 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 580 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
 Main PID: 596 (unbound)
    Tasks: 1 (limit: 2077)
   Memory: 13.7M
   CGroup: /system.slice/unbound.service
           └─596 /usr/sbin/unbound -d
 ...

Sorry, my command was wrong:

sudo systemctl --full --no-pager status unbound

and

sudo cat /var/lib/unbound/root.hints

Check if port #5353 is being used by anything else:

sudo netstat -tulpn | grep :5353
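
A stricter version of the port check above, as an added example that is not part of the original thread: it groups `netstat -tulpn` output by protocol and program and reports when more than one program holds the port. The sample lines are constructed, and the function names `port_owners` and `shared_port` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in `netstat -tulpn` layout (not captured from a real host).
sample_netstat() {
cat <<'EOF'
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           354/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                354/avahi-daemon: r
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      410/sshd
EOF
}

# port_owners PORT: read netstat text on stdin and print one
# "proto bind-address program" line per distinct owner of PORT.
port_owners() {
    awk -v port="$1" '
    $1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":")              # local address; port is the last part
        if (a[n] != port) next             # exact match, so 5353 never matches 53530
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        prog = ""                          # PID/Program column: first "NNN/name" field
        for (i = 6; i <= NF; i++) if ($i ~ /^[0-9]+\//) { prog = $i; break }
        sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
        key = $1 " " addr " " prog
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# shared_port PORT: print each protocol on which more than one program
# holds a socket on PORT, followed by the program names.
shared_port() {
    port_owners "$1" | awk '
    !(($1, $3) in pair) { pair[$1, $3] = 1; count[$1]++; names[$1] = names[$1] " " $3 }
    END { for (p in count) if (count[p] > 1) print p ":" names[p] }'
}

# Demo on the constructed sample; on a live host pipe `sudo netstat -tulpn` in instead.
sample_netstat | shared_port 5353
```

UDP 5353 is the mDNS port, which is why a wildcard-bound avahi-daemon socket shows up next to the resolver's loopback socket in this kind of output.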

pi@raspberrypi:~ $ sudo netstat -tulpn | grep :5353
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           354/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                354/avahi-daemon: r
pi@raspberrypi:~ $ sudo systemctl status --full --no-pager unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-11-18 18:45:54 AWST; 12h ago
     Docs: man:unbound(8)
  Process: 458 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 545 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
 Main PID: 583 (unbound)
    Tasks: 4 (limit: 4915)
   Memory: 17.5M
   CGroup: /system.slice/unbound.service
           └─583 /usr/sbin/unbound -d

Nov 18 18:45:53 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 18 18:45:54 raspberrypi package-helper[545]: /var/lib/unbound/root.key has content
Nov 18 18:45:54 raspberrypi package-helper[545]: fail: the anchor is NOT ok and could not be fixed
Nov 18 18:45:54 raspberrypi systemd[1]: Started Unbound DNS server.
pi@raspberrypi:~ $

This is with Cloudflare ticked and 127.0.0.1#5353 not ticked.

pi@raspberrypi:~ $ sudo netstat -tulpn | grep :5353
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           583/unbound
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           354/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                354/avahi-daemon: r
pi@raspberrypi:~ $ sudo systemctl status --full --no-pager unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-11-18 18:45:54 AWST; 12h ago
     Docs: man:unbound(8)
  Process: 458 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 545 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
 Main PID: 583 (unbound)
    Tasks: 4 (limit: 4915)
   Memory: 17.6M
   CGroup: /system.slice/unbound.service
           └─583 /usr/sbin/unbound -d

Nov 18 18:45:53 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 18 18:45:54 raspberrypi package-helper[545]: /var/lib/unbound/root.key has content
Nov 18 18:45:54 raspberrypi package-helper[545]: fail: the anchor is NOT ok and could not be fixed
Nov 18 18:45:54 raspberrypi systemd[1]: Started Unbound DNS server.
pi@raspberrypi:~ $
sudo unbound -d -v
[1574119885] unbound[6438:0] notice: Start of unbound 1.9.0.
[1574119885] unbound[6438:0] warning: unbound is already running as pid 583.
^Cpi@raspberrypi:~ $ root.key
-bash: root.key: command not found
pi@raspberrypi:~ $ sudo unbound-anchor -v
/var/lib/unbound/root.key has content
success: the anchor is ok

What is inside the key file?

sudo cat /var/lib/unbound/root.key

Please see below results for the command

pi@raspberrypi:~ $ sudo cat /var/lib/unbound/root.key

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1574119945 ;;Tue Nov 19 07:32:25 2019
;;last_success: 1574119945 ;;Tue Nov 19 07:32:25 2019
;;next_probe_time: 1574161087 ;;Tue Nov 19 18:58:07 2019
;;query_failed: 0
;;query_interval: 43199
;;retry_time: 8639
.       86400   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1573910877 ;;Sat Nov 16 21:27:57 2019

I just checked; sudo vi /etc/unbound/unbound.conf.d has nothing in it.

I have put my config in the following: sudo vi /etc/unbound/unbound.conf.d/pi-hole.conf
Does that help with your question about what's in the config of Unbound? I can put that information up if that will help?

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf.d

pi@raspberrypi:~ $ sudo grep -v '#|^$' -R /etc/unbound/unbound.conf.d

/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:   logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:   verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:   port: 5353
/etc/unbound/unbound.conf.d/pi-hole.conf:   do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:   root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:   cache-min-ttl: 3600
/etc/unbound/unbound.conf.d/pi-hole.conf:   cache-max-ttl: 86400
/etc/unbound/unbound.conf.d/pi-hole.conf:   cache-max-negative-ttl: 3600
/etc/unbound/unbound.conf.d/pi-hole.conf:   edns-buffer-size: 4096
/etc/unbound/unbound.conf.d/pi-hole.conf:   interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: 192.168.0.1/24
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: 192.168.20.1/24
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: 192.168.20.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:   private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf:   access-control: 0.0.0.0/0 refuse
/etc/unbound/unbound.conf.d/pi-hole.conf:   access-control: 127.0.0.0/8 allow
/etc/unbound/unbound.conf.d/pi-hole.conf:   access-control: 192.168.0.0/24 allow
/etc/unbound/unbound.conf.d/pi-hole.conf:   access-control: 192.168.20.0/24 allow
/etc/unbound/unbound.conf.d/pi-hole.conf:   harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   harden-short-bufsize: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   harden-large-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   hide-identity: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   hide-version: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   ratelimit: 1000
/etc/unbound/unbound.conf.d/pi-hole.conf:   unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf.d/pi-hole.conf:   use-caps-for-id: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   ssl-upstream: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   val-clean-additional: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   harden-below-nxdomain: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   delay-close: 10000
/etc/unbound/unbound.conf.d/pi-hole.conf:   neg-cache-size: 4M
/etc/unbound/unbound.conf.d/pi-hole.conf:   do-daemonize: no
/etc/unbound/unbound.conf.d/pi-hole.conf:   qname-minimisation: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   qname-minimisation-strict: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   rrset-roundrobin: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   num-threads: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:   msg-cache-slabs: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:   rrset-cache-slabs: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:   infra-cache-slabs: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:   key-cache-slabs: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:   ratelimit-slabs: 4
/etc/unbound/unbound.conf.d/pi-hole.conf:   ratelimit-size: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:   rrset-cache-size: 128m
/etc/unbound/unbound.conf.d/pi-hole.conf:   msg-cache-size: 64m
/etc/unbound/unbound.conf.d/pi-hole.conf:   outgoing-range: 256
/etc/unbound/unbound.conf.d/pi-hole.conf:   num-queries-per-thread: 1024
/etc/unbound/unbound.conf.d/pi-hole.conf:   so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:   so-sndbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:   prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   prefetch-key: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   minimal-responses: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   serve-expired: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:   so-reuseport: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:forward-zone:
/etc/unbound/unbound.conf.d/pi-hole.conf:   name: "."
/etc/unbound/unbound.conf.d/pi-hole.conf:   forward-ssl-upstream: yes
Binary file /etc/unbound/unbound.conf.d/.pi-hole.conf.swp matches
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
Binary file /etc/unbound/unbound.conf.d/.pi-hole.conf.swo matches