Raspberry Pi 2 Model B Pi-Hole unbound, standard install

Expected Behaviour:

I have followed this guide Pi Hole install
and this guide Pi Hole Unbound

```
cat /etc/resolv.conf
# Generated by resolvconf
domain lan
nameserver 192.168.50.1
```

So resolv.conf does not get updated and unbound does not seem to be working.

```
dig pi-hole.net @127.0.0.1 -p 5335
; <<>> DiG 9.16.37-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63935
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; Query time: 2189 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Wed May 10 16:20:18 CEST 2023
;; MSG SIZE  rcvd: 40
```

Note that I had to make a space between @ and 127.0.0.1 because new users can't mention other users.

```
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
```

Raspberry Pi 2 Model B

Actual Behaviour:

Debug Token:

QREPVNeX

You seem to run your Pi-hole on an RPi, and there is a notable time jump in your logs:

```
*** [ DIAGNOSING ]: Pi-hole log
-rw-r----- 1 pihole pihole 651K May 10 16:14 /var/log/pihole/pihole.log

   -----tail of pihole.log------
(...)
   May 10 15:49:00 dnsmasq[1736]: read /etc/pihole/local.list - 0 names
   May 10 16:14:37 dnsmasq[1736]: query[A] xn--myetherwllet-9bb.com from 127.0.0.1
```

At the time you ran that dig, was your RPi's time and time zone information accurate?
Is it now?

Well, I guess?

```
pi@raspberrypi:~ $ date
Thu 11 May 08:21:51 CEST 2023

pi@raspberrypi:~ $ ll /etc/localtime
lrwxrwxrwx 1 root root 36 May 3 02:26 /etc/localtime -> /usr/share/zoneinfo/Europe/Stockholm

pi@raspberrypi:~ $ timedatectl status
Local time: Thu 2023-05-11 08:23:43 CEST
Universal time: Thu 2023-05-11 06:23:43 UTC
RTC time: n/a
Time zone: Europe/Stockholm (CEST, +0200)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
```

Btw, is it quotes you are using to get the text formatted in the way in your and my edited post?

I have made a new install and saved all the commands. So everything can be looked at step by step, if you want to see it.

But I'm thinking, I am using Asus-Merlin firmware on my RT-AX86U router. Where I am running AdGuard Home, no unbound though, but the router is intercepting all DNS queries. Does this affect my lab Raspberry Pi too when it runs unbound locally?

https://tricorder.pi-hole.net/2QMgKEgn/

You can format an inline code surrounding the command with backticks:

```
# This will show the command without triggering a mention:
`dig pi-hole.net @127.0.0.1 -p 5335`
```

The result will be like this: `dig pi-hole.net @127.0.0.1 -p 5335`

Also, you can create code blocks (like file contents) putting the code inside fences (```), like this:

```
multiline code
another line
and another one 
```

The result will look like this:

multiline code
another line
and another one 

Edit:
Tip:
you can add code format (inline or multi-line) simply selecting the text and pressing CTRL+E.

I am simply applying 'Preformatted text' to a highlighted selection in the editor, which would add the necessary characters mentioned by rdwebdesign: :wink:

A synchronised time is essential for DNSSEC validation.
In absence of a correct timeframe, all DNSSEC validation is bound to fail, and you lose DNS resolution capabilities completely.

If your time is correct now, and your dig still fails, then your issue is not related to wrong timings.

Possibly.

Since you followed our guide, unbound would be configured as a recursive resolver, i.e. it would walk the chain of authoritative DNS resolvers until it gets to the one that is serving the requested DNS record.

If you'd block, restrict, redirect or otherwise manipulate DNS for the machine hosting unbound, then its DNS requests will likely fail, either because they would never reach the respective authoritative DNS servers, or because DNSSEC validation would fail, resulting in unbound discarding DNS replies as BOGUS.
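
One way to check from `dig` output alone whether the unbound host's queries reach authoritative servers, as an added example that is not part of the original thread: the function reads a dig reply's header and, for a `+norec . NS` query sent to a root server, treats a reply carrying `ra` or lacking `aa` as answered by some other resolver. The function name, verdict strings and the two root-server samples are constructed for illustration; the heuristic assumes root servers answer authoritatively for the root zone and never offer recursion.

```shell
#!/usr/bin/env bash
# Added example: classify a dig reply from its header lines (read on stdin).
#   recursive     : reply from the local unbound, e.g. dig pi-hole.net @127.0.0.1 -p 5335
#   authoritative : reply to  dig +norec . NS @a.root-servers.net
dig_verdict() {
    mode=$1
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    [ -n "$status" ] || { echo "no-reply"; return 0; }
    if [ "$mode" = "authoritative" ]; then
        # Heuristic: a root server is authoritative for "." (aa) and never
        # offers recursion (no ra). Anything else came from another resolver.
        case " $flags " in
            *" ra "*) echo "answered-by-a-resolver" ;;
            *" aa "*) echo "direct" ;;
            *)        echo "not-authoritative" ;;
        esac
        return 0
    fi
    case "$status" in
        SERVFAIL) echo "servfail" ;;
        NOERROR)
            # dig shows ad when unbound validated the answer with DNSSEC.
            case " $flags " in
                *" ad "*) echo "validated" ;;
                *)        echo "resolved-no-ad" ;;
            esac ;;
        *) echo "other:$status" ;;
    esac
}

# Header lines copied from the failing dig earlier in this thread.
PAGE_REPLY=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63935
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed samples: a root-server reply as it looks when it arrives
# untouched, and the same query answered by a redirecting resolver.
ROOT_DIRECT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27'
ROOT_REDIRECTED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$PAGE_REPLY"      | dig_verdict recursive       # servfail
printf '%s\n' "$ROOT_DIRECT"     | dig_verdict authoritative   # direct
printf '%s\n' "$ROOT_REDIRECTED" | dig_verdict authoritative   # answered-by-a-resolver
```

Pipe live `dig` output into the function in place of the samples. A root-server query run on the unbound host that comes back as `answered-by-a-resolver` means its traffic to authoritative servers is being redirected on the way out.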

Yeah I see. Maybe I can find another router somewhere where I can test this.
I'll be back!

A new router wouldn't be required:
Just allow your Pi-hole/unbound host to access any public DNS server in your Merlin firmware's firewall.

Hmm, how do I do that? I'm running Skynet

How does that relate to:

Specifically, how would using Skynet as an ISP affect your Asus-Merlin firmware's configuration?

Skynet is a firewall for Asus merlin routers.

https://github.com/Adamm00/IPSet_ASUS
