Root-servers.net & Co

Hi All :slight_smile:

I've been using Pi-hole for ~1.5 years and so far no issues. Actually I love it :slight_smile: Thank you, Pi-hole team

There is something I would like to understand, and this is where I ask for help. Maybe my understanding is wrong from the beginning.
Pi-hole + Unbound is installed on a DietPi (DietPi v9.8.0 - Debian GNU/Linux 12 (bookworm)) VM, and in theory all devices on the network are forced to use Pi-hole, as every request directed at port 53 outside the LAN is blocked on the firewall except from Pi-hole. Use Pi-hole or die - simple as that.

From the default Pi-hole list under Settings in the web GUI I have enabled
Quad9 (filtered, DNSSEC) 9.9.9.9 + 142.112.112.112
and added unbound as the upstream DNS server 127.0.0.1#5335
I would think that all Pi-hole needs to access is 9.9.9.9 + 142.112.112.112 and that's it. I assume that unbound will also query those 2 directly. But I see in the firewall logs that a bunch (~200+ in 10 minutes) of other addresses are queried as well (all of them on port 53) from the Pi-hole server, and most of them belong to *root-servers.net (that's fine), but also ns3.apnic.net, 1e100.net (Google junk), etc. are queried directly. Currently all of those are blocked. I checked all of them and all of them are some legitimate name servers.
I'm still able to access all websites/services, as it seems, and feel no drawback. (yes, feel :smiley: )

And

dig pi-hole.net @127.0.0.1 -p 5335

works fine as I have added the above 2 to: /etc/unbound/unbound.conf.d/forwarders.conf

If I'm not mistaken, unbound's primary role is some sort of cache, so that Pi-hole does not need to go to the external providers for every request. Faster, more private due to the cache, etc.

But what might be the reason for so many outgoing requests to IPs other than the defined ones? Is this coming from Pi-hole, Unbound, or maybe something else installed on the same VM (DietPi)? Where could I check?

Thanks! :slight_smile:

Settings on the Pi-hole VM:

cat /etc/resolv.conf

(empty - only the default comments)

cat /etc/hosts
127.0.0.1	localhost
cat /etc/unbound/unbound.conf
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
cat /etc/unbound/unbound.conf.d/pi-hole.conf
server:
logfile: "/var/log/unbound/unbound.log" -> does not exist, is that normal?

log-time-ascii: yes
verbosity: 1
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: no
edns-buffer-size: 1232
prefetch: yes
num-threads: 1
so-rcvbuf: 1m
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8

As suggested by: unbound - Pi-hole documentation

systemctl status unbound-resolvconf.service
○ unbound-resolvconf.service - Unbound asyncronous resolvconf update helper
     Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; disabled; preset: enabled)
     Active: inactive (dead)
systemctl status unbound.service
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; preset: enabled)
     Active: active (running) since Sat 2024-11-09 23:17:22 CET; 6min ago
       Docs: man:unbound(8)
    Process: 606 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 637 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 642 (unbound)
      Tasks: 1 (limit: 1092)
     Memory: 16.5M
        CPU: 47ms
     CGroup: /system.slice/unbound.service
             └─642 /usr/sbin/unbound -d -p

No.
The primary role of Unbound is to be a recursive DNS server.

A recursive DNS server will (recursively) query other DNS servers to find out the required IP address and return this IP to the client. After finding an IP address, this address will be cached for a time span (known as TTL - "time to live"), usually varying from a few seconds to a few hours.

I think you are seeing unbound querying other DNS servers.

Thank you @rdwebdesign
I was also thinking that unbound is doing it, but the setting in
/etc/unbound/unbound.conf.d/forwarders.conf
should prevent it from going randomly around the internet.

forward-zone:
        name: "."
        forward-addr: 9.9.9.9
        forward-addr: 149.112.112.112

Or no?

Besides unbound being a recursive resolver (as rdwebdesign has explained), Pi-hole already employs its own cache.

That would mean that Pi-hole would use one out of those three upstream DNS servers for any given query, preferring the fastest responding one, which unbound is at a disadvantage of becoming when having to walk the recursion chain.

This would contradict using unbound as a recursive resolver, as part of your DNS history may now leak to one of Quad9's DNS servers.

In a similar fashion, your custom unbound configuration has turned your unbound into a simple forwarding resolver (using the exact same upstreams as Pi-hole already does), i.e. it is not acting as a recursive resolver anymore.

If that configuration would indeed reflect your intentions, then you would not need unbound at all - go uninstall it and remove it from Pi-hole's upstreams.
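As an added check, not taken from the thread nor from Pi-hole's or unbound's own tooling, the script below parses the forwarders.conf posted above (embedded as constructed input) and reports whether a catch-all forward-zone has put unbound into forwarding mode and whether its forwarders duplicate the upstreams Pi-hole already has; PIHOLE_UPSTREAMS is an assumption modelled on the GUI settings described in this thread.

```python
from typing import Dict, List

# Constructed input mirroring the forwarders.conf posted in this thread.
FORWARDERS_CONF = """\
forward-zone:
        name: "."
        forward-addr: 9.9.9.9
        forward-addr: 149.112.112.112
"""

# Assumption: the upstream list enabled in Pi-hole's web GUI in this thread.
PIHOLE_UPSTREAMS = ["9.9.9.9", "149.112.112.112", "127.0.0.1#5335"]

def parse_unbound(text: str) -> List[Dict[str, List[str]]]:
    """Split unbound's 'clause:' / 'option: value' syntax into clause dicts."""
    clauses: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")  # first colon only (IPv6 safe)
        key, value = key.strip(), value.strip().strip('"')
        if value == "":  # bare "server:" / "forward-zone:" header
            current = {"_clause": [key]}
            clauses.append(current)
        elif current:  # repeatable option inside the current clause
            current.setdefault(key, []).append(value)
    return clauses

def catch_all_forwarders(clauses: List[Dict[str, List[str]]]) -> List[str]:
    """Addresses that a forward-zone for "." sends every query to."""
    addrs: List[str] = []
    for c in clauses:
        if c["_clause"] == ["forward-zone"] and "." in c.get("name", []):
            addrs += c.get("forward-addr", []) + c.get("forward-host", [])
    return addrs

def assess(conf_text: str, pihole_upstreams: List[str]) -> dict:
    """'forwarding' if a catch-all forward-zone exists, else 'recursive'."""
    fwd = catch_all_forwarders(parse_unbound(conf_text))
    # Strip any @port / #name suffixes before comparing plain hosts.
    hosts = {a.split("@")[0].split("#")[0] for a in fwd}
    pihole = {u.split("#")[0] for u in pihole_upstreams}
    return {"mode": "forwarding" if fwd else "recursive",
            "forwarders": fwd,
            "duplicates_pihole_upstreams": sorted(hosts & pihole)}
```

Run against the posted forwarders.conf it reports mode "forwarding" with both Quad9 addresses flagged as duplicates of Pi-hole's own upstreams; with a server-only config (no forward-zone) it reports "recursive".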

Thank you @Bucking_Horn

My intention would be:
1: Stop applications with hardcoded DNS resolvers from avoiding Pi-hole as far as possible. If an application does not work like that -> goodbye application. I would assume that blocking port 53 on LAN-to-WAN connections (except for Pi-hole/unbound) would help with that a great deal. Yes, there are still ways around it, but that's why I say as far as possible.

2: I still see in the fw logs that, for example, 1e100.net (Google) is being used, and I don't like the sound of that at all. For this I would like to use only specific resolvers which, in my judgement, sound ok (example: Quad9, maybe 1.1.1.1, etc.), but figuring out all those "rogue" servers might be a task for 2 lifetimes and beyond.

+1 edit: Maintain some sort of local cache to speed up a given query a bit. Even though my rto times with Quad9 are usually under 10 ms, which is much better than Cloudflare for example. I assume they have something in very close proximity.

So if I got you correctly, then the best would be to remove Quad9 (filtered, DNSSEC) 9.9.9.9 + 149.112.112.112 in the Pi-hole settings in the web GUI and leave only the upstream DNS server 127.0.0.1#5335, with the settings applied in forwarders.conf. That would make sure that unbound is able to do its job. Or still wrong? :slight_smile:

:thinking:

:face_with_monocle:
As it's doing its refresh cycle?

No.
If you do not want recursion, then there is no use in running unbound, hence my previous recommendation:

Thank you both for your inputs!
I decided to get rid of unbound as I see only a very small benefit (if any) for my use case.

Here is a somewhat useful conversation in that regard:
https://www.reddit.com/r/pihole/comments/ydkkup/what_are_the_benefits_to_unbound/
