I have been trying to set up Pi-hole and Unbound for about a week now and I'm currently on my second install (wiped the SD after the first try didn't work and now it seems worse than before :P). I'm currently back to using 1.1.1.1 as a manual DNS on my devices so I can write this post at all.
Expected Behaviour:
I used this guide to install Pi-hole on a Raspberry Pi 4 and this subsection to set up unbound. I am now at the end of the installation process and I'm trying these three tests:
dig pi-hole.net @127.0.0.1 -p 5335
dig fail01.dnssec.works @127.0.0.1 -p 5335
dig dnssec.works @127.0.0.1 -p 5335
Actual Behaviour:
SERVFAIL. For all of them.
Debug Token:
I cannot upload the log as I receive an error uploading it, so it suggests contacting the Pi-hole team.
Let me know what other info I can provide, I really appreciate the help!
DNSSEC needs an accurate clock. Check that your clock is accurate and the timezone is correct. The command below will let you confirm. This page has more info on how to set your time zone and enable NTP (to automatically keep it accurate) if needed.
timedatectl
I've had very mixed results using the dnssec.works domains recently, but the pi-hole.net one should work and return the IP of their site rather than fail.
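As an added example (not from this thread, the guide, or Pi-hole's own tooling): a small Python checker that reads the header lines of the dig output from the three guide tests and reports whether each result matches what a correctly validating Unbound should return. The sample dig headers inside it are constructed, including an all-SERVFAIL set like the one reported above.

```python
import re

# Expected result of each guide test against a validating resolver: (status, AD flag required).
# AD (authenticated data) is set only when the resolver has DNSSEC-validated the answer.
EXPECTED = {
    "pi-hole.net": ("NOERROR", False),
    "fail01.dnssec.works": ("SERVFAIL", False),  # deliberately broken signature, must be refused
    "dnssec.works": ("NOERROR", True),            # valid signature, answer must carry AD
}

HEADER_RE = re.compile(r"->>HEADER<<-.*?status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)

def parse_dig(output):
    """Return (status, set of flags) from dig's header lines, or (None, set()) if no reply came back."""
    m = HEADER_RE.search(output)
    if not m:
        return None, set()
    f = FLAGS_RE.search(output)
    return m.group(1), (set(f.group(1).split()) if f else set())

def assess(domain, output):
    """Compare one dig result with the expected outcome; returns (ok, reason)."""
    want_status, want_ad = EXPECTED[domain]
    status, flags = parse_dig(output)
    if status is None:
        return False, "no answer (nothing listening on that port, or timeout)"
    if status != want_status:
        return False, f"got {status}, expected {want_status}"
    if want_ad and "ad" not in flags:
        return False, "NOERROR but no AD flag: answer was not DNSSEC-validated"
    return True, "as expected"

def diagnose(results):
    """results maps domain -> dig output. SERVFAIL on every test points away from DNSSEC itself."""
    if all(parse_dig(o)[0] == "SERVFAIL" for o in results.values()):
        return "every query SERVFAILs: check clock/NTP, root trust anchor, upstream reachability"
    failed = [d for d, o in results.items() if not assess(d, o)[0]]
    return "all checks pass" if not failed else "unexpected: " + ", ".join(failed)

# Constructed, abridged dig headers (not copied from the thread)
def _hdr(status, flags, ident):
    return f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: {ident}\n;; flags: {flags}; QUERY: 1\n"

SAMPLE_OK = {"pi-hole.net": _hdr("NOERROR", "qr rd ra", 1),
             "fail01.dnssec.works": _hdr("SERVFAIL", "qr rd ra", 2),
             "dnssec.works": _hdr("NOERROR", "qr rd ra ad", 3)}
SAMPLE_ALL_SERVFAIL = {d: _hdr("SERVFAIL", "qr rd ra", 9) for d in EXPECTED}

if __name__ == "__main__":
    print("healthy ->", diagnose(SAMPLE_OK))
    print("thread  ->", diagnose(SAMPLE_ALL_SERVFAIL))
```

Paste the real output of each dig command into the matching dictionary entry to check your own Pi; a NOERROR for dnssec.works without the ad flag means Unbound answered but did not validate.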
Local time: Sat 2023-12-23 21:40:53 CET
Universal time: Sat 2023-12-23 20:40:53 UTC
RTC time: n/a
Time zone: Europe/Berlin (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
and I'm based in Germany, so that should be alright I guess?
[✓] FTL is listening on port 53
[✓] UDP (IPv4)
[✓] TCP (IPv4)
[✓] UDP (IPv6)
[✓] TCP (IPv6)
[✓] Pi-hole blocking is enabled
and Unbound
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; preset: enabled)
Active: active (running) since Sat 2023-12-23 21:39:40 CET; 6min ago
Docs: man:unbound(8)
Process: 1559 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 1561 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Main PID: 1563 (unbound)
Tasks: 1 (limit: 3919)
CPU: 331ms
CGroup: /system.slice/unbound.service
└─1563 /usr/sbin/unbound -d -p
Dec 23 21:39:40 raspberrypi systemd[1]: Starting unbound.service - Unbound DNS server...
Dec 23 21:39:40 raspberrypi unbound[1563]: [1563:0] warning: subnetcache: prefetch is set but not working for data originating from >
Dec 23 21:39:40 raspberrypi unbound[1563]: [1563:0] info: start of service (unbound 1.17.1).
Dec 23 21:39:40 raspberrypi systemd[1]: Started unbound.service - Unbound DNS server.
OK so I don't know why, but I was able to replace 1.1.1.1 with the IP of my Pi just now and I'm able to resolve addresses on my computer again (although manually in WiFi settings, on the previous install it worked without that). Then I tried
dig fail01.dnssec.works
and
dig dnssec.works
on a client (the computer) for a change and here I received SERVFAIL and NOERROR respectively. So while I'm happy my Internet works again I'd still like to figure out why it works on the client side and not on the Pi itself (where I still receive SERVFAIL for both (amended) commands).
Would you mind also trying the following please? Set your Pi-hole DNS back to just Unbound on 127.0.0.1#5335 (you can put it back to just 1.1.1.1 afterwards). Then run the above command again but without the port option:
delv dnssec.works @127.0.0.1
Presumably that still fails, since now you are asking Pi-hole and Pi-hole is asking Unbound. However now the Pi-hole Query Log will show the request. Do you see BOGUS, Retried, or anything else of interest related to that dnssec.works domain?
No, I meant in Pi-hole's Settings > DNS page, which is what I assumed you were referring to in the opening post when you mentioned changing them from Unbound to 1.1.1.1 as a workaround.
The purpose of that test is to review the Query Log.