Some sites are not loading with Unbound upstream

This is the log: https://tricorder.pi-hole.net/49SAgYav/

The pihole is connected to my Asus RT-AX88U router.

I have no idea why, but some sites are not loading, even if pihole is disabled. But if I change my PC's DNS to 8.8.8.8, the sites are loading. For example:

  1. e-services.clalit.co.il
  2. saas.attenix.co.il

There are more sites like that. Any idea where to start the troubleshooting?

Take a close look at the replies to the queries in your query log on the web admin GUI, and in file /var/log/pihole/pihole.log (root access needed to read this file).

You are using unbound as your upstream DNS server, which may be failing to resolve those domains.

You can run a direct dig to unbound and see how it resolves in your case.

dig e-services.clalit.co.il @127.0.0.1 -p5300

Here is a reply from my unbound for comparison. Note that I have unbound on a different port, so my command is slightly different. This doesn't affect the results though.

dig e-services.clalit.co.il @127.0.0.1 -p5335

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> e-services.clalit.co.il @127.0.0.1 -p5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60554
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;e-services.clalit.co.il.	IN	A

;; ANSWER SECTION:
e-services.clalit.co.il. 300	IN	CNAME	ucetyes.impervadns.net.
ucetyes.impervadns.net.	300	IN	A	45.60.240.36

;; Query time: 3015 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Nov 13 10:53:24 CST 2023
;; MSG SIZE  rcvd: 104

Running: dig e-services.clalit.co.il @127.0.0.1 -p5300
Gave this:

; <<>> DiG 9.16.1-Ubuntu <<>> e-services.clalit.co.il @127.0.0.1 -p5300
;; global options: +cmd
;; connection timed out; no servers could be reached

That's weird. Why would my installation of unbound behave differently than yours?

You could have a local unbound problem.

What guide did you use to install unbound? I note that you have unbound on port 5300, and the port in our guide is 5335.

What are the outputs of the following commands from the Pi terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

sudo service unbound status

What guide did you use to install unbound? I note that you have unbound on port 5300, and the port in our guide is 5335.

I used the guide from Pihole documentation, and then read more about the unbound config in reddit /r/pihole and added a few more lines. I confirmed with the support from Unbound that my configs are legitimate and shouldn't cause any issues.
As for the 3500, I figured it would be wiser to not use a common port such as 5335, but I'm more than happy to revert to 5335 if that solves something.

output 1:

/etc/unbound/unbound.conf:include: /etc/unbound/unbound.conf.d/*.conf
/etc/unbound/unbound.conf:server:
/etc/unbound/unbound.conf:    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
/etc/unbound/unbound.conf:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf:    username: "unbound"
/etc/unbound/unbound.conf:    directory: "/etc/unbound"
/etc/unbound/unbound.conf:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf:    log-time-ascii: yes
/etc/unbound/unbound.conf:    verbosity: 1
/etc/unbound/unbound.conf:    root-hints: "root.hints"
/etc/unbound/unbound.conf:    pidfile: "unbound.pid"
/etc/unbound/unbound.conf:    auto-trust-anchor-file: "/etc/unbound/root.key"
/etc/unbound/unbound.conf:
/etc/unbound/unbound.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf:    port: 5300
/etc/unbound/unbound.conf:    do-ip4: yes
/etc/unbound/unbound.conf:    do-udp: yes
/etc/unbound/unbound.conf:    do-tcp: yes
/etc/unbound/unbound.conf:    outgoing-range: 8192
/etc/unbound/unbound.conf:    num-queries-per-thread: 4096
/etc/unbound/unbound.conf:    so-rcvbuf: 4M
/etc/unbound/unbound.conf:    so-sndbuf: 4M
/etc/unbound/unbound.conf:    access-control: 127.0.0.0/8 allow
/etc/unbound/unbound.conf:    do-ip6: no
/etc/unbound/unbound.conf:    prefer-ip6: no
/etc/unbound/unbound.conf:    harden-glue: yes
/etc/unbound/unbound.conf:    harden-large-queries: yes
/etc/unbound/unbound.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf:    rrset-roundrobin: yes
/etc/unbound/unbound.conf:    cache-min-ttl: 3600
/etc/unbound/unbound.conf:    cache-max-ttl: 86400
/etc/unbound/unbound.conf:    serve-expired: yes
/etc/unbound/unbound.conf:    harden-algo-downgrade: yes
/etc/unbound/unbound.conf:    harden-short-bufsize: yes
/etc/unbound/unbound.conf:    hide-identity: yes
/etc/unbound/unbound.conf:    identity: "Server"
/etc/unbound/unbound.conf:    hide-version: yes
/etc/unbound/unbound.conf:    do-daemonize: yes
/etc/unbound/unbound.conf:    neg-cache-size: 4M
/etc/unbound/unbound.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf:    minimal-responses: yes
/etc/unbound/unbound.conf:    prefetch: yes
/etc/unbound/unbound.conf:    prefetch-key: yes
/etc/unbound/unbound.conf:    num-threads: 1
/etc/unbound/unbound.conf:    msg-cache-size: 32m
/etc/unbound/unbound.conf:    rrset-cache-size: 64m
/etc/unbound/unbound.conf:    so-reuseport: yes
/etc/unbound/unbound.conf:    unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf:    ratelimit: 1000
/etc/unbound/unbound.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf:    private-address: 192.168.1.0/16
/etc/unbound/unbound.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf:    private-domain: "home.lan"
/etc/unbound/unbound.conf:    private-domain: "plex.direct"
/etc/unbound/unbound.conf:    val-clean-additional: yes
/etc/unbound/unbound.conf:remote-control:
/etc/unbound/unbound.conf:    control-enable: yes
/etc/unbound/unbound.conf:    control-interface: 127.0.0.1
/etc/unbound/unbound.conf:    control-port: 8953
/etc/unbound/unbound.conf:auth-zone:
/etc/unbound/unbound.conf:name: "."
/etc/unbound/unbound.conf:fallback-enabled: yes
/etc/unbound/unbound.conf:for-downstream: no
/etc/unbound/unbound.conf:for-upstream: yes
/etc/unbound/unbound.conf:zonefile: "root.zone"
/etc/unbound/unbound.conf.save:server:
/etc/unbound/unbound.conf.save:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf.save:    username: "unbound"
/etc/unbound/unbound.conf.save:    directory: "/etc/unbound"
/etc/unbound/unbound.conf.save:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf.save:    root-hints: "root.hints"
/etc/unbound/unbound.conf.save:    pidfile: "unbound.pid"
/etc/unbound/unbound.conf.save:    auto-trust-anchor-file: "/etc/unbound/root.key"
/etc/unbound/unbound.conf.save:
/etc/unbound/unbound.conf.save:    verbosity: 1
/etc/unbound/unbound.conf.save:    interface: 0.0.0.0
/etc/unbound/unbound.conf.save:    port: 5300
/etc/unbound/unbound.conf.save:    do-ip4: yes
/etc/unbound/unbound.conf.save:    do-udp: yes
/etc/unbound/unbound.conf.save:    do-tcp: yes
/etc/unbound/unbound.conf.save:    outgoing-range: 8192
/etc/unbound/unbound.conf.save:    num-queries-per-thread: 4096
/etc/unbound/unbound.conf.save:    so-rcvbuf: 4M
/etc/unbound/unbound.conf.save:    so-sndbuf: 4M
/etc/unbound/unbound.conf.save:    access-control: 192.16/8 allow
/etc/unbound/unbound.conf.save:    do-ip6: no
/etc/unbound/unbound.conf.save:    prefer-ip6: no
/etc/unbound/unbound.conf.save:    harden-glue: yes
/etc/unbound/unbound.conf.save:    harden-large-queries: yes
/etc/unbound/unbound.conf.save:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.save:    rrset-roundrobin: yes
/etc/unbound/unbound.conf.save:    cache-min-ttl: 3600
/etc/unbound/unbound.conf.save:    cache-max-ttl: 86400
/etc/unbound/unbound.conf.save:    serve-expired: yes
/etc/unbound/unbound.conf.save:    harden-algo-downgrade: yes
/etc/unbound/unbound.conf.save:    harden-short-bufsize: yes
/etc/unbound/unbound.conf.save:    hide-identity: yes
/etc/unbound/unbound.conf.save:    identity: "Server"
/etc/unbound/unbound.conf.save:    hide-version: yes
/etc/unbound/unbound.conf.save:    do-daemonize: yes
/etc/unbound/unbound.conf.save:    neg-cache-size: 4M
/etc/unbound/unbound.conf.save:    qname-minimisation: yes
/etc/unbound/unbound.conf.save:    minimal-responses: yes
/etc/unbound/unbound.conf.save:    prefetch: yes
/etc/unbound/unbound.conf.save:    prefetch-key: yes
/etc/unbound/unbound.conf.save:    num-threads: 1
/etc/unbound/unbound.conf.save:    msg-cache-size: 32m
/etc/unbound/unbound.conf.save:    rrset-cache-size: 64m
/etc/unbound/unbound.conf.save:    so-reuseport: yes
/etc/unbound/unbound.conf.save:    unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf.save:    ratelimit: 1000
/etc/unbound/unbound.conf.save:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.save:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.save:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.save:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.save:    private-address: fd00::/8
/etc/unbound/unbound.conf.save:    private-address: fe80::/10
/etc/unbound/unbound.conf.save:    private-domain: "home.lan"
/etc/unbound/unbound.conf.save:    private-domain: "plex.direct"
/etc/unbound/unbound.conf.save:    val-clean-additional: yes
/etc/unbound/unbound.conf.save:remote-control:
/etc/unbound/unbound.conf.save:    control-enable: yes
/etc/unbound/unbound.conf.save:    control-interface: 127.0.0.1
/etc/unbound/unbound.conf.save:auth-zone:
/etc/unbound/unbound.conf.save:name: "."
/etc/unbound/unbound.conf.save:fallback-enabled: yes
/etc/unbound/unbound.conf.save:for-downstream: no
/etc/unbound/unbound.conf.save:for-upstream: yes
/etc/unbound/unbound.conf.save:zonefile: "root.zone"
/etc/unbound/unbound.conf.save.1:    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
/etc/unbound/unbound.conf.save.1:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf.save.1:    username: "unbound"
/etc/unbound/unbound.conf.save.1:    directory: "/etc/unbound"
/etc/unbound/unbound.conf.save.1:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf.save.1:    root-hints: "root.hints"
/etc/unbound/unbound.conf.save.1:    pidfile: "unbound.pid"
/etc/unbound/unbound.conf.save.1:    auto-trust-anchor-file: "/etc/unbound/root.key"
/etc/unbound/unbound.conf.save.1:
/etc/unbound/unbound.conf.save.1:    verbosity: 1
/etc/unbound/unbound.conf.save.1:    interface: 127.0.0.1
/etc/unbound/unbound.conf.save.1:    port: 5300
/etc/unbound/unbound.conf.save.1:    do-ip4: yes
/etc/unbound/unbound.conf.save.1:    do-udp: yes
/etc/unbound/unbound.conf.save.1:    do-tcp: yes
/etc/unbound/unbound.conf.save.1:    outgoing-range: 8192
/etc/unbound/unbound.conf.save.1:    num-queries-per-thread: 4096
/etc/unbound/unbound.conf.save.1:    so-rcvbuf: 4M
/etc/unbound/unbound.conf.save.1:    so-sndbuf: 4M
/etc/unbound/unbound.conf.save.1:    access-control: 127.0.0.0/8 allow
/etc/unbound/unbound.conf.save.1:    do-ip6: no
/etc/unbound/unbound.conf.save.1:    prefer-ip6: no
/etc/unbound/unbound.conf.save.1:    harden-glue: yes
/etc/unbound/unbound.conf.save.1:    harden-large-queries: yes
/etc/unbound/unbound.conf.save.1:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.save.1:    use-caps-for-id: no
/etc/unbound/unbound.conf.save.1:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save.1:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.save.1:    rrset-roundrobin: yes
/etc/unbound/unbound.conf.save.1:    cache-min-ttl: 3600
/etc/unbound/unbound.conf.save.1:    cache-max-ttl: 86400
/etc/unbound/unbound.conf.save.1:    serve-expired: yes
/etc/unbound/unbound.conf.save.1:    harden-algo-downgrade: yes
/etc/unbound/unbound.conf.save.1:    harden-short-bufsize: yes
/etc/unbound/unbound.conf.save.1:    hide-identity: yes
/etc/unbound/unbound.conf.save.1:    identity: "Server"
/etc/unbound/unbound.conf.save.1:    hide-version: yes
/etc/unbound/unbound.conf.save.1:    do-daemonize: yes
/etc/unbound/unbound.conf.save.1:    neg-cache-size: 4M
/etc/unbound/unbound.conf.save.1:    qname-minimisation: yes
/etc/unbound/unbound.conf.save.1:    minimal-responses: yes
/etc/unbound/unbound.conf.save.1:    prefetch: yes
/etc/unbound/unbound.conf.save.1:    prefetch-key: yes
/etc/unbound/unbound.conf.save.1:    num-threads: 1
/etc/unbound/unbound.conf.save.1:    msg-cache-size: 32m
/etc/unbound/unbound.conf.save.1:    rrset-cache-size: 64m
/etc/unbound/unbound.conf.save.1:    so-reuseport: yes
/etc/unbound/unbound.conf.save.1:    unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf.save.1:    ratelimit: 1000
/etc/unbound/unbound.conf.save.1:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.save.1:    private-address: 192.168.1.0/16
/etc/unbound/unbound.conf.save.1:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.save.1:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.save.1:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.save.1:    private-address: fd00::/8
/etc/unbound/unbound.conf.save.1:    private-address: fe80::/10
/etc/unbound/unbound.conf.save.1:    private-domain: "home.lan"
/etc/unbound/unbound.conf.save.1:    private-domain: "plex.direct"
/etc/unbound/unbound.conf.save.1:    val-clean-additional: yes
/etc/unbound/unbound.conf.save.1:remote-control:
/etc/unbound/unbound.conf.save.1:    control-enable: yes
/etc/unbound/unbound.conf.save.1:    control-interface: 127.0.0.1
/etc/unbound/unbound.conf.save.1:auth-zone:
/etc/unbound/unbound.conf.save.1:name: "."
/etc/unbound/unbound.conf.save.1:fallback-enabled: yes
/etc/unbound/unbound.conf.save.1:for-downstream: no
/etc/unbound/unbound.conf.save.1:for-upstream: yes
/etc/unbound/unbound.conf.save.1:zonefile: "root.zone"

2nd output:

 sudo service unbound status
● unbound.service - Unbound DNS resolver
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2023-10-15 09:17:07 IDT; 4 weeks 2 days ago
     Docs: man:unbound(8)
 Main PID: 508 (unbound)
    Tasks: 1 (limit: 2059)
   CGroup: /system.slice/unbound.service
           └─508 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d

Oct 15 09:17:06 raspberrypi systemd[1]: Starting Unbound DNS resolver...
Oct 15 09:17:07 raspberrypi systemd[1]: Started Unbound DNS resolver.
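
An added example (not from any poster or from the Pi-hole project): it reads `grep -R` output like the dump above, separates the files unbound actually loads (the `-c` file plus its `include:` globs) from files that only match the shell glob `unbound.conf*`, and lists what differs from the guide values quoted later in this thread. The function names, the `REPEATABLE` set and the shortened sample are assumptions of this example.

```python
import fnmatch
import ipaddress
from collections import defaultdict

# Values from the Pi-hole guide's pi-hole.conf as quoted in this thread.
GUIDE = {
    "verbosity": "0", "interface": "127.0.0.1", "port": "5335",
    "do-ip4": "yes", "do-udp": "yes", "do-tcp": "yes", "do-ip6": "no",
    "prefer-ip6": "no", "harden-glue": "yes", "harden-dnssec-stripped": "yes",
    "use-caps-for-id": "no", "edns-buffer-size": "1232", "prefetch": "yes",
    "num-threads": "1", "so-rcvbuf": "1m",
}
# Directives that may appear several times; everything else is treated as
# single-valued (an assumption of this example, not a statement about unbound).
REPEATABLE = {"private-address", "private-domain", "access-control", "interface"}
NETBLOCK = {"private-address", "access-control"}

# Constructed sample: a shortened subset of the grep output posted above.
SAMPLE = """\
/etc/unbound/unbound.conf:include: /etc/unbound/unbound.conf.d/*.conf
/etc/unbound/unbound.conf:server:
/etc/unbound/unbound.conf:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf:    verbosity: 1
/etc/unbound/unbound.conf:
/etc/unbound/unbound.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf:    port: 5300
/etc/unbound/unbound.conf:    so-rcvbuf: 4M
/etc/unbound/unbound.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf:    private-address: 192.168.1.0/16
/etc/unbound/unbound.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf:auth-zone:
/etc/unbound/unbound.conf:name: "."
/etc/unbound/unbound.conf.save:server:
/etc/unbound/unbound.conf.save:    interface: 0.0.0.0
/etc/unbound/unbound.conf.save:    access-control: 192.16/8 allow
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
"""


def parse(grep_output):
    """Return {path: [(clause, directive, value), ...]} from 'path:line' rows."""
    files, clause = defaultdict(list), {}
    for raw in grep_output.splitlines():
        path, _, rest = raw.partition(":")
        key, colon, value = rest.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not colon:
            continue                    # whitespace-only line kept by grep -v '^$'
        if not value:
            clause[path] = key          # clause header such as "server:"
            continue
        files[path].append((clause.get(path, ""), key, value.strip('"')))
    return dict(files)


def netblock_issue(token):
    """Return None for a clean address/prefix, otherwise a description."""
    try:
        ipaddress.ip_network(token, strict=True)
        return None
    except ValueError:
        pass
    try:
        canonical = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return "does not parse as an address/prefix"
    return f"host bits set, same block as {canonical}"


def audit(grep_output, entry="/etc/unbound/unbound.conf"):
    """Return findings as (scope, kind, detail); one include level is followed."""
    files = parse(grep_output)
    globs = [v for _, k, v in files.get(entry, [])
             if k in ("include", "include-toplevel")]
    loaded = [p for p in files
              if p == entry or any(fnmatch.fnmatchcase(p, g) for g in globs)]
    findings, merged = [], defaultdict(list)
    for path, rows in files.items():
        if path not in loaded:
            findings.append((path, "not-loaded", "matched by the shell glob only"))
        seen = defaultdict(list)
        for clause, key, value in rows:
            if clause != "server":
                continue
            seen[key].append(value)
            if path in loaded:
                merged[key].append(value)
            issue = netblock_issue(value.split()[0]) if key in NETBLOCK else None
            if issue:
                findings.append((path, "netblock", f"{key} {value}: {issue}"))
        for key, values in seen.items():
            if len(values) > 1 and key not in REPEATABLE:
                findings.append((path, "repeated", f"{key}: {values}"))
    for key, values in merged.items():
        if key in GUIDE and {v.lower() for v in values} != {GUIDE[key]}:
            findings.append(("active", "changed",
                             f"{key}: guide {GUIDE[key]}, found {values}"))
        elif key not in GUIDE and key != "private-address":
            findings.append(("active", "extra", key))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The "extra" and "changed" findings are the directives to reintroduce one at a time after the guide configuration is confirmed working.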

Up log verbosity from default 0 to 3 with below:

pi@ph5a:~ $ sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 3
[..]

Save/exit and reload:

pi@ph5a:~ $ sudo systemctl reload unbound.service
pi@ph5a:~ $

Tail the unbound journals live with below:

pi@ph5a:~ $ sudo journalctl --full --follow --priority 4 -u unbound.service
-- Logs begin at Thu 2023-11-09 02:39:01 CET. --

When performing below dig in another SSH session, what errors/warnings are displayed in the journals ... if any?

dig e-services.clalit.co.il @127.0.0.1 -p5300

After diagnosing, set verbosity back to 0 and reload unbound again!

Above I'm experimenting a bit with the --priority 4 argument for the first time.
So if no errors/warnings are displayed, you could also do the same but omitting the --priority 4 argument to see if any errors/warnings are displayed when running the dig.
Or even try upping verbosity to 5:

pi@ph5a:~ $ man unbound.conf
[..]
       verbosity: <number>
              The  verbosity  number,  level 0 means no verbosity, only er‐
              rors. Level 1 gives operational information.  Level  2  gives
              detailed  operational  information. Level 3 gives query level
              information, output per query.  Level 4 gives algorithm level
              information.   Level  5  logs client identification for cache
              misses.  Default is level 1.  The verbosity can also  be  in‐
              creased from the commandline, see unbound(8).

I set the verbosity to 3, and then 5, but there's nothing unusual when I run the dig command.
What I get is:

pi@raspberrypi:~ $ sudo journalctl --full --follow -u unbound.service
-- Logs begin at Tue 2023-11-14 17:22:25 IST. --
Nov 15 10:57:39 raspberrypi systemd[1]: Started Unbound DNS resolver.
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: increased limit(open files) from 1024 to 8236
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: creating udp4 socket 127.0.0.1 5335
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: creating tcp4 socket 127.0.0.1 5335
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: creating tcp4 socket 127.0.0.1 8953
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: setup SSL certificates
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: chdir to /etc/unbound
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: chroot to /etc/unbound
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: drop user privileges, run as unbound
Nov 15 10:57:39 raspberrypi unbound[8060]: Nov 15 10:57:39 unbound[8060:0] debug: switching log to /etc/unbound/unbound.log
Nov 15 11:00:11 raspberrypi systemd[1]: Stopping Unbound DNS resolver...
Nov 15 11:00:11 raspberrypi unbound-control[8151]: ok
Nov 15 11:00:11 raspberrypi systemd[1]: unbound.service: Succeeded.
Nov 15 11:00:11 raspberrypi systemd[1]: Stopped Unbound DNS resolver.
Nov 15 11:00:11 raspberrypi systemd[1]: Starting Unbound DNS resolver...
Nov 15 11:00:11 raspberrypi systemd[1]: Started Unbound DNS resolver.
pi@raspberrypi:~ $ dig e-services.clalit.co.il @127.0.0.1 -p5335

; <<>> DiG 9.11.5-P4-5.1+deb10u9-Raspbian <<>> e-services.clalit.co.il @127.0.0.1 -p5335
;; global options: +cmd
;; connection timed out; no servers could be reached
pi@raspberrypi:~ $

p.s. - I reverted my ports to the default 5335

Upping verbosity to 3 should log individual queries in the journals.

Your unbound configuration is not according to the official Pi-hole guide.
Revert back to the guide's configuration or I won't be able to help.
You can always add directives later when you get things working properly first.

Below is how it looks for Raspbian Bullseye:

pi@ph5b:~ $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

Older Raspbian releases are slightly different with an include directive instead of include-toplevel.

Oh, that's probably because of below:

EDIT:
syslog has been replaced with the journals since systemd took over:

dehakkelaar@ph6b:~$ cat /var/log/README
You are looking for the traditional text log files in /var/log, and they are
gone?

Here's an explanation on what's going on:

You are running a systemd-based OS where traditional syslog has been replaced
with the Journal. The journal stores the same (and more) information as classic
syslog. To make use of the journal and access the collected log data simply
invoke "journalctl", which will output the logs in the identical text-based
format the syslog files in /var/log used to be. For further details, please
refer to journalctl(1).

Alternatively, consider installing one of the traditional syslog
implementations available for your distribution, which will generate the
classic log files for you. Syslog implementations such as syslog-ng or rsyslog
may be installed side-by-side with the journal and will continue to function
the way they always did.

Thank you!

Further reading:
        man:journalctl(1)
        man:systemd-journald.service(8)
        man:journald.conf(5)
        https://0pointer.de/blog/projects/the-journal.html

I reverted my unbound.conf to be exactly as in the pihole documentation:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

The issue persists.

Have you adjusted the port on the tests to now be 5335 instead of 5300?

With the new config in place would you please do another debug log and post the token URL? Thanks.

@chrislph

Yes, I have updated the ports accordingly:

pi@raspberrypi:~ $ dig e-services.clalit.co.il @127.0.0.1 -p5335

; <<>> DiG 9.11.5-P4-5.1+deb10u9-Raspbian <<>> e-services.clalit.co.il @127.0.0.1 -p5335
;; global options: +cmd
;; connection timed out; no servers could be reached
pi@raspberrypi:~ $

Here's the new debug link: https://tricorder.pi-hole.net/sT6mGgrG/

Thanks.

This error implies that the dig command running on your Pi-hole cannot communicate with the Unbound service running on the same Pi-hole. The debug log shows Unbound is running. The Unbound service is attached only to localhost, so that Pi-hole can access it but nothing external can. The symptoms you describe imply that even Pi-hole may not be able to access it.

The only thing I can think of is that something specific to how you are connected to it, or the Avahi service, or a leftover config from your previous setup, is preventing dig from seeing this service on the same machine.

In this situation I would be removing all traces of Unbound completely and confirming Pi-hole works with one of the inbuilt upstreams, and then installing Unbound from the guide and testing it anew. I appreciate that's a bit of messing around. Someone else may have an idea how to fix it with the existing installation.

I've also seen "connection timed out" if unbound fails to connect to one of its upstream DNS servers.
Just to be sure, below one does provide you an answer section right?

dig @127.0.0.1 -p 5335 pi-hole.net

Have you upped verbosity to 3 now and tailed the journals live to see if anything gets processed when running dig?

And could you post output for below one more time pls?

sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
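
An added example (not from any poster): it applies the reasoning of the two replies above to several dig transcripts taken against the same listener. A timeout for every name is inconclusive, while a timeout for one name next to an answer for another shows that the listener itself is reachable. The transcripts are abridged from ones posted in this thread; the function and verdict names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged from dig transcripts posted in this thread.
DIG_OK = """\
; <<>> DiG 9.11.5-P4-5.1+deb10u9-Raspbian <<>> @127.0.0.1 -p 5335 pi-hole.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65008
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 116 msec
"""
DIG_TIMEOUT = """\
; <<>> DiG 9.11.5-P4-5.1+deb10u9-Raspbian <<>> e-services.clalit.co.il @127.0.0.1 -p5335
;; global options: +cmd
;; connection timed out; no servers could be reached
"""


def parse_dig(text):
    """Pull the triage-relevant fields out of one dig transcript."""
    banner = re.search(r"<<>> DiG \S+ <<>> (.*)", text)
    args = banner.group(1) if banner else ""
    server = re.search(r"@(\S+)", args)
    port = re.search(r"(?:^|\s)-p\s*(\d+)", args)   # accepts "-p5335" and "-p 5335"
    name = next((t for t in args.split()
                 if t[0] not in "@-+" and not t.isdigit()), "?")
    status = re.search(r"status: (\w+)", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    msec = re.search(r"Query time: (\d+) msec", text)
    return {
        "name": name,
        "endpoint": f"{server.group(1) if server else 'default'}"
                    f"#{port.group(1) if port else '53'}",
        "timed_out": "connection timed out" in text,
        "status": status.group(1) if status else None,
        "answers": int(answers.group(1)) if answers else 0,
        "msec": int(msec.group(1)) if msec else None,
    }


def triage(transcripts):
    """Return {endpoint: (verdict, affected names)} for a set of dig runs."""
    by_endpoint = defaultdict(list)
    for text in transcripts:
        rec = parse_dig(text)
        by_endpoint[rec["endpoint"]].append(rec)
    report = {}
    for endpoint, recs in by_endpoint.items():
        stalled = sorted(r["name"] for r in recs if r["timed_out"])
        failed = sorted(r["name"] for r in recs
                        if r["status"] not in (None, "NOERROR"))
        answered = [r for r in recs if r["status"] is not None]
        if stalled and not answered:
            # Listener down, or every lookup stalled: query a known-good name.
            verdict = "inconclusive"
        elif stalled:
            # The listener answers, so the timeout is specific to these names.
            verdict = "listener-ok-recursion-stalls"
        elif failed:
            verdict = "resolver-error"
        else:
            verdict = "ok"
        report[endpoint] = (verdict, stalled or failed)
    return report


if __name__ == "__main__":
    print(triage([DIG_TIMEOUT]))
    print(triage([DIG_TIMEOUT, DIG_OK]))
```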

Yes, here is the result:

pi@raspberrypi:~ $ dig @127.0.0.1 -p 5335 pi-hole.net

; <<>> DiG 9.11.5-P4-5.1+deb10u9-Raspbian <<>> @127.0.0.1 -p 5335 pi-hole.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65008
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            300     IN      A       3.18.136.52

;; Query time: 116 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fri Nov 17 18:09:05 IST 2023
;; MSG SIZE  rcvd: 56

I don't have unbound.service. I have unbound.

pi@raspberrypi:~ $ sudo systemctl reload unbound.service
Job for unbound.service failed.
See "systemctl status unbound.service" and "journalctl -xe" for details.
pi@raspberrypi:~ $ sudo systemctl status unbound
● unbound.service - Unbound DNS resolver
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-11-17 18:08:06 IST; 2min 41s ago
     Docs: man:unbound(8)
  Process: 17843 ExecStartPre=/usr/sbin/unbound-anchor -r /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
  Process: 17930 ExecReload=/usr/sbin/unbound-control -c /etc/unbound/unbound.conf reload (code=exited, status=1/FAILURE
 Main PID: 17844 (unbound)
    Tasks: 1 (limit: 2059)
   CGroup: /system.slice/unbound.service
           └─17844 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d

Nov 17 18:09:05 raspberrypi unbound[17844]: [17844:0] info: query response was ANSWER
Nov 17 18:09:05 raspberrypi unbound[17844]: [17844:0] info: finishing processing for pi-hole.net. A IN
Nov 17 18:09:05 raspberrypi unbound[17844]: [17844:0] debug: validator[module 0] operate: extstate:module_wait_module ev
Nov 17 18:09:05 raspberrypi unbound[17844]: [17844:0] info: validator operate: query pi-hole.net. A IN
Nov 17 18:09:05 raspberrypi unbound[17844]: [17844:0] debug: cache memory msg=34066 rrset=45510 infra=4900 val=33672
Nov 17 18:10:33 raspberrypi systemd[1]: Reloading Unbound DNS resolver.
Nov 17 18:10:33 raspberrypi unbound-control[17930]: [1700237433] unbound-control[17930:0] warning: control-enable is 'no
Nov 17 18:10:33 raspberrypi unbound-control[17930]: [1700237433] unbound-control[17930:0] error: connect: Connection ref
Nov 17 18:10:33 raspberrypi systemd[1]: unbound.service: Control process exited, code=exited, status=1/FAILURE
Nov 17 18:10:33 raspberrypi systemd[1]: Reload failed for Unbound DNS resolver.

BUT if I run: sudo systemctl restart unbound

pi@raspberrypi:~ $ sudo systemctl restart unbound
pi@raspberrypi:~ $ sudo systemctl status unbound
● unbound.service - Unbound DNS resolver
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-11-17 18:11:07 IST; 2s ago
     Docs: man:unbound(8)
  Process: 17950 ExecStartPre=/usr/sbin/unbound-anchor -r /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
 Main PID: 17951 (unbound)
    Tasks: 1 (limit: 2059)
   CGroup: /system.slice/unbound.service
           └─17951 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d

Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: module config: "validator iterator"
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] notice: init module 0: validator
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] notice: init module 1: iterator
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: target fetch policy for level 0 is 3
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: target fetch policy for level 1 is 2
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: target fetch policy for level 2 is 1
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: target fetch policy for level 3 is 0
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: target fetch policy for level 4 is 0
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] debug: cache memory msg=33056 rrset=33056 infra=3968 val=33216
Nov 17 18:11:07 raspberrypi unbound[17951]: [17951:0] info: start of service (unbound 1.18.0).
pi@raspberrypi:~ $ sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:server:
/etc/unbound/unbound.conf:    verbosity: 3
/etc/unbound/unbound.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf:    port: 5335
/etc/unbound/unbound.conf:    do-ip4: yes
/etc/unbound/unbound.conf:    do-udp: yes
/etc/unbound/unbound.conf:    do-tcp: yes
/etc/unbound/unbound.conf:    do-ip6: no
/etc/unbound/unbound.conf:    prefer-ip6: no
/etc/unbound/unbound.conf:    harden-glue: yes
/etc/unbound/unbound.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf:    prefetch: yes
/etc/unbound/unbound.conf:    num-threads: 1
/etc/unbound/unbound.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.bak:include: /etc/unbound/unbound.conf.d/*.conf
/etc/unbound/unbound.conf.bak:server:
/etc/unbound/unbound.conf.bak:    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
/etc/unbound/unbound.conf.bak:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf.bak:    username: "unbound"
/etc/unbound/unbound.conf.bak:    directory: "/etc/unbound"
/etc/unbound/unbound.conf.bak:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf.bak:    log-time-ascii: yes
/etc/unbound/unbound.conf.bak:    verbosity: 0
/etc/unbound/unbound.conf.bak:    root-hints: "root.hints"
/etc/unbound/unbound.conf.bak:    pidfile: "unbound.pid"
/etc/unbound/unbound.conf.bak:    auto-trust-anchor-file: "/etc/unbound/root.key"
/etc/unbound/unbound.conf.bak:
/etc/unbound/unbound.conf.bak:    interface: 127.0.0.1
/etc/unbound/unbound.conf.bak:    port: 5335
/etc/unbound/unbound.conf.bak:    do-ip4: yes
/etc/unbound/unbound.conf.bak:    do-udp: yes
/etc/unbound/unbound.conf.bak:    do-tcp: yes
/etc/unbound/unbound.conf.bak:    outgoing-range: 8192
/etc/unbound/unbound.conf.bak:    num-queries-per-thread: 4096
/etc/unbound/unbound.conf.bak:    so-rcvbuf: 4M
/etc/unbound/unbound.conf.bak:    so-sndbuf: 4M
/etc/unbound/unbound.conf.bak:    access-control: 127.0.0.0/8 allow
/etc/unbound/unbound.conf.bak:    do-ip6: no
/etc/unbound/unbound.conf.bak:    prefer-ip6: no
/etc/unbound/unbound.conf.bak:    harden-glue: yes
/etc/unbound/unbound.conf.bak:    harden-large-queries: yes
/etc/unbound/unbound.conf.bak:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.bak:    use-caps-for-id: no
/etc/unbound/unbound.conf.bak:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.bak:    rrset-roundrobin: yes
/etc/unbound/unbound.conf.bak:    cache-min-ttl: 3600
/etc/unbound/unbound.conf.bak:    cache-max-ttl: 86400
/etc/unbound/unbound.conf.bak:    serve-expired: yes
/etc/unbound/unbound.conf.bak:    harden-algo-downgrade: yes
/etc/unbound/unbound.conf.bak:    harden-short-bufsize: yes
/etc/unbound/unbound.conf.bak:    hide-identity: yes
/etc/unbound/unbound.conf.bak:    identity: "Server"
/etc/unbound/unbound.conf.bak:    hide-version: yes
/etc/unbound/unbound.conf.bak:    do-daemonize: yes
/etc/unbound/unbound.conf.bak:    neg-cache-size: 4M
/etc/unbound/unbound.conf.bak:    qname-minimisation: yes
/etc/unbound/unbound.conf.bak:    minimal-responses: yes
/etc/unbound/unbound.conf.bak:    prefetch: yes
/etc/unbound/unbound.conf.bak:    prefetch-key: yes
/etc/unbound/unbound.conf.bak:    num-threads: 1
/etc/unbound/unbound.conf.bak:    msg-cache-size: 32m
/etc/unbound/unbound.conf.bak:    rrset-cache-size: 64m
/etc/unbound/unbound.conf.bak:    so-reuseport: yes
/etc/unbound/unbound.conf.bak:    unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf.bak:    ratelimit: 1000
/etc/unbound/unbound.conf.bak:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.bak:    private-address: 192.168.1.0/16
/etc/unbound/unbound.conf.bak:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.bak:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.bak:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.bak:    private-address: fd00::/8
/etc/unbound/unbound.conf.bak:    private-address: fe80::/10
/etc/unbound/unbound.conf.bak:    private-domain: "home.lan"
/etc/unbound/unbound.conf.bak:    private-domain: "plex.direct"
/etc/unbound/unbound.conf.bak:    val-clean-additional: yes
/etc/unbound/unbound.conf.bak:remote-control:
/etc/unbound/unbound.conf.bak:    control-enable: yes
/etc/unbound/unbound.conf.bak:    control-interface: 127.0.0.1
/etc/unbound/unbound.conf.bak:    control-port: 8953
/etc/unbound/unbound.conf.bak:auth-zone:
/etc/unbound/unbound.conf.bak:name: "."
/etc/unbound/unbound.conf.bak:master: 192.5.5.241 # f.root-servers.net
/etc/unbound/unbound.conf.bak:master: 2001:500:2f::f # f.root-servers.net
/etc/unbound/unbound.conf.bak:master: 192.0.32.132 # lax.xfr.dns.icann.org
/etc/unbound/unbound.conf.bak:master: 192.0.47.132 # iad.xfr.dns.icann.org
/etc/unbound/unbound.conf.bak:master: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org
/etc/unbound/unbound.conf.bak:master: 2620:0:2830:202::132 # iad.xfr.dns.icann.org
/etc/unbound/unbound.conf.bak:fallback-enabled: yes
/etc/unbound/unbound.conf.bak:for-downstream: no
/etc/unbound/unbound.conf.bak:for-upstream: yes
/etc/unbound/unbound.conf.bak:zonefile: "root.zone"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.save:server:
/etc/unbound/unbound.conf.save:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf.save:    username: "unbound"
/etc/unbound/unbound.conf.save:    directory: "/etc/unbound"
/etc/unbound/unbound.conf.save:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf.save:    root-hints: "root.hints"
/etc/unbound/unbound.conf.save:    pidfile: "unbound.pid"
/etc/unbound/unbound.conf.save:    auto-trust-anchor-file: "/etc/unbound/root.key"
/etc/unbound/unbound.conf.save:
/etc/unbound/unbound.conf.save:    verbosity: 1
/etc/unbound/unbound.conf.save:    interface: 0.0.0.0
/etc/unbound/unbound.conf.save:    port: 5300
/etc/unbound/unbound.conf.save:    do-ip4: yes
/etc/unbound/unbound.conf.save:    do-udp: yes
/etc/unbound/unbound.conf.save:    do-tcp: yes
/etc/unbound/unbound.conf.save:    outgoing-range: 8192
/etc/unbound/unbound.conf.save:    num-queries-per-thread: 4096
/etc/unbound/unbound.conf.save:    so-rcvbuf: 4M
/etc/unbound/unbound.conf.save:    so-sndbuf: 4M
/etc/unbound/unbound.conf.save:    access-control: 192.16/8 allow
/etc/unbound/unbound.conf.save:    do-ip6: no
/etc/unbound/unbound.conf.save:    prefer-ip6: no
/etc/unbound/unbound.conf.save:    harden-glue: yes
/etc/unbound/unbound.conf.save:    harden-large-queries: yes
/etc/unbound/unbound.conf.save:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.save:    rrset-roundrobin: yes
/etc/unbound/unbound.conf.save:    cache-min-ttl: 3600
/etc/unbound/unbound.conf.save:    cache-max-ttl: 86400
/etc/unbound/unbound.conf.save:    serve-expired: yes
/etc/unbound/unbound.conf.save:    harden-algo-downgrade: yes
/etc/unbound/unbound.conf.save:    harden-short-bufsize: yes
/etc/unbound/unbound.conf.save:    hide-identity: yes
/etc/unbound/unbound.conf.save:    identity: "Server"
/etc/unbound/unbound.conf.save:    hide-version: yes
/etc/unbound/unbound.conf.save:    do-daemonize: yes
/etc/unbound/unbound.conf.save:    neg-cache-size: 4M
/etc/unbound/unbound.conf.save:    qname-minimisation: yes
/etc/unbound/unbound.conf.save:    minimal-responses: yes
/etc/unbound/unbound.conf.save:    prefetch: yes
/etc/unbound/unbound.conf.save:    prefetch-key: yes
/etc/unbound/unbound.conf.save:    num-threads: 1
/etc/unbound/unbound.conf.save:    msg-cache-size: 32m
/etc/unbound/unbound.conf.save:    rrset-cache-size: 64m
/etc/unbound/unbound.conf.save:    so-reuseport: yes
/etc/unbound/unbound.conf.save:    unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf.save:    ratelimit: 1000
/etc/unbound/unbound.conf.save:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.save:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.save:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.save:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.save:    private-address: fd00::/8
/etc/unbound/unbound.conf.save:    private-address: fe80::/10
/etc/unbound/unbound.conf.save:    private-domain: "home.lan"
/etc/unbound/unbound.conf.save:    private-domain: "plex.direct"
/etc/unbound/unbound.conf.save:    val-clean-additional: yes
/etc/unbound/unbound.conf.save:remote-control:
/etc/unbound/unbound.conf.save:    control-enable: yes
/etc/unbound/unbound.conf.save:    control-interface: 127.0.0.1
/etc/unbound/unbound.conf.save:auth-zone:
/etc/unbound/unbound.conf.save:name: "."
/etc/unbound/unbound.conf.save:master: 192.5.5.241 # f.root-servers.net
/etc/unbound/unbound.conf.save:master: 2001:500:2f::f # f.root-servers.net
/etc/unbound/unbound.conf.save:master: 192.0.32.132 # lax.xfr.dns.icann.org
/etc/unbound/unbound.conf.save:master: 192.0.47.132 # iad.xfr.dns.icann.org
/etc/unbound/unbound.conf.save:master: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org
/etc/unbound/unbound.conf.save:master: 2620:0:2830:202::132 # iad.xfr.dns.icann.org
/etc/unbound/unbound.conf.save:fallback-enabled: yes
/etc/unbound/unbound.conf.save:for-downstream: no
/etc/unbound/unbound.conf.save:for-upstream: yes
/etc/unbound/unbound.conf.save:zonefile: "root.zone"
/etc/unbound/unbound.conf.save.1:    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
/etc/unbound/unbound.conf.save.1:    chroot: "/etc/unbound"
/etc/unbound/unbound.conf.save.1:    username: "unbound"
/etc/unbound/unbound.conf.save.1:    directory: "/etc/unbound"
/etc/unbound/unbound.conf.save.1:    logfile: "/etc/unbound/unbound.log"
/etc/unbound/unbound.conf.save.1:    root-hints: "root.hints"
/etc/unbound/unbound.conf.save.1:    pidfile: "unbound.pid"
/etc/unbound/unbound.conf.save.1:    auto-trust-anchor-file: "/etc/unbound/root.key"
/etc/unbound/unbound.conf.save.1:
/etc/unbound/unbound.conf.save.1:    verbosity: 1
/etc/unbound/unbound.conf.save.1:    interface: 127.0.0.1
/etc/unbound/unbound.conf.save.1:    port: 5300
/etc/unbound/unbound.conf.save.1:    do-ip4: yes
/etc/unbound/unbound.conf.save.1:    do-udp: yes
/etc/unbound/unbound.conf.save.1:    do-tcp: yes
/etc/unbound/unbound.conf.save.1:    outgoing-range: 8192
/etc/unbound/unbound.conf.save.1:    num-queries-per-thread: 4096
/etc/unbound/unbound.conf.save.1:    so-rcvbuf: 4M
/etc/unbound/unbound.conf.save.1:    so-sndbuf: 4M
/etc/unbound/unbound.conf.save.1:    access-control: 127.0.0.0/8 allow
/etc/unbound/unbound.conf.save.1:    do-ip6: no
/etc/unbound/unbound.conf.save.1:    prefer-ip6: no
/etc/unbound/unbound.conf.save.1:    harden-glue: yes
/etc/unbound/unbound.conf.save.1:    harden-large-queries: yes
/etc/unbound/unbound.conf.save.1:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.save.1:    use-caps-for-id: no
/etc/unbound/unbound.conf.save.1:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save.1:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.save.1:    rrset-roundrobin: yes
/etc/unbound/unbound.conf.save.1:    cache-min-ttl: 3600
/etc/unbound/unbound.conf.save.1:    cache-max-ttl: 86400
/etc/unbound/unbound.conf.save.1:    serve-expired: yes
/etc/unbound/unbound.conf.save.1:    harden-algo-downgrade: yes
/etc/unbound/unbound.conf.save.1:    harden-short-bufsize: yes
/etc/unbound/unbound.conf.save.1:    hide-identity: yes
/etc/unbound/unbound.conf.save.1:    identity: "Server"
/etc/unbound/unbound.conf.save.1:    hide-version: yes
/etc/unbound/unbound.conf.save.1:    do-daemonize: yes
/etc/unbound/unbound.conf.save.1:    neg-cache-size: 4M
/etc/unbound/unbound.conf.save.1:    qname-minimisation: yes
/etc/unbound/unbound.conf.save.1:    minimal-responses: yes
/etc/unbound/unbound.conf.save.1:    prefetch: yes
/etc/unbound/unbound.conf.save.1:    prefetch-key: yes
/etc/unbound/unbound.conf.save.1:    num-threads: 1
/etc/unbound/unbound.conf.save.1:    msg-cache-size: 32m
/etc/unbound/unbound.conf.save.1:    rrset-cache-size: 64m
/etc/unbound/unbound.conf.save.1:    so-reuseport: yes
/etc/unbound/unbound.conf.save.1:    unwanted-reply-threshold: 10000
/etc/unbound/unbound.conf.save.1:    ratelimit: 1000
/etc/unbound/unbound.conf.save.1:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.save.1:    private-address: 192.168.1.0/16
/etc/unbound/unbound.conf.save.1:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.save.1:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.save.1:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.save.1:    private-address: fd00::/8
/etc/unbound/unbound.conf.save.1:    private-address: fe80::/10
/etc/unbound/unbound.conf.save.1:    private-domain: "home.lan"
/etc/unbound/unbound.conf.save.1:    private-domain: "plex.direct"
/etc/unbound/unbound.conf.save.1:    val-clean-additional: yes
/etc/unbound/unbound.conf.save.1:remote-control:
/etc/unbound/unbound.conf.save.1:    control-enable: yes
/etc/unbound/unbound.conf.save.1:    control-interface: 127.0.0.1
/etc/unbound/unbound.conf.save.1:auth-zone:
/etc/unbound/unbound.conf.save.1:name: "."
/etc/unbound/unbound.conf.save.1:master: 192.5.5.241 # f.root-servers.net
/etc/unbound/unbound.conf.save.1:master: 2001:500:2f::f # f.root-servers.net
/etc/unbound/unbound.conf.save.1:master: 192.0.32.132 # lax.xfr.dns.icann.org
/etc/unbound/unbound.conf.save.1:master: 192.0.47.132 # iad.xfr.dns.icann.org
/etc/unbound/unbound.conf.save.1:master: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org
/etc/unbound/unbound.conf.save.1:master: 2620:0:2830:202::132 # iad.xfr.dns.icann.org
/etc/unbound/unbound.conf.save.1:fallback-enabled: yes
/etc/unbound/unbound.conf.save.1:for-downstream: no
/etc/unbound/unbound.conf.save.1:for-upstream: yes
/etc/unbound/unbound.conf.save.1:zonefile: "root.zone"

Above output is telling you something went wrong reloading unbound.service.
If you didn't have that systemd unit, you would be seeing something like below:

dehakkelaar@ph6b:~$ sudo systemctl reload bogus.service
Failed to reload bogus.service: Unit bogus.service not found.

The thing going wrong is most likely your config.
You seem to have duplicates all over:

You can see unbound complaining if you run below:

sudo unbound-checkconf

I would advise restoring the /etc/unbound/unbound.conf file to default by first moving it out of the way to your home folder ~ with below:

sudo mv /etc/unbound/unbound.conf ~

And reinstall that now missing config file with below:

sudo apt -o Dpkg::Options::="--force-confmiss" install --reinstall unbound

Check config:

sudo unbound-checkconf

If OK, restart unbound:

sudo systemctl restart unbound.service

Check status:

sudo systemctl status unbound.service

And journals at time of restart:

sudo journalctl --full --no-pager --boot -u unbound.service

If that looks good, make sure verbosity is set to 3 and start tailing the journals again when running dig for testing.

Oh and below directive/line seems also to be missing and will be restored when reinstalling the config file:

pi@ph5a:~ $ sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
[..]
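
As an added illustration (not part of the posts in this thread), the sketch below reads the same rgrep listing format and flags options set twice inside one file, plus options set in both /etc/unbound/unbound.conf and a unbound.conf.d/*.conf file. The function names, the MULTI list of options allowed to repeat, and the sample lines (a constructed subset of the listing above) are assumptions.

```shell
#!/bin/sh
# Options that may legitimately appear more than once (assumed list, limited
# to the options that occur in this thread).
MULTI='include interface private-address private-domain access-control master'

# Reads "path:    key: value" lines (rgrep output format) on stdin.
dup_report() {
  awk -v multi="$MULTI" '
    function live(f) {
      # Assumption: unbound is started with -c /etc/unbound/unbound.conf and
      # that file includes unbound.conf.d/*.conf; backup copies are not loaded.
      return (f ~ "/unbound[.]conf$") || (f ~ "/unbound[.]conf[.]d/[^/]+[.]conf$")
    }
    BEGIN { n = split(multi, m, " "); for (i = 1; i <= n; i++) ok[m[i]] = 1 }
    {
      p = index($0, ":"); if (p == 0) next          # path ends at first colon
      file = substr($0, 1, p - 1); rest = substr($0, p + 1)
      sub(/^[ \t]+/, "", rest)
      sub(/[ \t]+#.*$/, "", rest)                   # drop trailing comment
      q = index(rest, ":"); if (q == 0) next
      key = substr(rest, 1, q - 1); val = substr(rest, q + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (val == "" || (key in ok)) next            # clause header or multi-valued

      id = file SUBSEP key
      first = !(id in seen)
      if (!first) {
        kind = (seen[id] == val) ? "repeat" : "conflict"
        print kind, file, key, seen[id], val
      }
      seen[id] = val
      if (first && live(file)) {
        if (!(key in nf)) order[++cnt] = key
        nf[key]++
        files[key] = files[key] " " file
      }
    }
    END {
      for (i = 1; i <= cnt; i++) {
        k = order[i]
        if (nf[k] > 1) print "cross-file", k files[k]
      }
    }'
}

# Constructed sample: a subset of the listing earlier in the thread.
sample_lines() {
  cat <<'EOF'
/etc/unbound/unbound.conf:server:
/etc/unbound/unbound.conf:    verbosity: 3
/etc/unbound/unbound.conf:    port: 5335
/etc/unbound/unbound.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save.1:    use-caps-for-id: no
/etc/unbound/unbound.conf.save.1:    use-caps-for-id: yes
/etc/unbound/unbound.conf.save.1:master: 2001:500:2f::f # f.root-servers.net
EOF
}

sample_lines | dup_report
```

To check a real system, pipe the output of the rgrep command shown above into dup_report in place of sample_lines.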

I decided to nuke the whole thing and reinstall unbound as was advised before.

I removed unbound per the documentation, and I deleted the /etc/unbound folder.

Now when I try to install unbound, I get this error:

pi@raspberrypi:~ $ sudo apt install unbound

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  apparmor
The following NEW packages will be installed:
  unbound
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 674 kB of archives.
After this operation, 3,646 kB of additional disk space will be used.
Get:1 http://mirror.de.leaseweb.net/raspbian/raspbian buster/main armhf unbound armhf 1.9.0-2+deb10u3 [674 kB]
Fetched 674 kB in 1s (1,170 kB/s)
Selecting previously unselected package unbound.
(Reading database ... 157367 files and directories currently installed.)
Preparing to unpack .../unbound_1.9.0-2+deb10u3_armhf.deb ...
Unpacking unbound (1.9.0-2+deb10u3) ...
Setting up unbound (1.9.0-2+deb10u3) ...
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
invoke-rc.d: initscript unbound, action "restart" failed.
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Fri 2023-11-17 20:13:51 IST; 28ms ago
     Docs: man:unbound(8)
  Process: 1500 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=1/FAILURE)
  Process: 1503 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=1/FAILURE)
  Process: 1506 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 1506 (code=exited, status=1/FAILURE)
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u9+rpi1) ...


pi@raspberrypi:~ $ sudo systemctl status unbound.service

● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2023-11-17 20:13:53 IST; 48s ago
     Docs: man:unbound(8)
  Process: 1570 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=1/FAILURE)
  Process: 1576 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=1/FAILURE)
  Process: 1579 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 1579 (code=exited, status=1/FAILURE)

Nov 17 20:13:53 raspberrypi systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 17 20:13:53 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 17 20:13:53 raspberrypi systemd[1]: Failed to start Unbound DNS server.
Nov 17 20:13:53 raspberrypi systemd[1]: unbound.service: Service RestartSec=100ms expired, scheduling restart.
Nov 17 20:13:53 raspberrypi systemd[1]: unbound.service: Scheduled restart job, restart counter is at 8.
Nov 17 20:13:53 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 17 20:13:53 raspberrypi systemd[1]: unbound.service: Start request repeated too quickly.
Nov 17 20:13:53 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 17 20:13:53 raspberrypi systemd[1]: Failed to start Unbound DNS server.
pi@raspberrypi:~ $

Not sure how to resolve this.

That's expected.
Just finish the guide and the error will be gone.

I can't finish the setup.
I still get this error throughout the guide.

Any ideas what to do?