Something is wrong with unbound


With Unbound running on my PC vs. on DietPi (Pi-hole + Unbound, 192.168.1.3), there's a huge difference in latency. Running dig +trace for both, here's the output:

Pi:

dig +trace example.com 127.0.0.1 -p 5335

; <<>> DiG 9.18.24-1-Debian <<>> +trace example.com 127.0.0.1 -p 5335
;; global options: +cmd
. 62343 IN NS j.root-servers.net.
. 62343 IN NS a.root-servers.net.
. 62343 IN NS c.root-servers.net.
. 62343 IN NS f.root-servers.net.
. 62343 IN NS l.root-servers.net.
. 62343 IN NS m.root-servers.net.
. 62343 IN NS e.root-servers.net.
. 62343 IN NS h.root-servers.net.
. 62343 IN NS b.root-servers.net.
. 62343 IN NS d.root-servers.net.
. 62343 IN NS i.root-servers.net.
. 62343 IN NS k.root-servers.net.
. 62343 IN NS g.root-servers.net.
. 62343 IN RRSIG NS 8 0 518400 20240716050000 20240703040000 20038 . HWNE1Ndvh1yquZ45LapvoSbiiBjMs7cRvTUiRhd4qErwEWH2iZwbV+ZJ ujv56PTlKc7slQPyRa5ageqt++MP64URll30ZKd/bVOf/NG3qnQl+yKH OXfd1oZWS4vlY+UTNxkOgfCbn2mP2wGE466TvFioy2ZL/YEa2/yGSZWb j5A0t1ynt9diMOkXDGJZFp+ErmHrgJf4vtApbc+EMH9jhexyhnwVtfWS FRZ9h45B+nPO8YScyO8OkPTu1jhsy6WnPBKVtSzVISIx94rK0oEojFhD 3CU747qEZlgVqPn9MeF8Obdss+ALJE6IqcQ4yQnZvpbIiYBYfVDLdOWg sl0Tgw==
;; Received 525 bytes from 127.0.0.1#5335(127.0.0.1) in 0 ms

;; communications error to 202.12.27.33#5335: timed out
;; communications error to 202.12.27.33#5335: timed out
;; communications error to 202.12.27.33#5335: timed out
;; communications error to 193.0.14.129#5335: timed out
;; communications error to 2001:500:2::c#5335: timed out
;; communications error to 192.5.5.241#5335: timed out
;; communications error to 2001:503:ba3e::2:30#5335: timed out
;; communications error to 199.7.91.13#5335: host unreachable
;; communications error to 192.36.148.17#5335: timed out
;; communications error to 2001:7fe::53#5335: timed out
;; communications error to 2001:500:1::53#5335: timed out
;; communications error to 2001:500:9f::42#5335: timed out
;; communications error to 198.41.0.4#5335: timed out
;; communications error to 2001:500:2f::f#5335: timed out
;; communications error to 192.203.230.10#5335: timed out
;; communications error to 2001:7fd::1#5335: timed out
;; communications error to 2801:1b8:10::b#5335: timed out
;; communications error to 2001:dc3::35#5335: timed out
;; communications error to 2001:503:c27::2:30#5335: timed out
;; communications error to 192.33.4.12#5335: connection refused
;; communications error to 192.112.36.4#5335: timed out
;; communications error to 2001:500:a8::e#5335: timed out
;; communications error to 198.97.190.53#5335: host unreachable
;; communications error to 192.58.128.30#5335: timed out
;; communications error to 170.247.170.2#5335: timed out
;; communications error to 2001:500:12::d0d#5335: timed out
;; communications error to 199.7.83.42#5335: timed out
;; communications error to 2001:500:2d::d#5335: timed out
;; no servers could be reached

For Unbound on Windows:

dig +trace example.com 127.0.0.1

; <<>> DiG 9.16.28 <<>> +trace example.com 127.0.0.1
;; global options: +cmd
. 80592 IN NS h.root-servers.net.
. 80592 IN NS g.root-servers.net.
. 80592 IN NS b.root-servers.net.
. 80592 IN NS c.root-servers.net.
. 80592 IN NS f.root-servers.net.
. 80592 IN NS a.root-servers.net.
. 80592 IN NS k.root-servers.net.
. 80592 IN NS m.root-servers.net.
. 80592 IN NS e.root-servers.net.
. 80592 IN NS l.root-servers.net.
. 80592 IN NS d.root-servers.net.
. 80592 IN NS j.root-servers.net.
. 80592 IN NS i.root-servers.net.
. 80592 IN RRSIG NS 8 0 518400 20240716170000 20240703160000 20038 . x9rd7O4A/xHzvv4zofsjOgJxPKLEoQfTewwSASpbGjJ2+59WjgT9CPKV NSBnQVK4e2JIPxsHJuwhLVRBR6TP9RQpxpW029E0pieb+vl99n4V40Zz nizBTsHc+AXdNi5/mDxYIb94dLwGpsriLwU/cojEGx3oYBiKKVVjJcPn x1ZsgPVRBIc/YO6QyGWa54bAskPFYeUgyIjgLBUzpP+8o8ClYvdCxHqG SnqXTMJBYMDLZmNV27mKmIKsoWLyNPgJiTgfbfkjlvEKjv1sAIHE5x8d OFtGrT85a3QrI2oTXtggZ4jHWMcR1+TdFvPhzSmzfF775W78N7o2MZsl F/QoAA==
;; Received 1097 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20240716200000 20240703190000 20038 . lljng7dgmebJlFpU2vvBpUNhSoF9iPAB/9nSyiWUIkr+Vu6u6O593Bi1 wD0AD4U0D7bUOgwGUPoSWZQ7cpcy0HHilHUNLlkYS7np3dORHOjZJWZM ZoccEZ2H/RC/Z/DYSuPnpnRqHfXqrj4n3eyPpaVixGhS48YxrLPjXZIP m2Sg8IkyzbihW/eiYLIYl1YUl1GYwKeYd5RuV3lQHOOL3Q/GlIy9PhTd nX+CmFZj1diswwtEwEmfnK/Z7/ewL38wHJwfUe1Yu+ETgk6qb4Y9Trt/ n7tVWyBu6aXi/ITJ+/+k1Q3muKBGvp8fKDCHkOIFC0lwmif/oWPxALtS 3PArlg==
;; Received 1171 bytes from 170.247.170.2#53(b.root-servers.net) in 65 ms

example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
example.com. 86400 IN DS 370 13 2 BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A8 6764247C
example.com. 86400 IN RRSIG DS 13 2 86400 20240710012723 20240703001723 956 com. t5pizbIGIk2NRpbX00AJebqJ+WsVQD9KaKCFJct8nUu+UsHtIEoL7Li5 biiGyLydiK0mO7WBNizKi4gHJZ1BcA==
;; Received 235 bytes from 192.52.178.30#53(k.gtld-servers.net) in 42 ms

example.com. 3600 IN A 93.184.215.14
example.com. 3600 IN RRSIG A 13 2 3600 20240721163219 20240630095548 14293 example.com. rIPnGSHdd6uw7aCbKD5/NpmC8ds7tMT69wwajj9vQzfH5DfavzLIRRvL 7Gvuq8qFEDvNo1IBVQ6xSabNf+2GTA==
;; Received 163 bytes from 199.43.135.53#53(a.iana-servers.net) in 146 ms

What's happening and how do I solve this? By the way, the Pi-hole is running without any blocklists right now, and it should matter for the dig part since I'm testing Unbound directly.

This is actually normal. When +trace is enabled, dig asks the specified nameserver for the root nameservers, picks one and asks that for the nameservers for the TLD, and so on. It's not doing recursion itself; it's essentially mimicking what a recursive server would be seeing, asking each authoritative nameserver in turn.

The problem is that your Unbound nameserver on your Pi is on port 5335 and so you specified -p 5335, but now it will use that port for each query in the trace. For anything beyond your Unbound on localhost that will fail and eventually time out.

You can see the unwanted port number in the errors it's giving you, e.g.

;; communications error to 202.12.27.33#5335: timed out

The workaround is to have Unbound as Pi-hole's only upstream server – which is how it will be running when following the guide anyway – and make your +trace query to Pi-hole, now on the standard port, i.e. no -p 5335 since you are talking with Pi-hole now. This will allow all subsequent lookups, which form the +trace, to also work on the standard port.

That's why the Windows one is working, since Unbound on there is running on standard port 53 so you didn't need to specify a non-standard port.

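To make the mechanism in that answer concrete, here is an offline model of what dig +trace actually does: it asks the configured server once for the root NS set and then walks the delegation chain itself, sending every later query to the same port it was given. This is an added example and not code from the original post, from dig, from Unbound or from Pi-hole. The mock "network" is built from the delegation data visible in the Windows trace above (b.root-servers.net, k.gtld-servers.net, a.iana-servers.net, example.com A 93.184.215.14); 127.0.0.1:5335 for Unbound and 192.168.1.3:53 for Pi-hole match the thread's setup, and the single-server-per-level simplification and the mock classes are assumptions made for illustration.

```python
"""Offline model of how `dig +trace` walks a delegation chain.

Added example, not code from the original post, dig, Unbound or Pi-hole.
Servers and records are taken from the Windows trace on the page; the
mock network is a constructed simplification (one server per level).
"""

ROOT_HINTS = [("b.root-servers.net.", "170.247.170.2")]
TLD_COM = [("k.gtld-servers.net.", "192.52.178.30")]
EXAMPLE_NS = [("a.iana-servers.net.", "199.43.135.53")]


class Authoritative:
    """A server that only knows its own zone: delegations and A records."""

    def __init__(self, delegations=None, records=None):
        self.delegations = delegations or {}  # child zone -> [(ns, ip)]
        self.records = records or {}          # owner name -> IPv4 string

    def respond(self, qname):
        if qname in self.records:
            return ("answer", self.records[qname])
        # Longest-suffix match: "example.com." is delegated under "com."
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname.endswith(zone):
                return ("referral", self.delegations[zone])
        return ("nxdomain", None)


class Recursive:
    """Stand-in for Unbound / Pi-hole: dig +trace only asks it for `. NS`."""

    def respond(self, qname):
        return ("referral", ROOT_HINTS)


# (ip, port) -> server. Authoritative servers listen on 53 only; the Pi's
# Unbound is bound to 5335 and Pi-hole to 53, as described in the thread.
NETWORK = {
    ("127.0.0.1", 5335): Recursive(),   # Unbound on the Pi
    ("192.168.1.3", 53): Recursive(),   # Pi-hole, forwarding to Unbound
    ("170.247.170.2", 53): Authoritative(delegations={"com.": TLD_COM}),
    ("192.52.178.30", 53): Authoritative(delegations={"example.com.": EXAMPLE_NS}),
    ("199.43.135.53", 53): Authoritative(records={"example.com.": "93.184.215.14"}),
}


def send(ip, port, qname):
    server = NETWORK.get((ip, port))
    if server is None:
        # Nothing listening on that port: UDP simply times out, which is the
        # "communications error ... timed out" seen in the Pi trace.
        raise TimeoutError(f"communications error to {ip}#{port}: timed out")
    return server.respond(qname)


def trace(qname, resolver_ip, port=53):
    """Mimic dig +trace: every hop, not just the first, is sent to `port`.

    Returns (answer_ip_or_None, hops); each hop records who was asked, on
    which port, and what came back.
    """
    hops = []
    candidates = [("resolver", resolver_ip)]
    while candidates:
        for name, ip in candidates:
            try:
                kind, data = send(ip, port, qname)
            except TimeoutError as err:
                hops.append({"server": name, "ip": ip, "port": port, "result": str(err)})
                continue
            hops.append({"server": name, "ip": ip, "port": port, "result": kind})
            if kind == "answer":
                return data, hops
            if kind == "referral":
                candidates = data   # descend one level in the delegation chain
                break
            return None, hops       # nxdomain: nothing further to ask
        else:
            # Every server at this level was tried and none replied.
            hops.append({"server": None, "ip": None, "port": port,
                         "result": "no servers could be reached"})
            return None, hops
    return None, hops


if __name__ == "__main__":
    for label, ip, port in [("Pi Unbound, -p 5335", "127.0.0.1", 5335),
                            ("Pi-hole on port 53", "192.168.1.3", 53)]:
        answer, hops = trace("example.com.", ip, port)
        print(f"{label}: answer={answer}")
        for hop in hops:
            print(f"  {hop['server']} {hop['ip']}#{hop['port']} -> {hop['result']}")
```

Run as-is: the 5335 trace gets the root NS set from Unbound and then times out against the root server on port 5335, ending in "no servers could be reached", exactly the shape of the Pi output; the same walk entered through Pi-hole on port 53 reaches the root, the .com servers and a.iana-servers.net and returns the A record. The point to take away is that -p applies to every hop, so a non-standard resolver port only works for the first query of a trace.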

Yeah, I figured this out after posting, but the results of the DNS benchmark in the first screenshot are still strange. Even testing individual queries, Unbound on the Pi (SSH with dig) / through the Pi (192.168.1.3) is always slower than the Windows one by tens of milliseconds to an entire second, for non-cached queries of course. I disabled IPv6 on the DietPi, and now the results look like this:


Which is better, but still not quite the same as the Unbound running on Windows.
