after looking at everything, confs etc and seeing basically these two rpi’s running pihole + unbound are basically config’d identical. only main diff is rpi5 has ISC-dhcpd running.
i had recently purchased a new netgate fw router and configured it and added my VPNs to it. for whatever reason somewhere in the mix i put rpi3 through one VPN and the other rpi5 through another. at that time i could have sworn both were working but i guess not. so a search sent me to a thread at pi-hole : unbound-getting-servfail-when-connected-to-nordvpn
although rpi3, the one returning SERVFAIL, was through Surfshark, and the rpi5, that works, is through protonVPN. i have NordVPN too so of course unbound didn’t work there either. they both work ok through ProtonVPN.
@rdwebdesign, that works, whether rpi3 is in or out of the VPN tunnel. even Surfshark. both rpi’s have quad9 dns in /etc/resolv.conf. appreciate your reply and help! though i had ventured over to the netgate appliance prior to reading your question to me i’m gonna tick yours as solution. you know, you’ve looked at everything else, go look at your firewall.
i think, and i’m guessing, my issue had to do with unbound in the VPNs that others have threaded about. i haven’t sent a tech request to ProtonVPN to ask about any restrictions they have regarding unbound, but i may just for the education.
for now, glad this is solved.