Unable to get to gov.uk domain when using PiHole & Unbound

Hi, I'm unable to reach gov.uk when using Pihole & Unbound. This has been a recurring problem even when freshly reinstalling both on various systems.

Currently using pihole on a Raspberry Pi Zero however have used it in the past on a Thinkcentre machine and the same issue occurs.

Both pihole and unbound have been setup through the recommended procedure in the Pi-hole installation documentation.

; <<>> DiG 9.16.42-Raspbian <<>> gov.uk @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

if it helps ^

Many thanks team! :smiley:

Let's take a look at your unbound configuration. Please post the output of the following command from the Pi terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

andy@pizero:~ $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 192.168.0.1
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 9.9.9.9

Thanks for your reply jfb :smiley:

I would try using Google's 8.8.8.8 instead of Quad 9's 9.9.9.9 upstream DNS server, just to see if that fixes it.

Domains ending in .gov being blocked has been mentioned in the past (e.g. issues with nist.gov · Issue #2708 · pi-hole/pi-hole · GitHub) , both on here and Reddit, and it's usually down to the upstream DNS server treating .gov as malicious.

Specifically, this has been know to happen with cloudflare on 1.1.1.1 in the past. But it stands to reason that whatever their source for "malicious" domains, it's possible Quad9 on 9.9.9.9 are using the same source.

Your unbound is currently configured as a forwarding resolver, not as a recursive resolver. This change was likely made by your operating system.

/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 192.168.0.1
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 9.9.9.9
  1. Edit file /etc/resolvconf.conf and comment out the last line which should then read:

#unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  2. Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  3. Restart unbound:

sudo service unbound restart
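The diagnosis above rests on reading the `grep -R` output and spotting a `forward-zone` for `"."`. The following is an added example (not code from the thread or from Pi-hole/Unbound) that parses that output and flags the forwarding configuration; the sample grep output is constructed to mirror the one posted above.

```python
"""Parse `grep -v '#\\|^$' -R /etc/unbound/unbound.conf*` output and flag
a forward-zone for "." (Unbound forwarding everything instead of recursing)."""
import re
from collections import OrderedDict

# Constructed sample with the same file:text shape as the grep -R output.
SAMPLE_GREP_OUTPUT = """\
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 192.168.0.1
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 9.9.9.9
"""

LINE_RE = re.compile(r"^(?P<path>/[^:]+):(?P<text>.*)$")


def parse_grep_output(output):
    """Group `path:text` lines by file, keeping the stripped config text."""
    files = OrderedDict()
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            files.setdefault(m["path"], []).append(m["text"].strip())
    return files


def find_forward_zones(files):
    """Return one dict {file, name, addrs} per forward-zone clause found."""
    zones, current = [], None
    for path, lines in files.items():
        for text in lines:
            if text == "forward-zone:":
                current = {"file": path, "name": None, "addrs": []}
                zones.append(current)
            elif current is not None and text.startswith("name:"):
                current["name"] = text.split(":", 1)[1].strip().strip('"')
            elif current is not None and text.startswith("forward-addr:"):
                current["addrs"].append(text.split(":", 1)[1].strip())
            elif text.endswith(":"):
                current = None  # another clause (e.g. server:) ends the zone
    return zones


def is_full_forwarder(files):
    """True if a forward-zone for "." exists: every query goes upstream."""
    return any(z["name"] == "." for z in find_forward_zones(files))
```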


Thanks jfb, this seems to have done the trick :smiley:

Hi jfb, looks to not be working again. Can't access domains like gov.uk and twitch.tv all of a sudden. Any help would be appreciated! :slight_smile:

Same here. With me it happened when Virgin Media changed my IP address.
I now have a file /etc/dnsmasq.d/99-my-settings.conf in which I have added:
server=/*.gov.uk/1.0.0.1
server=/*.tv/1.0.0.1
and then restarted dns
(There should be a single asterisk on that first line)

It appears there is a problem routing to the name servers authoritative for these domains from Virgin's network. My Pihole now uses 1.0.0.1 to lookup just these domains instead of using unbound.


DNSSEC Debugger - gov.uk tests ok
gov.uk | DNSViz is full of no response errors

dnsviz - GitHub - dnsviz/dnsviz - appears to be a script run from within your browser so indicates your ISP's shortcomings.


Thanks mate, very helpful. I'm also using Virgin Media and have been wondering why Pi-Hole consistently breaks on my network. :smiley:

are there any extra steps in order to get pi.hole to actually use that 99-my-settings.conf file? do i need to add it to the base config file?

No. I think I just clicked on restart DNS resolver on the settings tab. I had previously created it for some other settings.


yeah thanks Moto, wasn't working at first but it was my mistake. thanks a lot for your help :smiley:

Unbound has a special mode for logging DNSSEC failures. It would be interesting to enable it and try the gov digs again from Virgin Media and see what it reports.

Setup

To enable it, first of all enable Unbound logging to a dedicated log file, as per the "Add logging to unbound" part of the Pi-hole guide. Don't forget to create the log file, set the permissions and do the AppArmor steps, as per the guide.

Then add the special logging mode val-log-level set to 2 ("At 2, not only the query that failed is printed but also the reason why Unbound thought it was wrong and which server sent the faulty data.")

So it looks like this once done:

$ sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    val-log-level: 2
    verbosity: 0

    ...

Restart Unbound

sudo service unbound restart

Testing

Now try to access the gov sites again, try dig etc. Any failures will be logged with the details. E.g. using the test domains to dig, seeing the failures, then looking at the log.

$ dig fail03.dnssec.works @127.0.0.1 -p 5335
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54208
...
$ dig fail04.dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.42-Debian <<>> fail04.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

Log

$ less /var/log/unbound/unbound.log
Sep 06 13:56:43 unbound[498765:0] info: validation failure <fail03.dnssec.works. A IN>: signature crypto failed from 5.45.109.212
Sep 06 13:57:02 unbound[498765:0] info: validation failure <fail03.dnssec.works. A IN>: signature crypto failed from 5.45.109.212
Sep 06 13:57:23 unbound[498765:0] info: validation failure <fail04.dnssec.works. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 5.45.109.212 for key fail04.dnssec.works. while building chain of trust
Sep 06 13:57:23 unbound[498765:0] info: validation failure <fail04.dnssec.works. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 5.45.109.212 for key fail04.dnssec.works. while building chain of trust
Sep 06 13:57:23 unbound[498765:0] info: validation failure <fail04.dnssec.works. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 5.45.109.212 for key fail04.dnssec.works. while building chain of trust

Cleanup

It only logs failures so could be left on so it always catches a situation. To disable it edit the pi-hole.conf file and either set val-log-level to 0 (which means off) or comment the line out. Then restart Unbound the same way as earlier on.

If you wish to clear out the log file use the command:

sudo truncate -s 0 /var/log/unbound/unbound.log
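Once `val-log-level: 2` is on, the log shows which name failed, why, and which server returned the faulty data. The following is an added example (not code from the thread or from Unbound) that parses those `validation failure` lines and counts failures per domain and reason; the sample log reuses the lines shown above plus one constructed non-failure line.

```python
"""Parse Unbound val-log-level 2 'validation failure' lines into records and
summarise them per (name, reason) so a recurring DNSSEC problem stands out."""
import re
from collections import Counter

# Sample log: the five lines from the thread plus one constructed stats line.
SAMPLE_LOG = """\
Sep 06 13:56:43 unbound[498765:0] info: validation failure <fail03.dnssec.works. A IN>: signature crypto failed from 5.45.109.212
Sep 06 13:57:02 unbound[498765:0] info: validation failure <fail03.dnssec.works. A IN>: signature crypto failed from 5.45.109.212
Sep 06 13:57:23 unbound[498765:0] info: validation failure <fail04.dnssec.works. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 5.45.109.212 for key fail04.dnssec.works. while building chain of trust
Sep 06 13:57:23 unbound[498765:0] info: validation failure <fail04.dnssec.works. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 5.45.109.212 for key fail04.dnssec.works. while building chain of trust
Sep 06 13:57:23 unbound[498765:0] info: validation failure <fail04.dnssec.works. A IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 5.45.109.212 for key fail04.dnssec.works. while building chain of trust
Sep 06 13:58:00 unbound[498765:0] info: server stats for thread 0: 5 queries, 0 answers from cache, 5 recursions, 0 prefetch, 0 rejected by ip ratelimiting
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) unbound\[[\d:]+\] info: "
    r"validation failure <(?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# The offending server follows the first " from " in the reason text.
SERVER_RE = re.compile(r"\bfrom (?P<server>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)")


def parse_line(line):
    """Return a record for a validation-failure line, or None for anything else."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    srv = SERVER_RE.search(rec["reason"])
    rec["server"] = srv["server"] if srv else None
    # Short reason: the text before " from <server>", used as the grouping key.
    rec["short_reason"] = rec["reason"].split(" from ", 1)[0]
    return rec


def summarize(lines):
    """Count failures per (name, short_reason) across an iterable of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["name"], rec["short_reason"])] += 1
    return counts
```

A domain that only ever fails with "no response"-style reasons from one server is a reachability problem, whereas "signature crypto failed" or a missing DS points at the zone's DNSSEC data.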
