Unable to synchronize system time, Pi-hole not working

Is unbound set to use DNSSEC? Most default installations and guides enable it, and if time is borked then unbound will not work right. If we can isolate the problem between Pi-hole, unbound and upstreams then we have a better chance of solving this issue.

If you install nmap on the Pi:

sudo apt install nmap

You can scan for NTP servers on your network like below (my network is 10.0.0.0/24):

pi@ph5b:~ $ sudo nmap -sU -p123 --open 10.0.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-24 01:07 CET

Nmap scan report for 10.0.0.3
Host is up (0.00089s latency).

PORT    STATE SERVICE
123/udp open  ntp
MAC Address: 00:11:32:XX:XX:XX (Synology Incorporated)

Nmap scan report for 10.0.0.9
Host is up (0.00095s latency).

PORT    STATE SERVICE
123/udp open  ntp
MAC Address: B8:27:EB:XX:XX:XX (Raspberry Pi Foundation)

Nmap done: 256 IP addresses (8 hosts up) scanned in 8.87 seconds

10.0.0.3 is my NAS and 10.0.0.9 is my Kodi media center.

If you install ntpdate:

sudo apt install ntpdate

You can check any NTP server(s):

pi@ph5b:~ $ ntpdate -q 10.0.0.3
server 10.0.0.3, stratum 2, offset +0.005757, delay 0.02654
24 Feb 01:16:38 ntpdate[13742]: adjust time server 10.0.0.3 offset +0.005757 sec
pi@ph5b:~ $ ntpdate -q 0.europe.pool.ntp.org
server 193.4.58.44, stratum 2, offset +0.002880, delay 0.08061
server 212.227.8.137, stratum 3, offset +0.005689, delay 0.05190
server 217.182.77.103, stratum 2, offset +0.005357, delay 0.05791
server 130.208.87.152, stratum 3, offset +0.003265, delay 0.08269
24 Feb 01:16:07 ntpdate[13740]: adjust time server 217.182.77.103 offset +0.005357 sec
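
Why a wrong clock breaks a validating unbound, as an added example (not code from the thread): DNSSEC signatures (RRSIG records) carry an inception and an expiration time, and a validator whose clock falls outside that window rejects the answer, which the client sees as SERVFAIL. The RRSIG record and the 30-day offsets are constructed; the `ntpdate -q` line is in the format shown above, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an RRSIG in dig presentation format (signature shortened).
SAMPLE_RRSIG = ("example.org. 3600 IN RRSIG A 13 2 3600 "
                "20220310000000 20220217000000 12345 example.org. c2lnbmF0dXJl")
# ntpdate -q line in the format shown in the post above.
SAMPLE_NTPDATE = "server 10.0.0.3, stratum 2, offset +0.005757, delay 0.02654"


def parse_rrsig_window(record):
    """Return (inception, expiration) of an RRSIG as aware UTC datetimes."""
    fields = record.split()
    i = fields.index("RRSIG")
    # RDATA order: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer, signature.
    expiration, inception = fields[i + 5], fields[i + 6]

    def to_utc(stamp):
        return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return to_utc(inception), to_utc(expiration)


def parse_ntp_offset(line):
    """Offset in seconds reported by ntpdate -q (server time minus local time)."""
    match = re.search(r"offset ([+-]?\d+(?:\.\d+)?)", line)
    if match is None:
        raise ValueError("no offset field in ntpdate output")
    return float(match.group(1))


def validator_view(record, true_time, offset_seconds):
    """Classify the signature as seen by a host whose clock is off by offset_seconds."""
    local_clock = true_time - timedelta(seconds=offset_seconds)
    inception, expiration = parse_rrsig_window(record)
    if local_clock < inception:
        return "not-yet-valid"   # clock is behind: typical for a Pi without an RTC
    if local_clock > expiration:
        return "expired"         # clock is ahead
    return "valid"


if __name__ == "__main__":
    now = datetime(2022, 2, 24, 0, 16, tzinfo=timezone.utc)
    month = 30 * 86400
    for label, off in [("synced", parse_ntp_offset(SAMPLE_NTPDATE)),
                       ("30 days behind", month), ("30 days ahead", -month)]:
        print(f"{label:15} -> {validator_view(SAMPLE_RRSIG, now, off)}")
```
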

Update:

So it seems that unbound uses DNSSEC and that has been causing issues. I disabled unbound and my time has been working fine.

Using ntpdate I've added NTP server addresses to my chrony.conf file, now my chrony works even with unbound enabled.

timedatectl
               Local time: Thu 2022-02-24 22:16:15 CET
           Universal time: Thu 2022-02-24 21:16:15 UTC
                 RTC time: n/a
                Time zone: Europe/Amsterdam (CET, +0100)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Unbound itself still doesn't work:

dig 1.1.1.1

; <<>> DiG 9.16.22-Raspbian <<>> 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.1.1.1.                       IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 24 22:17:21 CET 2022
;; MSG SIZE  rcvd: 36

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45557
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Feb 24 22:17:58 CET 2022
;; MSG SIZE  rcvd: 55

Another problem I've been having: even with unbound disabled my internet traffic isn't going through Pi-hole. Except from the RPi itself (I only have ~500 logged queries).
Even when I select the Pi as a custom IPv4 DNS server in Windows 10 no traffic is going through the Pi-hole.

Any ideas why this is?

Have you installed the latest Raspbian/Pi-OS Bullseye?

lsb_release -d

If so, make sure you do below:

Pi-hole needs to be the only DNS server for your clients:

Check on this Win client what DNS servers are configured:

netsh interface ip show dnsservers

Or run below on this Win client to see what server it prefers currently:

nslookup pi.hole

Yeah I forgot that part when I initially replied :smiley:

I do not understand most of the diagnostic commands. Much less the results they give.

I do not need to understand (unless I'm asking); so I do not ask.

It is.
He is just saying that if he manually configs (aka, in Windows as a 'Custom Setup') Windows to point to the Pi-hole, after trying to use DHCP to assign it, it is still not using it.
Some of my devices are manually configured with static addresses and DNS assigned and some use DHCP and both ways work fine.

If you are going to install Bullseye, as I suggested and by deHakkelaar, there is a new version, Raspberry Pi Imager v1.7.1, to use to write the card.

People have mixed results trying to command line to upgrade; I was told this by a mod that had mixed results. Not to mention if this is just something went sideways, a new install may be easier than all this.
And I also suggested a RTC. But that will take soldering and for you to Dremel tool about space for it in its case. Well, maybe not need to cut a hole for it: this looks like it is deep enough to sit on top: https://www.amazon.com/Adafruit-4282-PiRTC-Precise-Raspberry/dp/B07W6Y4P99/ref=sr_1_5?crid=33PO0M2P2293G&keywords=pi+zero+RTC&qid=1645818864&sprefix=pi+zero+rtc%2Caps%2C124&sr=8-5

Then it is okay to use the 64bit version on your Pi zero 2 w; I use Raspberry Pi OS (64-bit). Not full, not lite; I just find it easier to use a monitor than SSH in. The 64bit versions are at the bottom of 'Raspberry Pi OS (other)'.

And this time, either stick with WiFi or start out wired. WiFi works fine and you do not need to unplug it from the router every time you finish.

It is just that I see some things lost in translation, e.g. below there is a misunderstanding by deHakkelaar about configuring a Windows device to use Pi-hole DNS lookup and configuring another device too to use, I presume a Windows device, for DNS lookup.

I think the misunderstanding is on your side:

We don't know that yet for sure.
deHakkelaar pointed out that necessity and also provided the commands to verify that statement in order to help OP.


I have conflated this thread with another.

A post was split to a new topic: Is there any difference if you install Unbound before Pi-hole?

Sorry, I did mean all those are set up when Raspbian was installed.

And by settle in I mean when I set up Bullseye it just would not come off GMT for minutes; even though every time I looked, under settings it was all correct. It took so long I even tried a reboot but about 7 minutes later it, finally, displayed local time in the taskbar.

I don't have access to my RPi right now, will try some things after the weekend

This fixed my Unbound issues. It is now working without problems.

I still can't get my router's traffic to go through Pi-hole. My router's DNS settings: [Wireless Router] How to configure Router to use Pi-Hole?

Even changing both DNS server 1 and 2 to the Pi-hole's address doesn't change anything.

I have no clue why it isn't working, seems like the final step to fixing my problems :slight_smile:

Edit:

Results:

netsh interface ip show dnsservers
... 89.101.251.228
nslookup pi.hole
Server:  dns.mnd.iss.as9143.net
Address:  2001:b88:1002::10

*** dns.mnd.iss.as9143.net can't find pi.hole: Non-existent domain

Above DNS IP is not Pi-hole or running through Pi-hole:

pi@ph5b:~ $ dig +short -x 89.101.251.228
089-101-251228.ntlworld.ie.

And I should have supplied you also with the IPv6 version for that command:

netsh interface ipv6 show dnsservers

And above one is also not Pi-holed.
The nslookup should have returned either the IP for your Asus router (in the "Server Address" field) or the IP for the Pi-hole host for proper blocking.
Also the "Name Address" reply would then be the IP for the Pi-hole host like below example:

C:\>nslookup pi.hole
Server:  ph5a.home.dehakkelaar.nl
Address:  10.0.0.2

Name:    pi.hole
Address:  10.0.0.2

Asus routers are a bit tricky to configure as can be seen from below thread:

I also run an Asus router and decided to disable IPv6 support for the LAN side (don't need it anyway and it complicates a lot),
and disabled the DHCPv4 service on the Asus so that Pi-hole can take over:

A recent firmware version has severely limited the amount of settings I can change:

I cannot disable DHCPv4 nor IPv6 using the web-gui.

SSH is available on this router so I can try using that but haven't been able to find a solid guide on how to disable those settings. Do you have any experience with this?

Another option might be to install an older firmware version to change the settings and upgrade. But I don't know if the settings would stay after upgrading.

Aha I see.
Below the settings I have available:

That limits your options considerably.
Basically with the current setup, you're only able to make use of Pi-hole if you configure DNS manually on each and every device, which is not desired.

Only options I can think of besides downgrading is flashing the Asus with a custom made firmware like for example Asuswrt-Merlin or OpenWRT.
Quick search for supported devices and the RT-AC1200 model is not on the list for Asuswrt-Merlin.
OpenWRT does seem to support your RT-AC1200 model (not sure though, ask support forum!!!) :

pi@ph5b:~ $ curl -sSL https://openwrt.org/_media/toh_dump_tab_separated.gz | zgrep --binary-files=text -i RT-AC1200
15676602        WiFi Router     ASUS    RT-AC57U        v1      NULL    Available 2019  amazon.de, amazon.co.uk, reichelt.de   https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=14e0e4f138e35c3e2a15cc3a836c939547ee053b       19.07.0 21.02.2 NULL   ramips   mt7621  mipsel_24kc     U-Boot  MediaTek MT7621AT       2       880     16      128     -       5       MediaTek MT7621AT       Yes     -               MediaTek MT7612EN       b/g/n   a/n/ac          mt76    -       -       1x 2.0  -              --       -               Yes     57600 / 8N1     ▒       9       2       -       12 VDC, 2.0 A   toh:asus:rt-ac57u       View/Edit data  NULL    NULL    RT-AC57U        RT-AC57U        https://wikidevi.wi-cat.ru/ASUS_RT-AC57U        https://www.asus.com/Networking/RT-AC57U/       https://www.asus.com/Networking/RT-AC57U/HelpDesk_BIOS/ NULL    https://downloads.openwrt.org/releases/21.02.2/targets/ramips/mt7621/openwrt-21.02.2-ramips-mt7621-asus_rt-ac57u-squashfs-sysupgrade.bin        NULL    https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-asus_rt-ac57u-squashfs-sysupgrade.bin       U-Boot TFTP recovery            U-Boot TFTP recovery            media:example:genericrouter1.png        RT-AC57U v1 is a rebadged RT-AC1200GU

RT-AC57U v1 is a rebadged RT-AC1200GU

But this is not without risks bc if something goes wrong while flashing, it could potentially brick your router permanently!!!
The other option is getting another router.

Ow ps. I've read a posting somewhere before explaining steps to change DNS via SSH but can't find it anymore.
Closest I could find was below and am not sure it will work for your Asus:

The RT-AC1200GU (RT-AC57U) and RT-AC1200 V2 have a different SoC: ASUS RT-AC1200 series

Seems like too big of a risk to try to install OpenWrt on the router.

I'll see if SSH might work, saw that forum post as well!
