Hi there,
After going through several posts and long debugging sessions, I require further support as I am not able to solve my issue.
Unbound is not able to resolve my request and always gives me back SERVFAIL, regardless of the domain I try to reach.
I am currently running Pi-Hole v6.0 on a RaspPi 5 on a fresh install (just did a complete fresh install after retrying several times to fix the error).
Expected Behaviour:
I followed the Unbound guide to the letter and everything should be fine. Here is the config file, which should match that of the guide (but for the logfile and verbosity while debugging):
$ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf: auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf: logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf: verbosity: 3
/etc/unbound/unbound.conf.d/pi-hole.conf: interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf: port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf: do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf: prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf: harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf: edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf: prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf: so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 192.0.2.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 198.51.100.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 203.0.113.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 255.255.255.255/32
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 2001:db8::/32
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf: control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf: control-interface: /run/unbound.ctl
Unbound is listening on the correct port:
$ sudo netstat -tulnp | grep 5335
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 32572/unbound
udp 0 0 127.0.0.1:5335 0.0.0.0:* 32572/unbound
Timesync looks ok:
$ timedatectl
Local time: Mon 2025-04-14 21:33:51 CEST
Universal time: Mon 2025-04-14 19:33:51 UTC
RTC time: Mon 2025-04-14 19:33:51
Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Actual Behaviour:
$ dig pi-hole.net @127.0.0.1 -p 5335
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28705
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net. IN A
;; Query time: 4356 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Apr 14 21:32:49 CEST 2025
;; MSG SIZE rcvd: 40
$ dig dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57901
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works. IN A
;; Query time: 3600 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Apr 14 21:44:22 CEST 2025
;; MSG SIZE rcvd: 41
After running dig pi-hole.net @127.0.0.1 -p 5335, these are the last few lines of the log file (if you need more, I can attach the full log file):
[1744659169] unbound[32572:0] debug: iterator[module 2] operate: extstate:module_wait_subquery event:module_event_pass
[1744659169] unbound[32572:0] info: iterator operate: query pi-hole.net. A IN
[1744659169] unbound[32572:0] info: processQueryTargets: pi-hole.net. A IN
[1744659169] unbound[32572:0] debug: Failed to get a delegation, giving up
[1744659169] unbound[32572:0] debug: return error response SERVFAIL
[1744659169] unbound[32572:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1744659169] unbound[32572:0] info: validator operate: query pi-hole.net. A IN
[1744659169] unbound[32572:0] debug: subnetcache[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1744659169] unbound[32572:0] info: subnetcache operate: query pi-hole.net. A IN
[1744659169] unbound[32572:0] debug: cache memory msg=66072 rrset=66072 infra=11669 val=66368 subnet=74504
$ delv @127.0.0.1 -p 5335 +rtrace +multiline 1.debian.pool.ntp.org
;; fetch: 1.debian.pool.ntp.org/A
;; resolution failed: failure
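
Added example, not part of the original post and not Pi-hole or Unbound project code: a small Python parser for the verbosity-3 log format shown above that reports which Unbound module was operating when `return error response SERVFAIL` was logged, and the message logged just before it. The function and field names are illustrative assumptions; the sample lines are copied from the log excerpt in the post.

```python
import re

# Log excerpt copied from the post above (Unbound, verbosity: 3).
SAMPLE_LOG = """\
[1744659169] unbound[32572:0] debug: iterator[module 2] operate: extstate:module_wait_subquery event:module_event_pass
[1744659169] unbound[32572:0] info: iterator operate: query pi-hole.net. A IN
[1744659169] unbound[32572:0] info: processQueryTargets: pi-hole.net. A IN
[1744659169] unbound[32572:0] debug: Failed to get a delegation, giving up
[1744659169] unbound[32572:0] debug: return error response SERVFAIL
[1744659169] unbound[32572:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1744659169] unbound[32572:0] info: validator operate: query pi-hole.net. A IN
"""

LINE = re.compile(r"^\[(\d+)\] unbound\[\d+:(\d+)\] (\w+): (.*)$")
MODULE = re.compile(r"^(\w+)\[module \d+\] operate: ")
QUERY = re.compile(r"^\w+ operate: query (.+)$")
SERVFAIL = "return error response SERVFAIL"


def servfail_origins(log_text):
    """List every SERVFAIL with the module that raised it and the prior message."""
    threads = {}   # thread id -> parsing state (threads interleave in the log)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, thread, _level, msg = m.groups()
        st = threads.setdefault(thread, {"module": None, "query": None, "prev": None})
        mod = MODULE.match(msg)
        qry = QUERY.match(msg)
        if mod:
            st["module"] = mod.group(1)      # module that is now operating
        elif qry:
            st["query"] = qry.group(1)       # query that module is working on
        elif msg == SERVFAIL:
            findings.append({"time": int(ts), "module": st["module"],
                             "query": st["query"], "reason": st["prev"]})
        st["prev"] = msg
    return findings


if __name__ == "__main__":
    for f in servfail_origins(SAMPLE_LOG):
        print(f"{f['time']} {f['module']}: {f['query']} -> {f['reason']}")
```

On the excerpt above this attributes the SERVFAIL to the iterator module with the reason "Failed to get a delegation, giving up", logged before the validator module's lines appear.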