Unbound DNSSEC validation not working

Please follow the below template, it will help us to help you!

If you are experiencing issues with a Pi-hole install that has non-standard elements (e.g. you are using nginx instead of lighttpd, or there is some other aspect of your install that is customised), please use the Community Help category.

Expected Behaviour:

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335
The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.

From: https://docs.pi-hole.net/guides/dns/unbound/#

Actual Behaviour:

pi@raspberrypi:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11994
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net. IN A

;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139

;; Query time: 174 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Oct 23 10:49:25 MDT 2021
;; MSG SIZE rcvd: 73

pi@raspberrypi:~ $ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33132
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139

;; Query time: 174 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Oct 23 10:49:35 MDT 2021
;; MSG SIZE rcvd: 71

pi@raspberrypi:~ $

Debug Token:

https://tricorder.pi-hole.net/pFmCboBC/

Some additional settings, but I still can't get Unbound DNSSEC to work correctly.

grep PIHOLE_DNS /etc/pihole/setupVars.conf

PIHOLE_DNS_1=127.0.0.1#5335

nslookup pi.hole

Server: 127.0.0.1
Address: 127.0.0.1#53

Name: pi.hole
Address: 127.0.0.1
Name: pi.hole
Address: ::1

I am wondering if it's due to domain_name_servers being Google's DNS in /etc/dhcpcd.conf

interface eth0
static ip_address=192.168.1.5/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 8.8.4.4

Pi Hole settings

Can I use this for IPv6 for Unbound?

::1/128#5335

This is unrelated to how unbound performs. This tells Pi-hole to use unbound as the upstream DNS server, and that's all.

This is locally served by Pi-hole and not forwarded to unbound for resolution.

No. This setting specifies what DNS server the Pi should use, and is unrelated to the performance of unbound.

Yes, but not in that format, and it is not needed. Unbound can resolve both A and AAAA queries on IPv4 only. There is no need to add an IPv6 address. The existing IPv4 IP will suffice.

That just means none of those settings are wrong but doesn't explain why I'm not getting a SERVFAIL as expected with:

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

Using

/var/lib/unbound/root.hints

instead of

dns-root-data

Made no difference still no SERVFAIL where one is expected.

I finally found a fix for this, and it looks like some directions are missing from https://docs.pi-hole.net/guides/dns/unbound.

Fix Unbound Service Erroring out

I couldn't get unbound to run until adding a line to /etc/unbound/unbound.conf:

include: "/etc/unbound/unbound.conf.d/*.conf"

This will allow unbound to look at /etc/unbound/unbound.conf.d/pi-hole.conf as used in the documentation.

Unbound will launch but was still unable to validate DNSSEC.

To Fix Unbound DNSSEC Validating

Run sudo unbound-anchor to create a root.key file (mine ended up being in /var/lib/unbound). Add the following line to /etc/unbound/unbound.conf

auto-trust-anchor-file: "/var/lib/unbound/root.key"

Now I restarted the unbound service and I also restarted the dhcpcd service (but likely not required).

sudo service unbound restart
sudo systemctl restart dhcpcd

The dig commands are now working as expected from the documentation.

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.

Linked Resources

Pi-hole documentation - Unbound
Error installing unbound on new PI 4
Reddit - help_with_unbound_running_with_pihole
DNSSEC Validation with Unbound on a Raspberry

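The check the guide describes (SERVFAIL for sigfail, NOERROR plus an address for sigok) and the two unbound.conf directives this fix adds can be verified mechanically. The script below is an added example, not code from the thread or from the Pi-hole project: it parses dig output for the rcode and answer count, decides whether the resolver is validating, and reports which of the two directives an unbound.conf text is missing. The sample dig headers embedded in it are constructed from the output posted above (the "broken" case) and from what the guide says a validating resolver returns; `live_check` runs the real dig queries against 127.0.0.1 on the guide's port 5335 and is only called when you pass `live` on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the Pi-hole/unbound DNSSEC test
# and for the unbound.conf directives the fix above adds.

# Extract the rcode (NOERROR, SERVFAIL, ...) from the ->>HEADER<<- line of dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Extract the ANSWER count from the ";; flags:" line of dig output on stdin.
dig_answer_count() {
    sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# $1 = dig output for sigfail, $2 = dig output for sigok.
# Prints "validating" only when sigfail is SERVFAIL and sigok is NOERROR with at least one answer.
dnssec_verdict() {
    fail_status=$(printf '%s\n' "$1" | dig_status)
    ok_status=$(printf '%s\n' "$2" | dig_status)
    ok_answers=$(printf '%s\n' "$2" | dig_answer_count)
    if [ "$fail_status" = "SERVFAIL" ] && [ "$ok_status" = "NOERROR" ] && [ "${ok_answers:-0}" -gt 0 ]; then
        echo validating
    else
        echo not-validating
    fi
}

# $1 = contents of unbound.conf. Prints the names of the directives from the fix that are absent.
unbound_conf_missing() {
    missing=""
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*include:[[:space:]]*"/etc/unbound/unbound.conf.d/\*\.conf"' \
        || missing="$missing include"
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auto-trust-anchor-file:' \
        || missing="$missing auto-trust-anchor-file"
    echo "${missing# }"
}

# Real check against the local unbound; needs dig and network. Port defaults to the guide's 5335.
live_check() {
    port="${1:-5335}"
    dnssec_verdict "$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p "$port")" \
                   "$(dig sigok.verteiltesysteme.net @127.0.0.1 -p "$port")"
}

# Constructed samples: the header lines from the output posted in the thread (resolver not
# validating: sigfail answered NOERROR) and the headers a validating resolver returns.
SAMPLE_SIGFAIL_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11994
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGFAIL_FIXED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33132
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed unbound.conf fragments: one without the fix, one with it.
CONF_BEFORE='server:
    verbosity: 0'
CONF_AFTER='include: "/etc/unbound/unbound.conf.d/*.conf"
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"'

if [ "${1:-}" = "live" ]; then
    live_check "${2:-5335}"
else
    echo "thread output:   $(dnssec_verdict "$SAMPLE_SIGFAIL_BROKEN" "$SAMPLE_SIGOK")"
    echo "after fix:       $(dnssec_verdict "$SAMPLE_SIGFAIL_FIXED" "$SAMPLE_SIGOK")"
    echo "conf before fix missing: $(unbound_conf_missing "$CONF_BEFORE")"
    echo "conf after fix missing:  $(unbound_conf_missing "$CONF_AFTER")"
fi
```

Run it with no arguments to see the offline verdicts, or `sh check.sh live 5335` on the Pi to test the running unbound; passing the wrong port (as with 5353 later in this thread) makes dig report that no servers could be reached, which the parser reports as not-validating rather than as a DNSSEC failure.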

It looks like IPv6 isn't working though :cry:

dig AAAA ipv6.google.com @127.0.0.1 -p 5353

I do have my config file set to: do-ip6: yes

You're not using IPv6 to send that query to unbound. You're using IPv4 (127.0.0.1) and asking for an AAAA record, which is perfectly legal.

Getting a response of 'no servers could be reached' means that unbound is not listening on port 5353 on the localhost interface. Which is highly likely since the guide uses 5335 and not 5353 for the port.

Try your dig again with 5335 instead.

Before I had this working Connection test reported IPV6 as working but now that I have unbound working it reports

Modern addresses not reachable (IPv6)

dig again with 5335 and everything is working great. Thank you for the help. I deleted my old posts after this one because the issue was the device and not the pi hole.
