Unbound does not return results when Pi4 is on VPN

Issue:
Unbound does not return results when Pi4 is on VPN.

Outside of VPN:

  1. Pi-hole with unbound installed locally as its upstream DNS server is able to return results.
  2. Pi-hole with Cloudflare as its upstream DNS server is able to return results.

On VPN:

  1. Pi-hole with unbound installed locally as its upstream DNS server is unable to return results.
  2. Pi-hole with Cloudflare as its upstream DNS server is able to return results.

Details about my system:
I'm running Pi-hole with unbound as the upstream DNS server, both installed locally on a Raspberry Pi 4, following the documentation Installation - Pi-hole documentation and unbound - Pi-hole documentation.

What I have changed since installing Pi-hole:
I've not made any "customization" to the Pi-hole installation, but the reason I'm posting this in Community Help is that once in a while I have my Pi-hole on VPN, and this causes unbound to stop returning results. I'm not sure whether this is a "customization" or not, but figured this was slightly outside the norm.

Note that I've uploaded the logs to a pastebin service, as I was running into the character limit when posting them here.

Logs Success

Edited /etc/unbound/unbound.conf.d/pi-hole.conf to increase verbosity to 5 and am attaching the logs.

2 queries: one for www.google.com using dig www.google.com @127.0.0.1 -p 5335 outside of VPN, with the 2nd being for www.google.com on VPN (the 2nd query was returned from cache).

http://0x0.st/XsCi.txt

Logs Failure

Query www.eff.org using dig www.eff.org @127.0.0.1 -p 5335 on VPN

http://0x0.st/XsCH.txt

This setup (unbound returning results when the Pi4 is on VPN) has worked for more than 2 years, and something seems to have changed in the last month or so. No configuration changes were made, only standard OS updates.

Appreciate help in trying to figure out how to get it working again.

Your issue is not related to unbound.

As you've stated that you followed our guide, Pi-hole is using unbound on the same machine as its sole upstream DNS server, making Pi-hole on localhost unbound's only client. That connection is localhost only, so it won't be affected by how a DNS client is connecting to Pi-hole.

That could indicate that your issue is with your VPN not using Pi-hole for DNS.

This is supported by your log:
Your second log does not contain a single occurrence of www.google.com, demonstrating that your Pi-hole has never forwarded that query to unbound.
With unbound being Pi-hole's sole upstream, that could only happen if Pi-hole had blocked that request, or if it had never received that request to begin with.

You should check your VPN configuration for its DNS details.

I was traveling, hence the late response. Back now, so my replies should be faster.

Your second log does not contain a single occurrence of www.google.com, demonstrating that your Pi-hole has never forwarded that query to unbound.

In order to ensure that there are no cached forwards, the 2nd log, i.e. Logs Failure, uses a query for www.eff.org instead of www.google.com, run on VPN:

dig www.eff.org @127.0.0.1 -p 5335

But all of the responses from the root server seem to be empty:

Mar 29 15:37:28 raspberrypi unbound[814]: [814:0] info: reply from <.> 192.112.36.4#53
Mar 29 15:37:28 raspberrypi unbound[814]: [814:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
                                          ;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
                                          ;; QUESTION SECTION:
                                          www.eff.org.        IN        A

                                          ;; ANSWER SECTION:

                                          ;; AUTHORITY SECTION:

                                          ;; ADDITIONAL SECTION:
                                          ;; MSG SIZE  rcvd: 29

Which in turn shows in the logs as:

Mar 29 15:37:28 raspberrypi unbound[814]: [814:0] info: query response was THROWAWAY
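The log excerpt above is easier to judge when the whole verbose log is reduced to one row per upstream reply (which server answered, for which zone, with which rcode and section counts, and what unbound decided to do with it). The following script is an added example written for this thread, not code from the post, the pastebin or the Pi-hole/unbound projects. It parses unbound's verbosity 3+ "reply from <zone> ip#port" / "incoming scrubbed packet" / "query response was ..." lines. The SAMPLE_LOG is constructed to mirror the format shown in the post: one healthy referral from a root server (IP and counts are made up) next to a REFUSED reply like the one quoted above. The is_suspicious() rule is this example's own heuristic, not an unbound setting.

```python
"""Reduce a verbose unbound log to one row per upstream reply (added example)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Patterns for the unbound log lines quoted in the thread (verbosity >= 3).
REPLY_RE = re.compile(r"info: reply from <(?P<zone>[^>]*)> (?P<server>\S+)")
HEADER_RE = re.compile(r"rcode: (?P<rcode>[A-Z]+), id:")
COUNTS_RE = re.compile(r"(ANSWER|AUTHORITY|ADDITIONAL): (\d+)")
QUESTION_RE = re.compile(r"^\s*(?P<qname>\S+)\s+IN\s+(?P<qtype>[A-Z0-9]+)\s*$")
VERDICT_RE = re.compile(r"info: query response was (?P<verdict>\S+)")


@dataclass
class Reply:
    zone: str                  # delegation point asked, "." means a root server
    server: str                # ip#port unbound believes sent the reply
    rcode: str = ""
    counts: dict = field(default_factory=dict)  # ANSWER / AUTHORITY / ADDITIONAL
    qname: str = ""
    qtype: str = ""
    verdict: str = ""          # unbound's own classification, e.g. THROWAWAY

    def is_empty(self) -> bool:
        return sum(self.counts.get(k, 0) for k in ("ANSWER", "AUTHORITY", "ADDITIONAL")) == 0

    def is_suspicious(self) -> bool:
        # Heuristic (this example's, not unbound's): a server at a delegation
        # point normally answers NOERROR with data or a referral. REFUSED, or
        # a packet with no records at all, is what unbound then throws away.
        return self.rcode != "NOERROR" or self.is_empty()


def parse_unbound_replies(lines: Iterable[str]) -> list[Reply]:
    """Walk the log once; continuation lines carry no syslog prefix."""
    replies: list[Reply] = []
    current: Optional[Reply] = None
    expect_question = False
    for raw in lines:
        line = raw.rstrip()
        m = REPLY_RE.search(line)
        if m:  # a new reply starts here
            current = Reply(zone=m.group("zone"), server=m.group("server"))
            replies.append(current)
            expect_question = False
            continue
        if current is None:
            continue
        m = HEADER_RE.search(line)
        if m:
            current.rcode = m.group("rcode")
            continue
        if "QUERY:" in line and COUNTS_RE.search(line):
            current.counts = {k: int(v) for k, v in COUNTS_RE.findall(line)}
            continue
        if line.strip() == ";; QUESTION SECTION:":
            expect_question = True
            continue
        if expect_question:
            m = QUESTION_RE.match(line)
            if m:
                current.qname, current.qtype = m.group("qname"), m.group("qtype")
                expect_question = False
            continue
        m = VERDICT_RE.search(line)
        if m:  # the verdict line closes the current reply
            current.verdict = m.group("verdict")
            current = None
    return replies


def summarize(replies: list[Reply]) -> dict:
    """rcode histogram per upstream server, e.g. every root reply being REFUSED."""
    per_server: dict = defaultdict(Counter)
    for r in replies:
        per_server[r.server][r.rcode or "NO-HEADER"] += 1
    return {s: dict(c) for s, c in per_server.items()}


def suspicious_replies(replies: list[Reply]) -> list:
    return [(r.server, r.zone, r.rcode) for r in replies if r.is_suspicious()]


# Constructed sample, modelled on the log format in the post; the first reply
# (server, counts, NS record) is made up, the second mirrors the quoted lines.
SAMPLE_LOG = """\
Mar 29 15:36:02 raspberrypi unbound[814]: [814:0] info: reply from <.> 198.41.0.4#53
Mar 29 15:36:02 raspberrypi unbound[814]: [814:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
                                          ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                          ;; QUESTION SECTION:
                                          www.google.com.        IN        A

                                          ;; ANSWER SECTION:

                                          ;; AUTHORITY SECTION:
                                          com.        172800        IN        NS        a.gtld-servers.net.
Mar 29 15:36:02 raspberrypi unbound[814]: [814:0] info: query response was REFERRAL
Mar 29 15:37:28 raspberrypi unbound[814]: [814:0] info: reply from <.> 192.112.36.4#53
Mar 29 15:37:28 raspberrypi unbound[814]: [814:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
                                          ;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
                                          ;; QUESTION SECTION:
                                          www.eff.org.        IN        A
Mar 29 15:37:28 raspberrypi unbound[814]: [814:0] info: query response was THROWAWAY
"""

if __name__ == "__main__":
    parsed = parse_unbound_replies(SAMPLE_LOG.splitlines())
    for r in parsed:
        print(f"{r.server:>18} zone={r.zone!r} rcode={r.rcode:<8} {r.counts} "
              f"verdict={r.verdict} suspicious={r.is_suspicious()}")
    print(summarize(parsed))
    print(suspicious_replies(parsed))
```

Run it against the failure log downloaded from the pastebin instead of SAMPLE_LOG (e.g. `parse_unbound_replies(open("XsCH.txt"))`) and look at summarize(): a genuine root server answers a query for www.eff.org with a NOERROR referral to the .org servers, never with REFUSED, so when every reply attributed to a root-server address is REFUSED and empty, what answered was most likely not the root server but something on the VPN path between unbound and the Internet, which is the VPN DNS handling the earlier reply already asked to be checked. The "flags: qr ra" in the REFUSED packet is a further hint worth noting: a recursion-available flag is what a recursive resolver sets, not an authoritative root server.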