Unbound doesn't work, connection timed out

masadat@raspberrypi:~ $ dig +short -x 199.9.14.201
b.root-servers.net.
masadat@raspberrypi:~ $ dig +short -x 192.33.4.12
c.root-servers.net.
masadat@raspberrypi:~ $ dig +short ns .
a.root-servers.net.
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.
masadat@raspberrypi:~ $ ping a.root-servers.net.
PING a.root-servers.net (198.41.0.4) 56(84) bytes of data.
64 bytes from a.root-servers.net (198.41.0.4): icmp_seq=1 ttl=52 time=50.0 ms
64 bytes from a.root-servers.net (198.41.0.4): icmp_seq=2 ttl=52 time=48.6 ms
64 bytes from a.root-servers.net (198.41.0.4): icmp_seq=3 ttl=52 time=49.5 ms
64 bytes from a.root-servers.net (198.41.0.4): icmp_seq=4 ttl=52 time=48.7 ms
64 bytes from a.root-servers.net (198.41.0.4): icmp_seq=5 ttl=52 time=49.3 ms
^X64 bytes from a.root-servers.net (198.41.0.4): icmp_seq=6 ttl=52 time=50.2 ms
^C
--- a.root-servers.net ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 48.631/49.376/50.171/0.584 ms
masadat@raspberrypi:~ $ ping b.root-servers.net.
PING b.root-servers.net (199.9.14.201) 56(84) bytes of data.
64 bytes from b.root-servers.net (199.9.14.201): icmp_seq=1 ttl=55 time=49.3 ms
64 bytes from b.root-servers.net (199.9.14.201): icmp_seq=2 ttl=55 time=48.3 ms
64 bytes from b.root-servers.net (199.9.14.201): icmp_seq=3 ttl=55 time=49.1 ms
64 bytes from b.root-servers.net (199.9.14.201): icmp_seq=4 ttl=55 time=47.5 ms
^C
--- b.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3383ms
rtt min/avg/max/mdev = 47.485/48.542/49.336/0.719 ms
masadat@raspberrypi:~ $ ping c.root-servers.net.
PING c.root-servers.net (192.33.4.12) 56(84) bytes of data.
64 bytes from c.root-servers.net (192.33.4.12): icmp_seq=1 ttl=51 time=189 ms
64 bytes from c.root-servers.net (192.33.4.12): icmp_seq=2 ttl=51 time=189 ms
64 bytes from c.root-servers.net (192.33.4.12): icmp_seq=3 ttl=51 time=188 ms
64 bytes from c.root-servers.net (192.33.4.12): icmp_seq=4 ttl=51 time=187 ms
^C
--- c.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 186.650/188.159/188.867/0.882 ms
masadat@raspberrypi:~ $ ping d.root-servers.net.
PING d.root-servers.net (199.7.91.13) 56(84) bytes of data.
64 bytes from d.root-servers.net (199.7.91.13): icmp_seq=1 ttl=58 time=4.26 ms
64 bytes from d.root-servers.net (199.7.91.13): icmp_seq=2 ttl=58 time=4.01 ms
64 bytes from d.root-servers.net (199.7.91.13): icmp_seq=3 ttl=58 time=3.99 ms
64 bytes from d.root-servers.net (199.7.91.13): icmp_seq=4 ttl=58 time=2.52 ms
^C
--- d.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3563ms
rtt min/avg/max/mdev = 2.518/3.691/4.256/0.685 ms
masadat@raspberrypi:~ $ ping e.root-servers.net.
PING e.root-servers.net (192.203.230.10) 56(84) bytes of data.
64 bytes from e.root-servers.net (192.203.230.10): icmp_seq=1 ttl=58 time=27.2 ms
64 bytes from e.root-servers.net (192.203.230.10): icmp_seq=2 ttl=58 time=4.11 ms
64 bytes from e.root-servers.net (192.203.230.10): icmp_seq=3 ttl=58 time=3.70 ms
64 bytes from e.root-servers.net (192.203.230.10): icmp_seq=4 ttl=58 time=3.00 ms
^C
--- e.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 2.998/9.494/27.171/10.213 ms
masadat@raspberrypi:~ $ ping f.root-servers.net.
PING f.root-servers.net (192.5.5.241) 56(84) bytes of data.
64 bytes from f.root-servers.net (192.5.5.241): icmp_seq=1 ttl=57 time=4.21 ms
64 bytes from f.root-servers.net (192.5.5.241): icmp_seq=2 ttl=57 time=2.83 ms
64 bytes from f.root-servers.net (192.5.5.241): icmp_seq=3 ttl=57 time=3.46 ms
64 bytes from f.root-servers.net (192.5.5.241): icmp_seq=4 ttl=57 time=3.06 ms
^C
--- f.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 2.834/3.389/4.206/0.521 ms
masadat@raspberrypi:~ $ ping h.root-servers.net.
PING h.root-servers.net (198.97.190.53) 56(84) bytes of data.
64 bytes from h.root-servers.net (198.97.190.53): icmp_seq=1 ttl=50 time=83.1 ms
64 bytes from h.root-servers.net (198.97.190.53): icmp_seq=2 ttl=50 time=82.3 ms
64 bytes from h.root-servers.net (198.97.190.53): icmp_seq=3 ttl=50 time=82.9 ms
64 bytes from h.root-servers.net (198.97.190.53): icmp_seq=4 ttl=50 time=82.6 ms
^C
--- h.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4482ms
rtt min/avg/max/mdev = 82.258/82.706/83.070/0.307 ms
masadat@raspberrypi:~ $ ping i.root-servers.net.
PING i.root-servers.net (192.36.148.17) 56(84) bytes of data.
64 bytes from i.root-servers.net (192.36.148.17): icmp_seq=1 ttl=54 time=48.5 ms
64 bytes from i.root-servers.net (192.36.148.17): icmp_seq=2 ttl=54 time=48.5 ms
64 bytes from i.root-servers.net (192.36.148.17): icmp_seq=3 ttl=54 time=47.7 ms
64 bytes from i.root-servers.net (192.36.148.17): icmp_seq=4 ttl=54 time=46.7 ms
^C
--- i.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4084ms
rtt min/avg/max/mdev = 46.663/47.871/48.547/0.769 ms
masadat@raspberrypi:~ $ ping j.root-servers.net.
PING j.root-servers.net (192.58.128.30) 56(84) bytes of data.
64 bytes from j.root-servers.net (192.58.128.30): icmp_seq=1 ttl=242 time=47.8 ms
64 bytes from j.root-servers.net (192.58.128.30): icmp_seq=2 ttl=242 time=48.4 ms
64 bytes from j.root-servers.net (192.58.128.30): icmp_seq=3 ttl=242 time=49.2 ms
64 bytes from j.root-servers.net (192.58.128.30): icmp_seq=4 ttl=242 time=48.7 ms
^C
--- j.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3031ms
rtt min/avg/max/mdev = 47.824/48.526/49.177/0.492 ms
masadat@raspberrypi:~ $ ping
k.root-servers.net.
ping: usage error: Destination address required
-bash: k.root-servers.net.: command not found
masadat@raspberrypi:~ $ ping k.root-servers.net.
PING k.root-servers.net (193.0.14.129) 56(84) bytes of data.
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=1 ttl=52 time=225 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=2 ttl=52 time=225 ms
64 bytes from k.root-servers.net (193.0.14.129): icmp_seq=3 ttl=52 time=227 ms
^C
--- k.root-servers.net ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3002ms
rtt min/avg/max/mdev = 224.679/225.579/226.845/0.921 ms
masadat@raspberrypi:~ $ ping l.root-servers.net.
PING l.root-servers.net (199.7.83.42) 56(84) bytes of data.
64 bytes from l.root-servers.net (199.7.83.42): icmp_seq=1 ttl=54 time=49.8 ms
64 bytes from l.root-servers.net (199.7.83.42): icmp_seq=2 ttl=54 time=48.8 ms
64 bytes from l.root-servers.net (199.7.83.42): icmp_seq=3 ttl=54 time=47.9 ms
64 bytes from l.root-servers.net (199.7.83.42): icmp_seq=4 ttl=54 time=49.5 ms
^C
--- l.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3535ms
rtt min/avg/max/mdev = 47.869/49.010/49.809/0.745 ms
masadat@raspberrypi:~ $ ping m.root-servers.net.
PING m.root-servers.net (202.12.27.33) 56(84) bytes of data.
64 bytes from m.root-servers.net (202.12.27.33): icmp_seq=1 ttl=245 time=48.2 ms
64 bytes from m.root-servers.net (202.12.27.33): icmp_seq=2 ttl=245 time=47.8 ms
64 bytes from m.root-servers.net (202.12.27.33): icmp_seq=3 ttl=245 time=47.4 ms
64 bytes from m.root-servers.net (202.12.27.33): icmp_seq=4 ttl=245 time=47.7 ms
^C
--- m.root-servers.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3117ms
rtt min/avg/max/mdev = 47.411/47.785/48.233/0.295 ms

btw, I pinged all the root servers here and only g.root-servers.net. is timing out

You have "Bengal" in your handle/nick.
Are you located in India?

Internet censorship in India is selectively practised by both federal and state governments. DNS filtering and educating service users in better usage is an active strategy and government policy to regulate and block access to Internet content on a large scale.

If so, better ask your government representative.

No, I don't live in India, that would be my worst nightmare, I live in neighbouring Bangladesh, don't worry it's worse here, my speakers blew up the other day due to trash level electricity and I am subjected to Hollywood song parodies on loudspeakers about how we are all doomed to getting kicked by cows in the face.

Btw, Is there any way to get Ubuntu running on Raspberry Pi OS even if it means having that

cause as long as it works, I don't really care. It worked before, and the whole reason I want Unbound is to not have to use big name DNS servers like Google or Cloudflare, cause even they are subject to hacking and reduction in speed and whatnot, and it sounds cool to have a local DNS Server.

At this point, I have half a mind to even consider VPN, especially given that I can't watch ASCII Star Wars also (not important here but thought I would mention)

Edit: Also,

yeah no they don't help. why would anyone willingly admit to glaring issues in their business?

Yeah shortly after posting I realized I made a mistake :wink:
Same applies for Bangladesh by the looks of it:

The Government has approved the usage of Deep packet inspection to monitor web traffic.[5] According to Freedom House, Bangladesh is partly free.

Meaning not only DNS is sniffed/filtered but also unencrypted SNI when connecting to web servers:

The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.

If you configure unbound with that config file, it will function exactly the same as pihole-FTL does but without the ad blocking.
You can configure Pi-hole with any upstream DNS server IP(s) that you desire exactly the same as if you would with that unbound forward-addr config file but with one less DNS hop.
Check the Custom 1 to 4 address fields in the DNS settings also described in the docs:

https://docs.pi-hole.net/guides/dns/upstream-dns-providers/

With the pihole-FTL daemon you already have a DNS server with many options:

https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

But it doesn't resolve DNS names to IPs recursively like unbound can if configured correctly.
Meaning no unwanted config file and below needs to resolve:

Anyone that takes a glance at local news even for one day will know how much of an understatement that is. I heard on the news yesterday about how a government official chastised a news reporter for asking about the election and the fact there's literally no one coming to it. "The people of Sylhet just take their breakfasts late" or so it goes..

https://www.tbsnews.net/bangladesh/politics/10-hurt-bnp-programme-comes-under-police-attack-rajshahi-609146

We mostly just forget about this sort of stuff.

I just stared at that line for 2 hours. The only thing I need to know on a bad day is my DNS Server won't run because I live in a totalitarian third world country that spies on its citizens to suppress dissent. Can we not bring this issue to Politics? It's sad and most definitely true but I need a solution, not someone to blame. Same goes for ISP, they just said the root servers must be down or don't even exist.

I see not many options:

  1. VPN: Have to depend on another company, and speed is going to be bonkers amount of slow, but this seems like the only (and most definitely ironic) solution to running Unbound.
  2. Set Unbound up recursively: At least I tried.

Wait, now that I think about it, can I update manually or something, I CAN ping most of the root servers

  3. Set up Unbound as a stub resolver with resolvconf_resolvers.conf: not that it works anyway.

  4. Give up: Hey, at least I fixed pi-hole, so not all is lost.

  5. YOLO: Take out the Raspberry Pi Imager, Search on Google for Solutions and forum posts, and prepare for an unending session of troubleshooting and reinstallation.

Ping is not reliable for testing end to end.
Any router/hop/firewall between you and the root servers can reply to your ICMP ping.

If you read up on how recursive resolvers work, you would find out that this is close to impossible.
They not only work with root hints and nameserver records (ns), but there are also keys involved for checking validity for the records served.

You're a bit familiar with the dig command now I presume :wink:
Have a look below at all the queries unbound makes for just resolving the www.instagram.com domain.
The "Below my good logs" part:

VPN and Tor are the only ones that can encrypt all traffic.
With that, they won't be able to sniff DNS or SNI.

EDIT: Have a look at how those keys are managed/created:

Some call them "The Elders of The Internet" :wink:

EDIT2: Ow that's from "The IT Crowd" TV series:

Well that ends this one month (and a bit) saga.

Wow, this was a ride. Well a few things I have to note from this:

  1. I am being watched by the government right now: ...welp.

  2. We Are Sorry, but Setting Up A Recursive DNS Server is Not Possible in your Area: It happens sometimes, most companies are American or European anyways, so this wouldn't be the first time some service was unavailable here.

Yep, definitely.

I actually knew that this was nigh impossible, but still held hope that by some miracle, I would find a tool or something that would update everything for me. Held my hopes too high, I guess.

I will.

Haven't watched it yet, will watch when I have the time.

And that ends this thread I guess. This was my first post, let's see what other interesting problems and posts I run into! (I need sleep)

So, the Solution was: There is no solution lol. It's a local issue and there's nothing I can do about it.
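Added example, not part of the thread or of Pi-hole/Unbound: since ping only shows that something answers ICMP, this sketch sends the query a recursive resolver actually depends on (a non-recursive `. NS` lookup on port 53, over UDP and TCP) to root server addresses taken from the ping output above, and judges the reply by its header flags. The function names, the sample headers and the AA/RA heuristic are assumptions made for illustration.

```python
import random
import socket
import struct

# Root server addresses as printed in the ping output in this thread.
ROOTS = {"a": "198.41.0.4", "d": "199.7.91.13", "f": "192.5.5.241"}
# Constructed 12-byte headers (ID 0x1234): a root-style reply and a forwarder-style reply.
SAMPLE_ROOT = bytes.fromhex("123484000001000d0000000d")
SAMPLE_PROXY = bytes.fromhex("123481800001000d00000000")

def build_query(txid):
    """Non-recursive (RD=0) query for '. IN NS', as a resolver sends when priming."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)  # root name, NS, IN

def classify(reply, txid):
    """Judge a reply by its 12-byte header only."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or not a response
        return "malformed"
    if flags & 0x000F:  # non-zero RCODE such as REFUSED (5)
        return "rcode-%d" % (flags & 0x000F)
    # Assumption (heuristic): a root server answers '. NS' with AA=1 and RA=0;
    # a forwarder or interception proxy typically answers with RA=1 or AA=0.
    if flags & 0x0080 or not flags & 0x0400 or ancount == 0:
        return "suspect-not-a-root"
    return "authoritative"

def probe(ip, tcp=False, timeout=3.0):
    """Send the query to port 53 over UDP or TCP and classify what comes back."""
    txid = random.randrange(0x10000)
    query = build_query(txid)
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((ip, 53))
            if tcp:  # DNS over TCP prefixes each message with its 2-byte length
                s.sendall(struct.pack("!H", len(query)) + query)
                f = s.makefile("rb")
                reply = f.read(struct.unpack("!H", f.read(2))[0])
            else:
                s.send(query)
                reply = s.recv(4096)
    except socket.timeout:
        return "timeout"
    except (OSError, struct.error):
        return "error"
    return classify(reply, txid)

if __name__ == "__main__":
    for letter, ip in ROOTS.items():
        print(letter, ip, "udp:", probe(ip), "tcp:", probe(ip, tcp=True))
```

A `timeout` on port 53 for an address that answers ping, or a `suspect-not-a-root` result, points at filtering or interception on the path rather than at the Unbound configuration.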
