Trying to get unbound working with ftldns beta
Installed according to the guide Redirecting...
dig results
root@pihole:~# dig pi-hole.net @127.0.0.1 -p 5353
; <<>> DiG 9.10.3-P4-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45995
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.net. IN A;; Query time: 653 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 09:23:29 BST 2018
;; MSG SIZE rcvd: 40root@pihole:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A;; Query time: 677 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 09:26:53 BST 2018
;; MSG SIZE rcvd: 55
root@pihole:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A;; Query time: 677 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 09:26:53 BST 2018
;; MSG SIZE rcvd: 55root@pihole:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A;; Query time: 677 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 09:26:53 BST 2018
;; MSG SIZE rcvd: 55So good queries are failing, looks like DNSSEC issue
Added a log file as suggested on another topic hereroot@pihole:~# tail /var/log/unbound.log -f
[1529051004] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051005] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051006] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051007] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051008] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051009] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051208] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051209] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051210] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051211] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051212] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051213] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
config file
server:
logfile: /var/log/unbound.log
verbosity: 1
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes# May be set to yes if you have IPv6 connectivity do-ip6: no # Use this only when you downloaded the list of primary root servers! root-hints: "/var/lib/unbound/root.hints" # Trust glue only if it is within the servers authority harden-glue: yes # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS harden-dnssec-stripped: yes # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details use-caps-for-id: no # Reduce EDNS reassembly buffer size. # Suggested by the unbound man page to reduce fragmentation reassembly problems edns-buffer-size: 1472 # TTL bounds for cache cache-min-ttl: 3600 cache-max-ttl: 86400 # Perform prefetching of close to expired message cache entries # This only applies to domains that have been frequently queried prefetch: yes # One thread should be sufficient, can be increased on beefy machines num-threads: 1 # Ensure kernel buffer is large enough to not loose messages in traffic spikes so-rcvbuf: 1m # Ensure privacy of local IP ranges private-address: 192.168.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8