Unbound fails to load

Expected Behaviour:

Running Raspbian on a RPi 3. Tried to install Unbound DNS.

Actual Behaviour:

No issues when following the official installation guide, but after changing the upstream DNS server to 127.0.0.1#5335 no pages would load.

Debug Token:

*** [ INITIALIZING ]
[i] 2022-10-03:22:55:33 debug log has been initialized.
[i] System has been running for 62 days, 0 hours, 17 minutes

*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...

*** [ DIAGNOSING ]: Core version
[i] Core: v5.12.2 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Remotes: origin	https://github.com/pi-hole/pi-hole.git (fetch)
             origin	https://github.com/pi-hole/pi-hole.git (push)
[i] Branch: master
[i] Commit: v5.12.2-0-gd88629e

*** [ DIAGNOSING ]: Web version
[i] Web: v5.12 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Remotes: origin	https://github.com/pi-hole/AdminLTE.git (fetch)
             origin	https://github.com/pi-hole/AdminLTE.git (push)
[i] Branch: master
[i] Commit: v5.12-0-g6c320a4

*** [ DIAGNOSING ]: FTL version
[✓] FTL: v5.18.1
[i] Branch: master
[i] Commit: 4c8abe6

*** [ DIAGNOSING ]: lighttpd version
[i] 1.4.53

*** [ DIAGNOSING ]: php version
[i] 7.3.31

*** [ DIAGNOSING ]: Operating system
[i] dig return code:  0
[i] dig response:  "Raspbian=10,11 Ubuntu=20,22 Debian=10,11 Fedora=34 CentOS=8 Rocky=8"
[✓] Distro:  Raspbian
[✓] Version: 10

*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected

*** [ DIAGNOSING ]: FirewallD
[i] Firewalld service inactive

*** [ DIAGNOSING ]: Processor
[✓] armv7l

*** [ DIAGNOSING ]: Disk usage
   Filesystem      Size  Used Avail Use% Mounted on
   /dev/root        15G  1.8G   12G  13% /
   devtmpfs        776M     0  776M   0% /dev
   tmpfs           937M  1.6M  935M   1% /dev/shm
   tmpfs           937M   97M  840M  11% /run
   tmpfs           5.0M  4.0K  5.0M   1% /run/lock
   tmpfs           937M     0  937M   0% /sys/fs/cgroup
   /dev/mmcblk0p1  253M   49M  204M  20% /boot
   tmpfs           188M     0  188M   0% /run/user/999
   tmpfs           188M     0  188M   0% /run/user/1000

*** [ DIAGNOSING ]: Network interfaces and addresses
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host 
          valid_lft forever preferred_lft forever
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
       link/ether dc:a6:32:b3:a7:e4 brd ff:ff:ff:ff:ff:ff
       inet 192.168.8.238/24 brd 192.168.8.255 scope global noprefixroute eth0
          valid_lft forever preferred_lft forever
       inet6 fe80::bbc2:ac43:432b:c481/64 scope link 
          valid_lft forever preferred_lft forever
   3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
       link/ether dc:a6:32:b3:a7:e5 brd ff:ff:ff:ff:ff:ff

*** [ DIAGNOSING ]: Network routing table
   default via 192.168.8.1 dev eth0 src 192.168.8.238 metric 202 
   192.168.8.0/24 dev eth0 proto dhcp scope link src 192.168.8.238 metric 202 

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
    192.168.8.238/24

[✓] IPv6 address(es) bound to the eth0 interface:
    fe80::bbc2:ac43:432b:c481/64

[i] Default IPv4 gateway: 192.168.8.1
   * Pinging 192.168.8.1...
[✓] Gateway responded.

*** [ DIAGNOSING ]: Ports in use
[✓] udp:0.0.0.0:53 is in use by pihole-FTL
    udp:0.0.0.0:68 is in use by dhcpcd
    udp:0.0.0.0:59028 is in use by avahi-daemon
    udp:127.0.0.1:5335 is in use by unbound
    udp:0.0.0.0:5353 is in use by avahi-daemon
[✓] udp:*:53 is in use by pihole-FTL
    udp:*:40097 is in use by avahi-daemon
    udp:*:5353 is in use by avahi-daemon
[✓] tcp:0.0.0.0:80 is in use by lighttpd
[✓] tcp:0.0.0.0:53 is in use by pihole-FTL
    tcp:0.0.0.0:22 is in use by sshd
    tcp:127.0.0.1:5335 is in use by unbound
[✓] tcp:127.0.0.1:4711 is in use by pihole-FTL
[✓] tcp:[::]:80 is in use by lighttpd
[✓] tcp:[::]:53 is in use by pihole-FTL
    tcp:[::]:22 is in use by sshd
[✓] tcp:[::1]:4711 is in use by pihole-FTL

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] bpeml.mlb.com is 0.0.0.0 on lo (127.0.0.1)
[✓] bpeml.mlb.com is 0.0.0.0 on eth0 (192.168.8.238)
[✓] doubleclick.com is 216.58.212.206 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] search.reco.ns.machinens-service.net.zooplus.it is :: on lo (::1)
[✓] search.reco.ns.machinens-service.net.zooplus.it is :: on eth0 (fe80::bbc2:ac43:432b:c481)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   WARN: Could not sendto() in send_dhcp_discover() (/__w/FTL/FTL/src/dhcp-discover.c:233): Network is unreachable
   * Received 300 bytes from eth0:192.168.8.1
     Offered IP address: 192.168.8.239
     Server IP address: 192.168.8.1
     Relay-agent IP address: N/A
     BOOTP server: (empty)
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.8.1
      lease-time: 43200 ( 12h )
      renewal-time: 21600 ( 6h )
      rebinding-time: 37800 ( 10h 30m )
      netmask: 255.255.255.0
      broadcast: 192.168.8.255
      router: 192.168.8.1
      dns-server: 192.168.8.1
      domain-name: "lan"
      --- end of options ---
    
   DHCP packets received on interface eth0: 1
   DHCP packets received on interface lo: 0
   DHCP packets received on interface wlan0: 0

*** [ DIAGNOSING ]: Pi-hole processes
[✓] lighttpd daemon is active
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Pi-hole-FTL full status
   ● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated)
   Active: active (exited) since Mon 2022-10-03 22:45:14 BST; 10min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 21116 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Oct 03 22:45:14 raspberrypi systemd[1]: Starting LSB: pihole-FTL daemon...
Oct 03 22:45:14 raspberrypi pihole-FTL[21116]: Not running
Oct 03 22:45:14 raspberrypi su[21138]: (to pihole) root on none
Oct 03 22:45:14 raspberrypi su[21138]: pam_unix(su:session): session opened for user pihole by (uid=0)
Oct 03 22:45:14 raspberrypi pihole-FTL[21116]: FTL started!
Oct 03 22:45:14 raspberrypi su[21138]: pam_unix(su:session): session closed for user pihole
Oct 03 22:45:14 raspberrypi systemd[1]: Started LSB: pihole-FTL daemon.

*** [ DIAGNOSING ]: Setup variables
    BLOCKING_ENABLED=true
    IPV4_ADDRESS=192.168.8.238/24
    IPV6_ADDRESS=
    DNSSEC=false
    REV_SERVER=false
    PIHOLE_INTERFACE=eth0
    QUERY_LOGGING=false
    INSTALL_WEB_SERVER=true
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=true
    CACHE_SIZE=10000
    DNS_FQDN_REQUIRED=true
    DNS_BOGUS_PRIV=true
    DNSMASQ_LISTENING=local
    PIHOLE_DNS_1=9.9.9.10
    PIHOLE_DNS_2=149.112.112.10
    PIHOLE_DNS_3=127.0.0.1#5335

*** [ DIAGNOSING ]: Dashboard headers
[✓] Web interface X-Header: X-Pi-hole: The Pi-hole Web interface is working!

*** [ DIAGNOSING ]: Pi-hole FTL Query Database
-rw-rw-r-- 1 pihole pihole 125M Oct  3 22:55 /etc/pihole/pihole-FTL.db

*** [ DIAGNOSING ]: Gravity Database
-rw-rw-r-- 1 pihole pihole 14M Oct  3 22:44 /etc/pihole/gravity.db

*** [ DIAGNOSING ]: Info table
   property              value                                   
   --------------------  ----------------------------------------
   version               15                                      
   updated               1664833471                              
   gravity_count         177551                                  
   Last gravity run finished at: Mon Oct  3 22:44:31 BST 2022

   ----- First 10 Gravity Domains -----
   localhost.localdomain
   eu1.clevertap-prod.com
   wizhumpgyros.com
   coccyxwickimp.com
   webmail-who-int.000webhostapp.com
   010sec.com
   01mspmd5yalky8.com
   0byv9mgbn0.com
   ns6.0pendns.org
   dns.0pengl.com


*** [ DIAGNOSING ]: Groups
   id    enabled  name                                                date_added           date_modified        description                                       
   ----  -------  --------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   0           1  Default                                             2021-08-25 00:56:47  2021-08-25 00:56:47  The default group                                 

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
   id     type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   -----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1       1          1  0             clicktale.net                                                                                         2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   2       1          1  0             www.clicktale.net                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   3       1          1  0             conductor.clicktale.net                                                                               2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   4       1          1  0             www.conductor.clicktale.net                                                                           2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   5       1          1  0             ing-district.clicktale.net                                                                            2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   6       1          1  0             www.ing-district.clicktale.net                                                                        2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   7       1          1  0             cdnssl.clicktale.net                                                                                  2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   8       1          1  0             www.cdnssl.clicktale.net                                                                              2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   9       1          1  0             cdn.clicktale.net                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   10      1          1  0             www.cdn.clicktale.net                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   11      1          1  0             static.hotjar.com                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   12      1          1  0             www.static.hotjar.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   13      1          1  0             script.hotjar.com                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   14      1          1  0             www.script.hotjar.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   15      1          1  0             mc.yandex.ru                                                                                          2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   16      1          1  0             www.mc.yandex.ru                                                                                      2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   17      1          1  0             cdn.decibelinsight.net                                                                                2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   18      1          1  0             www.cdn.decibelinsight.net                                                                            2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   19      1          1  0             ws.sessioncam.com                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   20      1          1  0             www.ws.sessioncam.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   21      1          1  0             d2oh4tlt9mrke9.cloudfront.net                                                                         2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   22      1          1  0             www.d2oh4tlt9mrke9.cloudfront.net                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   23      1          1  0             api.iperceptions.com                                                                                  2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   24      1          1  0             www.api.iperceptions.com                                                                              2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   25      1          1  0             bskyb.demdex.net                                                                                      2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   26      1          1  0             www.bskyb.demdex.net                                                                                  2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   27      1          1  0             dpm.demdex.net                                                                                        2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   28      1          1  0             www.dpm.demdex.net                                                                                    2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   29      1          1  0             col.eum-appdynamics.com                                                                               2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   30      1          1  0             www.col.eum-appdynamics.com                                                                           2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   31      1          1  0             cdn.mouseflow.com                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   32      1          1  0             www.cdn.mouseflow.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   33      1          1  0             cdn.inspectlet.com                                                                                    2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   34      1          1  0             www.cdn.inspectlet.com                                                                                2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   35      1          1  0             hn.inspectlet.com                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   36      1          1  0             www.hn.inspectlet.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   37      1          1  0             wu-app.quantummetric.com                                                                              2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   38      1          1  0             www.wu-app.quantummetric.com                                                                          2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   39      1          1  0             cdn.quantummetric.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   40      1          1  0             www.cdn.quantummetric.com                                                                             2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   41      1          1  0             neimans-app.quantummetric.com                                                                         2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   42      1          1  0             www.neimans-app.quantummetric.com                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   43      1          1  0             frontier-app.quantummetric.com                                                                        2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   44      1          1  0             www.frontier-app.quantummetric.com                                                                    2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   45      1          1  0             d10lpsik1i8c69.cloudfront.net                                                                         2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   46      1          1  0             www.d10lpsik1i8c69.cloudfront.net                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   47      1          1  0             rs.fullstory.com                                                                                      2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   48      1          1  0             www.rs.fullstory.com                                                                                  2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   49      1          1  0             bizographics.com                                                                                      2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   50      1          1  0             www.bizographics.com                                                                                  2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   51      1          1  0             rec.smartlook.com                                                                                     2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   52      1          1  0             www.rec.smartlook.com                                                                                 2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   53      1          1  0             sb.scorecardresearch.com                                                                              2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   54      1          1  0             www.sb.scorecardresearch.com                                                                          2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   55      1          1  0             cdn.userreplay.net                                                                                    2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   56      1          1  0             www.cdn.userreplay.net                                                                                2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   57      1          1  0             onaudience.com                                                                                        2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   58      1          1  0             www.onaudience.com                                                                                    2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   59      1          1  0             pixel.onaudience.com                                                                                  2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   60      1          1  0             www.pixel.onaudience.com                                                                              2021-08-25 01:39:11  2021-08-25 01:39:11                                                    
   64      1          1  0             www.instagram.com                                                                                     2021-11-02 21:52:24  2021-11-02 21:52:53                                                    
   65      1          1  0             instagram.com                                                                                         2021-11-02 21:52:30  2021-11-02 21:52:30  Added from Query Log                              
   68     0           1  0             googleads.g.doubleclick.net                                                                           2021-12-24 13:15:45  2021-12-24 13:15:45  Added from Query Log                              
   69     0           1  0             app.adjust.world                                                                                      2022-01-19 19:03:24  2022-01-19 19:03:24  Added from Query Log                              
   70     0           1  0             sdk.split.io                                                                                          2022-01-19 19:03:27  2022-01-19 19:03:27  Added from Query Log                              
   71     0           1  0             cdn.segment.com                                                                                       2022-01-19 19:04:10  2022-01-19 19:04:10  Added from Query Log                              

*** [ DIAGNOSING ]: Clients

*** [ DIAGNOSING ]: Adlists
   id     enabled  group_ids     address                                                                                               date_added           date_modified        comment                                           
   -----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1            1  0             https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts                                      2021-08-25 00:56:47  2021-08-25 00:56:47  Migrated from /etc/pihole/adlists.list            
   2            1  0             https://raw.githubusercontent.com/anudeepND/blacklist/master/facebook.txt                             2021-08-25 01:32:46  2021-08-25 01:32:46                                                    
   3            1  0             https://adaway.org/hosts.txt                                                                          2021-08-25 01:33:33  2021-08-25 01:33:33                                                    
   4            1  0             https://v.firebog.net/hosts/Easyprivacy.txt                                                           2021-08-25 01:33:48  2021-08-25 01:33:48                                                    
   5            1  0             https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt                    2021-08-25 01:34:04  2021-08-25 01:34:04                                                    
   6            1  0             https://raw.githubusercontent.com/kboghdady/youTube_ads_4_pi-hole/master/youtubelist.txt              2022-05-13 14:19:29  2022-05-13 14:19:29                                                    

*** [ DIAGNOSING ]: contents of /etc/pihole

-rw-r--r-- 1 root root 0 Aug 25  2021 /etc/pihole/custom.list

-rw-r--r-- 1 root root 65 Oct  3 22:44 /etc/pihole/local.list

-rw-r--r-- 1 root root 241 Oct  3 22:44 /etc/pihole/logrotate
   /var/log/pihole/pihole.log {
   	su root root
   	daily
   	copytruncate
   	rotate 5
   	compress
   	delaycompress
   	notifempty
   	nomail
   }
   /var/log/pihole/FTL.log {
   	su root root
   	weekly
   	copytruncate
   	rotate 3
   	compress
   	delaycompress
   	notifempty
   	nomail
   }

-rw-rw-r-- 1 pihole root 34 Oct  3 22:45 /etc/pihole/pihole-FTL.conf
   RATE_LIMIT=1000/60
   PRIVACYLEVEL=0

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 1.4K Oct  3 22:45 /etc/dnsmasq.d/01-pihole.conf
   addn-hosts=/etc/pihole/local.list
   addn-hosts=/etc/pihole/custom.list
   localise-queries
   no-resolv
   cache-size=10000
   log-facility=/var/log/pihole/pihole.log
   log-async
   server=9.9.9.10
   server=149.112.112.10
   server=127.0.0.1#5335
   domain-needed
   expand-hosts
   bogus-priv
   local-service

-rw-r--r-- 1 root root 2.2K Oct  3 22:44 /etc/dnsmasq.d/06-rfc6761.conf
   server=/test/
   server=/localhost/
   server=/invalid/
   server=/bind/
   server=/onion/

*** [ DIAGNOSING ]: contents of /etc/lighttpd

-rw-r--r-- 1 root root 0 Mar  9  2022 /etc/lighttpd/external.conf

-rw-r--r-- 1 root root 5.6K Oct  3 22:44 /etc/lighttpd/lighttpd.conf
   server.modules = (
       "mod_access",
       "mod_accesslog",
       "mod_auth",
       "mod_expire",
       "mod_redirect",
       "mod_setenv",
       "mod_rewrite"
   )
   server.document-root        = "/var/www/html"
   server.error-handler-404    = "/pihole/index.php"
   server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
   server.errorlog             = "/var/log/lighttpd/error-pihole.log"
   server.pid-file             = "/run/lighttpd.pid"
   server.username             = "www-data"
   server.groupname            = "www-data"
   server.port                 = 80
   accesslog.filename          = "/var/log/lighttpd/access-pihole.log"
   accesslog.format            = "%{%s}t|%V|%r|%s|%b"
   server.stream-response-body = 1
   index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
   url.access-deny             = ( "~", ".inc", ".md", ".yml", ".ini" )
   static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
   mimetype.assign = (
       ".ico"   => "image/x-icon",
       ".jpeg"  => "image/jpeg",
       ".jpg"   => "image/jpeg",
       ".png"   => "image/png",
       ".svg"   => "image/svg+xml",
       ".css"   => "text/css; charset=utf-8",
       ".html"  => "text/html; charset=utf-8",
       ".js"    => "text/javascript; charset=utf-8",
       ".json"  => "application/json; charset=utf-8",
       ".map"   => "application/json; charset=utf-8",
       ".txt"   => "text/plain; charset=utf-8",
       ".eot"   => "application/vnd.ms-fontobject",
       ".otf"   => "font/otf",
       ".ttc"   => "font/collection",
       ".ttf"   => "font/ttf",
       ".woff"  => "font/woff",
       ".woff2" => "font/woff2"
   )
   include_shell "cat external.conf 2>/dev/null"
   include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
   include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"
' 2>/dev/null"
   $HTTP["url"] =~ "^/admin/" {
       setenv.add-response-header = (
           "X-Pi-hole" => "The Pi-hole Web interface is working!",
           "X-Frame-Options" => "DENY",
           "X-XSS-Protection" => "1; mode=block",
           "X-Content-Type-Options" => "nosniff",
           "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
           "X-Permitted-Cross-Domain-Policies" => "none",
           "Referrer-Policy" => "same-origin"
       )
   }
   $HTTP["url"] =~ "^/admin/\.(.*)" {
       url.access-deny = ("")
   }
   $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
       $HTTP["referer"] =~ "/admin/settings\.php" {
           setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
       }
   }
   expire.url = ( "" => "access plus 0 seconds" )

*** [ DIAGNOSING ]: contents of /etc/cron.d

-rw-r--r-- 1 root root 1.8K Oct  3 22:44 /etc/cron.d/pihole
   51 3   * * 7   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updateGravity >/var/log/pihole/pihole_updateGravity.log || cat /var/log/pihole/pihole_updateGravity.log
   00 00   * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole flush once quiet
   @reboot root /usr/sbin/logrotate --state /var/lib/logrotate/pihole /etc/pihole/logrotate
   */10 *  * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker local
   15 14  * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker remote
   @reboot root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker remote reboot

*** [ DIAGNOSING ]: contents of /var/log/lighttpd

-rw-r--r-- 1 www-data www-data 71 Oct  3 22:44 /var/log/lighttpd/error-pihole.log
   -----head of error-pihole.log------
   2022-10-03 22:44:18: (server.c.1464) server started (lighttpd/1.4.53) 

   -----tail of error-pihole.log------
   2022-10-03 22:44:18: (server.c.1464) server started (lighttpd/1.4.53) 

*** [ DIAGNOSING ]: contents of /var/log/pihole

-rw-r--r-- 1 pihole pihole 33K Oct  3 22:50 /var/log/pihole/FTL.log
   -----head of FTL.log------
   [2022-10-03 01:00:00.042 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 02:00:00.046 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 03:00:00.042 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 04:00:00.109 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 05:00:00.074 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 06:00:00.133 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 07:00:00.111 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 08:00:00.119 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 09:00:00.106 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 10:00:00.037 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 11:00:00.100 608/T612] Notice: Database size is 130.07 MB, deleted 90 rows
   [2022-10-03 12:00:00.112 608/T612] Notice: Database size is 130.07 MB, deleted 8 rows
   [2022-10-03 12:36:11.184 608M] Resizing "FTL-dns-cache" from 221184 to (14080 * 16) == 225280 (/dev/shm: 2.1MB used, 981.6MB total, FTL uses 2.1MB)
   [2022-10-03 12:50:34.192 608M] Resizing "FTL-strings" from 286720 to (327680 * 1) == 327680 (/dev/shm: 2.1MB used, 981.6MB total, FTL uses 2.1MB)
   [2022-10-03 13:00:00.254 608/T612] Notice: Database size is 130.07 MB, deleted 8 rows
   [2022-10-03 14:00:00.252 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 15:00:00.114 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 16:00:00.072 608/T612] Notice: Database size is 130.07 MB, deleted 4 rows
   [2022-10-03 16:48:44.368 608M] Resizing "FTL-dns-cache" from 225280 to (14336 * 16) == 229376 (/dev/shm: 2.2MB used, 981.6MB total, FTL uses 2.2MB)
   [2022-10-03 17:00:00.370 608/T612] Notice: Database size is 130.07 MB, deleted 295 rows
   [2022-10-03 17:59:00.150 608/T612] Notice: Database size is 130.07 MB, deleted 7 rows
   [2022-10-03 18:32:44.292 608M] Resizing "FTL-dns-cache" from 229376 to (14592 * 16) == 233472 (/dev/shm: 2.2MB used, 981.6MB total, FTL uses 2.2MB)
   [2022-10-03 19:00:00.123 608/T612] Notice: Database size is 130.07 MB, deleted 240 rows
   [2022-10-03 20:00:00.017 608/T612] Notice: Database size is 130.07 MB, deleted 12 rows
   [2022-10-03 21:00:00.115 608/T612] Notice: Database size is 130.07 MB, deleted 8 rows
   [2022-10-03 22:00:00.091 608/T612] Notice: Database size is 130.07 MB, deleted 8 rows
   [2022-10-03 22:27:59.252 608M] Shutting down...
   [2022-10-03 22:27:59.524 608M] Finished final database update (stored 4 queries)
   [2022-10-03 22:27:59.524 608M] Waiting for threads to join
   [2022-10-03 22:27:59.524 608M] Thread telnet-IPv4 (0) is idle, terminating it.
   [2022-10-03 22:27:59.524 608M] Thread telnet-IPv6 (1) is idle, terminating it.
   [2022-10-03 22:27:59.525 608M] Thread telnet-socket (2) is idle, terminating it.
   [2022-10-03 22:27:59.525 608M] Thread database (3) is idle, terminating it.
   [2022-10-03 22:27:59.526 608M] Thread housekeeper (4) is idle, terminating it.
   [2022-10-03 22:27:59.526 608M] Thread DNS client (5) is idle, terminating it.

(remaining debug log)

   -----tail of FTL.log------
   [2022-10-03 22:45:14.410 21141M]    CHECK_LOAD: Enabled
   [2022-10-03 22:45:14.410 21141M]    CHECK_SHMEM: Warning if shared-memory usage exceeds 90%
   [2022-10-03 22:45:14.410 21141M]    CHECK_DISK: Warning if certain disk usage exceeds 90%
   [2022-10-03 22:45:14.410 21141M] Finished config file parsing
   [2022-10-03 22:45:14.411 21141M] Database version is 12
   [2022-10-03 22:45:14.411 21141M] Resizing "FTL-strings" from 40960 to (81920 * 1) == 81920 (/dev/shm: 1.2MB used, 981.6MB total, FTL uses 1.2MB)
   [2022-10-03 22:45:14.411 21141M] Imported 0 alias-clients
   [2022-10-03 22:45:14.411 21141M] Database successfully initialized
   [2022-10-03 22:45:14.491 21141M] New upstream server: 149.112.112.10:53 (0/1024)
   [2022-10-03 22:45:14.493 21141M] New upstream server: 9.9.9.10:53 (1/1024)
   [2022-10-03 22:45:14.544 21141M] Resizing "FTL-queries" from 180224 to (8192 * 44) == 360448 (/dev/shm: 1.3MB used, 981.6MB total, FTL uses 1.3MB)
   [2022-10-03 22:45:14.578 21141M] Resizing "FTL-domains" from 20480 to (2048 * 20) == 40960 (/dev/shm: 1.4MB used, 981.6MB total, FTL uses 1.4MB)
   [2022-10-03 22:45:14.615 21141M] New upstream server: 127.0.0.1:5335 (2/1024)
   [2022-10-03 22:45:14.626 21141M] Imported 8170 queries from the long-term database
   [2022-10-03 22:45:14.626 21141M]  -> Total DNS queries: 8170
   [2022-10-03 22:45:14.626 21141M]  -> Cached DNS queries: 224
   [2022-10-03 22:45:14.626 21141M]  -> Forwarded DNS queries: 5508
   [2022-10-03 22:45:14.626 21141M]  -> Blocked DNS queries: 2438
   [2022-10-03 22:45:14.626 21141M]  -> Unknown DNS queries: 0
   [2022-10-03 22:45:14.626 21141M]  -> Unique domains: 1384
   [2022-10-03 22:45:14.626 21141M]  -> Unique clients: 2
   [2022-10-03 22:45:14.626 21141M]  -> Known forward destinations: 3
   [2022-10-03 22:45:14.626 21141M] Successfully accessed setupVars.conf
   [2022-10-03 22:45:14.627 21141M] listening on 0.0.0.0 port 53
   [2022-10-03 22:45:14.627 21141M] listening on :: port 53
   [2022-10-03 22:45:14.632 21143M] PID of FTL process: 21143
   [2022-10-03 22:45:14.633 21143M] Listening on port 4711 for incoming IPv4 telnet connections
   [2022-10-03 22:45:14.633 21143M] Listening on port 4711 for incoming IPv6 telnet connections
   [2022-10-03 22:45:14.634 21143M] Listening on port 4711 for incoming socket telnet connections
   [2022-10-03 22:45:14.634 21143M] INFO: FTL is running as user pihole (UID 999)
   [2022-10-03 22:45:14.635 21143M] Reloading DNS cache
   [2022-10-03 22:45:14.737 21143/T21159] Compiled 0 whitelist and 0 blacklist regex filters for 2 clients in 0.5 msec
   [2022-10-03 22:45:14.738 21143/T21159] Blocking status is enabled
   [2022-10-03 22:49:13.086 21143M] Resizing "FTL-queries" from 360448 to (12288 * 44) == 540672 (/dev/shm: 1.5MB used, 981.6MB total, FTL uses 1.5MB)
   [2022-10-03 22:50:00.083 21143/T21159] Notice: Database size is 130.07 MB, deleted 3 rows

*** [ DIAGNOSING ]: contents of /dev/shm
-rw------- 1 pihole pihole 324K Oct  3 22:45 /dev/shm/FTL-clients
-rw------- 1 pihole pihole 244 Oct  3 22:45 /dev/shm/FTL-counters
-rw------- 1 pihole pihole 4.0K Oct  3 22:45 /dev/shm/FTL-dns-cache
-rw------- 1 pihole pihole 40K Oct  3 22:45 /dev/shm/FTL-domains
-rw------- 1 pihole pihole 56 Oct  3 22:45 /dev/shm/FTL-lock
-rw------- 1 pihole pihole 12K Oct  3 22:45 /dev/shm/FTL-overTime
-rw------- 1 pihole pihole 4.0K Oct  3 22:45 /dev/shm/FTL-per-client-regex
-rw------- 1 pihole pihole 528K Oct  3 22:45 /dev/shm/FTL-queries
-rw------- 1 pihole pihole 12 Oct  3 22:45 /dev/shm/FTL-settings
-rw------- 1 pihole pihole 80K Oct  3 22:45 /dev/shm/FTL-strings
-rw------- 1 pihole pihole 604K Oct  3 22:45 /dev/shm/FTL-upstreams

*** [ DIAGNOSING ]: contents of /etc

-rw-r--r-- 1 root root 24 Oct  3 22:44 /etc/dnsmasq.conf
   conf-dir=/etc/dnsmasq.d

-rw-r--r-- 1 root root 47 Oct  3 22:38 /etc/resolv.conf
   nameserver 127.0.0.1

*** [ DIAGNOSING ]: Pi-hole diagnosis messages

*** [ DIAGNOSING ]: Locale
    LANG=

*** [ DIAGNOSING ]: Pi-hole log
[i] Query logging is disabled

-rw-r----- 1 pihole pihole 4.8K Oct  3 22:45 /var/log/pihole/pihole.log
   -----head of pihole.log------
   Oct  3 22:27:59 dnsmasq[608]: exiting on receipt of SIGTERM
   Oct  3 22:28:00 dnsmasq[18823]: started, version pi-hole-2.87test8 cachesize 10000
   Oct  3 22:28:00 dnsmasq[18823]: DNS service limited to local subnets
   Oct  3 22:28:00 dnsmasq[18823]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n IDN DHCP DHCPv6 Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
   Oct  3 22:28:00 dnsmasq[18823]: using nameserver 127.0.0.1#5335
   Oct  3 22:28:00 dnsmasq[18823]: using only locally-known addresses for onion
   Oct  3 22:28:00 dnsmasq[18823]: using only locally-known addresses for bind
   Oct  3 22:28:00 dnsmasq[18823]: using only locally-known addresses for invalid
   Oct  3 22:28:00 dnsmasq[18823]: using only locally-known addresses for localhost
   Oct  3 22:28:00 dnsmasq[18823]: using only locally-known addresses for test
   Oct  3 22:28:00 dnsmasq[18823]: read /etc/hosts - 5 addresses
   Oct  3 22:28:00 dnsmasq[18823]: read /etc/pihole/custom.list - 0 addresses
   Oct  3 22:28:00 dnsmasq[18823]: read /etc/pihole/local.list - 0 addresses
   Oct  3 22:41:52 dnsmasq[18823]: exiting on receipt of SIGTERM
   Oct  3 22:41:53 dnsmasq[19563]: started, version pi-hole-2.87test8 cachesize 10000
   Oct  3 22:41:53 dnsmasq[19563]: DNS service limited to local subnets
   Oct  3 22:41:53 dnsmasq[19563]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n IDN DHCP DHCPv6 Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
   Oct  3 22:41:53 dnsmasq[19563]: using nameserver 9.9.9.10#53
   Oct  3 22:41:53 dnsmasq[19563]: using nameserver 149.112.112.10#53
   Oct  3 22:41:53 dnsmasq[19563]: using nameserver 127.0.0.1#5335

   -----tail of pihole.log------
   Oct  3 22:44:21 dnsmasq[20604]: read /etc/pihole/custom.list - 0 addresses
   Oct  3 22:44:21 dnsmasq[20604]: read /etc/pihole/local.list - 0 addresses
   Oct  3 22:44:33 dnsmasq[20604]: read /etc/hosts - 5 addresses
   Oct  3 22:44:33 dnsmasq[20604]: read /etc/pihole/custom.list - 0 addresses
   Oct  3 22:44:33 dnsmasq[20604]: read /etc/pihole/local.list - 0 addresses
   Oct  3 22:45:13 dnsmasq[20604]: exiting on receipt of SIGTERM
   Oct  3 22:45:14 dnsmasq[21143]: started, version pi-hole-v2.87rc1 cachesize 10000
   Oct  3 22:45:14 dnsmasq[21143]: DNS service limited to local subnets
   Oct  3 22:45:14 dnsmasq[21143]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n IDN DHCP DHCPv6 Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
   Oct  3 22:45:14 dnsmasq[21143]: using nameserver 9.9.9.10#53
   Oct  3 22:45:14 dnsmasq[21143]: using nameserver 149.112.112.10#53
   Oct  3 22:45:14 dnsmasq[21143]: using nameserver 127.0.0.1#5335
   Oct  3 22:45:14 dnsmasq[21143]: using only locally-known addresses for onion
   Oct  3 22:45:14 dnsmasq[21143]: using only locally-known addresses for bind
   Oct  3 22:45:14 dnsmasq[21143]: using only locally-known addresses for invalid
   Oct  3 22:45:14 dnsmasq[21143]: using only locally-known addresses for localhost
   Oct  3 22:45:14 dnsmasq[21143]: using only locally-known addresses for test
   Oct  3 22:45:14 dnsmasq[21143]: read /etc/hosts - 5 addresses
   Oct  3 22:45:14 dnsmasq[21143]: read /etc/pihole/custom.list - 0 addresses
   Oct  3 22:45:14 dnsmasq[21143]: read /etc/pihole/local.list - 0 addresses


********************************************
********************************************
[✓] ** FINISHED DEBUGGING! **

What is the output of the following command from the Pi terminal?

sudo grep -v '^#\|^$' -R /etc/unbound/unbound.conf*

Apologies for the delay.

/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf::server:
/etc/unbound/unbound.conf.d/pi-hole.conf::    # If no logfile is specified, syslog is used
/etc/unbound/unbound.conf.d/pi-hole.conf::    # logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf::    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf::    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf::    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    # May be set to yes if you have IPv6 connectivity
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf::    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Terredo tunnels your web browser should favor IPv4 for the same reasons
/etc/unbound/unbound.conf.d/pi-hole.conf::    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Use this only when you downloaded the list of primary root servers!
/etc/unbound/unbound.conf.d/pi-hole.conf::    # If you use the default dns-root-data package, unbound will find it automatically
/etc/unbound/unbound.conf.d/pi-hole.conf::    #root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Trust glue only if it is within the server's authority
/etc/unbound/unbound.conf.d/pi-hole.conf::    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
/etc/unbound/unbound.conf.d/pi-hole.conf::    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
/etc/unbound/unbound.conf.d/pi-hole.conf::    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
/etc/unbound/unbound.conf.d/pi-hole.conf::    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Reduce EDNS reassembly buffer size.
/etc/unbound/unbound.conf.d/pi-hole.conf::    # IP fragmentation is unreliable on the Internet today, and can cause
/etc/unbound/unbound.conf.d/pi-hole.conf::    # transmission failures when large DNS messages are sent via UDP. Even
/etc/unbound/unbound.conf.d/pi-hole.conf::    # when fragmentation does work, it may not be secure; it is theoretically
/etc/unbound/unbound.conf.d/pi-hole.conf::    # possible to spoof parts of a fragmented DNS message, without easy
/etc/unbound/unbound.conf.d/pi-hole.conf::    # detection at the receiving end. Recently, there was an excellent study
/etc/unbound/unbound.conf.d/pi-hole.conf::    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
/etc/unbound/unbound.conf.d/pi-hole.conf::    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
/etc/unbound/unbound.conf.d/pi-hole.conf::    # in collaboration with NLnet Labs explored DNS using real world data from the
/etc/unbound/unbound.conf.d/pi-hole.conf::    # the RIPE Atlas probes and the researchers suggested different values for
/etc/unbound/unbound.conf.d/pi-hole.conf::    # IPv4 and IPv6 and in different scenarios. They advise that servers should
/etc/unbound/unbound.conf.d/pi-hole.conf::    # be configured to limit DNS messages sent over UDP to a size that will not
/etc/unbound/unbound.conf.d/pi-hole.conf::    # trigger fragmentation on typical network links. DNS servers can switch
/etc/unbound/unbound.conf.d/pi-hole.conf::    # from UDP to TCP when a DNS response is too big to fit in this limited
/etc/unbound/unbound.conf.d/pi-hole.conf::    # buffer size. This value has also been suggested in DNS Flag Day 2020.
/etc/unbound/unbound.conf.d/pi-hole.conf::    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Perform prefetching of close to expired message cache entries
/etc/unbound/unbound.conf.d/pi-hole.conf::    # This only applies to domains that have been frequently queried
/etc/unbound/unbound.conf.d/pi-hole.conf::    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
/etc/unbound/unbound.conf.d/pi-hole.conf::    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
/etc/unbound/unbound.conf.d/pi-hole.conf::    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf::    # Ensure privacy of local IP ranges
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If no logfile is specified, syslog is used
/etc/unbound/unbound.conf.d/pi-hole.conf:    # logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # May be set to yes if you have IPv6 connectivity
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Terredo tunnels your web browser should favor IPv4 for the same reasons
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Use this only when you downloaded the list of primary root servers!
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If you use the default dns-root-data package, unbound will find it automatically
/etc/unbound/unbound.conf.d/pi-hole.conf:    #root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Trust glue only if it is within the server's authority
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Reduce EDNS reassembly buffer size.
/etc/unbound/unbound.conf.d/pi-hole.conf:    # IP fragmentation is unreliable on the Internet today, and can cause
/etc/unbound/unbound.conf.d/pi-hole.conf:    # transmission failures when large DNS messages are sent via UDP. Even
/etc/unbound/unbound.conf.d/pi-hole.conf:    # when fragmentation does work, it may not be secure; it is theoretically
/etc/unbound/unbound.conf.d/pi-hole.conf:    # possible to spoof parts of a fragmented DNS message, without easy
/etc/unbound/unbound.conf.d/pi-hole.conf:    # detection at the receiving end. Recently, there was an excellent study
/etc/unbound/unbound.conf.d/pi-hole.conf:    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
/etc/unbound/unbound.conf.d/pi-hole.conf:    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
/etc/unbound/unbound.conf.d/pi-hole.conf:    # in collaboration with NLnet Labs explored DNS using real world data from the
/etc/unbound/unbound.conf.d/pi-hole.conf:    # the RIPE Atlas probes and the researchers suggested different values for
/etc/unbound/unbound.conf.d/pi-hole.conf:    # IPv4 and IPv6 and in different scenarios. They advise that servers should
/etc/unbound/unbound.conf.d/pi-hole.conf:    # be configured to limit DNS messages sent over UDP to a size that will not
/etc/unbound/unbound.conf.d/pi-hole.conf:    # trigger fragmentation on typical network links. DNS servers can switch
/etc/unbound/unbound.conf.d/pi-hole.conf:    # from UDP to TCP when a DNS response is too big to fit in this limited
/etc/unbound/unbound.conf.d/pi-hole.conf:    # buffer size. This value has also been suggested in DNS Flag Day 2020.
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Perform prefetching of close to expired message cache entries
/etc/unbound/unbound.conf.d/pi-hole.conf:    # This only applies to domains that have been frequently queried
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure privacy of local IP ranges
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

Looks like you have duplicate entries in that file (each line appearing twice).

Clean that up and restart unbound.

Thanks. When I look into that file I don't see the duplicate entries, how should I clean it up?

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek perfo$
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10


This output does not match your previous output, which showed duplicate entries. Perhaps it was a cut/paste problem when you posted the previous output.

Taking a second look at your previous output, you appear to be missing the file:

/etc/unbound/unbound.conf

This should contain the following uncommented line, which is a pointer to all the configuration files.

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

Without this file, your pi-hole.conf file is ignored.

I see. I was about to create this file and see that it already exists? (with the same line)

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

There is something screwy with the output you are providing. Let's try again - copy and paste this command into your terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

Still returns duplicate lines?

/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf::server:
/etc/unbound/unbound.conf.d/pi-hole.conf::    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf::    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf::    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf::    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf::    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf::    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf::    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf::    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf::    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf::    private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

You should, if it's available, run 'sudo /usr/sbin/unbound-checkconf'. This will tell you what's wrong.

The binary may be in another location; use 'which unbound-checkconf' to show the correct location and replace it in the above command.

Use '/usr/sbin/unbound-checkconf --help' to see the options, if for example the config file isn't in the default location.

Why do the upper ones have double colons and the lower ones have single colons in both cases? They're not quite duplicates.

...
pi-hole.conf::    verbosity: 0
...
pi-hole.conf:    verbosity: 0
...
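An added example, not part of the thread: `grep -R` prints each hit as `path:line`, so one way a `::` prefix can appear is a second file whose own name ends in a colon, which the `*.conf` include glob would not pick up. The scratch directory, the stray file name `pi-hole.conf:` and the function names are constructed assumptions; the thread does not confirm this is what was on the poster's system.

```shell
#!/bin/sh
# Constructed reproduction in a scratch directory (not the poster's system).
# It stands in for /etc/unbound and holds the expected pi-hole.conf plus a
# stray copy whose file name ends in ':' (an assumption for illustration).

make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/unbound.conf.d"
    printf '%s\n' 'include: "/etc/unbound/unbound.conf.d/*.conf"' > "$dir/unbound.conf"
    printf 'server:\n    verbosity: 0\n    port: 5335\n' > "$dir/unbound.conf.d/pi-hole.conf"
    # Stray duplicate: identical content, name ends in a colon.
    cp "$dir/unbound.conf.d/pi-hole.conf" "$dir/unbound.conf.d/pi-hole.conf:"
    printf '%s\n' "$dir"
}

# Same filter as the thread's command (drop comment and empty lines), written
# with two -e patterns instead of '\|'. grep prefixes every hit with "path:".
grep_like_thread() {
    grep -R -v -e '^#' -e '^$' "$1"/unbound.conf*
}

# Ask grep for file names only (-l), which sidesteps the ambiguous ':' separator.
files_read_by_grep() {
    grep -R -l -v -e '^#' -e '^$' "$1"/unbound.conf* | sort
}

# Count output lines that carry the "::" prefix seen in the thread.
double_colon_lines() {
    grep_like_thread "$1" | grep -c '\.conf::'
}

# Files in unbound.conf.d that the include glob "*.conf" does NOT match:
# grep -R reads them, but a "*.conf" include never loads them.
stray_files() {
    for f in "$1"/unbound.conf.d/*; do
        case "$f" in
            *.conf) ;;
            *) basename "$f" ;;
        esac
    done
}

# Demo run: show the grep output and the stray file, then clean up.
demo_dir=$(make_fixture)
grep_like_thread "$demo_dir"
echo "files grep read:"
files_read_by_grep "$demo_dir"
echo "not matched by *.conf:"
stray_files "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, `ls -la /etc/unbound/unbound.conf.d/` shows the exact file names in the directory without grep's separator in the way.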

Returns unbound-checkconf: no errors in /etc/unbound/unbound.conf

I see. Honestly, I don't have much experience with any of this, so I'm not sure

Since we can't really tell what your problem might be (your text outputs are not consistent), I would do the following.

sudo service unbound stop

sudo rm /etc/unbound/unbound.conf.d/pi-hole.conf

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Then while the editor is open, copy and paste the contents of our guide template for this file:

Save and exit the file.

sudo service unbound start

Reinstalled, original issue persists.

Not sure if output of sudo grep -v '^#\|^$' -R /etc/unbound/unbound.conf* is needed, if so:

/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If no logfile is specified, syslog is used
/etc/unbound/unbound.conf.d/pi-hole.conf:    # logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # May be set to yes if you have IPv6 connectivity
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Terredo tunnels your web browser should favor IPv4 for the same reasons
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Use this only when you downloaded the list of primary root servers!
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If you use the default dns-root-data package, unbound will find it automatically
/etc/unbound/unbound.conf.d/pi-hole.conf:    #root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Trust glue only if it is within the server's authority
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Reduce EDNS reassembly buffer size.
/etc/unbound/unbound.conf.d/pi-hole.conf:    # IP fragmentation is unreliable on the Internet today, and can cause
/etc/unbound/unbound.conf.d/pi-hole.conf:    # transmission failures when large DNS messages are sent via UDP. Even
/etc/unbound/unbound.conf.d/pi-hole.conf:    # when fragmentation does work, it may not be secure; it is theoretically
/etc/unbound/unbound.conf.d/pi-hole.conf:    # possible to spoof parts of a fragmented DNS message, without easy
/etc/unbound/unbound.conf.d/pi-hole.conf:    # detection at the receiving end. Recently, there was an excellent study
/etc/unbound/unbound.conf.d/pi-hole.conf:    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
/etc/unbound/unbound.conf.d/pi-hole.conf:    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
/etc/unbound/unbound.conf.d/pi-hole.conf:    # in collaboration with NLnet Labs explored DNS using real world data from the
/etc/unbound/unbound.conf.d/pi-hole.conf:    # the RIPE Atlas probes and the researchers suggested different values for
/etc/unbound/unbound.conf.d/pi-hole.conf:    # IPv4 and IPv6 and in different scenarios. They advise that servers should
/etc/unbound/unbound.conf.d/pi-hole.conf:    # be configured to limit DNS messages sent over UDP to a size that will not
/etc/unbound/unbound.conf.d/pi-hole.conf:    # trigger fragmentation on typical network links. DNS servers can switch
/etc/unbound/unbound.conf.d/pi-hole.conf:    # from UDP to TCP when a DNS response is too big to fit in this limited
/etc/unbound/unbound.conf.d/pi-hole.conf:    # buffer size. This value has also been suggested in DNS Flag Day 2020.
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Perform prefetching of close to expired message cache entries
/etc/unbound/unbound.conf.d/pi-hole.conf:    # This only applies to domains that have been frequently queried
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure privacy of local IP ranges
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

That first line is wrong and should look like below:

pi@ph5b:~ $ sudo grep -v '^#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
[..]

To fix, edit that file with below:

sudo nano /etc/unbound/unbound.conf

And change that one line into below:

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

Save/exit and check config for errors:

unbound-checkconf

Restart to apply:

sudo systemctl restart unbound

And check status:

systemctl status unbound

And journals:

journalctl --no-pager --full -u unbound

You can check if it's listening with below:

pi@ph5b:~ $ sudo ss -nltup sport = 5335
Netid    State     Recv-Q    Send-Q       Local Address:Port        Peer Address:Port    Process
udp      UNCONN    0         0                127.0.0.1:5335             0.0.0.0:*        users:(("unbound",pid=32563,fd=3))
tcp      LISTEN    0         256              127.0.0.1:5335             0.0.0.0:*        users:(("unbound",pid=32563,fd=4))

Or if it's answering:

pi@ph5b:~ $ dig +short @localhost -p 5335 version.bind chaos txt
"unbound 1.13.1"

See his earlier reply #7 in thread.

There's something more going on with these outputs, relating to regexes, his shell, copy and paste. Regardless, the original problem seems to be that the router's DNS is being used and not unbound, so I'd want to work through that step by step and manually check specific files one at a time, with dhcpcd and avahi also being involved in this somewhere. That's why I've left it, since the debug log is far more reliable than trying to pick through config files and daemons one at a time.

Below bit?

That's because the include: directive is a valid one:

pi@ph5b:~ $ man unbound.conf
[..]
       Files  can be included using the include: directive. It can appear
       anywhere, it accepts a single file name as  argument.   Processing
       continues  as  if  the text from the included file was copied into
       the config file at that point.  If also using chroot,  using  full
       path  names  for  the included files works, relative pathnames for
       the included names work if  the  directory  where  the  daemon  is
       started equals its chroot/working directory or is specified before
       the include statement with directory: dir.  Wildcards can be  used
       to include multiple files, see glob(7).

       For a more structural include option, the include-toplevel: direc‐
       tive can be used.  This closes whatever clause is currently active
       (if  any)  and forces the use of clauses in the included files and
       right after this directive.

Post #7.
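
The man page excerpt quoted above separates include: (text is copied in at that point) from include-toplevel: (the active clause is closed first). As an added example, not part of the thread or of Unbound's own code, this Python model replays that clause handling on a constructed config tree and reports which clause the port option ends up in. The line-based parser, the remote-control: preamble, the temp-dir paths and the rule that each file pulled in by include-toplevel: starts with no open clause are assumptions.

```python
import glob
import os
import re
import tempfile

def walk(path, clause=None, out=None):
    """Expand includes as the man page describes; collect (clause, option, value).
    Returns the clause still open at the end of `path` plus the collected list."""
    out = [] if out is None else out
    with open(path) as fh:
        for raw in fh:
            # Simplification: '#' starts a comment at line start or after whitespace.
            line = re.sub(r'(^|\s)#.*', '', raw).strip()
            m = re.match(r'^([a-z0-9-]+):\s*(.*)$', line)
            if not m:
                continue
            key, val = m.group(1), m.group(2)
            if not val:                        # "server:" alone opens a clause
                clause = key
            elif key == 'include':             # copied in: clause state flows through
                for inc in sorted(glob.glob(val.strip('"'))):
                    clause, _ = walk(inc, clause, out)
            elif key == 'include-toplevel':    # closes the active clause first
                for inc in sorted(glob.glob(val.strip('"'))):
                    walk(inc, None, out)
                clause = None
            else:
                out.append((clause, key, val.strip('"')))
    return clause, out

def demo(directive, dropin_text):
    """Build a constructed config tree and return the clause(s) 'port' lands in."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, 'unbound.conf.d'))
        with open(os.path.join(d, 'unbound.conf.d', 'pi-hole.conf'), 'w') as fh:
            fh.write(dropin_text)
        main = os.path.join(d, 'unbound.conf')
        with open(main, 'w') as fh:
            fh.write('remote-control:\n    control-enable: no\n')
            fh.write('%s: "%s/unbound.conf.d/*.conf"\n' % (directive, d))
        _, entries = walk(main)
        return [c for c, k, v in entries if k == 'port']

# Constructed drop-ins: one opens its own server: clause, one does not.
WITH_CLAUSE = 'server:\n    interface: 127.0.0.1\n    port: 5335  # local only\n'
BARE = '    interface: 127.0.0.1\n    port: 5335\n'

if __name__ == '__main__':
    for directive in ('include', 'include-toplevel'):
        print(directive, demo(directive, WITH_CLAUSE), demo(directive, BARE))
```

A drop-in that opens its own server: clause, as the pi-hole.conf shown earlier does, lands port in server under either directive; only a drop-in without a clause header behaves differently. unbound-checkconf remains the authoritative check on a real installation.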