Unbound is forwarding to Cloudflare

So I just got Unbound configured and it’s forwarding to Cloudflare. Is this normal?

No.

If configured according to the official guide, Unbound will traverse the DNS tree recursively to find an authoritative DNS server for a particular domain/zone, starting at the root servers listed below:

$ cat /usr/share/dns/root.hints
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     April 18, 2024
;       related version of root zone:     2024041801
;
; FORMERLY NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35

So I followed the guide to a T, but I had to force it to populate all the config files. How do I fix it so I can get away from Cloudflare?

How did you determine queries are being forwarded to Cloudflare?

Please post the output of the command below:

sudo rgrep -v '^ *\(#\|$\)' /etc/unbound/unbound.conf*

I used dnsleaktest.com

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:  control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf:  control-interface: /run/unbound.ctl
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.0.2.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 198.51.100.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 203.0.113.0/24
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 255.255.255.255/32
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 2001:db8::/32

Most likely it’s not reporting correctly.

What does below output?

sudo unbound-control lookup .

From the above, do you have native IPv6 support from your ISP upstream if you check with the link below?

If you don’t, better flip the do-ip6 setting above to no.

I’m getting

this option requires a domain name

You most likely missed copying/pasting the last dot ".":

The dot represents the root domain.

The following name servers are used for lookup of .
;rrset 80112 13 1 8 0
.       80112   IN      NS      a.root-servers.net.
.       80112   IN      NS      b.root-servers.net.
.       80112   IN      NS      c.root-servers.net.
.       80112   IN      NS      d.root-servers.net.
.       80112   IN      NS      e.root-servers.net.
.       80112   IN      NS      f.root-servers.net.
.       80112   IN      NS      g.root-servers.net.
.       80112   IN      NS      h.root-servers.net.
.       80112   IN      NS      i.root-servers.net.
.       80112   IN      NS      j.root-servers.net.
.       80112   IN      NS      k.root-servers.net.
.       80112   IN      NS      l.root-servers.net.
.       80112   IN      NS      m.root-servers.net.
.       80112   IN      RRSIG   NS 8 0 518400 20260304170000 20260219160000 21831 . b3ogwpEmK+uUwUhsj3IwIGALm3V8FRGQur1fLCxG/WTwczuWJ603jF0eirVg4m3Jud3GawoFtodoSV0+V1K03XRDocRhMadX5ysvk0zCUBgP4py98Xjpiekr+uI0E9yjtKIZfaLifjBYhhYPrHvl1asGpZmcZ38WY1MZDpQSRpuhZyzhQuh33EIvx7OFEvIoHiCGrMcRm+3Ue1KONAVZxWJ3BC5m8cWmiIaGx+SzgOoNlyQ5FVqWCk+c+8WP2h92K+X4QEf4w86FYqqmAfSRgwnczlzrYonqCp3maBsRt0Y5PmGeNJlzPU+UOV8jcZ8GSqKGsdIN8USGtFqu1TG7wg== ;{id = 21831}
;rrset 80112 1 0 8 0
m.root-servers.net.     80112   IN      A     202.12.27.33
;rrset 80112 1 0 8 0
m.root-servers.net.     80112   IN      AAAA  2001:dc3::35
;rrset 80112 1 0 8 0
l.root-servers.net.     80112   IN      A     199.7.83.42
;rrset 80112 1 0 8 0
l.root-servers.net.     80112   IN      AAAA  2001:500:9f::42
;rrset 80112 1 0 3 0
k.root-servers.net.     80112   IN      A     193.0.14.129
;rrset 80112 1 0 3 0
k.root-servers.net.     80112   IN      AAAA  2001:7fd::1
;rrset 80112 1 0 3 0
j.root-servers.net.     80112   IN      A     192.58.128.30
;rrset 80112 1 0 3 0
j.root-servers.net.     80112   IN      AAAA  2001:503:c27::2:30
;rrset 80112 1 0 3 0
i.root-servers.net.     80112   IN      A     192.36.148.17
;rrset 80112 1 0 3 0
i.root-servers.net.     80112   IN      AAAA  2001:7fe::53
;rrset 80112 1 0 3 0
h.root-servers.net.     80112   IN      A     198.97.190.53
;rrset 80112 1 0 3 0
h.root-servers.net.     80112   IN      AAAA  2001:500:1::53
;rrset 80112 1 0 3 0
g.root-servers.net.     80112   IN      A     192.112.36.4
;rrset 80112 1 0 3 0
g.root-servers.net.     80112   IN      AAAA  2001:500:12::d0d
;rrset 80112 1 0 3 0
f.root-servers.net.     80112   IN      A     192.5.5.241
;rrset 80112 1 0 3 0
f.root-servers.net.     80112   IN      AAAA  2001:500:2f::f
;rrset 80112 1 0 3 0
e.root-servers.net.     80112   IN      A     192.203.230.10
;rrset 80112 1 0 3 0
e.root-servers.net.     80112   IN      AAAA  2001:500:a8::e
;rrset 80112 1 0 3 0
d.root-servers.net.     80112   IN      A     199.7.91.13
;rrset 80112 1 0 3 0
d.root-servers.net.     80112   IN      AAAA  2001:500:2d::d
;rrset 80112 1 0 3 0
c.root-servers.net.     80112   IN      A     192.33.4.12
;rrset 80112 1 0 3 0
c.root-servers.net.     80112   IN      AAAA  2001:500:2::c
;rrset 80112 1 0 3 0
b.root-servers.net.     80112   IN      A     170.247.170.2
;rrset 80112 1 0 3 0
b.root-servers.net.     80112   IN      AAAA  2801:1b8:10::b
;rrset 80112 1 0 3 0
a.root-servers.net.     80112   IN      A     198.41.0.4
;rrset 80112 1 0 3 0
a.root-servers.net.     80112   IN      AAAA  2001:503:ba3e::2:30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:ba3e::2:30     rto 376 msec, ttl 188, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
198.41.0.4              rto 301 msec, ttl 188, ping 1 var 75 rtt 301, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2801:1b8:10::b          rto 376 msec, ttl 488, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
170.247.170.2           rto 302 msec, ttl 484, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:2::c           not in infra cache.
192.33.4.12             not in infra cache.
2001:500:2d::d          rto 376 msec, ttl 188, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
199.7.91.13             rto 243 msec, ttl 484, ping 3 var 60 rtt 243, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:a8::e          not in infra cache.
192.203.230.10          rto 177 msec, ttl 188, ping 1 var 44 rtt 177, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:2f::f          not in infra cache.
192.5.5.241             not in infra cache.
2001:500:12::d0d        not in infra cache.
192.112.36.4            not in infra cache.
2001:500:1::53          not in infra cache.
198.97.190.53           not in infra cache.
2001:7fe::53            not in infra cache.
192.36.148.17           not in infra cache.
2001:503:c27::2:30      not in infra cache.
192.58.128.30           rto 315 msec, ttl 488, ping 3 var 78 rtt 315, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:7fd::1             not in infra cache.
193.0.14.129            not in infra cache.
2001:500:9f::42         not in infra cache.
199.7.83.42             rto 566 msec, ttl 187, ping 58 var 127 rtt 566, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:dc3::35            rto 376 msec, ttl 188, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
202.12.27.33            not in infra cache.

Also, my ISP does not support IPv6.

Those are the root servers and not those of Cloudflare (1.1.1.1 or 1.0.0.1).

So flip the one below:

And restart to apply:

sudo systemctl restart unbound.service
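A way to settle the same question from files rather than from a running daemon, as an added example that is not part of this thread and not Unbound’s or Pi-hole’s own code: it applies the same comment-stripping idea as the rgrep earlier in the thread to list any forward-addr/forward-host target in the effective config, and it parses a root.hints file plus saved `unbound-control lookup .` output to confirm that the addresses Unbound uses for the root are the ones the hints file knows (a stale hints file shows up as a mismatch). The config snippets, hints entries and lookup lines inside are constructed samples; the file names and the forward.conf stanza are hypothetical.

```shell
#!/usr/bin/env bash
# Added example for this thread, not Unbound's or Pi-hole's own tooling: answer
# "is Unbound forwarding?" from files, so it runs offline. Every input below is
# a constructed sample and the file names are hypothetical.
set -eu

# Same idea as the rgrep above: drop blank and comment lines so a forward-addr
# buried in any included .conf file still shows up.
effective_conf() {
  grep -hEv '^[[:space:]]*(#|$)' "$@" 2>/dev/null || true
}

# Every upstream target Unbound would forward to. Unbound forwards only when a
# forward-zone: block carries forward-addr/forward-host lines; the stock
# Pi-hole config has none, so an empty result means "recursive from the roots".
unbound_forwarders() {
  effective_conf "$@" \
    | sed -En 's/^[[:space:]]*forward-(addr|host):[[:space:]]*"?([^"[:space:]]+)"?.*/\2/p'
}

resolver_mode() {
  if [ -n "$(unbound_forwarders "$@")" ]; then echo forwarding; else echo recursive; fi
}

# A/AAAA addresses in a root.hints file (comment lines start with ';').
root_hint_addrs() {
  awk '$1 !~ /^;/ && ($3 == "A" || $3 == "AAAA") { print $4 }' "$1"
}

# Addresses in saved `unbound-control lookup .` output.
lookup_root_addrs() {
  awk '$1 ~ /root-servers\.net\.$/ && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }' "$1"
}

# OK when every address Unbound uses for "." is in the hints file, else MISMATCH
# plus the addresses the hints file lacks: that is what a stale root.hints looks
# like once Unbound has primed the real root NS set from the network.
verify_root_delegation() {
  local hints="$1" lookup="$2" foreign
  foreign=$( { root_hint_addrs "$hints"; echo --; lookup_root_addrs "$lookup"; } \
    | awk '/^--$/ { seen = 1; next } !seen { known[$0] = 1; next } !($0 in known)' )
  if [ -z "$foreign" ]; then echo OK; else echo "MISMATCH $(echo $foreign)"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed: a trimmed recursive config like the thread's pi-hole.conf.
cat >"$work/pi-hole.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
EOF

# Constructed: the kind of stanza that WOULD send every query to Cloudflare.
cat >"$work/forward.conf" <<'EOF'
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF

# Constructed: two root servers from root.hints, plus a stale copy that still
# carries B's pre-2023 addresses.
cat >"$work/root.hints" <<'EOF'
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
EOF
sed 's/170\.247\.170\.2/199.9.14.201/; s/2801:1b8:10::b/2001:500:200::b/' \
  "$work/root.hints" >"$work/root.hints.stale"

# Constructed: the matching lines of `unbound-control lookup .`, thread format.
cat >"$work/lookup.txt" <<'EOF'
The following name servers are used for lookup of .
.       80112   IN      NS      a.root-servers.net.
.       80112   IN      NS      b.root-servers.net.
b.root-servers.net.     80112   IN      A     170.247.170.2
b.root-servers.net.     80112   IN      AAAA  2801:1b8:10::b
a.root-servers.net.     80112   IN      A     198.41.0.4
a.root-servers.net.     80112   IN      AAAA  2001:503:ba3e::2:30
EOF

echo "pi-hole.conf only:     $(resolver_mode "$work/pi-hole.conf")"
echo "with forward.conf:     $(resolver_mode "$work"/*.conf)"
echo "forwarders:            $(unbound_forwarders "$work"/*.conf | tr '\n' ' ')"
echo "hints vs lookup:       $(verify_root_delegation "$work/root.hints" "$work/lookup.txt")"
echo "stale hints vs lookup: $(verify_root_delegation "$work/root.hints.stale" "$work/lookup.txt")"
```

On a real box, point the functions at /etc/unbound/unbound.conf.d/*.conf, /usr/share/dns/root.hints and a file saved from `sudo unbound-control lookup .`. Two caveats: a forwarder can still sit in a file the include-toplevel glob does not pick up, so feed the check every file Unbound actually reads, and nothing here can see a client that never sends its queries to Unbound in the first place.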

It’s still using Cloudflare according to dnsleaktest.

Well, Unbound doesn’t query the Cloudflare servers.
Maybe you have a DNS leak somewhere.
For that I would suggest you open a new help topic including a debug token, as this doesn’t seem related to Unbound.

Ok, thank you for your time

It may be from my secondary Pi-hole, so I’ll disable IPv6 on that as well.

You don’t need to disable anything IPv6-related in your network or on the O-Pi if the command below, run on the O-Pi, doesn’t return an IP (or multiple):

ip -br -6 address show scope global

Don’t post IPv6 addresses here, for privacy!

Is it possible you have Cloudflare enabled as a DNS-over-HTTPS server in the browser you're using to run the leak test?

I figured it out. I was using dnsleaktest on my iPhone with the Brave browser. Upon reading into it, Cloudflare is hardcoded into the app.

Most likely it’s the setting below that needs to be DISABLED, or it will allow leaking: