Unbound Not Responding to Pi-hole

Hi,

I’m experiencing an issue where Pi-hole works as expected, but Unbound does not seem to respond to DNS queries after startup. I’m using a Raspberry Pi Zero W 1.1 with both Pi-hole and Unbound installed and configured to work together. The issue appears to be with Unbound, as when I uncheck the configured upstream servers (IPv4: 127.0.0.1#5300 and IPv6: ::1#5300) and instead enable Google’s DNS servers, I can access the internet again—bypassing Unbound entirely.

Key Observations:

  • After switching temporarily to Google’s DNS servers and then re-enabling Unbound’s upstream addresses (127.0.0.1#5300 and ::1#5300), Unbound works as expected.
  • This suggests the issue occurs only during the initial startup of Unbound, and the service can function normally once manually re-enabled.

Details of the Issue:

  • Problem started: About a week ago.
  • Configured Pi-hole upstream DNS servers:
    • IPv4: 127.0.0.1#5300
    • IPv6: ::1#5300

When Unbound does not respond, these servers fail, but switching to Google DNS servers restores functionality.

Installations:

  • Pi-hole was installed following the official guide: Basic Installation.
  • Unbound was installed and configured using the official guide: Unbound.

Usage:

  • The Raspberry Pi is restarted daily.

Custom Configurations I’ve Made:

  1. Delayed Pi-hole startup: Following this guide: Issues with daily power cycling, gravity updates, and DNS overload.
  2. Increased max DNS forward limit: Maximum number of concurrent DNS queries reached.
  3. Added multiple block lists: Included several ad and malicious content blocking lists.

Additional Observations:

  • Pi-hole starts and operates correctly after a slight delay.
  • Unbound appears to be running but does not respond to queries. This issue did not occur before.

Debug Token:

https://tricorder.pi-hole.net/d1VeGirP/

Can anyone help me figure out why Unbound is not responding to DNS queries from Pi-hole? Could it be a configuration issue or something else?

Bit late, but what's the output of the ones below?

apt policy openresolv

sudo rgrep -v '^ *#\|^ *$' /etc/unbound/unbound.conf*

sudo journalctl --full --no-hostname --no-pager --lines 20 --unit unbound.service

unbound checks DNS responses for authenticity and integrity via DNSSEC, and this DNSSEC validation requires DNS servers and your RPi using the same time frame.

A Zero lacks a real time clock (RTC), so it has to rely on syncing time with NTP servers periodically, where times could wander off a bit in between syncs.

Normally, one of the next few consecutive lookups succeeds, and this goes unnoticed, but on power cycling, it may take as long as a few minutes before you've a correct time. On large offsets, syncing may even not work at all and you'd have to set the time manually.

If this is the case for you here, you may consider fitting a battery-buffered RTC on your RPi (e.g. DS3231 are available for only a few bucks).
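The time dependence described in the reply above, as an added example that is not part of the original post: every DNSSEC signature (RRSIG record) carries an inception and an expiration timestamp, and a validator whose clock falls outside that window rejects the answer. The RRSIG line and the clock values are constructed, and the fixed one-hour `skew` tolerance is an assumption of this example, not Unbound's exact logic.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG in dig presentation format (not taken from a real zone).
# Fields after the type: covered type, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature (dummy value).
SAMPLE_RRSIG = (
    "example.org. 3600 IN RRSIG A 13 2 3600 "
    "20250129000000 20250108000000 12345 example.org. c2lnbmF0dXJl"
)

def parse_ts(text):
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or seconds since 1970."""
    if len(text) == 14:
        parsed = datetime.strptime(text, "%Y%m%d%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)

def rrsig_window(record):
    """Return (inception, expiration) from one RRSIG presentation line."""
    fields = record.split()
    idx = fields.index("RRSIG")
    return parse_ts(fields[idx + 6]), parse_ts(fields[idx + 5])

def check_clock(record, local_clock, skew=timedelta(hours=1)):
    """Classify the signature as a validator with this clock would see it."""
    inception, expiration = rrsig_window(record)
    if local_clock < inception - skew:
        return "not-yet-valid"   # clock is behind: typical after a cold boot
    if local_clock > expiration + skew:
        return "expired"         # clock is ahead, or the signature is stale
    return "valid"

def boot_report(record=SAMPLE_RRSIG):
    """Constructed clock readings for a device without an RTC."""
    clocks = {
        "synced via NTP": datetime(2025, 1, 15, 19, 40, tzinfo=timezone.utc),
        "stale clock at boot": datetime(2024, 10, 22, 12, 0, tzinfo=timezone.utc),
        "clock set too far ahead": datetime(2025, 3, 1, 0, 0, tzinfo=timezone.utc),
    }
    return {label: check_clock(record, now) for label, now in clocks.items()}

if __name__ == "__main__":
    for label, status in boot_report().items():
        print(f"{label:24} -> {status}")
```
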

I actually made some changes to the NTP settings in my router about a week ago, as I suspected there might have been an issue with time synchronization. I reverted those changes, but unfortunately, the issue with Unbound not starting/responding persists.

I ran all the commands you asked for, and based on the output of sudo journalctl, it seems that Unbound is attempting to start but ultimately fails to do so. Unfortunately, it doesn't seem to be fully initializing, which might explain why Pi-hole can't communicate with it initially.

pi@raspberrypi:~ $ apt policy openresolv
openresolv:
Installed: 3.12.0-1
Candidate: 3.12.0-1
Version table:
*** 3.12.0-1 500
500 Index of /raspbian bullseye/main armhf Packages
100 /var/lib/dpkg/status
pi@raspberrypi:~ $ sudo rgrep -v '^ *#\|^ *$' /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf: auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf: logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf: log-time-ascii: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: verbosity: 1
/etc/unbound/unbound.conf.d/pi-hole.conf: interface: 0.0.0.0
/etc/unbound/unbound.conf.d/pi-hole.conf: interface: ::0
/etc/unbound/unbound.conf.d/pi-hole.conf: port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf: num-threads: 4
/etc/unbound/unbound.conf.d/pi-hole.conf: msg-cache-slabs: 16
/etc/unbound/unbound.conf.d/pi-hole.conf: rrset-cache-slabs: 16
/etc/unbound/unbound.conf.d/pi-hole.conf: infra-cache-slabs: 16
/etc/unbound/unbound.conf.d/pi-hole.conf: key-cache-slabs: 16
/etc/unbound/unbound.conf.d/pi-hole.conf: outgoing-range: 206
/etc/unbound/unbound.conf.d/pi-hole.conf: so-rcvbuf: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf: so-sndbuf: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf: so-reuseport: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: rrset-cache-size: 100m
/etc/unbound/unbound.conf.d/pi-hole.conf: msg-cache-size: 50m
/etc/unbound/unbound.conf.d/pi-hole.conf: do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: do-ip6: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: cache-max-ttl: 86400
/etc/unbound/unbound.conf.d/pi-hole.conf: cache-min-ttl: 3600
/etc/unbound/unbound.conf.d/pi-hole.conf: hide-identity: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: hide-version: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: minimal-responses: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: use-caps-for-id: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: verbosity: 1
/etc/unbound/unbound.conf.d/pi-hole.conf: harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf: private-domain: "lan"
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf: private-address: fe80::/10
pi@raspberrypi:~ $ sudo journalctl --full --no-hostname --no-pager --lines 20 --unit unbound.service
-- Journal begins at Tue 2024-10-22 15:56:52 EEST, ends at Wed 2025-01-15 19:45:52 EET. --
Jan 11 11:34:42 systemd[1]: Starting Unbound DNS server...
Jan 11 11:34:44 systemd[1]: Started Unbound DNS server.
-- Boot 63cc1fd085134a9897b204576616db7a --
Jan 11 22:28:18 systemd[1]: Starting Unbound DNS server...
Jan 11 22:28:20 systemd[1]: Started Unbound DNS server.
-- Boot bdad62ec12b648788663b6dfc43c7ab9 --
Jan 12 21:53:20 systemd[1]: Starting Unbound DNS server...
Jan 12 21:53:22 systemd[1]: Started Unbound DNS server.
-- Boot f900803f0ef841f5835e553a6a894512 --
Jan 13 21:49:01 systemd[1]: Starting Unbound DNS server...
Jan 13 21:49:03 systemd[1]: Started Unbound DNS server.
-- Boot 44acb7e4347e469ca0a8a939a79444c2 --
Jan 14 22:02:19 systemd[1]: Starting Unbound DNS server...
Jan 14 22:02:22 systemd[1]: Started Unbound DNS server.
Jan 15 19:39:43 systemd[1]: Stopping Unbound DNS server...
Jan 15 19:39:43 systemd[1]: unbound.service: Succeeded.
Jan 15 19:39:43 systemd[1]: Stopped Unbound DNS server.
Jan 15 19:39:43 systemd[1]: Starting Unbound DNS server...
Jan 15 19:39:45 systemd[1]: Started Unbound DNS server.
Jan 15 19:40:24 systemd[1]: Stopping Unbound DNS server...
Jan 15 19:40:24 systemd[1]: unbound.service: Succeeded.
Jan 15 19:40:24 systemd[1]: Stopped Unbound DNS server.
Jan 15 19:40:24 systemd[1]: Starting Unbound DNS server...
Jan 15 19:40:24 systemd[1]: Started Unbound DNS server.

Unbound isn't configured according to the official guide.
It's got additional directives like num-threads, msg-cache-slabs, cache-max-ttl etc.
Have you tried without those modifications and configuring exactly like in the guide?
Where did you get those added directives from?

I reinstalled Unbound, and it seems to be working fine right after the installation. The only changes I made in addition to the guide's settings were switching do-ip6: no >> do-ip6: yes and adding the line interface: ::1.

In Pi-hole, I also configured the following upstream DNS servers:

  • IPv4: 127.0.0.1#5300
  • IPv6: ::1#5300

Let's see how it performs after the first reboot. Fortunately, disabling Unbound is a quick task if needed – I just have to remove the upstream addresses from Pi-hole and switch to something like Google DNS.

server:
# If no logfile is specified, syslog is used
logfile: "/var/log/unbound/unbound.log"
log-time-ascii: yes
verbosity: 1

interface: 127.0.0.1
interface: ::1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: yes

I see that you have Pi-hole set to talk to unbound on port 5300, but it would appear from a couple of spots in the above post, and earlier ones, that unbound is set to 5335, which is the default shown in the guide. Is the above information you provided for your Pi-hole configuration correct?

I just added unbound using the guide in the Pi-hole Guides section, and had zero issues getting it to work on two separate Pi-hole instances.

1 Like

As another commenter noted, this is not the port on which unbound is listening.

Change this to 127.0.0.1#5335

You don't need a separate IPv6 route to unbound - via IPv4 you can resolve any queries (both A and AAAA).

1 Like
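The comparison the replies above make by eye, as an added example that is not part of the original posts: it reads Unbound directives in the `file:directive: value` form that `rgrep` prints, compares the listening port with Pi-hole's upstream entries, and also reports listeners bound beyond loopback. The sample text is constructed from the settings quoted in this thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the "file:directive: value" form printed by rgrep,
# modelled on the settings quoted in this thread.
SAMPLE_GREP = """\
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 0.0.0.0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: ::0
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
"""

def parse_directives(grep_output):
    """Collect directive -> [values]; a value may itself contain ':' (IPv6)."""
    found = {}
    for line in grep_output.splitlines():
        _path, _, rest = line.partition(":")
        key, _, value = rest.strip().partition(":")
        value = value.strip().strip('"')
        if value:  # skips clause headers such as "server:"
            found.setdefault(key.strip(), []).append(value)
    return found

def audit(grep_output, pihole_upstreams):
    """Return findings for port mismatches and non-loopback listeners."""
    conf = parse_directives(grep_output)
    port = int(conf.get("port", ["53"])[-1])  # Unbound uses 53 unless set
    findings = []
    for upstream in pihole_upstreams:
        _host, sep, up_port = upstream.partition("#")
        if (int(up_port) if sep else 53) != port:
            findings.append(f"{upstream}: unbound listens on port {port}")
    for iface in conf.get("interface", []):
        try:
            local = ipaddress.ip_address(iface.split("@")[0]).is_loopback
        except ValueError:  # interface given by name instead of address
            local = False
        if not local:
            findings.append(f"interface {iface}: reachable beyond localhost")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GREP, ["127.0.0.1#5300", "::1#5300"]):
        print(finding)
```
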

It seems I mistakenly posted the wrong address on the forum (#5300), even though I have set Pi-hole's upstream address to the correct port (#5335).

So is it true that Unbound can handle DNS requests coming from IPv6 addresses if I remove ::1#5335 from Pi-hole's upstream settings and only use 127.0.0.1#5335?

To allow Unbound to receive DNS requests from IPv6 addresses, does the do-ip6: yes setting need to be enabled in Unbound's configuration? I have configured Pi-hole to work with both IPv6 and IPv4 addresses (a bit of a pain in the butt, but it works... I think? :D)

After the first reboot today, everything seems to be working as expected. Indeed, I had mistakenly written the wrong port in my response post as well as in the initial one. I’ve now corrected the port to 5335 as it should be, and everything is running smoothly.

That is irrelevant in this case, as your Pi-hole is unbound's only client, and you're going to configure it to talk to unbound via IPv4 exclusively.