Unbound not working even with extra steps

Hello, friends.

I followed the basic setup and the optional disabling of resolvconf

I've also done this.

When I do

dig pi-hole.net @127.0.0.1 -p 5335

I get SERVFAIL.

There's nothing different about the unbound configuration that I have than the one specified in the guide.

However, if I stop the running service and manually run unbound myself with

sudo /sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf.d/pi-hole.conf

And I run that same dig command I get NOERROR.

Please add logging to your unbound and show us the full log output (in /var/log/unbound.log) from starting unbound to after you made the dig call. This should give us a hint what is amiss here.

This might sound weird, but I don't think the unbound service is using my config file.

I just did what was in that link for adding debugging to unbound, restarted the service, ran the same dig command I have been, and the log file is empty.

Here's what I did:

  • Added the following to my /etc/unbound/unbound.conf.d/pi-hole.conf file at the top of the server section:
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 1
    
  • Ran the following
    sudo mkdir -p /var/log/unbound
    sudo touch /var/log/unbound/unbound.log
    sudo chown unbound /var/log/unbound/unbound.log 
    
  • Restarted the unbound service with sudo service unbound restart
  • Ran dig pi-hole.net @127.0.0.1 -p 5335
  • Ran cat /var/log/unbound/unbound.log and got nothing back

EDIT:

Here's the full config file. The comments are what I had at the start before I first ran into issues and just commented those lines out for now:

server:
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 1
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    #root-hints: "/var/lib/unbound/root.hints"
    harden-dnssec-stripped: yes
    harden-glue: yes
    #harden-short-bufsize: yes
    #harden-large-queries: yes
    #harden-below-nxdomain: yes
    #harden-referral-path: yes
    #harden-algo-downgrade: yes
    #hide-identity: yes
    #hide-version: yes
    #identity: "Server"
    #do-daemonize: no
    #neg-cache-size: 4m
    #qname-minimisation: yes
    #deny-any: yes
    #minimal-responses: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    #msg-cache-size: 50m
    #rrset-cache-size: 100m
    num-threads: 1
    #so-reuseport: yes
    so-rcvbuf: 1m
    #so-sndbuf: 4m
    #unwanted-reply-threshold: 100000
    #log-queries: no
    #log-replies: no
    #log-servfail: no
    #log-local-actions: no
    #logfile: /dev/null

    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Hmm, what is the output of

sudo systemctl status unbound

?

● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-12-30 23:12:10 CST; 38min ago
       Docs: man:unbound(8)
    Process: 23992 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 23995 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 23998 (unbound)
      Tasks: 1 (limit: 1624)
        CPU: 192ms
     CGroup: /system.slice/unbound.service
             └─23998 /usr/sbin/unbound -d -p

Dec 30 23:19:23 raspberrypi unbound[23998]: [1672463963] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Dec 30 23:19:23 raspberrypi unbound[23998]: [1672463963] unbound[23998:0] info: generate keytag query _ta-4f66. NULL IN
Dec 30 23:19:23 raspberrypi unbound[23998]: [1672463963] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Dec 30 23:19:23 raspberrypi unbound[23998]: [1672463963] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Dec 30 23:19:23 raspberrypi unbound[23998]: [1672463963] unbound[23998:0] info: generate keytag query _ta-4f66. NULL IN
Dec 30 23:19:24 raspberrypi unbound[23998]: [1672463964] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Dec 30 23:19:24 raspberrypi unbound[23998]: [1672463964] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Dec 30 23:19:24 raspberrypi unbound[23998]: [1672463964] unbound[23998:0] info: generate keytag query _ta-4f66. NULL IN
Dec 30 23:19:24 raspberrypi unbound[23998]: [1672463964] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Dec 30 23:19:24 raspberrypi unbound[23998]: [1672463964] unbound[23998:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

Okay, this shouldn't happen and is likely a consequence of you commenting out

root-hints: "/var/lib/unbound/root.hints"

  • Does this file exist?
  • What does status look like after you re-add this line and restart unbound?

Hmm, odd. I thought the guide showed that we don't necessarily need that line. Anyway, here's the status now:

● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-12-31 00:19:03 CST; 4s ago
       Docs: man:unbound(8)
    Process: 27483 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 27486 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 27489 (unbound)
      Tasks: 1 (limit: 1624)
        CPU: 142ms
     CGroup: /system.slice/unbound.service
             └─27489 /usr/sbin/unbound -d -p

Dec 31 00:19:03 raspberrypi systemd[1]: Starting Unbound DNS server...
Dec 31 00:19:03 raspberrypi unbound[27489]: [1672467543] unbound[27489:0] warning: so-rcvbuf 1048576 was not granted. Got 360448. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
Dec 31 00:19:03 raspberrypi unbound[27489]: [1672467543] unbound[27489:0] error: Could not open logfile /var/log/unbound/unbound.log: Permission denied
Dec 31 00:19:03 raspberrypi unbound[27489]: [1672467543] unbound[27489:0] notice: init module 0: subnet
Dec 31 00:19:03 raspberrypi unbound[27489]: [1672467543] unbound[27489:0] notice: init module 1: validator
Dec 31 00:19:03 raspberrypi unbound[27489]: [1672467543] unbound[27489:0] notice: init module 2: iterator
Dec 31 00:19:03 raspberrypi unbound[27489]: [1672467543] unbound[27489:0] info: start of service (unbound 1.13.1).
Dec 31 00:19:03 raspberrypi systemd[1]: Started Unbound DNS server

Okay, so ... Let's try using

logfile: "/tmp/unbound.log"

instead. This should be accessible for everyone without us fiddling around with file system permissions too much here.

Nope, still permission denied.

Oh, I'm suspecting AppArmor protection here.

Edit

/etc/apparmor.d/local/usr.sbin.unbound

and append

/var/log/unbound/unbound.log rw,

to the end (or, /tmp/unbound.log whatever you want to use - just make sure the value is the same in the unbound config). Then reload AppArmor using

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound 
sudo service unbound restart

and then we shall see if this helped... If it did, we will add this to the documentation, too. AppArmor might simply be deployed much wider by now than it was when we initially wrote the unbound guide.

Yup, that worked!

Here's what's in the log file:

[1672468980] unbound[29165:0] notice: init module 0: subnet
[1672468980] unbound[29165:0] notice: init module 1: validator
[1672468980] unbound[29165:0] notice: init module 2: iterator
[1672468980] unbound[29165:0] info: start of service (unbound 1.13.1).
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

Okay, so this is still here, did you check this?

Another question: Do you have any other files in /etc/unbound/unbound.conf.d/ ? If so, what's their content?

Here's what's in the /var/lib/unbound/root.hints:

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     December 01, 2022
;       related version of root zone:     2022120101
;
; FORMERLY NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35

There is one other file in /etc/unbound/unbound.conf.d/. It's called root-auto-trust-anchor-file.conf and here's what's in it:

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

To clarify, I never put this file there.

That's fine, I do have the same file, it is installed alongside unbound by the operating system. I just realized that I have the root-hints: line commented out in my pi-hole.conf as it is already contained in the other file.

Please increase verbosity of the unbound logging.

I increased the verbosity to 2 and this is what I get now:

[1672470141] unbound[30234:0] notice: init module 2: iterator
[1672470142] unbound[30234:0] info: start of service (unbound 1.13.1).
[1672470164] unbound[30234:0] info: resolving pi-hole.net. A IN
[1672470164] unbound[30234:0] info: priming . IN NS
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 198.41.0.4#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 193.0.14.129#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 192.203.230.10#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.33.4.12#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.112.36.4#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.91.13#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.58.128.30#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: priming successful for . NS IN
[1672470165] unbound[30234:0] info: resolving a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470165] unbound[30234:0] info: query response was nodata ANSWER
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response was nodata ANSWER
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.203.230.10#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: response for pi-hole.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.91.13#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. A IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 192.112.36.4#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 198.41.0.4#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 192.58.128.30#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: Could not establish a chain of trust to keys for . DNSKEY IN

Just watching this from the sidelines, thought I'd mention this is also a handy logging option:

val-log-level: <number>
Have the validator print validation failures to the log. Regardless of the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only the query that failed is printed but also the reason why unbound thought it was wrong and which server sent the faulty data.

Something of note that's...odd, I can't ping anything outside of my pi-hole. If I try ping -c 3 pi-hole.net the command is just stuck perpetually.

192.5.5.241 is indeed f.root-servers.net, the others are root server, too, so this is fine, however,

is really bad.

It makes me suspicious that anything in your house (router, firewall) is intercepting DNS queries and reroutes them to somewhere else. Can this be the case? If not, your ISP might be doing this for you.

Please run the following commands on your Pi-hole:

dig CHAOS TXT version.bind @192.33.4.12 +short
dig CHAOS TXT version.bind @198.97.190.53 +short

the expected replies are:

"c-root"
"NSD 4.5.0"

I got

"dnsmasq-2.57-OpenDNS-1"

for both. Of note, the pi-hole is not the DNS server. The router doesn't let me configure my own DNS server. I had to do this.

So it's quite possible my ISP is doing this. I have ufw enabled but it's pretty basic.
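As an added example (not code from the thread or from the Pi-hole project), the two interception signals the thread relies on, checked offline in Python: REC_LAME verdicts on replies from root-server addresses in a verbosity-2 unbound log, and the same version.bind identity string coming back from several different root servers. The root-server addresses are those in the root.hints posted above; the sample log excerpt and the version.bind answers are constructed to mirror the thread's output.

```python
"""Spot a transparent DNS interceptor from the signals seen in the thread.

1. Real root servers answer authoritatively, so a reply from a root-server
   address that unbound marks REC_LAME (recursive, not authoritative) is a
   red flag.
2. The 13 roots are run by different operators, so one identity string
   returned by several of them for CHAOS TXT version.bind points at a
   single middlebox answering in their place.
"""
import re
from collections import defaultdict

# IPv4 root-server addresses, as listed in the root.hints file in the thread.
ROOT_SERVERS = {
    "198.41.0.4": "a", "199.9.14.201": "b", "192.33.4.12": "c", "199.7.91.13": "d",
    "192.203.230.10": "e", "192.5.5.241": "f", "192.112.36.4": "g",
    "198.97.190.53": "h", "192.36.148.17": "i", "192.58.128.30": "j",
    "193.0.14.129": "k", "199.7.83.42": "l", "202.12.27.33": "m",
}

REPLY_RE = re.compile(r"info: reply from <[^>]*> (?P<ip>[0-9A-Fa-f.:]+)#53")
VERDICT_RE = re.compile(r"info: query response (?P<verdict>REC_LAME|was [A-Za-z ]+)")


def lame_root_replies(log_lines):
    """Return {root_ip: (lame_replies, total_replies)} from unbound log lines.

    unbound logs 'reply from <zone> IP#53' and then, on the following
    'query response' line, its verdict for that reply; pair them in order and
    keep only replies from known root-server addresses.
    """
    stats = defaultdict(lambda: [0, 0])
    pending = None
    for line in log_lines:
        m = REPLY_RE.search(line)
        if m:
            pending = m.group("ip") if m.group("ip") in ROOT_SERVERS else None
            continue
        m = VERDICT_RE.search(line)
        if m and pending is not None:
            stats[pending][1] += 1
            if m.group("verdict") == "REC_LAME":
                stats[pending][0] += 1
            pending = None
    return {ip: tuple(v) for ip, v in stats.items()}


def interception_suspected(stats, min_lame_fraction=0.5):
    """True when at least min_lame_fraction of root replies were REC_LAME."""
    lame = sum(l for l, _ in stats.values())
    total = sum(t for _, t in stats.values())
    return total > 0 and lame / total >= min_lame_fraction


def shared_version_bind(answers):
    """Return version.bind identity strings that more than one root returned."""
    seen = defaultdict(set)
    for ip, txt in answers.items():
        seen[txt.strip().strip('"')].add(ip)
    return {txt for txt, ips in seen.items() if len(ips) > 1}


# Constructed sample: an excerpt shaped like the verbosity-2 log in the thread.
SAMPLE_LOG = """\
[1672470164] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was ANSWER
""".splitlines()

# Constructed sample answers to `dig CHAOS TXT version.bind @<root> +short`,
# mirroring what the thread reports for c-root and h-root.
SAMPLE_VERSION_BIND = {
    "192.33.4.12": '"dnsmasq-2.57-OpenDNS-1"',
    "198.97.190.53": '"dnsmasq-2.57-OpenDNS-1"',
}

if __name__ == "__main__":
    stats = lame_root_replies(SAMPLE_LOG)
    for ip, (lame, total) in sorted(stats.items()):
        print(f"{ROOT_SERVERS[ip]}.root-servers.net {ip}: {lame}/{total} REC_LAME")
    print("interception suspected:", interception_suspected(stats))
    print("identity shared by several roots:", shared_version_bind(SAMPLE_VERSION_BIND))
```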