to the end (or /tmp/unbound.log, whatever you want to use - just make sure the value is the same in the unbound config). Then reload AppArmor using
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
sudo service unbound restart
and then we shall see if this helped... If it did, we will add this to the documentation, too. AppArmor might simply be deployed much wider by now than it was when we initially wrote the unbound guide.
[1672468980] unbound[29165:0] notice: init module 0: subnet
[1672468980] unbound[29165:0] notice: init module 1: validator
[1672468980] unbound[29165:0] notice: init module 2: iterator
[1672468980] unbound[29165:0] info: start of service (unbound 1.13.1).
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
There's one other file in /etc/unbound/unbound.conf.d/. It's called root-auto-trust-anchor-file.conf and here's what's in it:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
That's fine, I do have the same file; it is installed alongside unbound by the operating system. I just realized that I have the root-hints: line commented out in my pi-hole.conf as it is already contained in the other file.
I increased the verbosity to 2 and this is what I get now:
[1672470141] unbound[30234:0] notice: init module 2: iterator
[1672470142] unbound[30234:0] info: start of service (unbound 1.13.1).
[1672470164] unbound[30234:0] info: resolving pi-hole.net. A IN
[1672470164] unbound[30234:0] info: priming . IN NS
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 198.41.0.4#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 193.0.14.129#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 192.203.230.10#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.33.4.12#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.112.36.4#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.91.13#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.58.128.30#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: priming successful for . NS IN
[1672470165] unbound[30234:0] info: resolving a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470165] unbound[30234:0] info: query response was nodata ANSWER
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response was nodata ANSWER
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.203.230.10#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: response for pi-hole.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.91.13#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. A IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 192.112.36.4#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 198.41.0.4#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 192.58.128.30#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: Could not establish a chain of trust to keys for . DNSKEY IN
Just watching this from the sidelines, thought I'd mention this is also a handy logging option:
val-log-level: <number> Have the validator print validation failures to the log. Regardless of the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only the query that failed is printed but also the reason why unbound thought it was wrong and which server sent the faulty data.
192.5.5.241 is indeed f.root-servers.net, and the others are root servers, too, so this is fine; however,
is really bad.
It makes me suspicious that something in your house (router, firewall) is intercepting DNS queries and rerouting them somewhere else. Can this be the case? If not, your ISP might be doing this for you.
Please run the following commands on your Pi-hole:
As you are not able to contact the root servers - or, in fact, any DNS server on the Internet - you cannot use unbound as your own resolver, as it won't be able to do the recursion for you.
I'd suggest contacting your ISP and asking them if/why they are doing this. Typically, they are helpful (after all you pay them). In my case, for instance, my ISP blocked all inward traffic and I could only use Wireguard once I contacted them and they removed this "extra protection" for me.
In some sense, the DNS rerouting can be understood as a similar means of "extra security", as it forces devices with hard-coded DNS server addresses to go through their servers so they can apply by-law DNS filtering (depending on the country you live in, this may or may not be a thing).
I wish you all the best with your endeavor of getting the full-featured version of the Internet. The sun is just getting up in Germany right now (8:30 AM). Take care!
You can use the commands above
to check if it worked. And in case you need further assistance, we are here!
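To do the per-server triage from the diagnosis above mechanically, here is an added Python example (not code from the thread, nor from the Pi-hole or unbound projects). It parses verbosity-2 lines in the format posted earlier, attributes each REC_LAME and sec_status_bogus verdict to the server unbound had just queried, and lists the root servers that answered like a recursive resolver; the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in unbound's verbosity-2 log format, modelled on the
# output posted in the thread (timestamps, pid and ordering are illustrative).
SAMPLE_LOG = """\
[1672470164] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: priming successful for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: Could not establish a chain of trust to keys for . DNSKEY IN
"""

# "reply from <zone> ip#port" names the upstream the query went to.
REPLY_RE = re.compile(r"reply from <(?P<zone>[^>]*)> (?P<ip>[0-9A-Fa-f.:]+)#\d+")
LAME = "REC_LAME: recursive but not authoritative server"
BOGUS = "validate keys with anchor(DS): sec_status_bogus"
NO_CHAIN = "Could not establish a chain of trust"


def analyse(log_text):
    """Attribute each verdict to the (zone, ip) named in the preceding
    'reply from' line and count the symptoms the thread discusses."""
    lame = defaultdict(int)    # servers that answered like a recursor
    bogus = defaultdict(int)   # servers whose DNSKEY failed validation
    last, chain_failed = None, False
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            last = (m.group("zone"), m.group("ip"))
        elif LAME in line and last:
            lame[last] += 1
        elif BOGUS in line and last:
            bogus[last] += 1
        elif NO_CHAIN in line:
            chain_failed = True
    return {"lame": dict(lame), "bogus": dict(bogus), "chain_failed": chain_failed}


def lame_root_servers(summary):
    """Servers queried for zone '.' are the root servers, which are
    authoritative; a REC_LAME verdict from one means a recursive resolver
    answered in its place, the interception signature from the thread."""
    return sorted(ip for (zone, ip) in summary["lame"] if zone == ".")
```

Feed it the real log (e.g. the file configured via logfile:) and a non-empty result from lame_root_servers is the same symptom the thread calls "really bad"; an empty result after the ISP removes the rule is the confirmation to look for.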
Heh, you are the native speaker here. I'd imagine something along the lines of:
Hey, I want to set up my own recursive DNS resolver for private use. However, I realized that all my requests on port 53 get rerouted to one and the same server identifying itself as "dnsmasq-2.57-OpenDNS-1". Please disable this rule for me so I can contact DNS servers on the Internet directly.
Just FYI: dnsmasq-2.57 was released back in 2011 ...