Unbound on pi hole causing SERVFAIL

duhipu.ugofin · May 6, 2023, 7:44pm

The issue I am facing:
Getting an SERVFAIL on unbound with pi hole installed
Details about my system:
raspberry pi 4 (4gb)
What I have changed since installing Pi-hole:
I've installed Unbound following the official documentation

When I use the dig command
dig pi-hole.net 127.0.0.1 -p 5335

I get

; <<>> DiG 9.16.37-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7704
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat May 06 12:43:51 PDT 2023
;; MSG SIZE  rcvd: 40

Oddly enough all domains get forwarded when setup on Pi hole just nothing caches. Also dig reads no error when set to just 127.0.0.1 without the port

jfb · May 6, 2023, 8:00pm

What is the complete output of the following command from the Pi terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

duhipu.ugofin · May 6, 2023, 8:05pm

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: 2600:6c51:4c3f:7159::1
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

jfb · May 6, 2023, 8:21pm

duhipu.ugofin:

/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: 2600:6c51:4c3f:7159::1

Edit file /etc/resolvconf.conf and comment out the last line which should then read:

#unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

Restart unbound:

sudo service unbound restart

duhipu.ugofin · May 6, 2023, 8:24pm

this is the new output of the dig command

; <<>> DiG 9.16.37-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50610
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; ANSWER SECTION:
pi-hole.net.		295	IN	A	3.18.136.52

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat May 06 13:24:02 PDT 2023
;; MSG SIZE  rcvd: 56

jfb · May 6, 2023, 8:27pm

That is the correct reply for that dig command. Problem solved?

duhipu.ugofin · May 6, 2023, 8:29pm

From the looks of it yes. What was the issue?

jfb · May 6, 2023, 8:31pm

Your OS installed a forwarding configuration, which changed unbound from a recursive resolver (our default setup per our guide) to a forwarding resolver.

Deleting the forwarding configuration and disabling the mechanism that installed that configuration returns unbound to the recursive configuration.

duhipu.ugofin · May 6, 2023, 8:32pm

That's weird as I'm using raspberry pi's os 64 bit (fresh install)

jfb · May 6, 2023, 8:34pm

That may not be as weird as you think. This is a problem with the Bullseye version of Debian/Raspbian.

system · May 27, 2023, 8:35pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.