Unbound / Pi-Hole settings advice


I have Pi-Hole running with Unbound as upstream resolver.
In the past, after installing Unbound, I made these adjustments to Pi-Hole:

Open the configuration file /etc/dnsmasq.d/01-pihole.conf and make sure that cache size is zero by setting cache-size=0. This step is important because the caching is already handled by Unbound. Please note that the changes made to this file will be overwritten once you update/modify Pi-hole.

When you're using Unbound, you're relying on that for DNSSEC validation and caching, and Pi-hole doing those same things is just going to waste time validating DNSSEC twice. In order to resolve this issue, you need to untick the Use DNSSEC option in the Pi-hole web interface by navigating to Settings > DNS > Advanced DNS settings.

Is this still the case, since Unbound and Pi-Hole have been updated?

This step has never been important and the developers have consistently recommended that you keep the Pi-hole cache enabled regardless of the upstream DNS server you use.

In previous versions of dnsmasq (prior to the current 2.81 embedded in Pi-hole 5.2) dnsmasq bugs caused problems with pass-through DNSSEC information. This is no longer the case.

If you enable DNSSEC in Pi-hole when running unbound, this enables the DNSSEC column in the query log.
