Unbound + Pihole: server not reachable when traffic tunneled through VPN

Expected Behaviour:

Pihole + unbound to resolve the DNS queries, but it always ends with SERVER not reachable.

Raspberry Pi 4B, freshly updated for the system and all the other stuff I have.

Actual Behaviour:

I have configured my router with two below data paths:

  • Direct to ISP
  • Through a VPN running at router level

Using policy-based routing, I am forwarding some devices' IPs only through the VPN. For DNS I have twin Pihole configurations:

  • PI_1 in the ISP route with unbound working perfectly. All devices using the ISP are pointing to PI_1 as DNS
  • PI_2 in the VPN route with the issue with unbound. All devices using the VPN are pointing to PI_2 as DNS
  • PI_2's IP is well routed through the VPN

Issue:

  • unbound cannot contact any server when activated in PI_2 while passing through the VPN
  • unbound can contact servers when activated in PI_2 while passing through the ISP
  • when using an external resolver in PI_2, while passing through the VPN, I correctly get back the targeted IPs
  • when unbound is running in PI_2 while passing through the VPN, Pihole is correctly sending all requests to the unbound server

So I must be missing something huge, but I have no idea what. My conclusion is that no external requests are being processed by PI_2 if passing through VPN + unbound, while PI_2 can make requests directly through the VPN just fine (tested with the browser).

Debug Token:


Below is the log from unbound while tunneled through the VPN:


[1612942720] unbound[1901:0] info: validator operate: query apple.com. A IN
[1612942720] unbound[1901:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1612942720] unbound[1901:0] info: resolving apple.com. A IN
[1612942720] unbound[1901:0] info: priming . IN NS
[1612942720] unbound[1901:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1612942720] unbound[1901:0] info: iterator operate: query . NS IN
[1612942720] unbound[1901:0] info: processQueryTargets: . NS IN
[1612942720] unbound[1901:0] info: sending query: . NS IN
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:500:1::53#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:500:1::53 port 53
[1612942720] unbound[1901:0] info: processQueryTargets: . NS IN
[1612942720] unbound[1901:0] info: sending query: . NS IN
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:500:a8::e#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:500:a8::e port 53
[1612942720] unbound[1901:0] info: processQueryTargets: . NS IN
[1612942720] unbound[1901:0] info: sending query: . NS IN
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:503:c27::2:30#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
[1612942720] unbound[1901:0] info: processQueryTargets: . NS IN
[1612942720] unbound[1901:0] info: sending query: . NS IN
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:500:200::b#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:500:200::b port 53
[1612942720] unbound[1901:0] info: processQueryTargets: . NS IN
[1612942720] unbound[1901:0] info: sending query: . NS IN
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:500:2f::f#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:500:2f::f port 53
[1612942720] unbound[1901:0] info: processQueryTargets: . NS IN


Below is the output of systemctl status unbound.service:


● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-02-10 15:38:21 CST; 3h 4min ago
Docs: man:unbound(8)
Process: 1888 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 1891 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Main PID: 1901 (unbound)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/unbound.service
└─1901 /usr/sbin/unbound -d

Feb 10 15:37:30 Pi-Toy systemd[1]: Starting Unbound DNS server...
Feb 10 15:38:21 Pi-Toy package-helper[1891]: /var/lib/unbound/root.key has content
Feb 10 15:38:21 Pi-Toy package-helper[1891]: fail: the anchor is NOT ok and could not be fixed
Feb 10 15:38:21 Pi-Toy unbound[1901]: [1612942701] unbound[1901:0] debug: chdir to /etc/unbound
Feb 10 15:38:21 Pi-Toy unbound[1901]: [1612942701] unbound[1901:0] debug: drop user privileges, run as unbound
Feb 10 15:38:21 Pi-Toy unbound[1901]: [1612942701] unbound[1901:0] debug: switching log to /var/log/unbound/unbound.log
Feb 10 15:38:21 Pi-Toy systemd[1]: Started Unbound DNS server.
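
Added example (not from the post or from the Pi-hole/unbound projects): in the unbound log quoted above, every failed "sending to target" went to an IPv6 root server, and a small checker that groups unbound's upstream send errors by address family makes such a pattern visible without reading the log by hand. The sample log below is constructed from the lines quoted above (one IPv4 target added); do-ip6 is a real unbound.conf option, mentioned only as something to verify.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the unbound debug log quoted in the post.
SAMPLE_LOG = """\
[1612942720] unbound[1901:0] info: priming . IN NS
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:500:1::53#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:500:1::53 port 53
[1612942720] unbound[1901:0] debug: sending to target: <.> 2001:500:a8::e#53
[1612942720] unbound[1901:0] info: error sending query to auth server 2001:500:a8::e port 53
[1612942720] unbound[1901:0] debug: sending to target: <.> 198.41.0.4#53
"""

# "sending to target: <zone> address#port" (debug) and the matching send error (info).
SEND_RE = re.compile(r"sending to target: <(?P<zone>[^>]*)> (?P<addr>[0-9a-fA-F:.]+)#(?P<port>\d+)")
ERROR_RE = re.compile(r"error sending query to auth server (?P<addr>[0-9a-fA-F:.]+) port (?P<port>\d+)")


def analyse_unbound_log(text):
    """Count attempted and failed upstream sends per IP version (4 or 6)."""
    attempted = Counter()
    failed = Counter()
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            attempted[ipaddress.ip_address(m.group("addr")).version] += 1
            continue
        m = ERROR_RE.search(line)
        if m:
            failed[ipaddress.ip_address(m.group("addr")).version] += 1
    return {"attempted": dict(attempted), "failed": dict(failed)}


def diagnose(stats):
    """Turn the counts into a hint about where to look next."""
    failed = stats["failed"]
    if failed and set(failed) == {6}:
        return ("all failed upstream sends were IPv6; check that the tunnel carries IPv6 "
                "or disable it in unbound with do-ip6: no")
    if failed:
        return "failures are not limited to IPv6; check outbound UDP/TCP 53 through the tunnel"
    return "no upstream send errors"


if __name__ == "__main__":
    stats = analyse_unbound_log(SAMPLE_LOG)
    print(stats)
    print(diagnose(stats))
```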

Hi,

Sounds like my exotic issue is not raising many hints :)

Well, I have replaced unbound with DoH (cloudflared), which also uses a local proxy concept running on the Pi. And... it works!

But if I switch to the unbound proxy, there is no way to connect to any server. So I am a bit lost now, as I spent the last days checking for any wrongdoing with my router, firewall... But since I can reach the Cloudflare server fine through the local proxy, why can't it do so using unbound?

Interestingly, I can update the list of certified servers using the manual update. I got a list of IPv4 and IPv6 servers.

Using my policy-based routing in my server, which drives the selected IPs through my VPN, my gateway (x.x.x.1) is, for sure, still going through the ISP.

I have confirmed the resolver is correctly configured to use the local server on the right port for unbound, but I could not find any hint of whether the gateway would be used by unbound for any reason.

Well, I will keep on digging, but since DoH works well, it freezes the few remaining ideas I had...

Miguel
