Unbound SERVFAIL results only

Help
1

I installed Pi-hole on a clean Raspberry OS SD card.

I followed all steps. Got Pi-hole working perfectly. But I'm having issues setting up Unbound.

I am only getting SERVFAIL results.

I wasn't able to generate a debug token. It didn't resolve

  • The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
    [i] Debug script running in automated mode
    • Using curl for transmission.
    • curl failed, contact Pi-hole support for assistance.
    • Error message: curl: (6) Could not resolve host: tricorder.pi-hole.net

[✗] There was an error uploading your debug log.

  • Please try again or contact the Pi-hole team for assistance.
  • A local copy of the debug log can be found at: /var/log/pihole/pihole_debug.log

Here's my dhcpdc.conf

interface eth0
static ip_address=192.168.1.157/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

Should I add a second DNS (external) as well? I did that. But it stopped blocking sites.

Honestly I don't know what else to do

2

unbound (or DNSSEC in general) needs correct timing information.

Check your system's time and time zone information.

3

If you are referring to the timezone in my Raspberry Pi OS install it is correctly set to GMT-3 (Brazil)

$ date
Fri 25 Nov 20:56:31 -03 2022

I'm getting a lot of these on Query Log:

022-11-25 21:02:01 A clients4.google.com openwrt OK (answered by localhost#5335) CNAME (96.4ms)

How can I know if it is resolved locally instead of being forwarded?

4

The part in brackets tells you which DNS server Pi-hole sent your query to. In this case it is localhost#5335 which is your own Unbound running on port 5335. This is correct and means your Pi-hole is sending its queries to your Unbound which is running alongside it on the same Pi.

So the question is whether Unbound itself has some problem which is causing SERVFAIL. As @Bucking_Horn said the timing info has to be correct or else the data that Unbound fetches will appear to be outdated and will be rejected, and it's a common problem so a good place to start.

Try running the command below and see if you have the correct numbers for Local time, Universal time, Time zone, is the System clock synchronized and is NTP active.

timedatectl
5

timedatectl
Local time: Fri 2022-11-25 22:51:19 -03
Universal time: Sat 2022-11-26 01:51:19 UTC
RTC time: n/a
Time zone: America/Bahia (-03, -0300)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

NTP was disabled. I'm getting NOERROR using dig.

But how (or where) can I make sure is it really working as it should?

6

Screenshot_3
Screenshot_3965×596 59.1 KB

Isn't those latency times higher than it should be?

7

It says active in the output so I assume you enabled it?

To test it now, try flushing the Unbound cache (note the dot at the end of the command) and then running the DNSSEC test from the Pi-hole Unbound setup guide.

sudo unbound-control flush_zone .
dig dnssec.works @127.0.0.1 -p 5335

If this gives NOERROR and an IP address then you're working.

Possibly but there are a lot of variables and Unbound builds up its cache along the way. See if the SERVFAIL issue is resolved.

8

Sorry. I wish I could do a more elaborate post. But the forum won't let me do it. I can't use quotes. New User policy

Yes. It is solved. I did what you asked me to. Flushed everything and I'm getting NOERROR.

Screenshot_4

Thank you.

But, if I may. I've read somewhere that Unbound can be configured to fully resolve domain names locally. Is that what am I already getting?

Sorry for asking these newbies questions. I really didn't know about this stuff until yesterday.

9

It looks like the problem was what @Bucking_Horn said, and your system time was wrong. This turned out to be because NTP wasn't enabled and your enabling of it fixed the problem and this allowed Unbound to work correctly.

If you installed it from the Pi-hole guide (here) then that sets it up to fully resolve domains name locally. In this mode it's called a "recursive resolver" because it steps through the domain name one piece at a time and resolves each piece.

This is the same as what an external name server like Google would be doing, only you're doing it yourself directly now. It's much better for privacy, and Pi-hole and Unbound in recursive mode work really well together. The earlier online guide explains the difference between sending your queries to an external server vs resolving them yourself.

You can confirm it by looking at your dig output. Where it says flags you have ra (recursion available). That's Unbound telling your dig command that it's configured as a recursive resolver.
[ Edit - the above is not correct because the ra flag would also be picked up from an external upstream resolver if Unbound was simply forwarding requests to that resolver ]

No need to be sorry, you're very welcome; these kind of questions and answers also help others who find Pi-hole and this forum later on.

10

Thinks for replying and for the understanding of my situation.

One last thing. An odd thing. Looking for the reasons why it wasn't working before posting here I've noticed that my unbound log it's not recording anything.

This is my permissions:

ls -ld /var/log/unbound/
drwxr-xr-x 2 unbound unbound 4096 Nov 24 20:23 /var/log/unbound/

Do you happen to have an idea of what might be happening here?

It's working. Don't get me wrong. But i feel that it might come handy in the future to use that log.

BTW, Verbose is set to 1 on my pi-hole.conf.

11

Yes you're right, it's handy to have a dedicated log file available for it. You have to enable it – as standard it's using syslog. See the Add logging to unbound section at the end of that online guide for the steps.

In summary, in pi-hole.conf you'll uncomment the logfile entry to enable logging into /var/log/unbound/unbound.log, then create the logfile and set its permissions, and finally restart Unbound.

A handy tip; in pi-hole.conf add the line below to make the logging use human-readable time.

log-time-ascii: yes

At verbosity level 1 you just get Unbound start and stop entries. If you hit a weird problem you can temporarily knock it up to a higher level to help diagnose it, and put it back to 1 when done. It can get quite large at higher verbosity levels. If you ever need to zero the log after filling it with diagnostics, you can do so with the command

sudo truncate -s 0 /var/log/unbound/unbound.log
12

It's done.

What if I want to properly delete the log because of its file size?

13

The above truncate command will empty the unbound.log file and set the size back to 0, without deleting the file itself. This way the file still exists and Unbound can continue to add new entries to it.

On verbosity level 1 you don't need to worry about this at all. It's useful if you have been doing some higher level verbosity diagnostics and the file has grown a lot with domain details.

14

Last question.

How can I make all my devices inside this network open http://pi.hole?

15

Devices will recognise the domain pi.hole as resolving to your Pi-hole if their query is ultimately answered by the Pi-hole, ie because either they are using the Pi-hole for their DNS, or because they are using something else, such as a router, and that is using Pi-hole for it's DNS.

16

This is my setup.

I have a Openwrt. In there I set my Pi-Hole network address as DNS (192.168.1.157)

As it stands. I can't not open the pi-hole admin webpage using http:://pi.hole/admin

It can only be open using the ip address

This is my /etc/hosts

cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.0.1 pi.hole

192.168.1.1 openwrt
192.168.1.157 pi.hole
.

/etc/dhcpcd.conf

hostname
clientid
persistent
option rapid_commit
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option interface_mtu
require dhcp_server_identifier
slaac private
interface eth0
static ip_address=192.168.1.157/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1 1.1.1.1

17

Best thing now is to create a debug log on your Pi-hole and one of the devs will be able to take a look.

Run pihole -d and select Y when prompted to upload, then post just the debug token URL in here.

18

This is my debug log: https://tricorder.pi-hole.net/UCauk3Rc/

19

This doesn't seems to be correct. Your debug log shows your router it is using itself as DNS server (bypassing Pi-hole).

     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 43200 ( 12h )
      renewal-time: 21600 ( 6h )
      rebinding-time: 37800 ( 10h 30m )
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      router: 192.168.1.1
      dns-server: 192.168.1.1
20

Sorry about that. I was testing yesterday and forget to remove this other DNS entry.

Screenshot_3

https://tricorder.pi-hole.net/rzKubo7V/

I still can't open http://pi.hole/admin.

Everything else is apparently working.

dig dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Raspbian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works. IN A

;; ANSWER SECTION:
dnssec.works. 3351 IN A 5.45.107.88

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Nov 26 18:18:12 -03 2022
;; MSG SIZE rcvd: 57

Can you please, have a look now?