Unbound starts failing when I set pi.hole to use it?

The issue I am facing:
After activating unbound and setting the DNS Server in pi.hole to use Custom Upstream DNS Server to: 127.0.0.1#5335, it starts to get serverfail, even from SSH

Details about my system:
Raspberry Pi 1B 512MB
Latest Raspberry Pi OS from https://www.raspberrypi.com/software/

What I have changed since installing Pi-hole:
Added some adlists first.
then installed Unbound, following this guide:
https://docs.pi-hole.net/guides/dns/unbound/

Notes:
/etc/unbound/unbound.conf.d/pi-hole.conf is identic to the example file
ran the root.hints command, as I noticed that was missing at first
Have restarted services

Tests:
With 127.0.0.1#5335as DNS Server in pi.hole:

dig facebook.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> facebook.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24804
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; Query time: 19 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:25:01 CET 2022
;; MSG SIZE  rcvd: 41


dig itavisen.no @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> itavisen.no @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55906
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;itavisen.no.                   IN      A

;; Query time: 3309 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:24:26 CET 2022
;; MSG SIZE  rcvd: 40


dig twitter.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> twitter.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62526
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;twitter.com.                   IN      A

;; Query time: 3869 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:42:31 CET 2022
;; MSG SIZE  rcvd: 40


With 1.1.1.1 and 8.8.8.8 as DNS Servers in pi.hole:

 dig facebook.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> facebook.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60678
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; ANSWER SECTION:
facebook.com.           0       IN      A       31.13.72.36

;; Query time: 89 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:27:18 CET 2022
;; MSG SIZE  rcvd: 57


dig itavisen.no @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> itavisen.no @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20066
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;itavisen.no.                   IN      A

;; ANSWER SECTION:
itavisen.no.            300     IN      A       104.22.35.180
itavisen.no.            300     IN      A       172.67.40.115
itavisen.no.            300     IN      A       104.22.34.180

;; Query time: 89 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:39:54 CET 2022
;; MSG SIZE  rcvd: 88

dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41976
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            300     IN      A       3.18.136.52

;; Query time: 79 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:40:12 CET 2022
;; MSG SIZE  rcvd: 56


What is the output of the following command from the Pi terminal?

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*


pi@raspberrypi:/etc/dnsmasq.d $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 192.168.10.1

This is your problem. All your unbound DNS queries are being forwarded to your router.

  1. Edit file /etc/resolvconf.conf and comment out the last line which should read:

unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  1. Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  1. Restart unbound:

sudo service unbound restart

2 Likes

Thanks, seem to work great now!

Hopefully the model of pi I have wont be a bottleneck for my home network :slight_smile:

Only your DNS traffic goes to Pi-hole. Data traffic is between clients and the router. The model of Pi or method of connecting it to your network will not impact internet speed.

Has the documentation been changes yet?

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.