Unbound starts failing when I set pi.hole to use it?

Norlig · January 15, 2022, 5:43pm

The issue I am facing:
After activating unbound and setting the DNS Server in pi.hole to use Custom Upstream DNS Server to: 127.0.0.1#5335, it starts to get serverfail, even from SSH

Details about my system:
Raspberry Pi 1B 512MB
Latest Raspberry Pi OS from https://www.raspberrypi.com/software/

What I have changed since installing Pi-hole:
Added some adlists first.
then installed Unbound, following this guide:
https://docs.pi-hole.net/guides/dns/unbound/

Notes:
/etc/unbound/unbound.conf.d/pi-hole.conf is identic to the example file
ran the root.hints command, as I noticed that was missing at first
Have restarted services

Tests:
With 127.0.0.1#5335as DNS Server in pi.hole:

dig facebook.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> facebook.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24804
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; Query time: 19 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:25:01 CET 2022
;; MSG SIZE  rcvd: 41


dig itavisen.no @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> itavisen.no @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55906
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;itavisen.no.                   IN      A

;; Query time: 3309 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:24:26 CET 2022
;; MSG SIZE  rcvd: 40


dig twitter.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> twitter.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62526
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;twitter.com.                   IN      A

;; Query time: 3869 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:42:31 CET 2022
;; MSG SIZE  rcvd: 40

With 1.1.1.1 and 8.8.8.8 as DNS Servers in pi.hole:

 dig facebook.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> facebook.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60678
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; ANSWER SECTION:
facebook.com.           0       IN      A       31.13.72.36

;; Query time: 89 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:27:18 CET 2022
;; MSG SIZE  rcvd: 57


dig itavisen.no @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> itavisen.no @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20066
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;itavisen.no.                   IN      A

;; ANSWER SECTION:
itavisen.no.            300     IN      A       104.22.35.180
itavisen.no.            300     IN      A       172.67.40.115
itavisen.no.            300     IN      A       104.22.34.180

;; Query time: 89 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:39:54 CET 2022
;; MSG SIZE  rcvd: 88

dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41976
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            300     IN      A       3.18.136.52

;; Query time: 79 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Jan 15 18:40:12 CET 2022
;; MSG SIZE  rcvd: 56

jfb · January 15, 2022, 6:32pm

What is the output of the following command from the Pi terminal?

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

Norlig · January 15, 2022, 7:06pm


pi@raspberrypi:/etc/dnsmasq.d $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 192.168.10.1

jfb · January 15, 2022, 7:26pm

Norlig:

/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 192.168.10.1

This is your problem. All your unbound DNS queries are being forwarded to your router.

Edit file /etc/resolvconf.conf and comment out the last line which should read:

unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

Restart unbound:

sudo service unbound restart

Norlig · January 15, 2022, 7:54pm

Thanks, seem to work great now!

Hopefully the model of pi I have wont be a bottleneck for my home network

jfb · January 15, 2022, 8:24pm

Only your DNS traffic goes to Pi-hole. Data traffic is between clients and the router. The model of Pi or method of connecting it to your network will not impact internet speed.

wd9895 · January 15, 2022, 10:41pm

Has the documentation been changes yet?

system · February 5, 2022, 10:42pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.