Unbound Without Upstream Server?

Hello,
I've had Unbound set up for some time with its default settings. I have been noticing that from time to time there are websites that will not resolve. I thought it was just normal, so I let it be. But I have found and read that Unbound is supposed to have an upstream DNS server configured, because if not, it can have issues resolving websites.

Is this accurate? The default Unbound config does not include any upstream DNS. Is that because it is meant not to use one, or because we are to add the upstream DNS server we prefer, and that's why it's not included in the initial config file?

Thanks.

Unbound is meant to run without an upstream resolver (recursively). It gets an authoritative answer from the root servers down, as opposed to an upstream resolver, which acts as a middleman. Initial queries can sometimes take longer, but once cached it's fine. I've been using it this way for years and my personal experience has been fine.

Hmm... Some of the websites that won't resolve are known websites. In order to access them I've had to whitelist them in Pi-hole. So that root server, which DNS would that be? It has to be one of the public DNS servers, right?

What they say is, without upstream servers, Unbound's ability to resolve new websites (not in the cache) is limited. It might attempt a basic form of resolution using its root hints, but this is unlikely to succeed for most internet domains.

As an example, let's look at www.example.com.

When you use a resolver like Cloudflare, it is serving a lot of people and likely has www.example.com already cached. You send a query to them, get a response, and go to the site. If it doesn't have it, it has to go through the same process below.

When you use Unbound as a recursive server, it asks the root server (.) who has the domain .com, gets a response, then asks the .com server (TLD) who has example.com, and so on until it gets the authoritative answer and caches it.

If you have sites that you need to whitelist in Pi-hole, those could be looked at individually.

Unbound will always return either a cached result or an authoritative reply.
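To make that walk concrete, here is an added toy model (not code from this thread or from Unbound itself) that simulates the root, TLD and authoritative steps over constructed zone data with a cache in front. ZONES, ask and resolve are names chosen for the example, and 192.0.2.10 is a constructed address.

```python
# Constructed, offline model of the iterative walk a recursive resolver makes
# when it has no forwarder: each "server" in ZONES knows only the zone cuts
# directly below it and either refers the resolver one level down or returns
# the final (authoritative) answer.
ZONES = {
    ".":            {"com.": "referral"},                 # root: knows where .com lives
    "com.":         {"example.com.": "referral"},         # TLD: knows where example.com lives
    "example.com.": {"www.example.com.": "192.0.2.10"},   # authoritative (constructed address)
}


def ask(server_zone, qname):
    """Ask one server about qname: ('answer', addr), ('referral', zone) or ('none', None)."""
    known = ZONES[server_zone]
    # Longest-suffix match picks the most specific zone cut this server knows.
    for zone in sorted(known, key=len, reverse=True):
        if qname == zone or qname.endswith("." + zone):
            return ("referral", zone) if known[zone] == "referral" else ("answer", known[zone])
    return ("none", None)


def resolve(qname, cache):
    """Resolve qname the way a recursive resolver without an upstream does.

    Returns (address, source, servers_asked); source is 'cache', 'authoritative'
    or 'failed'. A miss that cannot be walked down to an authoritative server
    fails outright: nothing is forwarded to a public resolver.
    """
    if qname in cache:
        return cache[qname], "cache", []
    asked, current = [], "."              # start from the root hints
    while True:
        asked.append(current)
        kind, value = ask(current, qname)
        if kind == "answer":
            cache[qname] = value          # later lookups are served from cache
            return value, "authoritative", asked
        if kind == "referral":
            current = value               # follow the delegation one level down
        else:
            return None, "failed", asked


if __name__ == "__main__":
    c = {}
    print(resolve("www.example.com.", c))       # walks ., com., example.com.
    print(resolve("www.example.com.", c))       # second time: served from cache
    print(resolve("www.nonexistent.test.", c))  # root knows no .test cut: fails
```

The third lookup shows the only way a recursive-only resolver returns nothing: the referral chain cannot be followed, which is a different failure from a Pi-hole blocklist hit.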

So the issue I encounter from time to time of websites not resolving would have nothing to do with this?
I ask because once I whitelist it, it pops right up.

If you have to whitelist it, then it must be blacklisted to begin with. The whitelist has priority over blacklists as a domain is evaluated.

From a command line on the Pi-hole you can run pihole -q example.com, where example.com is the domain in question. It should show you all the lists that the domain is listed in.

You can also do this via the GUI under Tools > Search Adlists.
