Comprehension question: Pi-hole with Unbound (DNSSEC + logs)

Hello community,

I'm running a Pi-hole with Unbound. Everything works so far. I have two questions:

Question 1:
Do I have to enable DNSSEC in Unbound separately, or is it the default?

DNSSEC Resolver Test (wander.science)
= Test result: success

Output of:

dig @127.0.0.1 -p 5335 +dnssec +multi icann.org | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

Question 2:
If I uncomment the line in the config for logging
# logfile: "/var/log/unbound/unbound.log"

I get the following when running the check:

unbound-checkconf /etc/unbound/unbound.conf.d/pi-hole.conf
/usr/local/etc/unbound/var/log/unbound: No such file or directory
[1725906502] unbound-checkconf[6247:0] fatal error: logfile directory does not exist

The path gets cobbled together. I think it has something to do with chroot ...
Who can help?

Thanks!

Unbound does DNSSEC validation OOTB if set up according to the official guide:

Verify DNSSEC signatures, discarding BOGUS domains

https://docs.pi-hole.net/guides/dns/unbound/

Why do you need a log file?
Pi-hole is already logging client queries and has a way nicer interface to look them up.

Depending on whether you're running a systemd distro:

$ readlink -f /sbin/init
/usr/lib/systemd/systemd

You can check the systemd journal for the current --boot:

sudo journalctl --all --boot --unit unbound.service

Or two boots back (-2):

sudo journalctl --all --boot -2 --unit unbound.service

Or follow/tail live:

sudo journalctl --all --follow --unit unbound.service

If you want to see queries in the journal for diagnostic purposes, you can raise the verbosity to three in the config file below:

$ cat /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
[..]

Or higher if necessary:

$ man unbound.conf
[..]
       verbosity: <number>
              The  verbosity  number, level 0 means no verbosity, only errors.
              Level 1 gives operational information.  Level 2  gives  detailed
              operational  information  including short information per query.
              Level 3 gives query level information, output per query.   Level
              4  gives algorithm level information.  Level 5 logs client iden-
              tification for cache misses.  Default is level 1.  The verbosity
              can also be increased from the commandline, see unbound(8).

And reload to apply:

sudo systemctl reload unbound.service

EDIT: If you want to list all units and their enabled status:

systemctl list-unit-files

EDIT2: Don't forget to set verbosity back to zero after diagnosing, as otherwise this uses up extra disk space and you have more writes to the FS!

Everything seems to be in order:

dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39813
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.           IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Sep 09 21:45:21 CEST 2024
;; MSG SIZE  rcvd: 48

dig dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26301
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works.                  IN      A

;; ANSWER SECTION:
dnssec.works.           3393    IN      A       46.23.92.212

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Sep 09 21:45:37 CEST 2024
;; MSG SIZE  rcvd: 57
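The two dig runs above show the whole DNSSEC check in one go: a correctly signed zone comes back NOERROR with the `ad` flag, a deliberately broken chain comes back SERVFAIL. The script below, added here as an example and not part of the thread or of Pi-hole/Unbound, turns that manual reading of the header into a small POSIX sh check. `dnssec_status` reads dig output on stdin and classifies it from the `->>HEADER<<-` and `flags:` lines, so it can be fed captured output offline; `check_resolver` wraps a live query against the same two test names used in the thread (dnssec.works and fail01.dnssec.works) and exits non-zero unless both answers look like a validating resolver. The sample header lines at the bottom are constructed from the thread's output for the offline demo; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a resolver's DNSSEC
# behaviour from `dig` output instead of eyeballing the flags by hand.

# Read dig output on stdin and print exactly one word:
#   validated      NOERROR and the AD (authenticated data) flag is set
#   bogus          SERVFAIL, which is what a validating resolver returns
#                  for a broken signature chain
#   not-validated  NOERROR without AD: unsigned zone, or the resolver
#                  does not validate at all
#   unknown        no dig header found, or some other rcode
dnssec_status() {
    status=""
    flags=""
    while IFS= read -r line; do
        case "$line" in
            *'->>HEADER<<-'*)
                # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26301"
                status=$(printf '%s\n' "$line" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
                ;;
            ';; flags:'*)
                # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
                flags=$(printf '%s\n' "$line" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
                ;;
        esac
    done
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *' ad '*) echo validated ;;
                *)        echo not-validated ;;
            esac
            ;;
        *) echo unknown ;;
    esac
}

# Live check (needs dig and network access). Returns 0 only if the signed
# test zone validates AND the broken test zone is rejected, i.e. the
# resolver really validates rather than just passing answers through.
# Usage: check_resolver 127.0.0.1 5335
check_resolver() {
    server=$1
    port=${2:-53}
    good=$(dig @"$server" -p "$port" +dnssec dnssec.works A | dnssec_status)
    bad=$(dig @"$server" -p "$port" +dnssec fail01.dnssec.works A | dnssec_status)
    printf 'signed zone (dnssec.works)        : %s\n' "$good"
    printf 'broken chain (fail01.dnssec.works): %s\n' "$bad"
    [ "$good" = validated ] && [ "$bad" = bogus ]
}

# Offline demo: header lines constructed after the thread's dig output.
sample_bogus=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39813
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
sample_ok=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26301
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
printf '%s\n' "$sample_bogus" | dnssec_status   # prints: bogus
printf '%s\n' "$sample_ok"    | dnssec_status   # prints: validated
```

A NOERROR answer without `ad` is the case worth watching for: it is what you get when the resolver is not validating (or the client's upstream is Pi-hole's forwarder rather than Unbound itself), and it looks like success unless you check the flag. The `+dnssec` option is only there so the RRSIG records come back too; the classification itself relies on the rcode and the AD flag, not on the record data.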
