Hi,
Just found something interesting.
Having set up PiHole and Unbound, the system is running just fine.
Every now and then I check things by running DNS Benchmark.
On this page Steve Gibson explains the second column of colored dots, donuts, circles and arcs. He writes: "The best possible protection is therefore represented by a full, unbroken, green outer ring signifying that all four network IP ranges are being blocked in both IPv4 and IPv6 formats. While no nameservers are providing this protection at the time of this new feature's release, it is our hope that, with time, many nameservers will be updated to do so. No new programming is required to provide this feature. It is simply a matter of updating the nameserver's configuration file."
What I want to bring up:
Given the choice of Unbound and UUNET, US, would you choose UUNET or would you add UUNET to the /var/lib/unbound/root.hints file?
Or maybe even uninstall Unbound and set DNS to 193.78.240.12 and for instance 1.1.1.1 as second server?
The outer green circle is only an indication of the status for DNS rebind protection. If you took your unbound configuration from pihole's guides, you have already set up DNS rebind protection:
    server:
        # Ensure privacy of local IP ranges
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        private-address: fe80::/10
It does show a blue circle for my installation (except for 127.0.0.1, but that was to be expected with pihole's configuration file).
You should check your configuration for possible mistakes with unbound-checkconf. Make sure your /etc/unbound/unbound.conf is actually including other files that you may have created elsewhere.
Regarding the color of the ring, the documentation you linked says:
"GRC's DNS Benchmark tests each nameserver to determine whether it blocks (filters) the return of these reserved private IP addresses — in both IPv4 and IPv6 formats."
I don't even know what that means. If you look at the picture on their site, it only shows the private IPv4 addresses. What is the IPv6 format of 10.0.0.1 or 192.168.0.1? Does it even properly test fd00::/8?
Weird, I was just playing around with it a little and now the ring still comes up but then disappears again a second later.
I also found out what the IPv6 version of the IPv4 addresses is. It's literally just the IPv4-mapped IPv6 address, i.e. ::ffff:192.168.0.1 (or rather ::ffff:c0a8:0001). You need to add private-address: ::ffff:0:0/96 to your unbound configuration. This benchmark isn't testing fd00::/8 or fe80::/10 at all.
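An added example, not part of any post in this thread: a small Python audit of the private-address list quoted above, showing why IPv4-mapped answers such as ::ffff:192.168.0.1 are not covered until ::ffff:0:0/96 is added. It assumes a netblock only matches answers of its own address family; the function names and sample answers are constructed for illustration.

```python
import ipaddress

# private-address lines as quoted in the thread (pihole guide configuration)
PIHOLE_GUIDE_CONF = """\
server:
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
"""
MAPPED_LINE = "    private-address: ::ffff:0:0/96\n"

# Constructed sample answers a rebinding test could return
SAMPLE_ANSWERS = ["192.168.0.1", "10.0.0.1", "1.1.1.1", "fd00::1",
                  "::ffff:192.168.0.1", "::ffff:c0a8:0001", "::ffff:1.1.1.1"]

def parse_private_addresses(conf_text):
    """Collect the netblocks named by private-address: lines, ignoring comments."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("private-address:"):
            nets.append(ipaddress.ip_network(line.split(":", 1)[1].strip()))
    return nets

def is_stripped(answer, nets):
    """True if the answer lies in a configured netblock of the same family.
    Assumption: IPv4 blocks are compared with A answers, IPv6 with AAAA."""
    addr = ipaddress.ip_address(answer)
    return any(addr.version == n.version and addr in n for n in nets)

def audit(conf_text, answers=SAMPLE_ANSWERS):
    """Map each answer address to whether the configuration would filter it."""
    nets = parse_private_addresses(conf_text)
    return {a: is_stripped(a, nets) for a in answers}

if __name__ == "__main__":
    before = audit(PIHOLE_GUIDE_CONF)
    after = audit(PIHOLE_GUIDE_CONF + MAPPED_LINE)
    print(f"{'answer':<22}{'guide conf':<12}{'+ ::ffff:0:0/96'}")
    for a in SAMPLE_ANSWERS:
        print(f"{a:<22}{str(before[a]):<12}{after[a]}")
```

The last sample row shows the side effect of the /96 block: every IPv4-mapped AAAA answer is filtered, including ones that map to public IPv4 addresses.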