
The issue I am facing: Pi-hole cannot connect to Unbound DNS

What I want to happen

I want to use Pi-hole to filter my network, and Encrypted Unbound as DNS for privacy. I have already set up both Pi-hole and Unbound, and both seem to be working properly on their own. Pi-hole works when I'm connected to Quad9, and Unbound can dig websites (so I'm assuming that it works). The problem is, when I start to combine the two, it stops working. I cannot connect to any websites when I'm using Unbound as the only DNS in Pi-hole.

Details about my system:

╰─>$ neofetch
                   -`                    mika@Luna 
                  .o+`                   --------- 
                 `ooo/                   OS: Arch Linux x86_64 
                `+oooo:                  Host: VivoBook_ASUSLaptop X515EA_X515EA 1.0 
               `+oooooo:                 Kernel: 5.18.3-arch1-1 
               -+oooooo+:                Uptime: 6 hours, 50 mins 
             `/:-:++oooo+:               Packages: 983 (pacman), 10 (flatpak) 
            `/++++/+++++++:              Shell: fish 3.4.1 
           `/++++++++++++++:             Resolution: 1920x1080 
          `/+++ooooooooooooo/`           WM: i3 
         ./ooosssso++osssssso+`          Theme: Adwaita [GTK2/3] 
        .oossssso-````/ossssss+`         Icons: Adwaita [GTK2/3] 
       -osssssso.      :ssssssso.        Terminal: xfce4-terminal 
      :osssssss/        osssso+++.       Terminal Font: Monospace 12 
     /ossssssss/        +ssssooo/-       CPU: 11th Gen Intel i3-1115G4 (4) @ 3.000GHz 
   `/ossssso+/:-        -:/+osssso+-     GPU: Intel Device 9a78 
  `+sso+:-`                 `.-/+oso:    Memory: 8440MiB / 11667MiB 
 `++:.                           `-/+/
 .`                                 `/

Pi-hole was installed via Docker

╰─>$ sudo docker ps
[sudo] password for mika: 
CONTAINER ID   IMAGE                  COMMAND      CREATED       STATUS                 PORTS                                                                                                             NAMES
fd54d6c0a3fa   pihole/pihole:latest   "/s6-init"   4 hours ago   Up 4 hours (healthy)   0.0.0.0:53->53/tcp, :::53->53/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:53->53/udp, :::80->80/tcp, :::53->53/udp, 67/udp   pihole

╰─>$ cat docker-compose.yml
version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/Chicago'
      # WEBPASSWORD: 'set a secure password here or it will be random'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'    
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped

Unbound was installed via pacman.

unbound.conf

server:
    # If no logfile is specified, syslog is used
    logfile: /var/log/unbound/unbound.log
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: /var/lib/unbound/root.hints

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    do-not-query-localhost: no
    tls-system-cert: yes

# control which clients are allowed to make (recursive) queries
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow

# Upstream Servers
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#[redacted].dns1.nextdns.io
  forward-addr: 2a07:a8c0::#[redacted].dns1.nextdns.io
  forward-addr: 45.90.30.0#[redacted].dns2.nextdns.io
  forward-addr: 2a07:a8c1::#[redacted].dns2.nextdns.io

Unbound DNS seems to be working when digging websites

╰─>$ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.18.3 <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23492
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN  A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 30  IN  A   134.91.78.139

;; Query time: 2073 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Fri Jun 17 01:24:05 +08 2022
;; MSG SIZE  rcvd: 71

╰─>$ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.18.3 <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51854
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN  A

;; Query time: 2766 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Fri Jun 17 01:24:22 +08 2022
;; MSG SIZE  rcvd: 57

Status of Unbound

╰─>$ systemctl status unbound
● unbound.service - Validating, recursive, and caching DNS resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-06-16 23:08:16 +08; 2h 21min ago
       Docs: man:unbound(8)
   Main PID: 208332 (unbound)
      Tasks: 1 (limit: 13976)
     Memory: 2.4M
        CPU: 64ms
     CGroup: /system.slice/unbound.service
             └─208332 /usr/bin/unbound -d -p

What I have changed since installing Pi-hole:

I changed my DNS server to 127.0.0.1#5335 in Pi-hole's DNS Servers settings, to use Unbound DNS.

But I fail to load any website until I enable other DNS resolvers (Quad9)

Any ideas how to fix this? Thanks

1 Answer


With the default network mode (bridge), containers have their network namespace isolated from that of the host, so the loopback address does not have the same meaning in the context of one container as it does in the context of the host.

You should point pihole to one of the IP addresses used by the host system, such as the IP address on the physical NIC or the IP address on the bridge created for your Docker network.

For more information about Docker networking:
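The following shell script is an added example, not code from the question or from the answer above. It shows the two settings on the Unbound side that have to change together with the Pi-hole upstream when Pi-hole runs in a bridge-mode container: Unbound must listen on an address the container can reach (the Docker bridge gateway), and its `access-control` list must allow the container subnet, because the config in the question only listens on `127.0.0.1` and only allows `127.0.0.0/8` and `192.168.1.0/24`. The subnet `172.17.0.0/16` and gateway `172.17.0.1` are assumed defaults for Docker's `bridge` network (check them with `docker network inspect bridge`); the two embedded configs are constructed samples, and `verify_from_container` assumes the container is named `pihole` as in the compose file and that `dig` is available inside it.

```shell
#!/bin/sh
# Added example (not from the question or answer): check whether an
# unbound.conf can serve a Pi-hole container on Docker's default bridge.
# Assumed Docker values; adjust to `docker network inspect bridge`.
DOCKER_SUBNET="172.17.0.0/16"
DOCKER_GW="172.17.0.1"

# Escape dots so an address is matched literally inside a regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the address part of every 'interface:' line in the config ($1).
unbound_interfaces() {
  sed -n 's/^[[:space:]]*interface:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Succeeds when Unbound listens on the bridge gateway or the wildcard.
# 127.0.0.1 inside the container is the container's own loopback, so a
# loopback-only Unbound is unreachable from Pi-hole.
unbound_reachable_from_container() {
  unbound_interfaces "$1" | grep -q -E "^(0\.0\.0\.0|$(re_escape "$DOCKER_GW"))(@[0-9]+)?\$"
}

# Succeeds when an access-control line allows the Docker subnet (or everything).
unbound_allows_docker_subnet() {
  grep -q -E "^[[:space:]]*access-control:[[:space:]]*($(re_escape "$DOCKER_SUBNET")|0\.0\.0\.0/0)[[:space:]]+allow" "$1"
}

# Constructed sample 1: the loopback-only layout from the question.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
EOF

# Constructed sample 2: also listens on the bridge gateway and allows the
# container subnet, so Pi-hole can use 172.17.0.1#5335 as its upstream.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    interface: 172.17.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 172.17.0.0/16 allow
EOF

# Report both checks for one config; returns 0 only if both pass.
diagnose() {
  ok=0
  if unbound_reachable_from_container "$1"; then
    echo "listen: ok (reachable from the container)"
  else
    echo "listen: Unbound binds loopback only; add 'interface: $DOCKER_GW'"; ok=1
  fi
  if unbound_allows_docker_subnet "$1"; then
    echo "access: ok ($DOCKER_SUBNET allowed)"
  else
    echo "access: add 'access-control: $DOCKER_SUBNET allow'"; ok=1
  fi
  return $ok
}

# End-to-end check after restarting Unbound: resolve through the gateway
# from inside the container. Assumes the container is named 'pihole' and
# ships dig; prints the resolved address or nothing on failure.
verify_from_container() {
  docker exec "${1:-pihole}" dig +short @"$DOCKER_GW" -p 5335 pi-hole.net
}

diagnose "$BROKEN_CONF" || echo "-> fix unbound.conf, restart unbound, then set Pi-hole's upstream to $DOCKER_GW#5335"
diagnose "$FIXED_CONF"
```

Binding Unbound to the bridge gateway alone keeps it off the physical NIC, which matters because Pi-hole's `access-control` line for `192.168.1.0/24` is otherwise the only thing keeping LAN hosts from bypassing the filter. If Unbound starts before Docker has created `docker0`, the bind to `172.17.0.1` fails; `ip-freebind: yes` in the `server:` block lets Unbound bind an address that does not exist yet.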

