I don't have a WiFi module, but I have a PiZero2W with DietPi v8.11.2.
I tried this command:
root@DietPi:~# unbound
[1671111324] unbound[1536:0] warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1671111324] unbound[1536:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1671111324] unbound[1536:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
[1671111324] unbound[1536:0] error: cannot open control interface 127.0.0.1 8953
[1671111324] unbound[1536:0] fatal error: could not open ports
Unbound is already started as a service. You can't start it twice.
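The "Address already in use" error above is what you get when a second Unbound instance tries to bind the remote-control port (127.0.0.1:8953) that the running service already holds. As an added example (not from this thread or the Unbound project), this script checks who owns that port before you start Unbound by hand, using a constructed `ss -ltnp` sample so it runs offline; the PID and fd values in the sample are assumed. With `--live` it queries the real socket table.

```shell
#!/bin/sh
# Added example: find out whether the Unbound service already holds the
# remote-control port before running `unbound` manually.

# Print the process name holding a given listening TCP port.
# $1 = port number, stdin = output of `ss -ltnp`. Prints nothing if free.
holder_of_port() {
    awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            # Process column looks like: users:(("unbound",pid=1536,fd=5))
            if (match($0, /\(\("[^"]*"/)) {
                print substr($0, RSTART + 3, RLENGTH - 4)
                exit
            }
        }'
}

# Constructed `ss -ltnp` sample (assumed PIDs/fds) for a DietPi box where
# the unbound service is already running on its control and DNS ports.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      256        127.0.0.1:8953       0.0.0.0:*     users:(("unbound",pid=1536,fd=5))
LISTEN 0      256        127.0.0.1:5335       0.0.0.0:*     users:(("unbound",pid=1536,fd=3))
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=601,fd=3))'

# $1 = ss output, $2 = port. Prints "service" when unbound owns the port,
# "other:<name>" when some other process does, "free" otherwise.
classify() {
    h=$(printf '%s\n' "$1" | holder_of_port "$2")
    if [ "$h" = "unbound" ]; then
        echo "service"
    elif [ -n "$h" ]; then
        echo "other:$h"
    else
        echo "free"
    fi
}

# Live check on the Pi itself: `sh thisscript.sh --live`
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    case $(classify "$(ss -ltnp 2>/dev/null)" 8953) in
        service) echo "unbound already runs as a service; use: systemctl restart unbound" ;;
        other:*) echo "port 8953 is held by another process; check its configuration" ;;
        free)    echo "port 8953 is free; run: unbound-checkconf && systemctl start unbound" ;;
    esac
fi
```

If the service owns the port, the fix is `systemctl restart unbound` (after `unbound-checkconf`) rather than a second `unbound` process; the two `so-rcvbuf`/`so-sndbuf` warnings are unrelated to the failure and only mean the kernel's `net.core.rmem_max`/`wmem_max` are smaller than the buffer Unbound asked for.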
What I’m still not sure about are these messages
Theoretically you could try to install Unbound while connected to your local network and check how it goes. No need to install AGH. The issue is with Unbound directly.
As you pointed out @Joulinar the SERVFAIL is a sign of DNSSEC failure.
Reading this thread from the beginning, I’ll share a crazy idea which I faced recently.
Could the original DNS packet to the root DNS server be hijacked?
Could you try over another connection? LTE, VPN…
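To tell a DNSSEC validation failure (the SERVFAIL mentioned above) apart from a plain resolution failure, compare `dig` with validation on against `dig +cd` (checking disabled): if the query only succeeds with `+cd`, the data reached the resolver but failed validation. This is an added example, not code from the thread; it parses `dig` headers, so it runs offline on the constructed samples below (the query ids are made up) and, given arguments, runs the real queries.

```shell
#!/bin/sh
# Added example: classify a resolver's answer as validated, bogus
# (validation failed) or unreachable by comparing `dig` and `dig +cd`.

# Extract the status word (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Print 1 if the `ad` (authenticated data) flag is set in the dig header.
dig_ad_flag() {
    if grep -q '^;; flags:.* ad[ ;]'; then echo 1; else echo 0; fi
}

# $1 = output of `dig <name>` (validation on), $2 = output of `dig +cd <name>`.
dnssec_verdict() {
    s_val=$(printf '%s\n' "$1" | dig_status)
    s_cd=$(printf '%s\n' "$2" | dig_status)
    ad=$(printf '%s\n' "$1" | dig_ad_flag)
    if [ "$s_val" = NOERROR ] && [ "$ad" = 1 ]; then
        echo validated            # signed zone, signatures checked out
    elif [ "$s_val" = NOERROR ]; then
        echo unsigned-or-unvalidated
    elif [ "$s_val" = SERVFAIL ] && [ "$s_cd" = NOERROR ]; then
        echo bogus                # answer arrives but fails DNSSEC validation
    elif [ "$s_val" = SERVFAIL ]; then
        echo unreachable          # fails even with checking disabled
    else
        echo "other:$s_val/$s_cd"
    fi
}

# Constructed dig header samples (abridged) for the three outcomes.
OK_VAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
OK_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live use on the Pi, e.g.: sh thisscript.sh dietpi.com @127.0.0.1 -p 5335
if [ $# -gt 0 ] && command -v dig >/dev/null 2>&1; then
    echo "$1: $(dnssec_verdict "$(dig "$@" +dnssec)" "$(dig "$@" +cd)")"
fi
```

A "bogus" verdict for a domain that validates fine from another network (the phone hotspot in this thread) points at something between the Pi and the authoritative servers altering or dropping the larger DNSSEC responses; a "bogus" verdict for every signed domain is more often a wrong system clock, since signature validity windows are checked against local time and a Pi Zero has no battery-backed RTC. A deliberately broken test zone such as dnssec-failed.org should always come back "bogus" on a validating resolver.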
Does this mean that using a different network (hotspot) resolved the issue? Not sure if there are settings on your router that could be changed. We are not familiar with your hardware. Probably you could ask the technical support of your ISP?
Sorry if I didn't specify it better: I took the RPi 2W and connected it to the hotspot of my mobile phone (this time I did everything with the monitor and not blindly). What should I tell the ISP customer service? "Why are DNS/DNSSEC calls being hijacked?" Can I be more specific?
I'll share some settings with you, maybe you can help me.
Well, by default DNS is not encrypted, and anyone who wants to could theoretically see what request has been sent. Unbound by default does not encrypt DNS requests. However, it gives some kind of privacy, as DNS requests are sent to the root DNS servers directly and not to your ISP or some other global upstream DNS provider. If you would like encrypted DNS, you will need to look into DNS over TLS (DoT). We describe a configuration example in our online docs: DNS Servers Options - DietPi.com Docs
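For reference, the shape of a DoT forwarding setup in Unbound, as an added example rather than the configuration from the DietPi docs linked above: a `forward-zone` for `.` with `forward-tls-upstream` sends every query over TLS on port 853 to the listed resolvers instead of to the root servers. The upstream addresses and the CA bundle path (the Debian default) are assumptions; pick the resolvers you trust.

```conf
# Added example: /etc/unbound/unbound.conf.d/dot-forward.conf (assumed path)
server:
    # CA bundle used to verify the upstream's TLS certificate (Debian/DietPi path).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#hostname: the hostname after '#' is what the certificate
    # is checked against; without it the TLS connection is not authenticated.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Run `unbound-checkconf` before `systemctl restart unbound`. The trade-off is the one described above: with a forward-zone the upstream provider sees all your queries (encrypted in transit, but still visible to them), whereas the default recursive setup talks to the root and authoritative servers directly in the clear. Forwarding does not disable DNSSEC validation; Unbound still validates the answers it gets from the forwarder.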
Yes, best practice is to have the server use a global upstream DNS server, and clients should point to your AdBlock server. However, you should try to distribute the DNS server settings via DHCP. Manual configuration might work on a Windows or Mac client, but on mobile devices or other small network devices it might become impossible.