Question about Unbound + Pi-Hole via Optimized Software

Greetings,

A few weeks back I decided to switch from AdGuard Home to Pi-Hole, but this time I decided to give Unbound a shot as well.

After figuring out that Unbound wasn’t actually working, I was able to troubleshoot the issue and find that I needed to add

127.0.0.1#5335

in Pi-Hole’s Custom Upstream DNS Server.

Once I got that running, I decided to do a little exploring on multiple forums to see if there was a way to test if Unbound was working, because I was not able to figure out how to pull up any Unbound info or interface to show me statistics. I found some CLI commands such as

dig

which, based on Pi-Hole’s documentation on testing, showed that everything looked OK. I also found the following websites to validate Unbound:

…with the following results:

UnboundTest.com

Query results for CAA pi-hole.net

Response:
;; opcode: QUERY, status: NOERROR, id: 36865
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pi-hole.net.	IN	 CAA

;; ANSWER SECTION:
pi-hole.net.	0	IN	CAA	0 iodef "mailto:thebridge@pi-hole.net"
pi-hole.net.	0	IN	CAA	0 issue "comodoca.com"
pi-hole.net.	0	IN	CAA	0 issue "godaddy.com"
pi-hole.net.	0	IN	CAA	0 issuewild "letsencrypt.org"
pi-hole.net.	0	IN	CAA	0 issue "letsencrypt.org"

----- Unbound logs -----
Apr 10 17:30:44 unbound[1251242:0] notice: init module 0: validator
Apr 10 17:30:44 unbound[1251242:0] notice: init module 1: iterator
Apr 10 17:30:44 unbound[1251242:0] info: start of service (unbound 1.12.0).
Apr 10 17:30:45 unbound[1251242:0] info: 127.0.0.1 pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: priming . IN NS
Apr 10 17:30:45 unbound[1251242:0] info: response for . NS IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 192.33.4.12#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: priming successful for . NS IN
Apr 10 17:30:45 unbound[1251242:0] info: response for pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 192.33.4.12#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was REFERRAL
Apr 10 17:30:45 unbound[1251242:0] info: response for pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <net.> 192.42.93.30#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was REFERRAL
Apr 10 17:30:45 unbound[1251242:0] info: response for pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <pi-hole.net.> 2a06:fb00:1::2:96#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: prime trust anchor
Apr 10 17:30:45 unbound[1251242:0] info: generate keytag query _ta-4f66. NULL IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving _ta-4f66. NULL IN
Apr 10 17:30:45 unbound[1251242:0] info: response for . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 2001:7fd::1#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: validate keys with anchor(DS): sec_status_secure
Apr 10 17:30:45 unbound[1251242:0] info: Successfully primed trust anchor . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: validated DS net. DS IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: response for net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <net.> 192.31.80.30#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: validated DNSKEY net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: NSEC3s for the referral proved no DS.
Apr 10 17:30:45 unbound[1251242:0] info: Verified that unsigned response is INSECURE

Root Canary - Test

Internet.nl - Connection Test

So, with that information, I have a few questions:

  • Based on the above info, does it look like Unbound is working properly? (Note: I have IPv6 turned off at the Router & Pi-Hole level)
  • Does anyone know if there is some type of GUI or CLI where I can check Unbound stats? I attempted to run PADD on a different Pi that has a touchscreen attached to it, but I was unable to successfully get it running. I assume it has to be installed and used on the same Pi that Pi-Hole and Unbound are running on, but I do not want to use this touchscreen solely for PADD viewing.
  • I am not very well versed in encryption protocols, but I assume running Unbound is better than not. Is there any other software that the community recommends to increase the security of my network other than Unbound? DNS-over-TLS, No-IP, Let’s Encrypt, Fail2Ban, HAProxy, HTTPS, TLS, SSL, etc.
  • I am also finding myself having to SSH into my Pi to restart Unbound every once in a while. Not sure why, but does anyone know of issues with Unbound that would cause the service to “corrupt” itself and stop working?

Thanks in advance!

Let me try to answer your questions one by one.

Based on the above info, does it look like Unbound is working properly?

Basically, if Unbound were not working, your DNS resolution would fail and you would have issues reaching the internet :wink:

Another test could be to install tcpdump. This way you could watch the DNS traffic from clients to Pi-hole, Pi-hole to Unbound and Unbound to the upstream DNS server:

tcpdump -i any -c500 -nn port 53

This could be a larger output, depending on the number of devices in your network. It will stop after 500 lines are captured.

Does anyone know if there is some type of GUI or CLI where I can check Unbound Stats?

To view some Unbound statistics, you would need to install an additional tool. There are 2 options described in the Unbound documentation: https://nlnetlabs.nl/documentation/unbound/howto-statistics/

I am not very well versed on encryption protocols, but I assume running Unbound is better than not.

You can activate DoT quite easily on Unbound. Just follow the instructions in our online docs: DNS Servers Options - DietPi.com Docs

I am also finding myself having to SSH into my Pi to restart Unbound every once in a while

Usually this should not happen. In this case it would be necessary to investigate what causes Unbound to fail.
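As an added illustration (my own Python, not code from the thread, DietPi or Unbound), the following script checks the same things the answer above points at, but on the Unbound log excerpt from the first post instead of on live tcpdump traffic: it walks the "reply from <zone>" lines to confirm that Unbound itself descended from the root servers through net. to pi-hole.net. (genuine recursion rather than forwarding), and it picks out the trust-anchor and DNSSEC validation lines. The sample log is a constructed subset of the lines quoted in the thread; the "validation success/failure" pattern is an assumption about Unbound's wording at higher verbosity and does not occur in the excerpt.

```python
import re

# Constructed sample: a subset of the Unbound log lines quoted in the thread,
# in the same format (syslog timestamp, "unbound[pid:thread] level: message").
SAMPLE_LOG = """\
Apr 10 17:30:44 unbound[1251242:0] info: start of service (unbound 1.12.0).
Apr 10 17:30:45 unbound[1251242:0] info: resolving pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 192.33.4.12#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was REFERRAL
Apr 10 17:30:45 unbound[1251242:0] info: reply from <net.> 192.42.93.30#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was REFERRAL
Apr 10 17:30:45 unbound[1251242:0] info: reply from <pi-hole.net.> 2a06:fb00:1::2:96#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: validate keys with anchor(DS): sec_status_secure
Apr 10 17:30:45 unbound[1251242:0] info: Successfully primed trust anchor . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: validated DS net. DS IN
Apr 10 17:30:45 unbound[1251242:0] info: NSEC3s for the referral proved no DS.
Apr 10 17:30:45 unbound[1251242:0] info: Verified that unsigned response is INSECURE
"""

LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ unbound\[\d+:\d+\] (\w+): (.*)$")
REPLY_RE = re.compile(r"^reply from <([^>]*)> (\S+)#(\d+)$")


def parse_lines(log_text):
    """Yield (level, message) for every line that looks like an Unbound log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def analyse(log_text):
    """Summarise what an Unbound log excerpt says about recursion and DNSSEC."""
    result = {
        "version": None,
        "delegation_chain": [],      # zones whose name servers replied, in order
        "upstream_ports": set(),     # ports Unbound talked to (53 = plain DNS)
        "referrals": 0,
        "trust_anchor_primed": False,
        "anchor_status": None,       # e.g. sec_status_secure
        "validated_ds": [],          # zones whose DS record validated
        "final_status": None,        # SECURE / INSECURE / BOGUS for the last answer
    }
    for _level, msg in parse_lines(log_text):
        if m := re.match(r"start of service \(unbound ([\d.]+)\)", msg):
            result["version"] = m.group(1)
        elif m := REPLY_RE.match(msg):
            zone, _addr, port = m.groups()
            if zone not in result["delegation_chain"]:
                result["delegation_chain"].append(zone)
            result["upstream_ports"].add(int(port))
        elif msg == "query response was REFERRAL":
            result["referrals"] += 1
        elif msg.startswith("Successfully primed trust anchor"):
            result["trust_anchor_primed"] = True
        elif m := re.match(r"validate keys with anchor\(DS\): (\w+)", msg):
            result["anchor_status"] = m.group(1)
        elif m := re.match(r"validated DS (\S+) DS IN", msg):
            result["validated_ds"].append(m.group(1))
        elif m := re.match(r"Verified that unsigned response is (\w+)", msg):
            result["final_status"] = m.group(1)
        elif m := re.match(r"validation (success|failure)", msg):  # assumed wording
            result["final_status"] = "SECURE" if m.group(1) == "success" else "BOGUS"
    # Genuine recursion: the walk started at the root zone and followed referrals.
    chain = result["delegation_chain"]
    result["recursive"] = bool(chain) and chain[0] == "." and result["referrals"] > 0
    # Validation is active once the root DNSKEY was checked against root.key.
    result["dnssec_validation_active"] = (
        result["trust_anchor_primed"] and result["anchor_status"] == "sec_status_secure"
    )
    return result


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in analyse(text).items():
        print(f"{key:25} {value}")
```

Pipe your own Unbound log into it (for example the output of journalctl for the unbound unit). The per-query "resolving" and "reply from" lines only appear at `verbosity: 2` or higher in unbound.conf, so raise it temporarily if the script reports an empty delegation chain. For the pi-hole.net CAA query in the thread the final status is INSECURE, which is the correct result for an unsigned zone under a signed parent: the NSEC3 proof that net. has no DS for pi-hole.net is itself validated, so "INSECURE" here means "verified unsigned", not a failure.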

This guy has a pretty good walkthrough explanation:

https://www.youtube.com/watch?v=FnFtWsZ8IP0

Down in the information, it provides links and a few config files that work.

Well, you can have a look at our blog as well: https://dietpi.com/blog/?p=564

Very nice!

Note that DoT, DoH, DNSCrypt etc., while encrypting your DNS requests, break the initial intention of Unbound to skip a public DNS provider, as discussed in our docs as well.

No-IP is a dynamic DNS provider, which you can use to get a static hostname/domain for your dynamic public IP, but it has nothing to do with security. Once you have a static domain, Let’s Encrypt can be used to get TLS (successor of the deprecated SSL) certificates to access your website via HTTPS, if you have one.

Fail2ban is especially highly recommended when you open/forward the SSH port publicly, to protect it from brute-force attacks. It can be configured to protect any other application with a login interface, if that application has no internal protection/login limits already.

HAProxy is a load balancer, which has nothing to do with security, but it can split website requests across multiple webservers/machines if a single one could not handle the traffic online. In the case of home networks, it’s instead mostly used as a regular proxy to e.g. forward HTTP traffic from port 80/443 to internal applications that listen on other ports. AFAIK, if no real webserver is required, HAProxy is the more lightweight option.

Can you expand on this? I do not understand what you mean by “[it will] break the initial intention of Unbound to skip a public DNS provider…”

And thanks to everyone for their responses - I have been traveling recently and haven’t had a free moment to really do anything. I’ll be checking out those docs once I get back to the home base.

By default, Unbound is not using any public DNS provider, as it is using the global DNS root servers. This will increase your privacy, as you will not be tracked by a DNS provider or your ISP. However, your DNS traffic will be unencrypted, which is the standard in most cases if you use standard configurations on your router etc.

However, you could encrypt DNS as well, similar to HTTP where the encryption is HTTPS. In the DNS world you have 2 possibilities: DoT or DoH. At the moment Unbound is supporting DoT. The benefit is, your DNS traffic will be encrypted and cannot be read by someone like your ISP. Downside, you would need a public DNS provider who supports encryption. This will work against the idea to use the root DNS provider.

Hope this explains it a little bit.

Or in a scheme:

Unbound as recursive DNS resolver (default):

       53         53
client => Unbound => DNS root servers

  • Both unencrypted traffic on port 53, hence a man-in-the-middle or your ISP could theoretically read it.

Unbound with DoT:

       53         853                    53
client => Unbound => public DNS provider => DNS root servers

  • Encrypted traffic between Unbound and the public DNS provider, so your ISP cannot read it.
  • But one more party involved that doesn’t even need to be sneaky to read your traffic, and still two unencrypted requests, between the client and Unbound and from the public DNS provider to the DNS root servers, as DNS natively is unencrypted on port 53.

It depends on personal requirements. In all cases, there will be someone who could read the DNS request. :slight_smile:

In the DietPi-configured unbound.conf, we are using the root.hints file but not the root.key file.
Does root.key add some sort of security to our installation and resolution process? In the Unbound documentation it is written something about root.key which is updated many times a day. I have not figured out yet what the function of that process is. Is there any disadvantage to us not using that thing in the standard DietPi installation?

Not sure what you mean, but on my system root.key is located at /var/lib/unbound:

root@DietPiProd:~# ls -la /var/lib/unbound
total 16
drwxr-xr-x  2 unbound unbound 4096 May  3 14:52 .
drwxr-xr-x 25 root    root    4096 Apr 17 12:13 ..
-rw-r--r--  1 root    root    3313 May  1 01:52 root.hints
-rw-r--r--  1 unbound unbound  758 May  3 14:52 root.key
root@DietPiProd:~#

The configuration is done with /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:

root@DietPiProd:~# cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
root@DietPiProd:~#
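Added example (my own Python, not a DietPi or Unbound tool) that makes the two schemes above and the root.key/auto-trust-anchor-file point checkable against a configuration file: it parses unbound.conf-style text, reports whether Unbound runs as a recursive resolver or forwards the root zone to a provider over DoT, lists each hop with its port and whether it is encrypted, and flags a DoT forward that has no `tls-cert-bundle`/`tls-system-cert` (without one Unbound does not verify the upstream certificate) as well as a missing trust anchor (no DNSSEC validation). The two configuration fragments are constructed for this example; the option names are real Unbound options, the address and host name are placeholders, and the comment handling (a '#' counts as a comment only at line start or after whitespace, so the '#authname' suffix of forward-addr survives) is a simplification of Unbound's real parser.

```python
import re

# Constructed configuration fragments for this example (not DietPi's own files).
# The option names are real Unbound options; address and host name are placeholders.
RECURSIVE_CONF = """\
server:
    # DNSSEC validation with the root trust anchor, as in the thread's
    # root-auto-trust-anchor-file.conf
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    root-hints: "/var/lib/unbound/root.hints"
    interface: 127.0.0.1
    port: 5335
"""

DOT_CONF = RECURSIVE_CONF + """\
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.example   # placeholder DoT provider
"""


def parse_unbound_conf(text):
    """Return [(section, {option: [values]})] in file order.

    Simplification of Unbound's lexer: '#' starts a comment only at the start of
    a line or after whitespace, so the '#authname' suffix of forward-addr survives.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = (line[:-1], {})
            sections.append(current)
            continue
        if current is None or ":" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        option, value = line.strip().split(":", 1)
        current[1].setdefault(option.strip(), []).append(value.strip().strip('"'))
    return sections


def resolver_mode(text):
    """Classify the resolver and list the hops of the two schemes in the thread."""
    sections = parse_unbound_conf(text)
    server = next((opts for name, opts in sections if name == "server"), {})
    root_forward = next((opts for name, opts in sections
                         if name == "forward-zone" and opts.get("name") == ["."]), None)
    dnssec = "auto-trust-anchor-file" in server or "trust-anchor-file" in server
    # Each hop: (from, to, port, encrypted). Client -> Unbound is always plain DNS.
    hops = [("client", "Unbound", int(server.get("port", ["53"])[0]), False)]
    warnings = []
    if root_forward is None:
        mode = "recursive"
        hops.append(("Unbound", "DNS root servers", 53, False))
    else:
        tls = root_forward.get("forward-tls-upstream", ["no"])[0].lower() in ("yes", "1")
        mode = "forward-dot" if tls else "forward-plain"
        for addr in root_forward.get("forward-addr", []):
            host, _, rest = addr.partition("@")
            port = int(rest.split("#", 1)[0]) if rest else (853 if tls else 53)
            hops.append(("Unbound", host, port, tls))
        # The provider still resolves recursively over plain DNS on your behalf.
        hops.append(("public DNS provider", "DNS root servers", 53, False))
        if tls and not ("tls-cert-bundle" in server or "tls-system-cert" in server):
            warnings.append("forward-tls-upstream without tls-cert-bundle/tls-system-cert: "
                            "the upstream certificate is not verified")
        if not tls:
            warnings.append("forwarding in the clear: the provider and the path to it see every query")
    if not dnssec:
        warnings.append("no (auto-)trust-anchor-file: DNSSEC validation is off")
    return {"mode": mode, "dnssec_validation": dnssec, "hops": hops, "warnings": warnings}


if __name__ == "__main__":
    for label, conf in (("recursive", RECURSIVE_CONF), ("DoT", DOT_CONF)):
        info = resolver_mode(conf)
        print(f"{label}: mode={info['mode']} dnssec={info['dnssec_validation']}")
        for src, dst, port, enc in info["hops"]:
            print(f"  {src} -> {dst} port {port} {'encrypted' if enc else 'plain'}")
        for w in info["warnings"]:
            print("  warning:", w)
```

Point it at the concatenation of /etc/unbound/unbound.conf.d/*.conf on a DietPi system to see which of the two schemes the box is actually running. The hop list mirrors the diagrams above: in recursive mode there are exactly two plain-DNS hops, while with DoT the Unbound-to-provider hop is encrypted but the provider's own recursion and the client-to-Unbound leg remain in the clear.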

Thanks for the information.

Sorry for digging up this thread, but I have some questions regarding the Advanced DNS settings in Pi-hole while using Unbound.

I know that the “Use DNSSEC” setting should be off because Unbound handles DNSSEC already. (Correct me if I am wrong.)

What about the other two settings ( “Never forward non-FQDN A and AAAA queries” and “Never forward reverse lookups for private IP ranges”), do they affect the Unbound setup at all?

Also one final question: should I disable the Pi-hole caching (aka DNS cache size)? It is currently set to 10000. Should I set it to 0 because Unbound does the caching already too, or doesn’t it hurt?

Thank you

EDIT: FYI I don’t use Pi-hole as DHCP server.

These are pure Pi-hole related questions, and it might be better to ask directly in the Pi-hole community :slight_smile:
