Settings: PiHole and Unbound

Hallo,

I used the following instructions and installed Unbound via dietpi-software.
https://docs.pi-hole.net/guides/dns/unbound/

IP from my FritzBox: 192.162.145.1
Range: 192.162.145.20 to .200
DietPi with PiHole: 192.162.145.30 as my DNS-Server
Upstream DNS Servers PiHole: Custom 1: 127.0.0.1#5335
Pi-hole v5.3.1 Web Interface v5.5.1 FTL v5.8.1
DietPi v7.5.2
Some PiHole Blocklists

However, at http://dns-leak.com/ the IP of my provider still appears, not 127.0.0.1 or the IP of my PiHole.
Is it because of my range of the FritzBox? Somehow I can not find my error.

Thank you! :slight_smile:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 192.162.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10



root@DietPi:~# dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42792
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            0       IN      A       3.18.136.52

;; Query time: 2 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Do Sep 09 14:46:33 CEST 2021
;; MSG SIZE  rcvd: 56



root@DietPi:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19059
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 0   IN      A       134.91.78.139

;; Query time: 2 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Do Sep 09 14:47:11 CEST 2021
;; MSG SIZE  rcvd: 71

Hi,

I used the following instructions and installed Unbound via dietpi-software.
unbound - Pi-hole documentation

Well this is a conflicting statement. If you install unbound via dietpi-software, there wouldn’t be any need to follow a guide. Because dietpi-software will configure unbound/PiHole already to work together. :wink:

But I don’t think there is anything wrong. You could simply switch off unbound and you will see that DNS resolution will stop for clients connected to PiHole :wink: Not sure how this website checks your DNS connection.

To get a deeper look at what unbound is doing, you could install tcpdump and trace your DNS requests. There you should see DNS resolution between unbound and the root DNS servers.

How did you set up your local network? Do your clients use your FritzBox as DNS server and the FritzBox connects to PiHole? Or do your clients use your PiHole directly?

Thanks Joulinar , I had edited the “/etc/unbound/unbound.conf.d/pi-hole.conf” again to enter my other IP range of the FritzBox.

My FritzBox acts as a DHCP server. In the FritzBox I have entered my RaspberryPi as DNS server.

Are you on the latest version of DietPi 7.5? And was unbound a fresh install or did you install it in the past already? Because we don’t provide

/etc/unbound/unbound.conf.d/pi-hole.conf

anymore since a couple of versions. Our entire configuration is done in

dietpi.conf

DietPi and PiHole have been installed for a while. Unbound I have installed now afterwards.

I use DietPi v7.5.2
So I delete the /etc/unbound/unbound.conf.d/pi-hole.conf and paste the data in the dietpi.conf?

How do I get the dietpi.conf?
So far I only knew dietpi-config :wink:

Easiest would be to uninstall unbound and perform a new installation

dietpi-software uninstall 182
dietpi-software install 182

this should pull the new configuration.

Just to point out that there is a typo in the address space you are using.
192.168 is private space. 192.162 is public and used by someone else.
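The check trendy describes, as an added example that is not part of the thread: it tests the LAN addresses from this thread and the `private-address:` lines of an unbound.conf against the RFC 1918 / RFC 4193 / link-local ranges, so a typo like 192.162.x.x is caught before it ends up in the FritzBox or Unbound settings. The corrected Pi-hole address 192.168.176.30 is assumed (the thread only says 192.168.176.X).

```python
"""Added example (not from the forum thread): flag address ranges in a
Pi-hole/Unbound setup that are NOT private, e.g. the 192.162.x.x typo."""
import ipaddress

# Ranges Unbound's default private-address list is meant to cover.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]


def is_private(net_or_addr: str) -> bool:
    """True if the address or network lies entirely inside a private range."""
    net = ipaddress.ip_network(net_or_addr, strict=False)
    # subnet_of() only compares networks of the same IP version.
    return any(net.version == p.version and net.subnet_of(p)
               for p in PRIVATE_RANGES)


def check_unbound_private_addresses(conf_text: str) -> dict:
    """Map each `private-address:` value in an unbound.conf to its verdict."""
    verdicts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if line.startswith("private-address:"):
            value = line.split(":", 1)[1].strip()
            verdicts[value] = is_private(value)
    return verdicts


# Constructed sample: the thread's mistyped LAN and an assumed corrected host.
SAMPLE_LAN = {"FritzBox": "192.162.145.1", "Pi-hole": "192.162.145.30",
              "corrected Pi-hole (assumed)": "192.168.176.30"}
SAMPLE_CONF = """server:
    private-address: 192.168.0.0/16
    private-address: 192.162.0.0/16   # the typo from the thread
    private-address: 10.0.0.0/8
"""

if __name__ == "__main__":
    for name, addr in SAMPLE_LAN.items():
        print(f"{name:28} {addr:16} private={is_private(addr)}")
    for rng, ok in check_unbound_private_addresses(SAMPLE_CONF).items():
        print(f"private-address {rng:18} {'ok' if ok else 'PUBLIC RANGE, fix this'}")
```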

trendy Thanks for the tip. I did not know that.
I had then changed it from 192.168 to 192.162, as it was recommended by the Fritzbox. Although not the .162, just another range. From VPN to VPN network via the software from Fritzbox.

I will change it to 192.168.176.X

Hey Joulinar
Thanks, uninstalled Unbound and installed it again, it should now fit again. Changed the network to 192.168.176.X and adjusted all devices.

Every 2 weeks I run the following by hand:

dietpi-update && sudo apt-get update && sudo apt-get upgrade && pihole -up && pihole -g && sudo apt-get autoremove && sudo apt-get autoclean && dietpi-logclear

I picked this up in a forum once and run it for my updates. Does it fit like this?
If yes: I don’t have to care about updates of the root.hints, do I?

Greetings :slight_smile:

root.hints should be updated automatically.

Regarding your manual command: I don’t think this is needed that way if you’re running default values.

  • dietpi-update - a check is done every night automatically. You should be notified on available DietPi updates via login banner
  • apt update - will be done every night automatically. You should be notified on available apt package updates via login banner
  • apt upgrade - can be done based on information given on login banner
  • pihole -up - PiHole is not releasing updates that often. Best is to follow them on twitter to get notified on updates. As well you should be notified on PiHole admin web page. There should be a message on the bottom once an update is available
  • pihole -g - PiHole is updating Gravity database once a week by its own
  • apt autoremove - this is needed only, if you manually uninstall apt packages
  • dietpi-logclear - in a default setup, DietPi is using RAMlog and this will be cleared on hourly basis