unbound install error? Topic is solved

[Joulinar]

ATM there is a big German ISP testing around with DoH (DoT will follow). If they are not trustworthy, who should it be?

[neo-2020]

I would like to thank you again for the great amount of help and information!
I will try both and find the best for me.
The setup doesn't look difficult, I hope there won't be any major problems! (in DietPi)

[neo-2020]

Another hint about Unbound config: Remove /etc/unbound/unbound.conf.d/dietpi-pihole.conf and apply interface and port directly in /etc/unbound/unbound.conf.d/dietpi.conf. We did falsely assume that dietpi-pihole.conf would override dietpi.conf, but actually it adds that ip/port binding, so Unbound would then listen on two ports. This is fixed with next release already.

If you want to use DoT, with Unbound the following should work: https://www.dnsknowledge.com/unbound/co ... -on-linux/

dietpi-pihole.conf was deleted and port 5353 and interface 127.0.0.1 added to dietpi.conf
dietpi-dot.conf was created with the CODE content!
So DoT it seems to be working!
1: How do I check / test this best?

• tcpdump -vv -x -X -s 1500 -i eth0 'port 853' work
• host google.com 192.168.178.25 work
• dig @127.0.0.1 -p 5353 google.com work

2: For DoT, what should be in Configuring Pi-hole > upstream DNS server > Custom 1 (IPv4)?

• 127.0.0.1#5353 or 127.0.0.1#853

3: Can Recent Queries (showing queries for client) be viewed in Pi-Hole GUI with DoT or DoH?

4: Must be changed to 5053 for DoH in dietpi.conf port?

I couldn't test DoH via tcpdump -vv -x -X -s 1500 -i eth0 'port 5053' no output probably dietpi-dot.conf has to be removed first, together it doesn't seem to work.
DoH dig @ 127.0.0.1 -p 5053 google.com is working

dnsleaktest output now:

Code: Select all

You use 3 DNS servers:
74.63.24.239 [United States of America AS42 WOODYNET-1]
74.63.24.242 [United States of America AS42 WOODYNET-1]
162.158.201.26 [AS13335 CLOUDFLARENET]

How do you check / test whether the packets are routed via DoT or DoH? What should / may be listed in the Pi-Hole GUI, how should it look?

[MichaIng]

Note that Pi-hole does not know anything about how DNS requests are resolved upstream. It forwards requests to Unbound, cloudflared or whichever upstream is configured, gets an answer, and logs both, no matter if the upstream server was a recursive server or forwarded requests via DoT or DoH.

For DoT via Unbound, 127.0.0.1#5353 is still correct yes. That port is independent from the method/protocol Unbound uses to resolve incoming requests.

For DoH via cloudflared according to Pi-hole docs, 127.0.0.1#5053 is correct in Pi-hole, and Unbound (dietpi.conf) is not involved at all, so you could uninstall or disable/mask it, to not have an unnecessary service running : systemctl mask unbound

[neo-2020]

Perfect, then it seems that I did everything right and it works!

Thank you again!