Settings: PiHole and Unbound (topic is solved)

Klola
Posts: 17
Joined: Tue Jul 20, 2021 5:07 pm

Settings: PiHole and Unbound

Post by Klola »

Hello,

I used the following instructions and installed Unbound via dietpi-software.
https://docs.pi-hole.net/guides/dns/unbound/

IP from my FritzBox: 192.162.145.1
Range: 192.162.145.20 to .200
DietPi with PiHole: 192.162.145.30 as my DNS-Server
Upstream DNS Servers PiHole: Custom 1: 127.0.0.1#5335
Pi-hole v5.3.1 Web Interface v5.5.1 FTL v5.8.1
DietPi v7.5.2
Some PiHole Blocklists

However, at http://dns-leak.com/ the IP of my provider still appears, not 127.0.0.1 or the IP of my PiHole.
Is it because of my range of the FritzBox? Somehow I can not find my error.

Thank you! :)

Code:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 192.162.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Code:

root@DietPi:~# dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42792
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            0       IN      A       3.18.136.52

;; Query time: 2 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Do Sep 09 14:46:33 CEST 2021
;; MSG SIZE  rcvd: 56

Code:

root@DietPi:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19059
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 0   IN      A       134.91.78.139

;; Query time: 2 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Do Sep 09 14:47:11 CEST 2021
;; MSG SIZE  rcvd: 71
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Settings: PiHole and Unbound

Post by Joulinar »

Hi,
> I used the following instructions and installed Unbound via dietpi-software.
> https://docs.pi-hole.net/guides/dns/unbound/

Well, this is a conflicting statement. If you install unbound via dietpi-software, there wouldn't be any need to follow a guide, because dietpi-software will already configure unbound/PiHole to work together. ;)

But I don't think there is anything wrong. You could simply switch off unbound and you will see that DNS resolution will stop for clients connected to PiHole ;) Not sure how this website checks your DNS connection.

To get a deeper look into what unbound is doing, you could install tcpdump and trace your DNS requests. There you should see DNS resolution between unbound and the root DNS servers.

How did you set up your local network? Do your clients use your FritzBox as DNS server, and the FritzBox will connect to PiHole? Or do your clients use your PiHole directly?
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
Klola
Posts: 17
Joined: Tue Jul 20, 2021 5:07 pm

Re: Settings: PiHole and Unbound

Post by Klola »

Thanks @Joulinar , I had edited the "/etc/unbound/unbound.conf.d/pi-hole.conf" again to enter my other IP range of the FritzBox.

My FritzBox acts as a DHCP server. In the FritzBox I have entered my RaspberryPi as DNS server.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Settings: PiHole and Unbound

Post by Joulinar »

Are you on the latest version of DietPi 7.5? And was unbound a fresh install, or did you already install it in the past? Because we haven't provided /etc/unbound/unbound.conf.d/pi-hole.conf anymore for a couple of versions. Our entire configuration is done in dietpi.conf
Klola
Posts: 17
Joined: Tue Jul 20, 2021 5:07 pm

Re: Settings: PiHole and Unbound

Post by Klola »

DietPi and PiHole have been installed for a while. I installed Unbound just now, afterwards.

I use DietPi v7.5.2
So I delete the /etc/unbound/unbound.conf.d/pi-hole.conf and paste the data in the dietpi.conf?

How do I get the dietpi.conf?
So far I only knew dietpi-config ;)
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Settings: PiHole and Unbound

Post by Joulinar »

Easiest would be to uninstall unbound and perform a new installation:

Code:

dietpi-software uninstall 182
dietpi-software install 182

This should pull the new configuration.
trendy
Posts: 360
Joined: Tue Feb 25, 2020 2:54 pm

Re: Settings: PiHole and Unbound

Post by trendy »

Just to point out that there is a typo in the address space you are using.
192.168 is private space. 192.162 is public and used by someone else.
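
An added example, not part of the original posts: a Python check of the point above, run over the private-address lines from the first post. Unbound removes addresses in private-address ranges from answers for public names, so a publicly routed /16 listed there affects real hosts. The LOCAL_RANGES list, the function names and the /24 prefix lengths are assumptions of this example.

```python
import ipaddress

# Address space reserved for local use: RFC 1918, IPv4 link-local,
# IPv6 unique-local and link-local. (List chosen for this example.)
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

def is_local(net):
    """True if the whole network lies inside one reserved local range."""
    return any(net.version == r.version and net.subnet_of(r)
               for r in LOCAL_RANGES)

def audit_private_addresses(conf_text):
    """Split unbound private-address entries into (local, public) lists."""
    local, public = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("private-address:"):
            continue
        value = line.split(":", 1)[1].strip()    # keeps IPv6 colons intact
        net = ipaddress.ip_network(value, strict=False)
        (local if is_local(net) else public).append(net)
    return local, public

# The private-address lines as posted in the thread.
SAMPLE_CONF = """
server:
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 192.162.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
"""

if __name__ == "__main__":
    local, public = audit_private_addresses(SAMPLE_CONF)
    for net in public:
        print(f"not local address space: {net}")
    # LAN before and after the change; /24 is assumed for both.
    for lan in ("192.162.145.0/24", "192.168.176.0/24"):
        verdict = "local" if is_local(ipaddress.ip_network(lan)) else "public"
        print(lan, verdict)
```
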
Klola
Posts: 17
Joined: Tue Jul 20, 2021 5:07 pm

Re: Settings: PiHole and Unbound

Post by Klola »

@trendy Thanks for the tip. I did not know that.
I had changed it from 192.168 to 192.162 at the time, as it was recommended by the FritzBox. Not the .162 specifically, but just another range, for a VPN-to-VPN network via the software from FritzBox.

I will change it to 192.168.176.X
Klola
Posts: 17
Joined: Tue Jul 20, 2021 5:07 pm

Re: Settings: PiHole and Unbound

Post by Klola »

Hey @Joulinar
Thanks, I uninstalled Unbound and installed it again; it should fit now. Changed the network to 192.168.176.X and adjusted all devices.

Every 2 weeks I run the following by hand:

Code:

dietpi-update && sudo apt-get update && sudo apt-get upgrade && pihole -up && pihole -g && sudo apt-get autoremove && sudo apt-get autoclean && dietpi-logclear

I picked this up in a forum once and run it for my updates. Does it fit like this?
If yes: I don't have to care about updates of the root.hints, do I?

Greetings :)
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Settings: PiHole and Unbound

Post by Joulinar »

root.hints should be updated automatically.

Regarding your manual command: I don't think this is needed that way if you're running default values.
  • dietpi-update - a check is done every night automatically. You should be notified of available DietPi updates via the login banner
  • apt update - will be done every night automatically. You should be notified of available apt package updates via the login banner
  • apt upgrade - can be done based on the information given on the login banner
  • pihole -up - PiHole is not releasing updates that often. Best is to follow them on Twitter to get notified of updates. You should also be notified on the PiHole admin web page. There should be a message at the bottom once an update is available
  • pihole -g - PiHole updates the Gravity database once a week on its own
  • apt autoremove - this is only needed if you manually uninstall apt packages
  • dietpi-logclear - in a default setup, DietPi is using RAMlog and this will be cleared on an hourly basis