Issues with unbound DNS resolving #179

Open · leprejohn opened this issue Nov 18, 2022 · 14 comments

Comments

@leprejohn commented Nov 18, 2022

Hi everyone, I was hoping to get some assistance on here with the all-in-one container. I've always run Pi-hole on a VM or bare metal, so I'm quite new to Docker; please forgive my lack of knowledge and understanding of Docker.

If I change the DNS in my Docker Pi-hole GUI to, say, Cloudflare it works fine; however, when using unbound recursive DNS I can't seem to get it to work. I was hoping to get some help troubleshooting the issue.

I've copied and pasted the container stuff below:

```
Env
FTLCONF_LOCAL_IPV4=10.1.1.177
TZ=Europe/London
WEBPASSWORD=
WEBTHEME=default-darker
PIHOLE_DNS_=127.0.0.1#5335
DNSSEC="true"
DNSMASQ_LISTENING=single
PATH=/opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
phpver=php
PHP_ENV_CONFIG=/etc/lighttpd/conf-enabled/15-fastcgi-php.conf
PHP_ERROR_LOG=/var/log/lighttpd/error-pihole.log
IPv6=True
S6_KEEP_ENV=1
S6_BEHAVIOUR_IF_STAGE2_FAILS=2
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
FTL_CMD=no-daemon
DNSMASQ_USER=pihole

ExposedPorts
443/tcp { }
53/tcp { }
53/udp { }
5335/tcp { }
67/udp { }
80/tcp { }

Mounts
Name /Pi-Hole

NetworkSettings
Bridge
EndpointID 686639b5d84f6927d92354030557f2683b5916dd4d397eb8aaf08015173b7b73
Gateway 172.17.0.1
GlobalIPv6Address
GlobalIPv6PrefixLen 0
HairpinMode false
IPAddress 172.17.0.7
IPPrefixLen 16
IPv6Gateway
LinkLocalIPv6Address
LinkLocalIPv6PrefixLen 0
MacAddress 02:42:ac:11:00:07
Networks
  bridge
    Aliases
    DriverOpts
    EndpointID 686639b5d84f6927d92354030557f2683b5916dd4d397eb8aaf08015173b7b73
    Gateway 172.17.0.1
    GlobalIPv6Address
    GlobalIPv6PrefixLen 0
    IPAMConfig { }
    IPAddress 172.17.0.7
    IPPrefixLen 16
    IPv6Gateway
    Links
    MacAddress 02:42:ac:11:00:07
    NetworkID 1b2fba1f3419b170d01f4c7ae47316fc8e7186ae6efab0704b3dd35a6acf15ba
```

@pluim003

What do the log files say? Or what do you see in the web interface?

@leprejohn

Hi, I've taken a screenshot of the web GUI, please see below.

[screenshot: pi-hole dns log]

@pluim003

The bottom ones use Cloudflare but the entries saying sent to 127.0.0.1#5335 use your unbound-server. I don't see anything wrong here, but I might be mistaken. In my query log I see the same.

@leprejohn

> The bottom ones use Cloudflare but the entries saying sent to 127.0.0.1#5335 use your unbound-server. I don't see anything wrong here, but I might be mistaken. In my query log I see the same.

The issue I have is that using unbound I get no DNS; however, with Cloudflare I get DNS queries answered.

@pluim003

Aha, I see. In my query log I actually almost only see:

[screenshot]

What I notice above is that you haven't set up REV_SERVER:

[screenshot]

Is the Unbound service up?

```
$ docker exec -it pihole-unbound bash
root@pihole:/# service unbound status
up (pid 277) 2018 seconds
```

@leprejohn commented Nov 19, 2022

The service is running:

```
root@f8ac1a4712f0:/# service unbound status
up (pid 334) 27803 seconds
root@f8ac1a4712f0:/#
```

Edit: so I did a bit of troubleshooting and checked my unbound config, and everything is fine, the same as I set it up on bare metal.

```
root@f8ac1a4712f0:/# dig google.com
; <<>> DiG 9.16.33-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             218     IN      A       172.217.169.14

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 19 17:50:50 GMT 2022
;; MSG SIZE  rcvd: 55

root@f8ac1a4712f0:/# dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

root@f8ac1a4712f0:/#
```

```
root@f8ac1a4712f0:/etc/unbound/unbound.conf.d# cat pi-hole.conf

# Config pulled from https://docs.pi-hole.net/guides/unbound/

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    # Be aware that if enabled (requires CAP_NET_ADMIN or privileged), the kernel buffer must have the defined amount of memory, if not, a warning will be raised.
    #so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

root@f8ac1a4712f0:/etc/unbound/unbound.conf.d#
```

```
root@f8ac1a4712f0:/etc/unbound/unbound.conf.d# dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

root@f8ac1a4712f0:/etc/unbound/unbound.conf.d# dig dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

root@f8ac1a4712f0:/etc/unbound/unbound.conf.d#
```

@pluim003 commented Nov 19, 2022

Unfortunately I don't have a clue. Same test here:

```
root@pihole:/# dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57894
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.           IN      A

;; Query time: 343 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Nov 19 22:34:50 CET 2022
;; MSG SIZE  rcvd: 48

root@pihole:/# dig dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21920
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works.                  IN      A

;; ANSWER SECTION:
dnssec.works.           3600    IN      A       5.45.107.88

;; Query time: 47 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Nov 19 22:35:01 CET 2022
;; MSG SIZE  rcvd: 57
```

The only differences I see are that I have the REV_SERVER stuff and that I use my own image (forked from this repo), which uses a newer version of Unbound, but that shouldn't make a difference.

```
root@pihole:/# dig google.com

; <<>> DiG 9.16.33-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33789
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             285     IN      A       142.250.179.142

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 19 22:38:49 CET 2022
;; MSG SIZE  rcvd: 55
```

How does the following look on your side?

[screenshot]

As I don't get unbound logging in syslog (or thought I didn't get it), I enabled it:

```
server:
    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 2
    log-time-ascii: yes

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
```

Maybe that can give a better clue?
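The checks the two of you ran above (`service unbound status`, `dig ... @127.0.0.1 -p 5335`, the dnssec.works / fail01.dnssec.works pair) can be turned into one script. The example below is added here and is not code from this thread or from the pihole-unbound image. `classify_dig` reads `dig` output and names what happened (timeout, SERVFAIL, validated answer with the `ad` flag, or an unvalidated answer), `dnssec_verdict` combines the results for the known-good and the deliberately broken name, and `probe_unbound` runs the live checks in the order worth running; the live part assumes `dig`, `ss` and `unbound-checkconf` are present in the container, and the sample outputs are copied from the `dig` transcripts posted in this issue. Note that the first transcript above shows a bare `dig google.com` going to `1.1.1.1#53`, i.e. the container's own stub resolver, so only the `@127.0.0.1 -p 5335` form actually tests unbound.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the pihole-unbound image.
# Turns the dig checks from the thread into a small diagnostic:
#   classify_dig   - stdin = dig output, prints a one-word result
#   dnssec_verdict - combines results for dnssec.works and fail01.dnssec.works
#   probe_unbound  - the live checks (only runs when invoked with --live)
# Assumption: a validating resolver answers dnssec.works with the `ad` flag
# and fail01.dnssec.works with SERVFAIL; "connection timed out" means no
# socket answered on that address/port from the caller's network namespace.

# classify_dig: prints TIMEOUT | SERVFAIL | NXDOMAIN | VALIDATED | UNVALIDATED | OTHER
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo TIMEOUT; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo SERVFAIL ;;
        NXDOMAIN) echo NXDOMAIN ;;
        NOERROR)
            # `ad` (authenticated data) is only set when the resolver validated the answer
            case " $flags " in
                *" ad "*) echo VALIDATED ;;
                *)        echo UNVALIDATED ;;
            esac ;;
        *) echo OTHER ;;
    esac
}

# dnssec_verdict GOOD BAD: GOOD/BAD are classify_dig results for
# dnssec.works and fail01.dnssec.works respectively.
dnssec_verdict() {
    if [ "$1" = TIMEOUT ] || [ "$2" = TIMEOUT ]; then
        echo UNREACHABLE      # fix the listener before reasoning about DNSSEC
    elif [ "$1" = VALIDATED ] && [ "$2" = SERVFAIL ]; then
        echo VALIDATING       # resolves, and rejects the broken signature
    elif [ "$2" = SERVFAIL ]; then
        echo INCONCLUSIVE     # broken name rejected, but no ad flag on the good one
    else
        echo NOT_VALIDATING   # broken name was answered: validation off or bypassed
    fi
}

# Sample outputs copied from the dig transcripts in this thread, for offline use.
sample_timeout() {
    cat <<'EOF'
; <<>> DiG 9.16.33-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached
EOF
}
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57894
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_validated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21920
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_unvalidated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# probe_unbound [HOST] [PORT]: live checks, run inside the container.
probe_unbound() {
    host=${1:-127.0.0.1}; port=${2:-5335}
    # 1. Is anything bound to the port in *this* network namespace?
    #    (a bridge-mode container has its own loopback interface)
    if command -v ss >/dev/null 2>&1; then
        ss -lntu 2>/dev/null | grep -E "[:.]${port}[[:space:]]" || echo "no listener on port $port here"
    fi
    # 2. Does the config parse, and does it bind where PIHOLE_DNS_ points?
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf || echo "unbound-checkconf reported an error"
        unbound-checkconf -o interface; unbound-checkconf -o port
    fi
    # 3. Query the resolver directly, with a short timeout so a dead socket is obvious
    good=$(dig +time=2 +tries=1 dnssec.works @"$host" -p "$port" | classify_dig)
    bad=$(dig +time=2 +tries=1 fail01.dnssec.works @"$host" -p "$port" | classify_dig)
    echo "dnssec.works=$good fail01.dnssec.works=$bad verdict=$(dnssec_verdict "$good" "$bad")"
}

# Only go live when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    probe_unbound "$2" "$3"
fi
```

Copy the script into the container and run it there, e.g. `docker exec -it pihole-unbound sh /tmp/probe.sh --live 127.0.0.1 5335`. Loopback traffic never leaves the network namespace, so a TIMEOUT on 127.0.0.1 from inside the container rules out the host firewall and Docker port mapping and leaves only the listener itself (is unbound bound to that address and port in this namespace?) to look at; the `ss` and `unbound-checkconf -o interface` lines answer that directly.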

@pluim003

Another thing: does FTLCONF_LOCAL_IPV4 point to the host where your Docker container is running?

@leprejohn commented Nov 23, 2022

Hi pluim003, FTLCONF_LOCAL_IPV4 points to my Docker host, which shares the same IP as my Pi-hole.

I also changed my settings to match your REV_SERVER ones, but I'm having the same issues.

@pluim003

Ok. Sounds/looks good. Then I'm afraid I can't help you any further. Hopefully someone else?

@Huelsi commented Nov 26, 2022

Let's give it a try. I was running into similar issues because of the different VLANs I use. Have you tried the setting "permit all origins" in the interface settings?

@leprejohn

> Let's give it a try. I was running into similar issues because of the different VLANs I use. Have you tried the setting "permit all origins" in the interface settings?

So I tried this; however, I'm still not getting any DNS while using unbound.

@Huelsi commented Nov 29, 2022

Do you, by any chance, use Ubiquiti hardware? If so, have you tried to deactivate DNS for IPS? I'll also try to find the notes I took when installing Pi-hole. I ran into exactly the same issues and there was another thing I had to configure to make it work. Have you also tried whether it works in host network mode instead of bridge? Maybe your Docker instance blocks some traffic in bridge mode.

@leprejohn

> Do you, by any chance, use Ubiquiti hardware? If so, have you tried to deactivate DNS for IPS? I'll also try to find the notes I took when installing Pi-hole. I ran into exactly the same issues and there was another thing I had to configure to make it work. Have you also tried whether it works in host network mode instead of bridge? Maybe your Docker instance blocks some traffic in bridge mode.

The only Ubiquiti hardware I have is my AP; the rest of my setup is mostly Cisco, a TP-Link 5-port switch and my OPNsense firewall, which does my DHCP.

I'll try host network mode and see what happens.
