Just installed Unbound, DNS Leak test is showing 6 servers in each query round, normal?

Hi all, just making sure this is working. I saw a YouTube video where the guy said to go to dnsleaktest.com when done and do the extended test. And that each round should have just 1 server on them. Mine are 5-6 per round (all Google). Also, are there command lines I can run to check the stats for unbound via SSH? Thanks as always


I don’t believe that is normal no. Mine only shows 1 server. Are you sure all the DNS requests are correctly going through your pihole?

It should be 1

Do an ifconfig/ipconfig and see what DNS servers are showing up. If it’s anything other than pihole, something isn’t configured correctly.

It should show just the one.

Your devices are still getting google DNS servers somehow. My guess is you have the IPv4 Pihole DNS set in the router, but not the IPv6 so the router is still passing on those from Google. But that’s a guess.

As others said, something is wonky.

The only address that should show when using unbound is the static/dynamic IP you get from your ISP.

I wonder if you have it set up as a forwarder instead of a resolver.

You need to make sure your unbound is in recursive mode vs forwarding mode. In forwarding mode it’ll just forward to the usual suspects. In recursive mode it’ll query the TLD servers only and cache results.

Did you get this resolved? I just realized my piholes were leaking and I think it was due to my upgrade to Bullseye (Debian 11) OS. If you check the unbound page on the PiHole website, starting where it says “Disable resolvconf.conf entry for unbound (Required for Debian Bullseye+ releases)”, and follow those instructions, you might resolve your issue, assuming you’re using Bullseye and not a previous version of Debian/Raspbian.

I have my router set to my pihole IP for primary and secondary, and all devices should be using it. I suppose I may have a device or two that has hardcoded 8.8.8.8 to bypass

I ran this in SSH if this helps

Interesting, I definitely never touched anything related to IPv6 so perhaps this is part of it. I’ll need to look into how to do it on my tplink router. Thanks

Where might I check the forwarder/resolver settings?

I’m a little more convinced it’s IPv6 that’s getting through now (or… you’ve got no IPv6 on your network at all, and it’s just not set up right). Your pi doesn’t have IPv6 networking happening. That IPv6 address that starts with fe80 is a “link local” address… the interface just makes that automatically. It would be getting a 2XXX:… and possibly another fXXX:… address if it was configured for IPv6 with the router.

Do other devices (like your smartphone on the wifi) have more IPv6 addresses, i.e. have IPv6 set up and working?

I’m gonna install unbound (again… for reasons I started fresh on this pi yesterday) right now. DM me or chat if you wanna chat about it…

Also, is your unbound configuration using ipv6? You can dig @::1 -p 5335 -6 google.com (I’m assuming you used 5335) on the pi and verify that unbound accepts IPv6 requests in the first place.

Here’s basically my entire unbound.conf file. You should have no references to other DNS servers or forwarding anywhere in there… You don’t necessarily have to use this as-is, but it should illustrate that there IS no forwarder settings. The below config results in an entirely recursive unbound config.

FYI this config is the one present in cdrocker/unbound:latest docker image (IMO the best recursive docker image for unbound, no config required.)

server:
        access-control: 0.0.0.0/0 allow
        cache-max-negative-ttl: 10
        cache-max-ttl: 86400
        cache-min-ttl: 321
        do-ip4: yes
        do-ip6: no
        do-not-query-localhost: no
        do-tcp: yes
        do-udp: yes
        edns-buffer-size: 4096
        extended-statistics: yes
        harden-dnssec-stripped: yes
        harden-large-queries: yes
        harden-short-bufsize: yes
        interface: 0.0.0.0
        logfile: ""
        minimal-responses: no
        msg-buffer-size: 8192
        msg-cache-size: 32m
        msg-cache-slabs: 4
        num-queries-per-thread: 1024
        outgoing-port-permit: "10240-65335"
        pidfile: "/var/run/unbound.pid"
        port: 53
        prefetch: yes
        root-hints: /etc/unbound/root.hints
        rrset-roundrobin: yes
        so-reuseport: yes
        statistics-cumulative: yes
        statistics-interval: 24300
        target-fetch-policy: "2 1 0 0 0 0"
        trust-anchor: ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
        username: "unbound"
        verbosity: 1
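
Added example, not part of the thread or of any poster's setup: a shell check for the point made above that a recursive config contains no forwarders. The function name `unbound_mode` is hypothetical, it assumes one option per line, and the sample configs are constructed.

```shell
#!/bin/sh
# unbound_mode FILE...: print "recursive" if no forward-zone sends queries
# upstream, otherwise one "forwarding: <zone> -> <upstreams>" line per zone.
# Assumption: one option per line, as in the config posted above.
unbound_mode() {
    awk '
        function emit() {
            if (in_fwd && addrs != "") {
                print "forwarding: " zone " ->" addrs
                found = 1
            }
            in_fwd = 0; addrs = ""
        }
        # Strip comments, but keep the "#" inside ip@port#tlsname values.
        { sub(/^#.*/, ""); sub(/[ \t]#.*/, "") }
        $1 == "forward-zone:" { emit(); in_fwd = 1; zone = "(unnamed)"; next }
        # Any other bare "word:" line starts a new clause (server:, stub-zone:, ...).
        NF == 1 && $1 ~ /^[a-z-]+:$/ { emit(); next }
        { gsub(/"/, "", $2) }                  # values may be quoted
        in_fwd && $1 == "name:" { zone = $2 }
        in_fwd && ($1 == "forward-addr:" || $1 == "forward-host:") {
            addrs = addrs " " $2
        }
        END { emit(); if (!found) print "recursive" }
    ' "$@"
}

# Constructed sample configs (not from the thread) showing both outcomes.
demo=$(mktemp -d)
cat > "$demo/recursive.conf" <<'EOF'
server:
        port: 5335
        do-ip6: no
        root-hints: /etc/unbound/root.hints
EOF
cat > "$demo/forwarder.conf" <<'EOF'
server:
        port: 5335
forward-zone:
        name: "."
        forward-addr: 8.8.8.8        # Google
        forward-addr: 8.8.4.4
EOF
unbound_mode "$demo/recursive.conf"   # recursive
unbound_mode "$demo/forwarder.conf"   # forwarding: . -> 8.8.8.8 8.8.4.4
rm -rf "$demo"
```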

I was wrong! But OP and I got there.

Used 5335 yes. I have never set up ipv6 in my life for anything lol. Also this