MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License

Pi-hole logs all replies from unbound as "N/A" but dig test works #33

Closed lokety closed 1 year ago

lokety commented 1 year ago

I have pi-hole 5.11.4 and unbound-docker-rpi latest both running in docker containers on a RPI 4B host.

When I look at the pi-hole query log against the unbound DNS as 127.0.0.1:5335, the replies are all "N/A". If I configure this as my only DNS, all my clients will time out.

When I do a dig from localhost or from another client (another RPI 4B), I get valid responses like:

dig adobe.com @127.0.0.1 -p 5335

; <<>> DiG 9.16.27-Debian <<>> adobe.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37295
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;adobe.com.                     IN      A

;; ANSWER SECTION:
adobe.com.              86      IN      A       123.253.148.51
adobe.com.              86      IN      A       123.253.148.59

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Mon Aug 29 01:06:00 NZST 2022
;; MSG SIZE  rcvd: 70

I followed the instructions to set up the unbound container with only this customization for forward-records.conf:

cat forward-records.conf
forward-zone:
    # Forward all queries (except those in cache and local zone) to
    # upstream recursive servers
    name: "."
    # Queries to this forward zone use TLS
    forward-tls-upstream: yes

    # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

    ## Cloudflare
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

    ## Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net

Any help? Thanks.

MatthewVance commented 1 year ago

My best guess without diving into it and knowing all the details is that it is a container networking issue. Why are you checking against 127.0.0.1? If Unbound is a different container than Pi-hole, it’ll need to use the addressable address of the Unbound instance.
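The point made above, that 127.0.0.1 inside a separate Pi-hole container is Pi-hole's own loopback and not the Unbound container, can be checked mechanically before anything else is debugged. The script below is an added example and is not code from the issue or from the unbound-docker-rpi project. It reads an upstream list in the same "address#port;address#port" form Pi-hole uses for its PIHOLE_DNS_ setting together with the Docker network mode, and flags loopback upstreams whenever the containers do not share the host's network namespace. The container address 172.20.0.2 and the sample inputs at the bottom are constructed values.

```shell
#!/bin/sh
# Added example, not part of the issue or of unbound-docker-rpi.
# Flags the misconfiguration discussed above: Pi-hole in its own container
# with an upstream of 127.0.0.1, which is the Pi-hole container's loopback,
# not the Unbound container. The upstream list follows Pi-hole's PIHOLE_DNS_
# format ("ip#port;ip#port"); the network mode follows Docker's names
# ("host" means Pi-hole shares the Pi's own network namespace).

# check_upstream NETWORK_MODE UPSTREAM_LIST
# Prints one verdict per upstream. Returns 0 when every upstream is reachable
# from the given network mode, 1 when a loopback upstream is used from a
# container that does not run with host networking.
check_upstream() {
    mode="$1"
    upstreams="$2"
    rc=0
    # Split the ';'-separated list of "address#port" entries.
    old_ifs="$IFS"; IFS=';'
    for entry in $upstreams; do
        addr="${entry%%#*}"                 # everything before '#'
        port="${entry#*#}"                  # everything after '#'
        [ "$port" = "$entry" ] && port=53   # no '#': Pi-hole defaults to 53
        case "$addr" in
            127.*|::1|localhost)
                if [ "$mode" = "host" ]; then
                    echo "ok: $addr#$port (host networking: loopback is the Pi itself)"
                else
                    echo "bad: $addr#$port is this container's own loopback; use the Unbound container's address on the shared Docker network"
                    rc=1
                fi ;;
            *)
                echo "ok: $addr#$port" ;;
        esac
    done
    IFS="$old_ifs"
    return $rc
}

# Constructed samples: the setting from the issue on a bridge network, then the
# same port on an assumed Unbound container address (172.20.0.2).
check_upstream bridge "127.0.0.1#5335"
check_upstream bridge "172.20.0.2#5335"
```

The check only catches the addressing mistake; the port is the other thing to confirm. 5335 in the issue is the port published on the Pi, and a container on the same Docker network talks to Unbound on the port it listens on inside its container, which may differ. The real end-to-end test is to run the same dig from inside the Pi-hole container (docker exec into it) against the Unbound container's address and internal port: if that dig times out while the one on the host succeeds, the problem is container networking rather than Unbound or its forward-records.conf.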


MatthewVance commented 1 year ago

Closing due to no response. Please re-open if needed.