Setting up recursive DNS on a new pi hole

red_death_gtv · March 26, 2024, 6:33pm

Hey everyone!

I'm moving my pi hole from an old laptop to a container in my proxmox. Furthermore I want to use it as a recursive DNS so I'm setting up unbound. I got the pi hole setup and unbound up and running listening to port 5335 but when I test the dig command:

dig @127.0.0.1 -p 5335 dnssec.works

It fails.

I edited the unbound file /etc/unbound/unbound.conf.d/pi-hole.conf using nano and remove the hashtag so that it is listening to Port 5335.

I verified that unbound is running, I verified that it's listening to the port but the dig command continues to fail. I can ping the address from the container.

Pfsense is my router and configure to push all DNS queries to my current pi hole at a static IP.

I haven't switched over to the new DNS yet but I kind of want to make sure that the dig command is working before I go through the steps of assigning the static IP to the new pi hole container.

Not sure where I missed here would appreciate some insight.

Thanks.

red_death_gtv · March 26, 2024, 6:36pm

This is my netstats:

@Pi-Hole-New:~# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 ::1:4711                :::*                    LISTEN     
tcp6       0      0 :::53                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
udp        0      0 127.0.0.1:5335          0.0.0.0:*                          
udp        0      0 0.0.0.0:53              0.0.0.0:*                          
udp6       0      0 :::53                   :::*

DanSchaper · March 26, 2024, 6:53pm

Something is listening on 5335, most likely unbound.

The guide doesn't have that line commented out to begin with, how did you create that file?

ping won't do much to help with DNS troubleshooting, what is the exact output of your dig commands? Do other DNS queries work, like pi-hole.net and only dnssec.works is failing?

red_death_gtv · March 26, 2024, 7:02pm

Hey Dan,

All dig commands fail this is the error message:

@Pi-Hole-New:~# dig @127.0.0.1 -p 5335 google.com  
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

nano /etc/unbound/unbound.conf.d/pi-hole.conf

I got the text from the unbound documentation:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small>
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

NGr · March 26, 2024, 7:43pm

red_death_gtv:

# Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "/var/lib/unbound/root.hints"

Leave this commented out, unless you have manually downloaded the list.

red_death_gtv · March 26, 2024, 8:15pm

I did manually download it.

NGr · March 26, 2024, 8:29pm

What is the output of:

sudo ss -tulpn sport = 5335

It should tell you what process is bound to the port.

DanSchaper · March 26, 2024, 8:52pm

How did you install unbound? Did you use the package manager?

red_death_gtv · March 26, 2024, 8:56pm

Correct I used: apt install unbound

DanSchaper · March 26, 2024, 8:57pm

Then comment that line out again and allow the package management to handle the root hints.

red_death_gtv · March 26, 2024, 8:57pm

@Pi-Hole-New:~# ss -tulpn sport = 5335        
Netid    State     Recv-Q    Send-Q       Local Address:Port         Peer Address:Port    Process                                                                                   
udp      UNCONN    0         0                127.0.0.1:5335              0.0.0.0:*        users:(("unbound",pid=605,fd=3))                                                         
tcp      LISTEN    0         256              127.0.0.1:5335              0.0.0.0:*        users:(("unbound",pid=605,fd=4))

red_death_gtv · March 27, 2024, 1:26pm

Still not working. Reading the unbound documentation I think I need to set interface-automatic: <yes or no> to yes. something about changing the listening interface.

Bucking_Horn · March 27, 2024, 10:37pm

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

system · April 17, 2024, 10:38pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.