anudeepnd / pihole-unbound
Guide to set up Unbound recursive DNS resolver with Pi-hole. With additional configs for speed and security!
Since this guide is almost completely the exact contents of the Pi-hole developer written guide at https://docs.pi-hole.net/guides/unbound/ it's pretty poor taste to add a PayPal link to your copy of our work.
Would it not make sense to add:
# enable to not answer id.server and hostname.bind queries.
hide-identity: yes
# enable to not answer version.server and version.bind queries.
hide-version: yes
This would prevent host answers from your local LAN from the internet (I do not know how to say this in a technical way).
Hi all,
I have an issue after I installed unbound following the guide. The problem is that the ad blocker is not working anymore and I have issues connecting to other Docker containers. I have searched the whole internet for solutions related to dhcpd, resolv.conf, etc.
Below you can find the docker-compose part for pihole:
pihole:
  container_name: pihole
  hostname: pihole
  image: pihole/pihole:latest
  ports:
    - '53:53/tcp'
    - '53:53/udp'
    # - '67:67/udp'
    - '8182:80'
    - '8183:443'
  restart: unless-stopped
  networks:
    t2_proxy:
      ipv4_address: 192.168.90.8
  volumes:
    - $DOCKERDIR/pihole/resolv.conf:/etc/resolv.conf:ro
    - $DOCKERDIR/pihole/pihole:/etc/pihole
    - $DOCKERDIR/pihole/dnsmasq.d:/etc/dnsmasq.d
    - $DOCKERDIR/pihole/hosts:/etc/hosts:ro
  # cap_add:
  #   - NET_ADMIN
  environment:
    - ServerIP=${SERVER_IP}
    - TZ=${TZ}
    - WEBPASSWORD=$PI_HOLE_PASS
    - PROXY_LOCATION=pihole
    - VIRTUAL_HOST=pihole.${DOMAINNAME}
    - VIRTUAL_PORT=80
    - DNS1=127.0.0.1#5335
    - DNS2=no
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.pihole-rtr.entrypoints=https"
    - "traefik.http.routers.pihole-rtr.rule=Host(`pihole.$DOMAINNAME`)"
    - "traefik.http.routers.pihole-rtr.tls.certresolver=dns-cloudflare"
    ## Middlewares
    - "traefik.http.routers.pihole-rtr.middlewares=chain-oauth@file"
    ## HTTP Services
    - "traefik.http.routers.pihole-rtr.service=pihole-svc"
    - "traefik.http.services.pihole-svc.loadbalancer.server.port=80"
Could you please help me?
Thanks in advance
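A caveat on the compose file above: DNS1=127.0.0.1#5335 is evaluated inside the pihole container, where 127.0.0.1 is the container's own loopback, not the host. If Unbound runs on the host as in the guide, Pi-hole's upstream queries go nowhere and resolution fails. The fragment below is an added example, not from the post or the project: it binds Unbound on an address the container can reach and limits access-control to the Docker subnet. The host address 192.168.90.1 and the subnet 192.168.90.0/24 are assumptions derived from the container's ipv4_address above; check them against `docker network inspect t2_proxy`.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (added example; addresses are assumptions)
server:
    # Listen on loopback for the host itself and on the host's address in the
    # t2_proxy Docker network so the pihole container can reach port 5335.
    interface: 127.0.0.1
    interface: 192.168.90.1
    port: 5335
    # Only the host and the Docker subnet may query; everything else is refused,
    # so the resolver is not reachable from the rest of the LAN or the internet.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.90.0/24 allow
    access-control: 0.0.0.0/0 refuse

# and in the pihole service of docker-compose.yml, point Pi-hole at that address:
#     - DNS1=192.168.90.1#5335
```

Restart Unbound after the change and confirm from inside the container that the port answers (for example `dig @192.168.90.1 -p 5335 pi-hole.net`); a host firewall that only allows loopback traffic to 5335 produces the same symptom.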
Setting inside /etc/unbound/unbound.conf.d/pi-hole.conf
For a while the unbound service would fail to start, unable to dig any site.
I fixed it, but I had also run into another issue from the config file.
# Minimize logs
# Do not print one line per query to the log
log-queries: no
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
logfile: /dev/null
#log-replies: no
● unbound-resolvconf.service - Unbound DNS server via resolvconf
Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
Active: active (exited) (Result: exit-code) since Tue 2020-08-04 01:10:31 EDT; 10s ago
Process: 12146 ExecStop=/usr/lib/unbound/package-helper resolvconf_stop (code=exited, status=1/FAILURE)
Process: 12156 ExecStart=/usr/lib/unbound/package-helper resolvconf_start (code=exited, status=1/FAILURE)
Main PID: 12156 (code=exited, status=1/FAILURE)
CPU: 0
CGroup: /system.slice/unbound-resolvconf.service
Aug 04 01:10:31 linuxboard package-helper[12156]: /etc/unbound/unbound.conf.d/pi-hole.conf:142: error: unknown keyword 'log-replies'
Aug 04 01:10:31 linuxboard package-helper[12156]: /etc/unbound/unbound.conf.d/pi-hole.conf:142: error: stray ':'
Aug 04 01:10:31 linuxboard package-helper[12156]: /etc/unbound/unbound.conf.d/pi-hole.conf:142: error: unknown keyword 'no'
Aug 04 01:10:31 linuxboard package-helper[12156]: read /etc/unbound/unbound.conf failed: 3 errors in configuration file
Adding a # sign got it active with no errors. But I still have an issue remaining: I'm unable to start pihole, and have no internet.
I can browse the internet on the Linux board, but anything going to pihole is offline from other devices.
Most things in this day and age now run on IPv6; I have enabled the first 2 options to yes. I assume for pihole we enter this in the IPv6 DNS slot: ::/0
I found this guide
Is this still applicable with the latest pihole?
Is there still a requirement to download root.hints every 4-6 months?
What are the Cache_size entries in setupVars.conf for, and do they need to be set to ZERO as well?
Your guide should mention what to reboot so the settings are applied.
Is there any way to check / test if all is working via unbound?
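Two things asked in this thread can be verified with raw DNS queries against the Unbound port: whether hide-identity/hide-version (suggested earlier above) really stop id.server and version.bind answers, and whether Unbound is resolving and DNSSEC-validating at all. The script below is an added example written for this page, not code from the repository or from the Pi-hole guide. It assumes Unbound listens on 127.0.0.1 port 5335 as in the guide, builds the queries in wire format so no dnspython or dig is needed, and uses the sigfail/sigok test names the Pi-hole guide uses for its DNSSEC check.

```python
"""Wire-format DNS checks for a local Unbound instance (added example; not
part of the pihole-unbound repository).  Builds raw queries, so it works
without dnspython or dig.  RESOLVER is an assumption (the guide's port)."""
import socket
import struct

RESOLVER = ("127.0.0.1", 5335)   # assumption: Unbound bound for Pi-hole as in the guide
CLASS_IN, CLASS_CH = 1, 3
TYPE_A, TYPE_TXT = 1, 16
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Turn 'version.bind' into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qclass=CLASS_IN, txid=0x1234, dnssec_ok=False):
    """Build a DNS query.  With dnssec_ok an OPT RR carries the DO bit, so a
    validating resolver sets the AD flag on answers it could validate."""
    flags = 0x0100                       # RD
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0,
        # EDNS version 0, flags with DO (0x8000), empty rdata.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return rcode name, AD flag and decoded TXT strings from the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    ad = bool(flags & 0x0020)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # qtype + qclass
    txt = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:            # TXT rdata is a run of length-prefixed strings
            pos = 0
            while pos < len(rdata):
                n = rdata[pos]
                txt.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return {"rcode": rcode, "ad": ad, "txt": txt}


def identity_leaks(resp):
    """hide-identity/hide-version are effective when the CH TXT queries for
    id.server / version.bind come back REFUSED (or without TXT data)."""
    return resp["rcode"] == "NOERROR" and len(resp["txt"]) > 0


def probe(name, qtype, qclass=CLASS_IN, dnssec_ok=False, server=RESOLVER):
    """Send one query over UDP and parse the reply (needs a running resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype, qclass, dnssec_ok=dnssec_ok), server)
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    for n in ("version.bind", "id.server"):
        r = probe(n, TYPE_TXT, CLASS_CH)
        print(n, r["rcode"], "LEAK" if identity_leaks(r) else "hidden", r["txt"])
    # DNSSEC sanity check from the Pi-hole guide: sigfail must SERVFAIL,
    # sigok must resolve and carry the AD flag.
    print("sigfail", probe("sigfail.verteiltesysteme.net", TYPE_A, dnssec_ok=True)["rcode"])
    ok = probe("sigok.verteiltesysteme.net", TYPE_A, dnssec_ok=True)
    print("sigok", ok["rcode"], "AD" if ok["ad"] else "no AD")
```

Run it on the Pi after restarting Unbound: both CHAOS queries should print REFUSED/hidden, sigfail should print SERVFAIL and sigok NOERROR with AD. A NOERROR with TXT data for version.bind means hide-version is not active in the config Unbound actually loaded.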
I've noticed that there seem to be duplicated settings inside /etc/unbound/unbound.conf.d/pi-hole.conf
There are 2:
msg-cache-size
rrset-cache-size
# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data anymore
cache-min-ttl: 300
cache-max-ttl: 86400
msg-cache-size: 128m
rrset-cache-size: 256m
# more cache memory. rrset-cache-size should be twice what msg-cache-size is.
msg-cache-size: 50m
rrset-cache-size: 100m
Is it supposed to be this way? I'm new to this unbound thing.
The issue I am facing:
No internet after Pi reboot. After clicking DNS resolver internet begins to work
Details about my system:
Using Unbound DNS
Your debug token is: https://tricorder.pi-hole.net/9ubtfno584
Hi Anudeep, I have been your Unbound user for a long time.
I have observed that your Unbound version is way too old.
Unbound's current version is 1.9.6.
I tried installing manually from different guides, but no use.
Can you please update the version in your repository to the latest one?
Thanks in advance
Any ideas what I can do to fix this, or is it just normal?
warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl big
May 25 21:25:02 pihole1 unbound[3684]: [1621995902] unbound[3684:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl big
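The warning above means Unbound asked for 4 MiB socket buffers (the so-rcvbuf/so-sndbuf options) and the kernel capped the request at the unprivileged maximum, 425984 bytes here. The message is cut off on this page; the sysctls it refers to are net.core.rmem_max for the receive side and net.core.wmem_max for the send side. The fragment below is an added example, not from the repository; the file name is an assumption, any file under /etc/sysctl.d/ works.

```conf
# /etc/sysctl.d/99-unbound.conf  (added example; file name is an assumption)
# Raise the kernel caps to at least what Unbound requests (4194304 = 4m),
# otherwise the so-rcvbuf/so-sndbuf settings are silently reduced.
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
```

Apply with `sysctl --system` (or a reboot) and then restart Unbound; the warning disappears once the granted size equals the requested one. Running Unbound as root to get the buffers, the other option the message offers, is the wrong trade: the larger buffers only matter under heavy query load, and the Pi-hole setup runs it unprivileged on purpose.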
Thanks for this guide on how to configure unbound!
I have a quick question though. I noticed a difference between your configuration and the default pi-hole docs on the edns-buffer-size.
Your conf file sets it at 1232, while the pihole docs set it at 1472 (it says it's recommended by the unbound docs, but I've been unable to find it). Does this difference matter?
Hi anuDeepND,
I've used your Unbound configuration as a base to couple with my Pi-hole, and I've noticed that Unbound currently also supports DNS over TLS and DNS over HTTPS.
It is arguably more secure and privacy-friendly than querying the root domain servers (which is unencrypted UDP traffic), depending on which upstream DNS you configure. Still, somebody could figure out which website you are visiting based on reverse IP lookups etc., but encrypted DNS allows for less tampering.
Configuring this is quite simple, as you can add the following to the bottom of your configuration:
# server option: CA bundle used to verify the upstream certificates.
# This is the path on Pi-hole (Debian/Raspbian); other systems might have different spots.
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-addr: #########@853   # replace with the DNS of your choice
    forward-addr: ##########@853  # replace with the DNS of your choice
    forward-tls-upstream: yes
Some examples of encrypted DNS resolvers can be found here.
Is this something you'd like to include?
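Several of the questions in this thread are about the same file and can be caught before restarting the service: the duplicated msg-cache-size/rrset-cache-size, the edns-buffer-size value (1232 is the DNS flag day 2020 recommendation; larger values risk fragmented replies being dropped), the hide-identity/hide-version suggestion, and the DNS-over-TLS forward-zone just above, which only authenticates the upstream when tls-cert-bundle (or tls-system-cert) is set and each forward-addr carries a #authname to match the certificate against. The checker below is an added example, not part of the repository or of Unbound. It parses unbound.conf's key: value syntax; the clause names and the list of single-valued options are assumptions taken from unbound.conf(5), and the authoritative check remains `unbound-checkconf`, which knows the keyword set of the installed version (the log-replies error earlier in the thread is exactly that kind of version mismatch).

```python
"""Static checks for pi-hole.conf fragments (added example; not part of the
pihole-unbound repository or of Unbound).  Flags the pitfalls raised in this
thread; run `unbound-checkconf` afterwards for the real keyword check."""
import re
import sys

# Clause headers as documented in unbound.conf(5) (assumption: this subset).
CLAUSES = {"server", "remote-control", "stub-zone", "forward-zone",
           "auth-zone", "view", "python", "dnstap", "cachedb"}
# Single-valued server options from the thread: when one is set twice the
# later assignment overrides the earlier one without any warning.
SCALAR = {"msg-cache-size", "rrset-cache-size", "edns-buffer-size",
          "cache-min-ttl", "cache-max-ttl", "logfile", "so-rcvbuf", "so-sndbuf"}
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
EDNS_MAX = 1232   # DNS flag day 2020 recommendation


def parse_unbound(text):
    """Return clauses as {'name': ..., 'options': [(key, value, lineno), ...]}."""
    clauses = [{"name": None, "options": []}]
    for lineno, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment only at line start or after whitespace, so the
        # IP@port#authname form of forward-addr survives.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if m and m.group(1) in CLAUSES and m.group(2) == "":
            clauses.append({"name": m.group(1), "options": []})
            continue
        key, value = (m.group(1), m.group(2).strip('"')) if m else ("?", line)
        clauses[-1]["options"].append((key, value, lineno))
    return clauses


def to_bytes(size):
    """'50m' -> 52428800; Unbound accepts plain numbers and k/m/g suffixes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", size)
    if not m:
        raise ValueError("bad size: %r" % size)
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def check_unbound(text):
    """Return findings as (code, message) tuples; an empty list is a clean file."""
    findings, server, first_seen = [], {}, {}
    clauses = parse_unbound(text)
    for clause in clauses:
        for key, value, lineno in clause["options"]:
            if key == "?" or value == "":
                findings.append(("syntax", "line %d: cannot parse %r" % (lineno, value or key)))
                continue
            if clause["name"] == "server":
                if key in SCALAR and key in first_seen:
                    findings.append(("duplicate", "line %d: %s already set at line %d; this later value wins"
                                     % (lineno, key, first_seen[key])))
                first_seen.setdefault(key, lineno)
                server[key] = value          # last value wins, as in Unbound
    for opt in ("hide-identity", "hide-version"):
        if server.get(opt, "no") != "yes":
            findings.append(("leak", "%s is not 'yes': id.server/version.bind CH TXT queries are answered" % opt))
    if "msg-cache-size" in server and "rrset-cache-size" in server:
        if to_bytes(server["rrset-cache-size"]) < 2 * to_bytes(server["msg-cache-size"]):
            findings.append(("ratio", "rrset-cache-size should be twice msg-cache-size"))
    if int(server.get("edns-buffer-size", EDNS_MAX)) > EDNS_MAX:
        findings.append(("edns", "edns-buffer-size %s exceeds %d (flag day 2020); fragmented replies may be dropped"
                         % (server["edns-buffer-size"], EDNS_MAX)))
    has_ca = "tls-cert-bundle" in server or server.get("tls-system-cert") == "yes"
    for clause in clauses:
        opts = dict((k, v) for k, v, _ in clause["options"])
        if clause["name"] != "forward-zone" or opts.get("forward-tls-upstream") != "yes":
            continue
        if not has_ca:
            findings.append(("tls-ca", "forward-tls-upstream without tls-cert-bundle/tls-system-cert: "
                                       "the upstream certificate is not verified"))
        for k, v, lineno in clause["options"]:
            if k == "forward-addr" and "#" not in v:
                findings.append(("tls-name", "line %d: forward-addr %s has no #authname, so the certificate "
                                             "is not matched against a server name" % (lineno, v)))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/unbound/unbound.conf.d/pi-hole.conf"
    with open(path) as f:
        for code, msg in check_unbound(f.read()):
            print("[%s] %s" % (code, msg))
```

For the duplicated cache sizes the report also tells you which of the two values Unbound is actually using (the later one), so you can delete the other pair rather than guess; for the forward-zone, the quick fix is `forward-addr: 9.9.9.9@853#dns.quad9.net`-style entries plus the tls-cert-bundle line in the server clause.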