
pihole-unbound's People

Contributors

anudeepnd


pihole-unbound's Issues

Add hide-version and hide-identity

Would it not make sense to add:

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    hide-version: yes

This would prevent host answers from your local lan from the internet (I do not know how to say this in a technical way).
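
What the two options control, as an added example that is not part of the original issue or the project's code: the four names are CHAOS-class TXT queries, and this sketch builds one and extracts whatever strings a reply discloses. The port 5335 default, the function names and the constructed reply are assumptions made for illustration.

```python
import socket
import struct

CLASS_CH, TYPE_TXT = 3, 16

def build_query(name, txid=0x1234):
    """Encode a one-question DNS query for <name> CH TXT (RD bit set, as dig does)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH))

def _skip_name(pkt, off):
    # An encoded name ends with a zero byte or a 2-byte compression pointer.
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def txt_answers(pkt):
    """Return every TXT string in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, found = 12, []
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == TYPE_TXT and rdata:
            found.append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))
            rdata = rdata[1 + rdata[0]:]
    return found

def ask(name, server="127.0.0.1", port=5335, timeout=2.0):
    """Probe your own resolver: id.server, hostname.bind, version.server or version.bind."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return txt_answers(s.recv(4096))

# Constructed reply (not captured traffic): a resolver that answers version.bind.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
          + build_query("version.bind")[12:] + b"\xc0\x0c"
          + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 14) + b"\x0dunbound x.y.z")

if __name__ == "__main__":
    print("constructed reply discloses:", txt_answers(SAMPLE))
```

An empty list from `ask()` means the resolver replied without a TXT answer; `ask()` raises `socket.timeout` if there is no reply at all.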

Docker Pihole and Unbound not working

Hi all,

I have an issue after I installed unbound following the guide. The problem is that the ad blocker is not working anymore and I have issues connecting to other dockers. I have searched all over the internet for solutions related to dhcpd, resolv.conf, etc.

Below you can find the docker compose part of the pihole:

  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    ports:
      - '53:53/tcp'
      - '53:53/udp'
#      - '67:67/udp'
      - '8182:80'
      - '8183:443'
    restart: unless-stopped
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.8
    volumes:
      - $DOCKERDIR/pihole/resolv.conf:/etc/resolv.conf:ro
      - $DOCKERDIR/pihole/pihole:/etc/pihole
      - $DOCKERDIR/pihole/dnsmasq.d:/etc/dnsmasq.d
      - $DOCKERDIR/pihole/hosts:/etc/hosts:ro
#    cap_add:
#      - NET_ADMIN
    environment:
      - ServerIP=${SERVER_IP}
      - TZ=${TZ}
      - WEBPASSWORD=$PI_HOLE_PASS
      - PROXY_LOCATION=pihole
      - VIRTUAL_HOST=pihole.${DOMAINNAME}
      - VIRTUAL_PORT=80
      - DNS1=127.0.0.1#5335
      - DNS2=no
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.pihole-rtr.entrypoints=https"
      - "traefik.http.routers.pihole-rtr.rule=Host(`pihole.$DOMAINNAME`)"
      - "traefik.http.routers.pihole-rtr.tls.certresolver=dns-cloudflare"
      ## Middlewares
      - "traefik.http.routers.pihole-rtr.middlewares=chain-oauth@file" 
      ## HTTP Services
      - "traefik.http.routers.pihole-rtr.service=pihole-svc"
      - "traefik.http.services.pihole-svc.loadbalancer.server.port=80"

Could you please help me?

Thanks in advance

Potential Log-Replies Configuration Error

Setting inside /etc/unbound/unbound.conf.d/pi-hole.conf

For a while the unbound service would fail from start, unable to dig any site. Raw
Fix it but I had also run into another issue from the config file.

# Minimize logs
    # Do not print one line per query to the log
    log-queries: no
    # Do not print one line per reply to the log
    log-replies: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    logfile: /dev/null

    #log-replies: no

● unbound-resolvconf.service - Unbound DNS server via resolvconf
   Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
   Active: active (exited) (Result: exit-code) since Tue 2020-08-04 01:10:31 EDT; 10s ago
  Process: 12146 ExecStop=/usr/lib/unbound/package-helper resolvconf_stop (code=exited, status=1/FAILURE)
  Process: 12156 ExecStart=/usr/lib/unbound/package-helper resolvconf_start (code=exited, status=1/FAILURE)
 Main PID: 12156 (code=exited, status=1/FAILURE)
      CPU: 0
   CGroup: /system.slice/unbound-resolvconf.service

Aug 04 01:10:31 linuxboard package-helper[12156]: /etc/unbound/unbound.conf.d/pi-hole.conf:142: error: unknown keyword 'log-replies'
Aug 04 01:10:31 linuxboard package-helper[12156]: /etc/unbound/unbound.conf.d/pi-hole.conf:142: error: stray ':'
Aug 04 01:10:31 linuxboard package-helper[12156]: /etc/unbound/unbound.conf.d/pi-hole.conf:142: error: unknown keyword 'no'
Aug 04 01:10:31 linuxboard package-helper[12156]: read /etc/unbound/unbound.conf failed: 3 errors in configuration file

Adding a # sign removed active with no errors. But I still have an issue remaining. I'm unable to start pihole, and have no internet.
I can browse the internet on the Linux board but anything to pihole is offline from other devices.

Most in this day and age now run on IPv6, I have enabled the first 2 options to yes. I assume for pihole, we enter this to the IPv6 DNS slot. ::/0

Update guide

I found this guide

Is this still applying with the latest pihole?

Is there still a requirement to download root.host every 4-6 months?

What are the Cache_size in setupVar.conf for and do they need to be set to ZERO as well?

Your guide should mention what to reboot so the settings are applied.

Is there any way to check / test if all is working via unbound?

Potential duplicate configuration inside Configure unbound section

I've noticed that there seems to be a duplicated setting inside /etc/unbound/unbound.conf.d/pi-hole.conf

There are 2

msg-cache-size
rrset-cache-size

# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data anymore
cache-min-ttl: 300
cache-max-ttl: 86400
msg-cache-size: 128m
rrset-cache-size: 256m

# more cache memory. rrset-cache-size should twice what msg-cache-size is.
msg-cache-size: 50m
rrset-cache-size: 100m

Is it supposed to be this way? I'm new to this unbound thing.
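
A way to catch this kind of repetition mechanically, as an added example that is not part of the original issue or the project's code: it scans Unbound configuration text for single-valued options set more than once in the same clause. The `server:` line in the sample, the partial list of repeatable options, and the assumption that the later line is the one Unbound ends up using are mine.

```python
import re

# Options Unbound accepts more than once (partial list, extend it for your own config).
REPEATABLE = {"interface", "outgoing-interface", "access-control", "private-address",
              "private-domain", "domain-insecure", "local-zone", "local-data",
              "forward-addr", "stub-addr", "include", "trust-anchor"}
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "remote-control"}
OPTION = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)(?:\s+#.*)?\s*$")

# The duplicated block from the issue (long comment dropped), under a server: clause.
SAMPLE = """\
server:
    cache-min-ttl: 300
    cache-max-ttl: 86400
    msg-cache-size: 128m
    rrset-cache-size: 256m

    # more cache memory. rrset-cache-size should twice what msg-cache-size is.
    msg-cache-size: 50m
    rrset-cache-size: 100m
"""

def find_duplicates(conf_text):
    """Map each single-valued option set twice in one clause to its [(line, value), ...]."""
    seen, scope = {}, "server"
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = OPTION.match(line)
        if not m:
            continue                                  # blank line or comment
        key, value = m.groups()
        if key in CLAUSES and not value:
            # All server: clauses share one scope; every other clause is its own.
            scope = key if key == "server" else f"{key}@{lineno}"
        elif key not in REPEATABLE:
            seen.setdefault((scope, key), []).append((lineno, value))
    return {key: hits for (_, key), hits in seen.items() if len(hits) > 1}

if __name__ == "__main__":
    for key, hits in find_duplicates(SAMPLE).items():
        lines = ", ".join(f"line {n} = {v}" for n, v in hits)
        # Assumption: options are applied in file order, so the last value wins.
        print(f"{key}: {lines} (assumed effective: {hits[-1][1]})")
```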

Pls update to latest Version 1.9.6

Hi Anudeep, I have been your Unbound user for a long time.
I have observed that your Unbound version is way too old.
Unbound's current version is 1.9.6.
I tried installing manually using different guides, but no use.
Can you pls update the version in your repository to the latest one pls?

Thanks in Advance

Kernel Buffer warning

Any ideas what I can do to fix this, or is it just normal?

warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl big
May 25 21:25:02 pihole1 unbound[3684]: [1621995902] unbound[3684:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl big

edns-buffer-size difference: does it matter?

Thanks for this guide on how to configure unbound!

I have a quick question though. I noticed a difference between your configuration and the default pi-hole docs on the edns-buffer-size.

Your conf file sets it at 1232, while the pihole docs set it at 1472 (it says it's recommended by the unbound docs, but I've been unable to find it). Does this difference matter?

DNS over TLS support?

Hi anuDeepND,

I've used your Unbound configuration as a base to couple with my Pihole, and I've noticed that Unbound currently also supports DNS over TLS and DNS over HTTPS.

It is arguably more secure and privacy friendly than querying the root domain servers (which is unencrypted UDP traffic) based on which upstream DNS you configure. Still, somebody could figure out which website you are visiting based on reverse IP lookups etc., but encrypted DNS allows for less tampering.

Configuring this is quite simple, as you can add the following to the bottom of your configuration:

        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # on Pihole, other systems might have different spots

forward-zone:
        name: "."
        forward-addr: #########@853 # replace with the DNS of your choice
        forward-addr: ##########@853 # replace with the DNS of your choice
        forward-tls-upstream: yes

Some examples of encrypted DNS resolvers can be found here.

Is this something you'd like to include?
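
A check worth running on a DNS-over-TLS forwarder configuration of this shape, as an added example that is not part of the original issue or the project's code: Unbound only verifies the upstream certificate name when `forward-addr` carries a `#auth-name` after the port, and it needs a readable CA bundle to do so. The addresses, the name `dns.example.net`, the finding labels and the relative bundle path in the sample are constructed; `tls-win-cert` is not considered.

```python
import re

KV = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"\s]*)')

# Constructed config in the shape of the snippet above; addresses and name are placeholders.
SAMPLE = """\
server:
    tls-cert-bundle: "etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853
    forward-addr: 198.51.100.53@853#dns.example.net
    forward-tls-upstream: yes
"""

def audit_dot(conf_text):
    """Return (finding, subject) pairs for forward-zones that set forward-tls-upstream: yes."""
    bundle, zones, zone = None, [], None
    for line in conf_text.splitlines():
        m = KV.match(line)
        if not m:
            continue                             # blank line or comment
        key, value = m.groups()
        if key == "forward-zone":
            zone = {"tls": False, "addrs": []}
            zones.append(zone)
        elif not value:
            zone = None                          # some other clause (server:, stub-zone:, ...)
        elif key == "tls-cert-bundle":
            bundle = value
        elif zone is not None and key == "forward-tls-upstream":
            zone["tls"] = value == "yes"
        elif zone is not None and key == "forward-addr":
            zone["addrs"].append(value)
    tls_addrs = [a for z in zones if z["tls"] for a in z["addrs"]]
    findings = []
    if tls_addrs and not bundle:
        findings.append(("no-ca-bundle", "tls-cert-bundle"))
    elif tls_addrs and not bundle.startswith("/"):
        findings.append(("relative-ca-bundle", bundle))
    # Without "#name" after the port, Unbound accepts any certificate name.
    findings += [("no-auth-name", a) for a in tls_addrs if "#" not in a]
    return findings

if __name__ == "__main__":
    for finding, subject in audit_dot(SAMPLE):
        print(f"{finding}: {subject}")
```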
