DNS SERVFAIL #39

Open
t-zxvf opened this issue Nov 19, 2022 · 4 comments
Labels
type: question/problem Usage questions or problem reports

Comments

t-zxvf commented Nov 19, 2022

Problem

I installed unbound and pihole following the docker compose instructions. In particular, I followed the post https://www.xfelix.com/2020/09/pihole-unbound-docker-setup-on-raspberry-pi/

Then I changed /etc/resolv.conf to nameserver 192.168.1.100, which is the IP of my Raspberry Pi. When I ping google.com the request shows up in the Pi-hole GUI (Query Log) but with a SERVFAIL reply. The DNS is set as recursive DNS with Custom 1 192.168.92.35#5053.

Docker compose

pihole:
  hostname: pihole
  image: pihole/pihole:latest
  container_name: pihole
  networks:
    mylan:
      ipv4_address: 192.168.92.34
  ports:
    - "192.168.1.100:53:53/tcp"
    - "192.168.1.100:53:53/udp"
    - "9200:80/tcp"
    - "9201:443/tcp"
  environment:
    - 'TZ=Europe/Rome'
    - 'WEBPASSWORD=mypass'
    - 'DNS1=192.168.92.35#5053'
    - 'DNS2=no'
    - 'ServerIP=192.168.1.100'
  cap_add:
    - NET_ADMIN
  volumes:
    - '/homedir/pihole/etc-pihole/:/etc/pihole/'
    - '/homedir/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
  restart: always

unbound:
  container_name: unbound
  image: mvance/unbound-rpi:latest
  environment:
    - TZ=Europe/Rome
    - PUID=1000
    - PGID=1000
  networks:
    mylan:
      ipv4_address: 192.168.92.35
  volumes:
    - /homedir/unbound/:/opt/unbound/etc/unbound/
  ports:
    - "5053:5053/tcp"
    - "5053:5053/udp"
  healthcheck:
    disable: true
  restart: always

Log Unbound

cp: cannot create special file '/opt/unbound/etc/unbound/dev/random': Operation not permitted
cp: cannot create special file '/opt/unbound/etc/unbound/dev/urandom': Operation not permitted
cp: cannot create special file '/opt/unbound/etc/unbound/dev/null': Operation not permitted
[1668876135] unbound[1:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

Doubts

As far as I understand, the flow is that the pihole container receives all the DNS requests and then sends them to unbound. However, in /etc/resolv.conf I have to put 192.168.1.100, with port 53 exposed from the pihole container, in order to make the DNS available to all my LAN devices (not the docker LAN 192.168.92.0/24, which is unreachable by them).

What am I doing wrong?

MatthewVance added the label type: question/problem on Nov 20, 2022

MatthewVance (Owner) commented:

Hi. It looks like you're using a volume mount. Be sure you're providing the right files as briefly discussed at #21 (comment).

You may also want to take a look at https://github.com/origamiofficial/docker-pihole-unbound.

t-zxvf (Author) commented Nov 20, 2022

Hi. Yes, I have provided the right files (the 3 ones) inside unbound folder.

unbound.conf

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    access-control: 172.16.0.0/12 allow
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    # I have to comment out this root-hints, as it causes the container to restart endlessly on a new installation. You can add root-hints back after the first run.
    #root-hints: "/opt/unbound/etc/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

[screenshot attached]

MatthewVance (Owner) commented:

In your unbound.conf, try using chroot like this:

    chroot: "/opt/unbound/etc/unbound"

Alternatively, try modifying the volume mount:

    volumes:
      - /homedir/unbound/:/etc/unbound/

MatthewVance (Owner) commented:

You may also want to ensure your directory setting in unbound.conf matches:

directory: "/opt/unbound/etc/unbound"
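The thread never states where the SERVFAIL comes from, so here is a small consistency check, added as an example for this page and not code from the issue, from the mvance/unbound image or from Pi-hole. It covers the opening post (Pi-hole's DNS1 setting and the unbound service in the compose file) and the maintainer's last two suggestions (chroot and directory matching the volume mount). The input values are transcribed by hand from the files posted above; the function names and the check logic are this example's own. It relies on two facts that hold for any compose deployment: traffic between two containers on the same user-defined network goes straight to the container IP, so published `ports:` mappings play no part in it, and Unbound only answers clients matched by an `access-control: ... allow` rule. That the posted `port: 53` does not match the `#5053` in DNS1 is an observation from the posted files, flagged here as an assumption to verify rather than a cause the thread confirms.

```python
"""Consistency check: Pi-hole upstream setting vs. a sibling Unbound container.

Added example for this issue; not code from the thread, the mvance/unbound
image or Pi-hole. Inputs are transcribed from the posted compose file and
unbound.conf; function names and checks are this example's own.
"""
import ipaddress
import re

# --- inputs transcribed from the issue (constructed test data) ----------------

# pihole service: its address on the `mylan` network and its DNS1 upstream.
PIHOLE = {"ipv4_address": "192.168.92.34", "DNS1": "192.168.92.35#5053"}

# unbound service: its `mylan` address and where the config volume is mounted.
UNBOUND = {"ipv4_address": "192.168.92.35", "mount_target": "/opt/unbound/etc/unbound"}

# The posted unbound.conf, trimmed to the directives this check looks at.
UNBOUND_CONF_POSTED = """
server:
    verbosity: 0
    access-control: 172.16.0.0/12 allow
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    interface: 0.0.0.0
    port: 53
"""

# Same file with the maintainer's two suggested lines plus a listen port that
# matches DNS1. Changing the port is this example's assumption, not the thread's.
UNBOUND_CONF_ALIGNED = UNBOUND_CONF_POSTED.replace("port: 53", "port: 5053") + """
    chroot: "/opt/unbound/etc/unbound"
    directory: "/opt/unbound/etc/unbound"
"""

# `name: value` or `name: "value"`; comments are stripped before matching.
_DIRECTIVE = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"#\n]*?)"?\s*$')


def parse_unbound_conf(text):
    """Return {directive: [values...]} for the server: clause, comments ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _DIRECTIVE.match(line)
        if not m or m.group(1) == "server":
            continue
        conf.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def parse_upstream(spec, default_port=53):
    """Parse Pi-hole's dnsmasq-style `IP#port` upstream syntax into (ip, port)."""
    host, _, port = spec.partition("#")
    return host, int(port) if port else default_port


def client_allowed(conf, client_ip):
    """True if some `access-control: <net> allow` line covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for rule in conf.get("access-control", []):
        net, _, action = rule.partition(" ")
        if action.strip() == "allow" and ip in ipaddress.ip_network(net, strict=False):
            return True
    return False


def check(pihole, unbound, conf_text):
    """Return a list of findings; an empty list means the settings agree."""
    conf = parse_unbound_conf(conf_text)
    findings = []

    target_ip, target_port = parse_upstream(pihole["DNS1"])
    listen_port = int(conf.get("port", ["53"])[-1])  # Unbound's built-in default is 53
    if target_ip != unbound["ipv4_address"]:
        findings.append(f"DNS1 points at {target_ip}, unbound container is {unbound['ipv4_address']}")
    if target_port != listen_port:
        # Container-to-container traffic bypasses `ports:`; only the in-container port counts.
        findings.append(f"DNS1 targets port {target_port} but unbound listens on {listen_port}")

    if not client_allowed(conf, pihole["ipv4_address"]):
        findings.append(f"no access-control allow rule covers Pi-hole at {pihole['ipv4_address']}")

    mount = unbound["mount_target"].rstrip("/")
    for key in ("chroot", "directory"):
        values = conf.get(key)
        if values is None:
            findings.append(f'{key} not set; expected {key}: "{mount}" to match the volume mount')
        elif values[-1].rstrip("/") != mount:
            findings.append(f"{key} is {values[-1]}, but the volume is mounted at {mount}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", UNBOUND_CONF_POSTED), ("aligned", UNBOUND_CONF_ALIGNED)):
        print(label, check(PIHOLE, UNBOUND, text) or ["ok"])
```

Run it as-is to see three findings for the posted config (the port mismatch, and chroot and directory unset) and none for the aligned one; the access-control check passes because 192.168.92.34 falls inside the 192.168.0.0/16 allow rule. Whether to change Unbound's `port:` or Pi-hole's `#5053` is a deployment choice; the point of the check is that the two must name the same in-container port regardless of what the `5053:5053` host publication says.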
