Unbound dnssec not working I cannot write "auto-trust-anchor-file" into the unbound config, because otherwise unbound won't work at all. I've seen other posts in here about how DNSSEC results are iffy. So I've been working on this for days. 22. works. There is no need to add an IPv6 address. The existing IPv4 IP will suffice. 0 I did the following: pihole checkout master sudo rm /etc/pihole/ftlbranch The update performed Sep 17, 2021 · Expected Behaviour: When setting up PiHole to use unbound (Upstream DNS Server: 127. Chris_Anthony October 23, 2021, 5:29pm 4 Jun 16, 2025 · I'm not able to use the dig command for any site if I specify using unbound's IP and port so I don't think in this instance the problem is dnssec. 0 this worked fine. DNSSEC is enabled, however it doesn't seem properly configured as is. However, last week my OpenWRT router (Archer C7v2, OpenWRT v. key several times already and have followed the tutorial several times how to activate DNSSec, but nothing works. Apr 20, 2020 · Unbound gets the right answer (see below) from a forward-zone, but proceeds to ignore it and try to query other DNS servers. Setup Update Mechanism Set the unbound-anchor tool to run at system startup, it is part of the unbound package. This is a response for a failed Feb 5, 2020 · I have deleted and regenerated the root. Jan 6, 2023 · Using a forwarder and asking for dnssec is not a good setup. 1 OS: Raspbian GNU/Linux 11 (bullseye) Actual Behaviour: Once I remove any other Upstream DNS Servers, DNS resolution stops working, when pinging a domain I get the following on a Windows 10 machine: C:\\Users\\xxx>ping www Nov 13, 2023 · I have no idea why, but some sites are not loading, even if pihole is disabled. You may be suffering from low network performance or have a sensitive adblocker. 1, enable resolver, DNSSEC, and harden DNSSEC, time server = Chicago 2) verify DNS works from OPNsense and Mint test server - everything works as expected. conf (5). 
de isn't working on my other Windows 10 laptop either. I am using Unbound, with DNSSec enabled and I have also enabled Forwarding and DNS over TLS without overrides. Sep 19, 2017 · Unbound does not work out of the box without further configuration. 4) turned off its Wifi for no apparent reason, which I fixed, but after that the DNS stopped working until I unchecked DNSSEC in the PiHole settings. 0) on a docker image when behind a public hot unbound Pi-hole as All-Around DNS Solution The problem: Whom can you trust? Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS. 7_3 box to play around with, am using it as my primary router to force me to learn, everything has been fine and setup without issue, Recursive Unbound (bar DNSSEC), multiple LANs, firewall rules, wireguard, all fine. Aug 24, 2023 · Hi there, I've been using PiHole and Unbound on my Pi 4 for a few months now and it's been fine. Environment: Raspberry Pi 2 Model B Rev 1. Jul 1, 2021 · I have an Unbound container running on a test server to proxy DNS traffic. Side note - I am like 99. The problem is that it fails for some domains while working perfectly for everything else. 03. Most people will experience a negative test result (no DNSSEC validation) – that's ok and no reason to panic. For example: Aug 16, 2022 · Everything is working fine except that I have had to explicitly assign DNS servers to every internal network in the DHCPV4 config instead of keeping the default, that is, the firewall. 8, the sites are loading. vs. Unbound can resolve both A and AAAA queries on IPv4 only. Dec 19, 2020 · Doing this I discovered the following: https://dnssec. deHakkelaar June 17, 2025, 8:25pm 6 Jul 3, 2023 · I had modified Unbound to return the 10. Simple sniff while doing this could validate this. See unbound. A good way is to run it from the init scripts, with sudo -u unbound so that the file permissions work out. Aug 21, 2018 · WARNING: test result is inconclusive. 1. 
1) reset OPNsense to defaults, set DNS to 1. However, last week my OpenWRT router (Archer C7v2) turned off its Wifi for no apparent reason, which I fixed, but after that the DNS stopped working until I unchecked DNSSEC in the PiHole settings. Before unbound-anchor is run inside the init scripts, you must run NTP (in secure mode), so that the Jan 11, 2023 · I have checked with tcpdump that Unbound is using the cached value from the first query I've made, although I am trying to resolve a different domain. I'm running unbound (1. 8. When DNSSEC is not configured in this second case I see the correct response: Aug 24, 2023 · I've been using PiHole and Unbound on my Pi 4 for a few months now and it's been fine. After applying the blocking lists, it forwards requests made by the clients to configured upstream DNS server(s). This tool checks if the anchor is out-of-date and attempts to update it. uni-due. 0. To update to 4. 10. However, it's working on my android smartphone. 1#5335) name resolution works correctly. Any reason why this might have happened? DNSSEC was working fine before (at least Oct 23, 2021 · Yes, but not in that format and not needed. Check with # sockstat -l | grep unbound if and where Unbound is listening. 9% sure that when you set unbound to forward and do dnssec, the DS query is done only after A query has gotten a response. May 11, 2023 · I just setup a new OPNsense 23. Jan 3, 2022 · I'm currently connected to an open wifi without any kind of security (I'm on a train) and DNSSEC validation with unbound works flawlessly with the original trusted-key. . Update the keys sudo -u unbound unbound-anchor Restart unbound sudo systemctl restart unbound After restarting unbound and restarting my machine (to clear out DNS cache from browser and OS), all of those aforementioned websites now think DNSSEC is enabled. I also uninstalled and reinstalled unbound several times. 
However, as has been mentioned by several users in the past, this leads to some privacy concerns as it ultimately raises the . Do not try DNSSEC before you had configured a working Unbound first. But if I change my PC's DNS to 8. key file (I haven't tested the one generated with unbound-anchor). Note, before the update to 4.