Unbound with pihole

I have Unbound up and running.
I want to confirm how to add the pihole into the mix.

To keep things simple I have reset everything to defaults with no other services installed/running (no VPN etc.).

Do I just add the pihole address under Network > Interfaces > lan > Advanced settings > Use custom DNS servers?
Of course I have the pihole upstream DNS set to 127.0.0.1#1053.

Thanks

How are you running pihole on OpenWrt?

I'm not. It's on the LAN.

Then how can its upstream DNS be 127.0.0.1?

Where does Unbound and OpenWRT come into the picture?

For recursive DNS, I believe you have to set the local host as the upstream DNS?
I am going by this post:

Using unbound without upstream DNS servers - #2 by bobafetthotmail

This is if unbound is on the same host as dnsmasq, not a remote pi-hole.

If you have an off router DNS, use option 6 to point the clients directly to it - https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options, but it won't solve your pi-hole upstream DNS IP issue.

Down the road you'll probably need https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns too.

To clarify, I have unbound installed on my OpenWRT router, not on the pihole.

I may have spoken too soon that Unbound is up and working. It seems to work for a while, but I am having issues with clients' internet connections after disconnecting, so I think I should review the setup before trying to add the pihole, if that's ok.

Using the above thread as a guide, after installing Unbound, I set:

  • Services/Recursive DNS/Unbound/DHCP/DHCP Link to dnsmasq
  • Set Network/ DHCP and DNS/Server Settings/Advanced Settings/DNS server port to 1053
  • Confirmed Network/ DHCP and DNS/Server Settings/Resolv and Hosts Files/Server Settings

Using DNS leak tests, Unbound was confirmed to be working, as my own IP was shown as the DNS server.

But I'm noticing clients lose their internet connection.

Did I miss any steps?


One or the other, from the README.

That's why you were told 127.0.0.1 was a no go.

Probably, but you'll have to post your config to find out...


I think that's what's needed.
How do I get my config?

Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/dhcp
cat /etc/config/unbound

Here you go

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) N4100 CPU @ 1.10GHz",
	"model": "ZOTAC ZBOX-CI329NANO",
	"board_name": "zotac-zbox-ci329nano",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "x86/64",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '1053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/unbound

config unbound 'ub_main'
	option dhcp_link 'dnsmasq'
	option dns64 '0'
	option domain 'lan'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option unbound_control '0'
	option validator '0'
	option verbosity '1'
	list iface_wan 'wan'
	option enabled '1'
	list iface_trig 'lan'
	list iface_trig 'wan'

config zone 'auth_icann'
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
	option enabled '0'
	option fallback '1'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '2001:4860:4860::8844'
	list server '2001:4860:4860::8888'
	list zone_name '.'

config zone 'fwd_cloudflare'
	option enabled '0'
	option fallback '1'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list zone_name '.'


I don't use unbound, but it would seem none of your upstream DNS resolvers is actually enabled?

You don't seem to point to the pi-hole anywhere in your config, unless the pi-hole is the DHCP server (this is fine too), but then dnsmasq should be disabled completely.

Until I get unbound working, I am going to leave the pihole out of the mix.
Any idea why google and cloudflare are in there?

Simply defaults?

Is unbound supposed to be used for securing DNS access only, or do you need additional features?

Just for DNS via root servers.

Do they support DoH?

In that case, https-dns-proxy is lightweight, and a lot easier to set up.

I think so, but I'm not really concerned about DoH yet.
More interested in having recursive DNS via root servers.

Thanks

So any idea why unbound stops working?

Checked the logs?

In my world, it shouldn't work at all, since it doesn't appear to have an upstream resolver enabled.
But then again, I've never used it.
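The two recurring questions in this thread, whether dnsmasq and unbound collide on a port under the README's dnsmasq-link mode, and whether unbound has any upstream at all, can be checked mechanically. The script below is an added example, not from the thread or the OpenWrt unbound package; the two UCI excerpts it parses are constructed, modelled on the files posted above, and the `uci_get`/`enabled_forward_zones` helpers are assumptions of this example, not OpenWrt tools.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): check the dnsmasq/unbound port
# split and whether unbound has an enabled forwarder. Config text is constructed.
DHCP_CFG="config dnsmasq
	option port '1053'"

UNBOUND_CFG="config unbound 'ub_main'
	option dhcp_link 'dnsmasq'
	option listen_port '53'

config zone 'fwd_google'
	option enabled '0'
	option zone_type 'forward_zone'"

# uci_get SECTION_TYPE OPTION: value of that option in the first section of that type (stdin)
uci_get() {
	awk -v sec="$1" -v opt="$2" -v q="'" '
		$1 == "config" { insec = ($2 == sec) }
		insec && $1 == "option" && $2 == opt { gsub(q, "", $3); print $3; exit }'
}

# enabled_forward_zones: count zone sections that are forward_zone AND enabled '1' (stdin)
enabled_forward_zones() {
	awk -v q="'" '
		function endzone() { if (zone && en && fwd) n++; zone = en = fwd = 0 }
		$1 == "config" { endzone(); zone = ($2 == "zone") }
		zone && $1 == "option" && $2 == "enabled"   && $3 == (q "1" q)            { en = 1 }
		zone && $1 == "option" && $2 == "zone_type" && $3 == (q "forward_zone" q) { fwd = 1 }
		END { endzone(); print n + 0 }'
}

# check_split: "ok" when dnsmasq and unbound listen on different ports (README's
# dnsmasq-link layout: dnsmasq on 1053, unbound on 53), "conflict" when both use one port.
check_split() {
	dm=$(printf '%s\n' "$DHCP_CFG" | uci_get dnsmasq port)
	ub=$(printf '%s\n' "$UNBOUND_CFG" | uci_get unbound listen_port)
	[ "${dm:-53}" != "${ub:-53}" ] && echo ok || echo conflict
}

# resolver_mode: with no enabled forward_zone unbound resolves iteratively from the
# root hints ("recursive"); otherwise it forwards to the listed servers ("forwarding").
resolver_mode() {
	n=$(printf '%s\n' "$UNBOUND_CFG" | enabled_forward_zones)
	[ "$n" -eq 0 ] && echo recursive || echo forwarding
}

echo "ports: $(check_split); upstream: $(resolver_mode)"
```

Run against the real files by replacing the two constructed strings with `$(cat /etc/config/dhcp)` and `$(cat /etc/config/unbound)`; on the config posted above it reports no port conflict and no enabled forwarder, i.e. root-hint recursion rather than a broken upstream.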