Hi!
I installed a docker pihole working with unbound with DNSSEC & DoT.
All this is OK, but I can't amend resolv.conf, which makes a fallback to my ISP's box:
➜ ~ cat /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 127.0.0.1
# Fallback DNS servers
nameserver 192.168.1.1
nameserver 2a01:cb04:417:8700:670:56ff:fe40:b457
➜ ~
What can I do?
Depends what you are using.
(probably openresolv, even though it's old, inferior, and annoying)
See this, I suppose:
https://wiki.archlinux.org/title/Domain_name_resolution#Overwriting_of_/etc/resolv.conf
1 Like
Hi @nam1962,
It has to be some setting by you, because I don't have it:
$ cat /etc/resolv.conf
# Generated by NetworkManager
search http\058\047\047disc.world.pihole
nameserver 10.0.0.254
nameserver 1.1.1.3
I’ve also checked, it doesn’t seem to be immutable:
$ lsattr /etc/resolv.conf
--------------e------- /etc/resolv.conf
One method is using systemd-resolved - which NetworkManager will use when it is active
Create a drop-in config
sudo touch /etc/systemd/resolved.conf.d/fallback_dns.conf
With content
[Resolve]
FallbackDNS=
Then restart the resolver
sudo systemctl restart systemd-resolved
– [root tip] [How To] NordVPN on Manjaro
The second method is to remove resolvconf.conf and replace /etc/resolv.conf with a static version.
The third method is to configure resolvconf.conf → see man resolvconf.conf
2 Likes
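An added helper (not from this thread or from any of its posters) that turns the drop-in step above into a function and adds the check a practitioner wants afterwards: which nameserver entries in a resolv.conf are not loopback, i.e. resolvers that would bypass the local Pi-hole/unbound stack. Both functions take paths as parameters so they can be tried against temporary files before touching /etc; the resolv.conf at the end is a constructed sample modelled on the first post, with a documentation-prefix IPv6 address instead of a real one.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# write_fallback_dropin DIR
# Writes DIR/fallback_dns.conf with an empty FallbackDNS= so that
# systemd-resolved has no fallback beyond what DNS= names.
# DIR is assumed to be the resolved.conf.d directory
# (normally /etc/systemd/resolved.conf.d); it is created if missing.
write_fallback_dropin() {
    dir="$1"
    mkdir -p "$dir" || return 1
    printf '[Resolve]\nFallbackDNS=\n' > "$dir/fallback_dns.conf"
}

# non_loopback_nameservers FILE
# Prints every "nameserver" address in FILE that is not in 127.0.0.0/8 or ::1.
# Returns 0 when none were found (all queries stay on the local resolver),
# 1 when at least one non-loopback resolver is configured.
non_loopback_nameservers() {
    file="$1"
    found=0
    while read -r key value _; do
        [ "$key" = "nameserver" ] || continue
        case "$value" in
            127.*|::1) ;;                          # loopback: fine
            *) printf '%s\n' "$value"; found=1 ;;  # would bypass Pi-hole
        esac
    done < "$file"
    [ "$found" -eq 0 ]
}

# Demo on a constructed resolv.conf (not a real system file).
tmp="$(mktemp -d)"
cat > "$tmp/resolv.conf" <<'EOF'
# Generated by NetworkManager
search home
nameserver 127.0.0.1
# Fallback DNS servers
nameserver 192.168.1.1
nameserver 2001:db8::1
EOF
write_fallback_dropin "$tmp/resolved.conf.d"
echo "drop-in written to $tmp/resolved.conf.d/fallback_dns.conf"
non_loopback_nameservers "$tmp/resolv.conf" \
    || echo "resolv.conf still lists the fallback resolvers above"
```

On a real system, run `write_fallback_dropin /etc/systemd/resolved.conf.d` as root, restart systemd-resolved as the post says, then run `non_loopback_nameservers /etc/resolv.conf`: a zero exit status means nothing in that file points past the local resolver.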
Hi and thank U for caring.
Right now it seems to work!
I disabled systemd-resolved
And here are the files
pihole docker-compose:
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: host
    env_file:
      - .env
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
      - './adlists.list:/etc/pihole/adlists.list'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.2'
          memory: 256M
Docker .env
WEBPASSWORD=password123456
TZ=Europe/Paris
PIHOLE_DNS_=127.0.0.1#5335
unbound.conf
cat /etc/unbound/unbound.conf
server:
    interface: 0.0.0.0
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 172.24.0.0/16 allow # Docker network
    access-control: 192.168.0.0/16 allow # Common home network range
    access-control: 10.0.0.0/8 allow # For potential VPN or other
    verbosity: 1
    root-hints: root.hints
    trust-anchor-file: trusted-key.key
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    tls-ciphers: "HIGH:!aNULL:!MD5:!3DES"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    edns-buffer-size: 1472
    prefetch: yes
    prefetch-key: yes
    qname-minimisation: yes
    qname-minimisation-strict: yes
    rrset-cache-size: 200m
    msg-cache-size: 100m
    serve-expired: yes
    cache-min-ttl: 300
    cache-max-ttl: 86400
    minimal-responses: yes
    harden-algo-downgrade: yes
    harden-short-bufsize: yes
    aggressive-nsec: yes
    ratelimit: 1000
    num-threads: 2
    outgoing-range: 8192
    so-rcvbuf: 4m
    so-sndbuf: 4m
    # "iterator" alone disables the validator module, so no DNSSEC validation
    # happens despite trust-anchor-file; the validator must be listed for
    # DNSSEC to be enforced (this is also unbound's default).
    module-config: "validator iterator"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # UncensoredDNS
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
    forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
    forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk
    # OpenNIC
    forward-addr: 185.121.177.177@853#ns1.any.dns.opennic.glue
    forward-addr: 161.97.219.84@853#ns2.any.dns.opennic.glue
    forward-addr: 2a05:dfc7:5::53@853#ns1.any.dns.opennic.glue
    forward-addr: 2a05:dfc7:5353::53@853#ns2.any.dns.opennic.glue
with a symlink to unbound:
sudo ln -sf /etc/ssl/certs/ca-certificates.crt /etc/unbound/etc/ssl/certs/ca-certificates.crt
It works, but is it clean or barbaric?
That is not what was suggested.
And I rather doubt you were using systemd-resolved
if any of this is new to you.
What did you actually do?
I certainly went too far.
Had to try 5354:53 for pihole
➜ ~ cat /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=yes
DNSOverTLS=opportunistic
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
DNS=127.0.0.1#5354
FallbackDNS=
➜ ~
But I ultimately fell back with
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
The remaining question is: what did I ultimately do, and does it actually work correctly?
The first question is: what do you have / what is in use?
pacman -Qs resolv
I would bet you are using openresolv and keep neglecting to manage or remove it.
Thank U for caring.
Here you are:
➜ ~ pacman -Qs resolv
local/geoip 1.6.12-3
    Non-DNS IP-to-country resolver C library & utils
local/libmicrodns 0.2.0-2
    Minimal mDNS resolver library
local/perl-net-dns 1.45-1
    Perl Module: Interface to the DNS resolver
local/python-geoip 1.3.2-15
    Python bindings for the GeoIP IP-to-country resolver library
local/unbound 1.20.0-2
    Validating, recursive, and caching DNS resolver
➜ ~