How to setup pihole/unbound avoiding fallbacks and interferences with legacy on Manjaro?

nam1962 · 22 July 2024 19:33

Hi !
I installed a docker pihole working with unbound with DNSSEC & DoT.
all this is ok, but I can’t ament resolv.conf that makes a fallback to my ISP’s box

➜  ~ cat /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 127.0.0.1
# Fallback DNS servers
nameserver 192.168.1.1
nameserver 2a01:cb04:417:8700:670:56ff:fe40:b457

➜  ~

What can I do ?

cscs · 22 July 2024 19:51

Depends what you are using.
(probably openresolv even though its old, inferior, and annoying)

See this I suppose;
https://wiki.archlinux.org/title/Domain_name_resolution#Overwriting_of_/etc/resolv.conf

Mirdarthos · 23 July 2024 13:01

Hi @nam1962,

It has to be some settting by you, because I don’t have it:

$ cat /etc/resolv.conf
# Generated by NetworkManager
search http\058\047\047disc.world.pihole
nameserver 10.0.0.254
nameserver 1.1.1.3

I’ve also checked, it doesn’t seem to be immutable:

$ lsattr /etc/resolv.conf
--------------e------- /etc/resolv.conf

linux-aarhus · 23 July 2024 13:01

One method is using systemd-resolved - which NetworkManager will use when it is active

Create a drop-in config

sudo touch /etc/systemd/resolved.conf.d/fallback_dns.conf

With content

[Resolve]
FallbackDNS=

Then restart the resolver

sudo systemctl restart systemd-resolved

– [root tip] [How To] NordVPN on Manjaro

Second methid is to remove resolvconf.conv and replace the /etc/resolv.conf with a static version.

Third method is to resolvconf.conf → see man resolvconf.conf

nam1962 · 23 July 2024 19:02

Hi and thank U for caring.

Right now it seems to work !
I disabled systemd-resolved

And here are the files

pihole docker-compose:

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: host
    env_file:
      - .env
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
      - './adlists.list:/etc/pihole/adlists.list'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.2'
          memory: 256M

Docker .env

WEBPASSWORD=password123456
TZ=Europe/Paris
PIHOLE_DNS_=127.0.0.1#5335

unbound.conf

cat /etc/unbound/unbound.conf

server:
    interface: 0.0.0.0
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 172.24.0.0/16 allow  # Docker network
    access-control: 192.168.0.0/16 allow # Common home network range
    access-control: 10.0.0.0/8 allow     # For potential VPN or other 
    verbosity: 1
    root-hints: root.hints
    trust-anchor-file: trusted-key.key
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    tls-ciphers: "HIGH:!aNULL:!MD5:!3DES"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    edns-buffer-size: 1472
    prefetch: yes
    prefetch-key: yes
    qname-minimisation: yes
    qname-minimisation-strict: yes
    rrset-cache-size: 200m
    msg-cache-size: 100m
    serve-expired: yes
    cache-min-ttl: 300
    cache-max-ttl: 86400
    minimal-responses: yes
    harden-algo-downgrade: yes
    harden-short-bufsize: yes
    aggressive-nsec: yes
    ratelimit: 1000
    num-threads: 2
    outgoing-range: 8192
    so-rcvbuf: 4m
    so-sndbuf: 4m
    module-config: "iterator"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # UncensoredDNS
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
    forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
    forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk
    # OpenNIC
    forward-addr: 185.121.177.177@853#ns1.any.dns.opennic.glue
    forward-addr: 161.97.219.84@853#ns2.any.dns.opennic.glue
    forward-addr: 2a05:dfc7:5::53@853#ns1.any.dns.opennic.glue
    forward-addr: 2a05:dfc7:5353::53@853#ns2.any.dns.opennic.glue

with a symlink to unbound:

sudo ln -sf /etc/ssl/certs/ca-certificates.crt /etc/unbound/etc/ssl/certs/ca-certificates.crt

It works, but is it clean or barbaric ?

cscs · 23 July 2024 19:23

That is not what was suggested.
And I rather doubt you were using systemd-resolved if any of this is new to you.

What did you actually do ?

nam1962 · 23 July 2024 20:21

I certainly went too far.

Had to try 5354:53 for pihole

➜  ~ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=yes
DNSOverTLS=opportunistic
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
DNS=127.0.0.1#5354
FallbackDNS=
➜  ~

But I ultimately falled back with

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

The real question staying is : what I ultimately did and that seem to work correct ?

cscs · 23 July 2024 20:40

The first question is what do you have / what is in use?

pacman -Qs resolv

I would bet you are using openresolv and keep neglecting to manage or remove it.

nam1962 · 24 July 2024 09:32

Thank U for caring.

Here you are:

➜  ~ pacman -Qs resolv
local/geoip 1.6.12-3
    Non-DNS IP-to-country resolver C library & utils
local/libmicrodns 0.2.0-2
    Minimal mDNS resolver library
local/perl-net-dns 1.45-1
    Perl Module: Interface to the DNS resolver
local/python-geoip 1.3.2-15
    Python bindings for the GeoIP IP-to-country resolver library
local/unbound 1.20.0-2
    Validating, recursive, and caching DNS resolver
➜  ~