I'm trying to get DoH working and am missing something. When I disable "DNS Query Forwarding" in Unbound, I get SERVFAILs back with "BOGUS (refused upstream)" for the queries.
Pi-hole Query Log:
(https://i.imgur.com/rJTggmf.png)
My setup is Pi-hole -> Unbound -> DNSCrypt with Mullvad & NextDNS servers
I have the following in /usr/local/etc/unbound.opnsense.d/dnsCrypt-forward.conf:
server:
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
    forward-addr: ::1@5353
Content of /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml:
server_names = ['mullvad-doh','mullvad-adblock-doh','nextdns']
listen_addresses = ['127.0.0.1:5353','[::1]:5353']
max_clients = 250
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
doh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false
cert_refresh_delay = 240
dnscrypt_ephemeral_keys = false
tls_disable_session_tickets = false
fallback_resolver = '193.138.218.74:53'
ignore_system_dns = false
netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = false
forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'
cache = true
cache_size = 2048
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
format = 'tsv'
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
format = 'tsv'
[whitelist]
whitelist_file = 'whitelist.txt'
log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
log_format = 'tsv'
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
[static]
Contents of /var/unbound/unbound.conf:
##########################
# Unbound Configuration
##########################
##
# Server configuration
##
server:
    chroot: /var/unbound
    username: unbound
    directory: /var/unbound
    pidfile: /var/run/unbound.pid
    root-hints: /var/unbound/root.hints
    use-syslog: yes
    port: 53
    verbosity: 3
    extended-statistics: yes
    log-queries: yes
    hide-identity: no
    hide-version: no
    harden-referral-path: no
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    so-reuseport: yes
    module-config: "validator iterator"
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: no
    serve-expired: no
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    num-queries-per-thread: 4096
    outgoing-range: 8192
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    unwanted-reply-threshold: 0
    jostle-timeout: 200
    msg-cache-size: 20m
    rrset-cache-size: 40m
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    qname-minimisation: yes
    qname-minimisation-strict: yes
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: yes
    prefetch-key: no

    # Interface IP(s) to bind to
    interface: 0.0.0.0
    interface: ::
    interface-automatic: yes

    # DNS Rebinding

    # Access lists
    include: /var/unbound/access_lists.conf

    # Static host entries
    include: /var/unbound/host_entries.conf

    # DHCP leases (if configured)
    include: /var/unbound/dhcpleases.conf

    # Domain overrides
    include: /var/unbound/domainoverrides.conf

    # Custom includes
    include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
    forward-addr: 193.138.218.74
    forward-addr: 10.0.8.1
    forward-addr: 9.9.9.9

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
I'm unsure what else to provide for insight. Any help would be greatly appreciated.