Thank you, Yuri.
The certificate bundle does exist in the assumed path.
Any other suggestions would be appreciated. Below is my config file. Also,
here is the error from the log file:
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword
'tls-cert-bundle'
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword
'/etc/ssl/certs/ca-certificates.crt'
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
Apologies for partially posting this message twice. I wasn't sure exactly
how to edit the subject to properly thread my reply.
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# Use this only when you downloaded the list of primary root servers!
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent,
the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC
issues sometimes
# see
https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for
further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly
problems
edns-buffer-size: 1472
# TTL bounds for cache
cache-min-ttl: 3600
cache-max-ttl: 86400
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic
spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# New configuration items
qname-minimisation: yes
# fallback-enabled: yes
# DNS over TLS:
https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
hide-identity: yes
hide-version: yes
minimal-responses: yes
rrset-roundrobin: yes
ssl-upstream: yes
forward-zone:
name: "."
# Quad9
# forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
# forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
# Cloudflare DNS
# forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com
# forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
# Google Public DNS
# forward-addr: 2001:4860:4860::8888@853#dns.google
# forward-addr: 8.8.8.8@853#dns.google
# forward-addr: 2001:4860:4860::8844@853#dns.google
# forward-addr: 8.8.4.4@853#dns.google
# Cleanbrowsing Security Filter
# forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
# forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
# Tenta DNS
# ICANN
forward-addr: 99.192.182.200@853#iana.tenta.io
forward-addr: 99.192.182.201@853#iana.tenta.io
# OpenNIC
forward-addr: 99.192.182.100@853#opennic.tenta.io
forward-addr: 99.192.182.101@853#opennic.tenta.io
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# tls-cert-bundle feature not available until Unbound 1.7.1
# Actually secure DNS over TLS in Unbound
https://www.ctrl.blog/entry/unbound-tls-forwarding
