02.04.2019 22:36, rollingonchrome via Unbound-users writes:
> Thank you, Yuri.
>
> The certificate bundle does exist in the assumed path.
>
> Any other suggestions would be appreciated. Below is my config file.
> Also, here is the error from the log file:
>
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword 'tls-cert-bundle'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword '/etc/ssl/certs/ca-certificates.crt'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
>
> Apologies for partially posting this message twice. I wasn't sure
> exactly how to edit the subject to properly thread my reply.
>
> server:
>     # If no logfile is specified, syslog is used
>     # logfile: "/var/log/unbound/unbound.log"
>     verbosity: 0
>
>     port: 5353
>     do-ip4: yes
>     do-udp: yes
>     do-tcp: yes
>
>     # May be set to yes if you have IPv6 connectivity
>     do-ip6: no
>
>     # Use this only when you downloaded the list of primary root servers!
>     root-hints: "/var/lib/unbound/root.hints"
>
>     # Trust glue only if it is within the server's authority
>     harden-glue: yes
>
>     # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
>     harden-dnssec-stripped: yes
>
>     # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
>     # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
>     use-caps-for-id: no
>
>     # Reduce EDNS reassembly buffer size.
>     # Suggested by the unbound man page to reduce fragmentation reassembly problems
>     edns-buffer-size: 1472
>
>     # TTL bounds for cache
>     cache-min-ttl: 3600
>     cache-max-ttl: 86400
>
>     # Perform prefetching of close-to-expired message cache entries
>     # This only applies to domains that have been frequently queried
>     prefetch: yes
>
>     # One thread should be sufficient; can be increased on beefy machines
>     num-threads: 1
>
>     # Ensure kernel buffer is large enough to not lose messages in traffic spikes
>     so-rcvbuf: 1m
>
>     # Ensure privacy of local IP ranges
>     private-address: 192.168.0.0/16
>     private-address: 169.254.0.0/16
>     private-address: 172.16.0.0/12
>     private-address: 10.0.0.0/8
>     private-address: fd00::/8
>     private-address: fe80::/10
>
>     # New configuration items
>     qname-minimisation: yes
>     # fallback-enabled: yes
>
>     # DNS over TLS: https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/
>
>     access-control: 10.0.0.0/8 allow
>     access-control: 127.0.0.0/8 allow
>     access-control: 192.168.0.0/16 allow
>     hide-identity: yes
>     hide-version: yes
>     minimal-responses: yes
>     rrset-roundrobin: yes
>     ssl-upstream: yes

# request upstream over TLS (with plain DNS inside the TLS stream).
# Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no
Not required, but a parameter error for 1.9.x

> forward-zone:
>     name: "."
>     # Quad9
>     # forward-addr: 2620:fe::fe@853#dns.quad9.net
>     forward-addr: 9.9.9.9@853#dns.quad9.net
>     # forward-addr: 2620:fe::9@853#dns.quad9.net
>     forward-addr: 149.112.112.112@853#dns.quad9.net
>     # Cloudflare DNS
>     # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
>     forward-addr: 1.1.1.1@853#cloudflare-dns.com
>     # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
>     forward-addr: 1.0.0.1@853#cloudflare-dns.com
>     # Google Public DNS
>     # forward-addr: 2001:4860:4860::8888@853#dns.google
>     # forward-addr: 8.8.8.8@853#dns.google
>     # forward-addr: 2001:4860:4860::8844@853#dns.google
>     # forward-addr: 8.8.4.4@853#dns.google
>     # Cleanbrowsing Security Filter
>     # forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
>     forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
>     # forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
>     forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
>     # Tenta DNS
>     # ICANN
>     forward-addr: 99.192.182.200@853#iana.tenta.io
>     forward-addr: 99.192.182.201@853#iana.tenta.io
>     # OpenNIC
>     forward-addr: 99.192.182.100@853#opennic.tenta.io
>     forward-addr: 99.192.182.101@853#opennic.tenta.io
>     tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
>     # tls-cert-bundle feature not available until Unbound 1.7.1
>     # Actually secure DNS over TLS in Unbound
>     # https://www.ctrl.blog/entry/unbound-tls-forwarding

OK, do you have port 853 open to the outside on the firewall?
Can you connect from the device to any upstream using telnet via port 853?
--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
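An added diagnostic, not part of the thread, that checks the two things discussed in it: whether the installed Unbound is new enough for the keyword the log rejects (using the 1.7.1 minimum stated in the config comment) and whether a forward-addr upstream accepts a certificate-verified TLS connection on port 853, which is the telnet check above done with a full handshake. The `unbound -V` output in the main block is constructed; the log lines are the ones quoted above.

```python
import re
import socket
import ssl

# Keyword -> minimum Unbound version. The 1.7.1 figure for tls-cert-bundle
# is the one given in the config comment in the thread; nothing else is tracked.
MIN_VERSION = {"tls-cert-bundle": (1, 7, 1)}

# Matches the "unknown keyword" lines unbound logs while parsing its config.
LOG_RE = re.compile(r"(?P<file>/\S+):(?P<line>\d+): error: unknown keyword '(?P<kw>[^']+)'")

def unknown_keywords(log_lines):
    """Return (config file, line number, keyword) for each 'unknown keyword' error."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            hits.append((m["file"], int(m["line"]), m["kw"]))
    return hits

def parse_version(unbound_v_output):
    """Pull (major, minor, patch) out of the 'Version x.y.z' line of 'unbound -V'."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", unbound_v_output)
    return tuple(int(x) for x in m.groups()) if m else None

def keyword_supported(keyword, version):
    """True if the installed version is at least the minimum recorded for keyword."""
    need = MIN_VERSION.get(keyword)
    return need is None or version >= need

def probe_dot_upstream(ip, hostname, ca_bundle, port=853, timeout=5.0):
    """Connect to ip:port over TLS, verifying the chain against ca_bundle and the
    name after '#' in forward-addr. Returns the negotiated TLS version, or raises
    socket.error / ssl.SSLError if the port is blocked or the cert does not verify."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.version()

# Constructed sample input: two of the syslog lines quoted in the thread.
SAMPLE_LOG = [
    "Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword 'tls-cert-bundle'",
    "Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'",
]

if __name__ == "__main__":
    ver = parse_version("Version 1.6.0\n")  # constructed; use real 'unbound -V' output
    for path, lineno, kw in unknown_keywords(SAMPLE_LOG):
        need = MIN_VERSION.get(kw)
        print(f"{path}:{lineno}: '{kw}' " + ("supported" if keyword_supported(kw, ver) else f"needs >= {need}"))
    print(probe_dot_upstream("9.9.9.9", "dns.quad9.net", "/etc/ssl/certs/ca-certificates.crt"))
```

Run it on the Pi with the real `unbound -V` output; a version below the keyword's minimum explains the "unknown keyword" error independently of the firewall, while an exception from the probe points at port 853 being blocked or the CA bundle not validating the upstream.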