<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Make sure you can connect to DoT upstream:</p>
    <p><a class="moz-txt-link-freetext" href="https://i.imgur.com/Andpr9t.png">https://i.imgur.com/Andpr9t.png</a></p>
    <p>Note: It can be blocked by your ISP or by yourself on the firewall.<br>
    </p>
    <div class="moz-cite-prefix">02.04.2019 22:36, rollingonchrome via
      Unbound-users wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAB13GNXb6k9TJy_0V5P3tJmJa+e9N6RNAcDckHhioNmCViyEVQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">Thank you, Yuri.
            <div><br>
            </div>
            <div>The certificate bundle does exist in the assumed path.</div>
            <div><br>
            </div>
            <div>Any other suggestions would be appreciated. Below is my
              config file. Also, here is the error from the log file:</div>
            <div><br>
            </div>
            <div>
              <pre>Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword 'tls-cert-bundle'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword '/etc/ssl/certs/ca-certificates.crt'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'</pre>
            </div>
            <div><br>
            </div>
            <div>Apologies for partially posting this message twice. I
              wasn't sure exactly how to edit the subject to properly
              thread my reply.<br>
            </div>
            <div>
              <pre>server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see <a class="moz-txt-link-freetext" href="https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378">https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378</a> for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

# New configuration items
qname-minimisation: yes
# fallback-enabled: yes

# DNS over TLS: <a class="moz-txt-link-freetext" href="https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/">https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/</a>

access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
hide-identity: yes
hide-version: yes
minimal-responses: yes
rrset-roundrobin: yes
ssl-upstream: yes
forward-zone:
  name: "."
  # Quad9
  # forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  # forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  # Cloudflare DNS
  # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  # Google Public DNS
  # forward-addr: 2001:4860:4860::8888@853#dns.google
  # forward-addr: 8.8.8.8@853#dns.google
  # forward-addr: 2001:4860:4860::8844@853#dns.google
  # forward-addr: 8.8.4.4@853#dns.google
  # Cleanbrowsing Security Filter
  # forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
  forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
  # forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
  forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
  # Tenta DNS
  # ICANN
  forward-addr: 99.192.182.200@853#iana.tenta.io
  forward-addr: 99.192.182.201@853#iana.tenta.io
  # OpenNIC
  forward-addr: 99.192.182.100@853#opennic.tenta.io
  forward-addr: 99.192.182.101@853#opennic.tenta.io
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# tls-cert-bundle feature not available until Unbound 1.7.1
# Actually secure DNS over TLS in Unbound <a class="moz-txt-link-freetext" href="https://www.ctrl.blog/entry/unbound-tls-forwarding">https://www.ctrl.blog/entry/unbound-tls-forwarding</a></pre>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************</pre>
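    <p>The "make sure you can connect to the DoT upstream" check suggested at the top of this message, as an added example that is not code from the thread or from Unbound: it takes a forwarder in the posted forward-addr form (ip@853#authname), opens TLS with SNI and hostname verification against the same CA bundle path the posted tls-cert-bundle line names, sends one length-prefixed query and reports the answer count and RCODE. The CA bundle path, the query name example.com and the timeout are assumptions; a blocked port 853, a certificate that does not chain to the bundle, or a name that does not match the part after '#' all surface as a failure instead of a silent fallback.</p>

```python
import random
import socket
import ssl
import struct

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # assumption: same path as the posted tls-cert-bundle

def parse_forward_addr(value):
    """Split Unbound's 'ip@port#authname' into (ip, port, authname); port defaults to 53."""
    auth_name = None
    if "#" in value:
        value, auth_name = value.split("#", 1)
    port = 53
    if "@" in value:
        value, port = value.split("@", 1)
    return value, int(port), auth_name

def build_query(qname, qid):
    """Minimal wire-format A/IN query for qname with the RD bit set."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(msg, qid):
    """Return (answer_count, rcode); reject a reply carrying a foreign transaction id."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    return an, flags & 0x000F

def dot_query(forward_addr, qname="example.com", timeout=5):
    """One RFC 7858 query; fails unless the cert chains to CA_BUNDLE and matches the '#' name."""
    host, port, auth_name = parse_forward_addr(forward_addr)
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)  # chain and hostname verification both on
    qid = random.randrange(65536)
    query = build_query(qname, qid)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # no '#authname' gives server_hostname=None, which raises ValueError rather than skipping the check
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # two-byte length prefix
            f = tls.makefile("rb")  # buffered reader: read(n) returns n bytes unless the peer closes
            length = struct.unpack("!H", f.read(2))[0]
            return parse_response(f.read(length), qid)

if __name__ == "__main__":
    for fwd in ("9.9.9.9@853#dns.quad9.net", "1.1.1.1@853#cloudflare-dns.com"):
        try:
            print(fwd, "answers=%d rcode=%d" % dot_query(fwd))
        except (OSError, ValueError, struct.error) as exc:
            print(fwd, "FAILED:", exc)  # blocked port 853, bad chain, name mismatch or short read
```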
  </body>
</html>