<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Make sure you can connect to DoT upstream:</p>
<p><a class="moz-txt-link-freetext" href="https://i.imgur.com/Andpr9t.png">https://i.imgur.com/Andpr9t.png</a></p>
<p>Note: It can be blocked by your ISP or youself on firewall.<br>
</p>
<div class="moz-cite-prefix">02.04.2019 22:36, rollingonchrome via
Unbound-users пишет:<br>
</div>
<blockquote type="cite"
cite="mid:CAB13GNXb6k9TJy_0V5P3tJmJa+e9N6RNAcDckHhioNmCViyEVQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Thank you, Yuri.
<div><br>
</div>
<div>The certificate bundle does exist in the assumed path.</div>
<div><br>
</div>
<div>Any other suggestions would be appreciated. Below is my
config file. Also, here is the error from the log file:</div>
<div><br>
</div>
<div>
<div>Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error:
unknown keyword 'tls-cert-bundle'</div>
<div>Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error:
stray ':'</div>
<div>Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error:
stray '"'</div>
<div>Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error:
unknown keyword '/etc/ssl/certs/ca-certificates.crt'</div>
<div>Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]:
/etc/unbound/unbound.conf.d/pi-hole.conf:96: error:
stray '"'</div>
</div>
<div><br>
</div>
<div>Apologies for partially posting this message twice. I
wasn't sure exactly how to edit the subject to properly
thread my reply.<br>
</div>
<div><br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
</blockquote>
</div>
</div>
<div>
<div>server:</div>
<div> # If no logfile is specified, syslog is used</div>
<div> # logfile: "/var/log/unbound/unbound.log"</div>
<div> verbosity: 0</div>
<div><br>
</div>
<div> port: 5353</div>
<div> do-ip4: yes</div>
<div> do-udp: yes</div>
<div> do-tcp: yes</div>
<div><br>
</div>
<div> # May be set to yes if you have IPv6 connectivity</div>
<div> do-ip6: no</div>
<div><br>
</div>
<div> # Use this only when you downloaded the list of
primary root servers!</div>
<div> root-hints: "/var/lib/unbound/root.hints"</div>
<div><br>
</div>
<div> # Trust glue only if it is within the servers
authority</div>
<div> harden-glue: yes</div>
<div><br>
</div>
<div> # Require DNSSEC data for trust-anchored zones,
if such data is absent, the zone becomes BOGUS</div>
<div> harden-dnssec-stripped: yes</div>
<div><br>
</div>
<div> # Don't use Capitalization randomization as it
known to cause DNSSEC issues sometimes</div>
<div> # see <a
href="https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378"
moz-do-not-send="true">https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378</a>
for further details</div>
<div> use-caps-for-id: no</div>
<div><br>
</div>
<div> # Reduce EDNS reassembly buffer size.</div>
<div> # Suggested by the unbound man page to reduce
fragmentation reassembly problems</div>
<div> edns-buffer-size: 1472</div>
<div><br>
</div>
<div> # TTL bounds for cache</div>
<div> cache-min-ttl: 3600</div>
<div> cache-max-ttl: 86400</div>
<div><br>
</div>
<div> # Perform prefetching of close to expired message
cache entries</div>
<div> # This only applies to domains that have been
frequently queried</div>
<div> prefetch: yes</div>
<div><br>
</div>
<div> # One thread should be sufficient, can be
increased on beefy machines</div>
<div> num-threads: 1</div>
<div><br>
</div>
<div> # Ensure kernel buffer is large enough to not
lose messages in traffic spikes</div>
<div> so-rcvbuf: 1m</div>
<div><br>
</div>
<div> # Ensure privacy of local IP ranges</div>
<div> private-address: <a href="http://192.168.0.0/16"
moz-do-not-send="true">192.168.0.0/16</a></div>
<div> private-address: <a href="http://169.254.0.0/16"
moz-do-not-send="true">169.254.0.0/16</a></div>
<div> private-address: <a href="http://172.16.0.0/12"
moz-do-not-send="true">172.16.0.0/12</a></div>
<div> private-address: <a href="http://10.0.0.0/8"
moz-do-not-send="true">10.0.0.0/8</a></div>
<div> private-address: fd00::/8</div>
<div> private-address: fe80::/10</div>
<div><br>
</div>
<div># New configuration items</div>
<div>qname-minimisation: yes</div>
<div># fallback-enabled: yes</div>
<div><br>
</div>
<div># DNS over TLS: <a
href="https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/"
moz-do-not-send="true">https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/</a></div>
<div><br>
</div>
<div>access-control: <a href="http://10.0.0.0/8"
moz-do-not-send="true">10.0.0.0/8</a> allow</div>
<div>access-control: <a href="http://127.0.0.0/8"
moz-do-not-send="true">127.0.0.0/8</a> allow</div>
<div>access-control: <a href="http://192.168.0.0/16"
moz-do-not-send="true">192.168.0.0/16</a> allow</div>
<div>hide-identity: yes</div>
<div>hide-version: yes</div>
<div>minimal-responses: yes</div>
<div>rrset-roundrobin: yes</div>
<div>ssl-upstream: yes</div>
<div>forward-zone:</div>
<div> name: "."</div>
<div> # Quad9</div>
<div> # forward-addr: 2620:fe::fe@853#<a
href="http://dns.quad9.net" moz-do-not-send="true">dns.quad9.net</a></div>
<div> forward-addr: 9.9.9.9@853#<a
href="http://dns.quad9.net" moz-do-not-send="true">dns.quad9.net</a></div>
<div> # forward-addr: 2620:fe::9@853#<a
href="http://dns.quad9.net" moz-do-not-send="true">dns.quad9.net</a></div>
<div> forward-addr: 149.112.112.112@853#<a
href="http://dns.quad9.net" moz-do-not-send="true">dns.quad9.net</a></div>
<div> # Cloudflare DNS</div>
<div> # forward-addr: 2606:4700:4700::1111@853#<a
href="http://cloudflare-dns.com"
moz-do-not-send="true">cloudflare-dns.com</a> </div>
<div> forward-addr: 1.1.1.1@853#<a
href="http://cloudflare-dns.com"
moz-do-not-send="true">cloudflare-dns.com</a></div>
<div> # forward-addr: 2606:4700:4700::1001@853#<a
href="http://cloudflare-dns.com"
moz-do-not-send="true">cloudflare-dns.com</a> </div>
<div> forward-addr: 1.0.0.1@853#<a
href="http://cloudflare-dns.com"
moz-do-not-send="true">cloudflare-dns.com</a></div>
<div> # Google Public DNS</div>
<div> # forward-addr:
<a class="moz-txt-link-abbreviated" href="mailto:2001:4860:4860::8888@853#dns.google">2001:4860:4860::8888@853#dns.google</a> </div>
<div> # forward-addr: <a class="moz-txt-link-abbreviated" href="mailto:8.8.8.8@853#dns.google">8.8.8.8@853#dns.google</a></div>
<div> # forward-addr: <a class="moz-txt-link-abbreviated" href="mailto:2001:4860:4860::8844@853#dns.google">2001:4860:4860::8844@853#dns.google</a></div>
<div> # forward-addr: <a class="moz-txt-link-abbreviated" href="mailto:8.8.4.4@853#dns.google">8.8.4.4@853#dns.google</a></div>
<div> # Cleanbrowsing Security Filter</div>
<div> # forward-addr: 2a0d:2a00:1::2@853#<a
href="http://security-filter-dns.cleanbrowsing.org"
moz-do-not-send="true">security-filter-dns.cleanbrowsing.org</a></div>
<div> forward-addr: 185.228.168.9@853#<a
href="http://security-filter-dns.cleanbrowsing.org"
moz-do-not-send="true">security-filter-dns.cleanbrowsing.org</a></div>
<div> # forward-addr: 2a0d:2a00:2::2@853#<a
href="http://security-filter-dns.cleanbrowsing.org"
moz-do-not-send="true">security-filter-dns.cleanbrowsing.org</a></div>
<div> forward-addr: 185.228.169.9@853#<a
href="http://security-filter-dns.cleanbrowsing.org"
moz-do-not-send="true">security-filter-dns.cleanbrowsing.org</a></div>
<div> # Tenta DNS</div>
<div> # ICANN</div>
<div> forward-addr: 99.192.182.200@853#<a
href="http://iana.tenta.io" moz-do-not-send="true">iana.tenta.io</a></div>
<div> forward-addr: 99.192.182.201@853#<a
href="http://iana.tenta.io" moz-do-not-send="true">iana.tenta.io</a></div>
<div> # OpenNIC </div>
<div> forward-addr: 99.192.182.100@853#<a
href="http://opennic.tenta.io" moz-do-not-send="true">opennic.tenta.io</a></div>
<div> forward-addr: 99.192.182.101@853#<a
href="http://opennic.tenta.io" moz-do-not-send="true">opennic.tenta.io</a> </div>
<div>tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"</div>
<div># tls-cert-bundle feature not available until Unbound
1.7.1</div>
<div># Actually secure DNS over TLS in Unbound <a
href="https://www.ctrl.blog/entry/unbound-tls-forwarding"
moz-do-not-send="true">https://www.ctrl.blog/entry/unbound-tls-forwarding</a></div>
</div>
</div>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>