From bfab0dd034bd182034f1ffb05e45018ec9c85373 Mon Sep 17 00:00:00 2001 From: TowyTowy <85077986+TowyTowy@users.noreply.github.com> Date: Thu, 9 Jul 2026 03:28:40 +0200 Subject: [PATCH] fix(pihole): repair Unbound DNS-over-TLS (DoT) forwarding config (#15654) When the optional Unbound install is chosen with DoT forwarding, the script truncated (>) /etc/unbound/unbound.conf.d/pi-hole.conf and rewrote it starting with an indented "tls-cert-bundle:" option that has no "server:" section header. unbound-checkconf rejects this ("syntax error, is there no section start"), so "systemctl restart unbound" exits 1 and the install aborts (line 153). The overwrite also dropped the interface/port 5335 settings Pi-hole forwards to. Append (>>) the DoT additions to the existing recursive server block instead, under a proper "server:" section (unbound merges multiple server: clauses), so the tls-cert-bundle and forward-zone are valid and the resolver keeps listening on 127.0.0.1:5335. Recursive (non-DoT) mode is unchanged. Co-authored-by: Claude Fable 5 --- install/pihole-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/pihole-install.sh b/install/pihole-install.sh index c88a7c997..547d79f23 100644 --- a/install/pihole-install.sh +++ b/install/pihole-install.sh @@ -119,7 +119,8 @@ edns-packet-max=1232 EOF if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then - cat </etc/unbound/unbound.conf.d/pi-hole.conf + cat <>/etc/unbound/unbound.conf.d/pi-hole.conf +server: tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" forward-zone: name: "."