Pi-Hole + Unbound

Hello, I’m asking for help. I’ve been trying to solve my Pi-Hole problem with AI for several days now, and I seem to be giving up. Everything seems to be working fine, but Pi-Hole keeps throwing an error: Connection error (172.20.0.2#53): TCP connection failed while receiving payload length from upstream (Connection prematurely closed by remote server).

I have a network based on Omada OC200 with a TP-Link ER605 V2 router with IP address 192.168.0.1 and IP address 192.168.0.9 entered as the DNS server. I have a server with TrueNAS Community version 25.04.2.6 with IP address 192.168.0.3:880 and physical LAN interface eno1 and one eno1 bridge named br0 and the DNS server set to IP 192.168.0.9. On TrueNAS I installed Nginx Proxy Manager Plus version 1.0 at IP address 192.168.0.3:30360. On TrueNAS I installed the Dockge application at 192.168.0.3:31014. In Dockge I started Pi-Hole V6 at 192.168.0.9 and DNS server 172.20.0.2#53 and with Unbound, entering the following code:

services:
  pi-hole:
    container_name: pi-hole
    hostname: Pi-Hole
    image: pihole/pihole:latest
    user: root
    networks:
      internal_unbound:
        ipv4_address: 172.20.0.3
      home_network:
        ipv4_address: 192.168.0.9
    environment:
      - TZ=Europe/Warsaw
      - FTLCONF_webserver_api_password=F
      - PIHOLE_DNS1=172.20.0.2#53
    volumes:
      - /mnt/Media/APPS/Pi-Hole/etc-pihole:/etc/pihole
      - /mnt/Media/APPS/Pi-Hole/etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

  unbound:
    container_name: unbound
    image: mvance/unbound:latest
    networks:
      internal_unbound:
        ipv4_address: 172.20.0.2
    volumes:
      - /mnt/Media/APPS/Unbound:/opt/unbound/etc/unbound
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

networks:
  home_network:
    driver: macvlan
    driver_opts:
      parent: br0
    ipam:
      config:
        - subnet: 192.168.0.0/24
          gateway: 192.168.0.1
          ip_range: 192.168.0.9/32
  internal_unbound:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24

This is the content of unbound.conf:

server:
interface: 0.0.0.0
port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes
access-control: 127.0.0.1/8 allow
access-control: 172.20.0.0/24 allow
access-control: 192.168.0.0/24 allow
hide-identity: yes
hide-version: yes
cache-min-ttl: 3600
cache-max-ttl: 86400
prefetch: yes

Now I noticed that DNS works on Pi-Hole, but proxying with Nginx does not work.

If you are doing recursive, you must have Pi-hole talk to itself first over port 5335. Pi-hole cannot use 53 since it is already in use for regular DNS traffic. Set recursive 127.0.0.1#5335 first, then all other DNS resolvers.

After changing to 5335, it’s exactly the same. I’ve already checked this, but this shouldn’t be an issue for me because I use PiHole and Unbound in separate dockge containers and have different IP pools.

Is pihole resolving urls? Pihole does get errors when resolving insecure connections sometimes. If you can browse and resolve dns, it should be fine. I wouldn’t worry too much about error messages from time to time.

PiHole is working fine. There’s no problem with DNS, just this error message. I also just recently stopped working on Pi-Hole and started configuring Nginx Proxy Manager, and I see it’s not working. I suspect I need to enter an IP address and port number somewhere in Pi-Hole so that, in addition to unbound, PiHole also sends DNS queries to Nginx. I’d also like to ask about Pi-Hole’s RAM usage. Mine is around 90%, supposedly I don’t have a loop, and I don’t know what’s going on. Is this information about the RAM usage of the entire TrueNAS, with ZFS taking up most of the memory, or do I actually have a loop?

Other things you might need to look at are bridging or FW rules.

Where and how can I check this? Sorry, this may be a stupid question, but I’m just learning about this.

You will need to create a bridge for VMs and containers to talk to each other in TrueNAS. Depending on your firewall, you may need to open port 53 to allow traffic across subnets or within the subnet.

AI gave me the following response to the TrueNAS Shell command:

# create a macvlan "shim" interface on the host, attached to the br0 bridge
ip link add macvlan-shim link br0 type macvlan mode bridge
# give the host its own address on that interface (separate from 192.168.0.3)
ip addr add 192.168.0.10/32 dev macvlan-shim
ip link set macvlan-shim up
# route traffic for the Pi-Hole container address through the shim
ip route add 192.168.0.9 dev macvlan-shim

Is this a good solution?
I still need to change unbound.conf:

access-control: 0.0.0.0/0 allow

The IPs will be based on your subnet. There are some YouTube videos that will show you how to create a bridge from the UI.

This piece of code in Unbound.conf solved the problem.

do-tcp: yes
tcp-upstream: no
tcp-idle-timeout: 30000
incoming-num-tcp: 1000
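As an added diagnostic, not from the original thread or from Pi-hole/Unbound: a Python script that frames a DNS query over TCP the way Pi-hole talks to its upstream (2-byte length prefix, RFC 1035) and reports at which stage the upstream closed the connection, so the TCP settings above can be verified against 172.20.0.2:53 from inside the network. The query name pi.hole and the SAMPLE_REPLY bytes are constructed for the offline check.

```python
import io
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    # Minimal DNS query with RD set; qtype 1 = A. Random transaction id unless one is given.
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def frame_tcp(msg):
    # RFC 1035 section 4.2.2: DNS over TCP prefixes each message with a 2-byte length.
    return struct.pack(">H", len(msg)) + msg

# Constructed reply for the offline check: txid 0x1234, flags 0x8180 (NOERROR), one A answer 127.0.0.1.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x02pi\x04hole\x00\x00\x01\x00\x01"
                + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x7f\x00\x00\x01")

def _read_exact(recv, n):
    # Read exactly n bytes; None if the peer closes the connection first.
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def read_tcp_response(recv):
    # Classify a TCP DNS reply in the stages Pi-hole's error message names.
    length_hdr = _read_exact(recv, 2)
    if length_hdr is None:  # Pi-hole: "closed ... while receiving payload length"
        return {"status": "closed_before_length"}
    (length,) = struct.unpack(">H", length_hdr)
    payload = _read_exact(recv, length)
    if payload is None or len(payload) < 12:
        return {"status": "closed_before_payload", "expected": length}
    txid, flags, _qd, an = struct.unpack(">HHHH", payload[:8])
    return {"status": "ok", "txid": txid, "rcode": flags & 0xF, "answers": an}

def make_reader(data):
    # recv()-like callable over constructed bytes; BytesIO.read(n) returns b"" at EOF.
    return io.BytesIO(data).read

def probe_upstream(host, port=53, name="pi.hole", timeout=3.0):
    # Live check against an upstream such as 172.20.0.2:53, run from inside the network.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name)))
        return read_tcp_response(s.recv)
```

Run probe_upstream("172.20.0.2") from a container on the internal_unbound network; a status of closed_before_length reproduces the Pi-hole error, while "ok" with rcode 0 confirms Unbound answers over TCP.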

Isn’t the unbound config copied to “/etc/unbound/unbound.conf.d/pi-hole.conf”?

Here is the guide - unbound - Pi-hole documentation