Cache Question - Unbound vs Pi-Hole

If someone is using Unbound and its normal DNS caching function, is it safe to edit /etc/dnsmasq.d/01-pihole.conf and set the cache-size there to 0? I haven't noticed any ill effects of doing so, but wasn't sure if it could have repercussions that I'm just not seeing.

It is "safe" but not recommended. The developers recommend leaving the Pi-hole cache enabled at all times.

Let each cache operate and they will get along fine.

Gotcha. Wasn't sure if there would be an issue with competing caches leading to stale cache issues or anything.

I run all my Pi-holes with unbound and all (six of them) have both caches enabled and never a problem.


Hi jfb,

Can you tell us how to update Unbound to the actual release 1.13.0?

Cheers
B.

Why?

If your distribution package manager has a package for unbound you can skip this step, just install the package with your package manager.
NLnet Labs Documentation - Unbound - Howto Setup and Install

pi@ph5:~ $ sudo apt update
[..]
21 packages can be upgraded. Run 'apt list --upgradable' to see them.

pi@ph5:~ $ apt policy unbound
unbound:
  Installed: 1.9.0-2+deb10u2
  Candidate: 1.9.0-2+deb10u2
  Version table:
 *** 1.9.0-2+deb10u2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status

Just to use the latest release.
Doesn't it make sense?

Latest release is not always the best release.
New bugs or security risks might have been introduced unnoticed yet.
That's one of the reasons the "stable" release for most distros trails behind a bit to evaluate.

The latest apt package is 1.9 on my Raspbian RPi. Is 1.13 so much better that it is worth compiling it, or should I just wait?

Is it worth living on the edge?
Go mainstream to avoid problems.
Even more, there are apps where I wait a while before upgrading like Domoticz on my RPI.

Ok ... fine. I'll wait.

I just asked for updates not because of new features but to be more secure using newer routines.
The Pi is online 24/7 so it's likely that it will be compromised at some point.
That's my concern.

How so? Do you have untrusted software or users on your LAN?

No. But do you think your network is safe?

Yes, I do.

Edit - safe enough for my purposes.


What's your threat model? Trying to keep the kids off TikTok or trying to be the next Edward Snowden and are worried about State-level actors?

I'm no stranger to the tin-foil but you have to know who your adversary is in order to know what actions you need to take.


No network is safe.
If you want to keep unbound on the latest release, you should also consider compiling the latest releases of the other software (and their dependencies) that unbound depends on, including the kernel:

pi@ph5:~ $ apt depends unbound
unbound
  Depends: adduser
  Depends: dns-root-data
  Depends: lsb-base (>= 3.0-6)
  Depends: openssl
  Depends: unbound-anchor
  Depends: libc6 (>= 2.28)
  Depends: libevent-2.1-6 (>= 2.1.8-stable)
  Depends: libfstrm0 (>= 0.2.0)
  Depends: libprotobuf-c1 (>= 1.0.1)
  Depends: libpython3.7 (>= 3.7.0)
  Depends: libssl1.1 (>= 1.1.1)
  Depends: libsystemd0
  Suggests: apparmor
  Enhances: munin-node

That's called Gentoo.


Thank you all for your answers.
