Compiling Unbound from Source / Getting Unbound to work with DNS-over-TLS?

JAW · April 8, 2019, 12:00am

Hello – I know this is a Pi-hole forum, but I've struck out on the Unbound users email list and there seem to be a lot of Unbound fans here.

I would like to use Unbound on my Pi-hole using DNS-over-TLS.

I'm curious if anyone has successfully gotten DNS-over-TLS to work on Unbound on Raspbian using a TLS certificate bundle, either by compiling from source or another method.

Unbound on Raspbian Stretch is version 1.6.0 which doesn't support a TLS certificate bundle

I've not had good luck compiling the current stable version 1.9.1 from source following this guide. I cannot get the boot script to work.

Any thoughts would be welcome.

Best.

JAW

jpgpi250 · April 8, 2019, 7:02am

´edit´
This only works if unbount isn't already on your system, uninstall & purge older versions before continuing!
/edit

compile:

#!/bin/bash

sudo apt-get -y install libssl-dev
sudo apt-get -y install libexpat1-dev

sudo groupadd -g 991 unbound
sudo useradd -c "unbound-1.9.1" -d /var/lib/unbound -u 991 -g unbound -s /bin/false unbound

file=unbound-1.9.1
mkdir -p unbound
cd unbound
wget https://nlnetlabs.nl/downloads/unbound/$file.tar.gz
tar xzf $file.tar.gz 
cd $file

sudo ./configure --prefix=/usr --sysconfdir=/etc --disable-static --with-pidfile=/run/unbound.pid
sudo make
sudo make install
cd ..
cd ..

dnssec:

# dnssec
sudo chown unbound:unbound /etc/unbound
sudo /usr/sbin/unbound-anchor -a /etc/unbound/root.key -v

remote control:

#remote control
sudo /usr/sbin/unbound-control-setup

create /lib/systemd/system/unbound.service, content:

Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
Requires=network.target
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStartPre=-/usr/sbin/unbound-anchor -a /etc/unbound/root.key -v
ExecStart=/usr/sbin/unbound -d -v
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=360

systemctl:

sudo systemctl daemon-reload
sudo systemctl enable unbound.service
sudo systemctl start unbound.service

JAW · April 8, 2019, 7:32am

Thank you, @jpgpi250! I will give this a try.

system · April 29, 2019, 8:39am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.