Failed to start unbound

While trying to install unbound i get error, tried to re-install & searched around with no luck

this is the error i get

sudo service unbound status
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor prese>
     Active: failed (Result: exit-code) since Tue 2022-07-05 15:05:41 CEST; 4mi>
       Docs: man:unbound(8)
    Process: 22874 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (c>
    Process: 22877 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anch>
    Process: 22880 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited,>
    Process: 22881 ExecStopPost=/usr/lib/unbound/package-helper chroot_teardown>
   Main PID: 22880 (code=exited, status=1/FAILURE)
        CPU: 198ms

Jul 05 15:05:41 homepi systemd[1]: unbound.service: Scheduled restart job, rest>
Jul 05 15:05:41 homepi systemd[1]: Stopped Unbound DNS server.
Jul 05 15:05:41 homepi systemd[1]: unbound.service: Start request repeated too >
Jul 05 15:05:41 homepi systemd[1]: unbound.service: Failed with result 'exit-co>
Jul 05 15:05:41 homepi systemd[1]: Failed to start Unbound DNS server.

That failure may be expected - if you ran that status straight after installing unbound on a machine where Pi-hole is already present, unbound would fail because port 53 is already taken by Pi-hole.

That would be curable by adopting unbound's configuration for a different port.
For having unbound work in collaboration with Pi-hole, see e.g. unbound - Pi-hole documentation.

Please post the output of the following command from the Pi terminal:

sudo grep -v ‘#\|^$’ -R /etc/unbound/unbound.conf*

this worked, but during following the instruction, the first one should be SERVFAIL and the second NOERROR, but in both cases i get SERVFAIL is this normal

Please provide the results as well as the commands that produced them exactly as you've run them, and please also comply with jfb's earlier request.

pi@homepi:~ $ sudo grep -v ‘#\|^$’ -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:# Unbound configuration file for Debian.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# See the unbound.conf(5) man page.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# See /usr/share/doc/unbound/examples/unbound.conf for a commented
/etc/unbound/unbound.conf:# reference config file.
/etc/unbound/unbound.conf:#
/etc/unbound/unbound.conf:# The following line includes additional configuration files from the
/etc/unbound/unbound.conf:# /etc/unbound/unbound.conf.d directory.
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    # The following line will configure unbound to perform cryptographic
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    # DNSSEC validation using the root trust anchor.
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:# Generated by resolvconf
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:	forward-addr: fdf7:e7d9:6000::1
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If no logfile is specified, syslog is used
/etc/unbound/unbound.conf.d/pi-hole.conf:    # logfile: "/var/log/unbound/unbound.log"
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # May be set to yes if you have IPv6 connectivity
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Terredo tunnels your web browser should favor IPv4 for the same reasons
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Use this only when you downloaded the list of primary root servers!
/etc/unbound/unbound.conf.d/pi-hole.conf:    # If you use the default dns-root-data package, unbound will find it automatically
/etc/unbound/unbound.conf.d/pi-hole.conf:    #root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Trust glue only if it is within the server's authority
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
/etc/unbound/unbound.conf.d/pi-hole.conf:    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Reduce EDNS reassembly buffer size.
/etc/unbound/unbound.conf.d/pi-hole.conf:    # IP fragmentation is unreliable on the Internet today, and can cause
/etc/unbound/unbound.conf.d/pi-hole.conf:    # transmission failures when large DNS messages are sent via UDP. Even
/etc/unbound/unbound.conf.d/pi-hole.conf:    # when fragmentation does work, it may not be secure; it is theoretically
/etc/unbound/unbound.conf.d/pi-hole.conf:    # possible to spoof parts of a fragmented DNS message, without easy
/etc/unbound/unbound.conf.d/pi-hole.conf:    # detection at the receiving end. Recently, there was an excellent study
/etc/unbound/unbound.conf.d/pi-hole.conf:    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
/etc/unbound/unbound.conf.d/pi-hole.conf:    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
/etc/unbound/unbound.conf.d/pi-hole.conf:    # in collaboration with NLnet Labs explored DNS using real world data from the
/etc/unbound/unbound.conf.d/pi-hole.conf:    # the RIPE Atlas probes and the researchers suggested different values for
/etc/unbound/unbound.conf.d/pi-hole.conf:    # IPv4 and IPv6 and in different scenarios. They advise that servers should
/etc/unbound/unbound.conf.d/pi-hole.conf:    # be configured to limit DNS messages sent over UDP to a size that will not
/etc/unbound/unbound.conf.d/pi-hole.conf:    # trigger fragmentation on typical network links. DNS servers can switch
/etc/unbound/unbound.conf.d/pi-hole.conf:    # from UDP to TCP when a DNS response is too big to fit in this limited
/etc/unbound/unbound.conf.d/pi-hole.conf:    # buffer size. This value has also been suggested in DNS Flag Day 2020.
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Perform prefetching of close to expired message cache entries
/etc/unbound/unbound.conf.d/pi-hole.conf:    # This only applies to domains that have been frequently queried
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:
/etc/unbound/unbound.conf.d/pi-hole.conf:    # Ensure privacy of local IP ranges
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

i am trying this step

Test validation¶

You can test DNSSEC validation using

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.

this is my result below

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.27-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Jul 05 15:47:39 CEST 2022
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.16.27-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64239
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Jul 05 15:47:39 CEST 2022
;; MSG SIZE  rcvd: 55

pi@homepi:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.27-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13579
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Jul 05 15:48:28 CEST 2022
;; MSG SIZE  rcvd: 57

1. Edit file /etc/resolvconf.conf and comment out the last line which should then read:

#unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

2. Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

3. Restart unbound:

sudo service unbound restart

everything is working as it should thanks for the help @jfb @Bucking_Horn.

just curious how do i know that the pihole-unbound are working, when i check dnsleaktest i see that i'm using my ISP's DNS ?

You are likely seeing the IP of your modem or ISP. This is normal with unbound in recursive mode - your DNS server is running at your home IP.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.