No Unbound conf files after a Trixie install

I’m really banging my head into a wall on this one. I installed Unbound on my secondary PiHole but I can’t get the conf files on my primary. I’ve tried uninstall and --reinstall but the files won’t populate. Would it be easier for me to just make the files or is there a way I can force them to download?

Which conf files exactly ?!

If you read the official guide : unbound - Pi-hole documentation

You will see that the Unbound config @ /etc/unbound/unbound.conf.d/pi-hole.conf needs to be created by you anyway :wink:

Yes, I have created it but I had to manually input the rest of unbound.conf.d which leads me to believe that everything else hasn’t been created

I’m getting 3 errors stating that the communication to 127.0.0.1#5335: connection refused

; <<>> DiG 9.20.18-1~deb13u1-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; no servers could be reached
pi@orangepi3-lts:/$ systemctl status unbound.service
× unbound.service - Unbound DNS server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2026-02-16 11:26:27 EST; 1min 25s ago
Invocation: 27c292b0eded49838d645862a9a8f603
Docs: man:unbound(8)
Process: 2657 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=1/FAILURE)
Process: 2660 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=1/FAILURE)
Process: 2663 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
Process: 2665 ExecStopPost=/usr/libexec/unbound-helper chroot_teardown (code=exited, status=1/FAILURE)
Main PID: 2663 (code=exited, status=1/FAILURE)

Feb 16 11:26:27 orangepi3-lts systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Feb 16 11:26:27 orangepi3-lts systemd[1]: unbound.service: Start request repeated too quickly.
Feb 16 11:26:27 orangepi3-lts systemd[1]: unbound.service: Failed with result 'exit-code'.
Feb 16 11:26:27 orangepi3-lts systemd[1]: Failed to start unbound.service - Unbound DNS server.

The process' exit code is 'exited' and its exit status is 1.
Feb 16 11:26:27 orangepi3-lts unbound-helper[2666]: /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:2: error: unknown keyword 'auto-trust-anchor-file'
Feb 16 11:26:27 orangepi3-lts unbound-helper[2666]: /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:2: error: stray '"'
Feb 16 11:26:27 orangepi3-lts unbound-helper[2666]: /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:2: error: unknown keyword '/var/lib/unbound/root.key'
Feb 16 11:26:27 orangepi3-lts unbound-helper[2666]: /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:2: error: stray '"'
Feb 16 11:26:27 orangepi3-lts unbound-helper[2666]: read /etc/unbound/unbound.conf failed: 4 errors in configuration file
Feb 16 11:26:27 orangepi3-lts systemd[1]: unbound.service: Failed with result 'exit-code'.

You have got some invalid config lines it seems…

Here are my config files =>

# cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
# cat /etc/unbound/unbound.conf.d/remote-control.conf 
remote-control:
  control-enable: yes
  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
  # it is possible to use a unix socket too
  control-interface: /run/unbound.ctl
# cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf 
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
# cat /etc/unbound/unbound.conf.d/unbound_for_pi-hole.conf 
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to no if you don't have IPv6 connectivity
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

The above !! HAS TO WORK !! since it works for me for many months now :wink: :+1: :+1:

Problem I’m facing is that NONE of the directories or files were created upon installing Unbound lol. Like absolutely nothing besides the unbound.conf and the unbound.conf.d. I had zero issues with my secondary orange pi. I’m guessing at this point I have to just start from scratch which was what I was trying to avoid lol.

I did not get that from your previous reply… LOL! :flushed_face: :innocent:

Hope your next attempt goes as it should :wink:

After Unbound is installed, you can inspect what files should have been installed with below:

dpkg -L unbound

If you don’t have Unbound installed, you can list all files in a package with below:

apt-file list unbound

The apt-file command is contained in the apt-file package.

To restore/reinstall all config files from the Unbound package:

sudo rm -r /etc/unbound

sudo apt -o Dpkg::Options::="--force-confmiss" install --reinstall unbound
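Before removing /etc/unbound, the package's registered conffiles can be compared with what is on disk to see exactly which ones are missing. This is an added example, not part of the original post: the function names `missing_conffiles` and `sample_conffiles` are hypothetical, and the sample listing uses constructed placeholder hashes.

```shell
#!/bin/sh
# missing_conffiles [ROOT]
# Reads dpkg "Conffiles" lines on stdin (" <path> <md5> [obsolete]") and
# prints every path that does not exist under ROOT (default: the real /).
missing_conffiles() {
    root=${1:-}
    while read -r path hash flag; do
        # Skip blank lines (the field may start with an empty line).
        if [ -z "$path" ]; then continue; fi
        # "obsolete" entries are no longer shipped by the package.
        if [ "$flag" = "obsolete" ]; then continue; fi
        if [ ! -e "$root$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample in the format dpkg-query prints; hashes are placeholders.
sample_conffiles() {
    cat <<'EOF'
 /etc/unbound/unbound.conf 00000000000000000000000000000000
 /etc/unbound/unbound.conf.d/remote-control.conf 11111111111111111111111111111111
 /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf 22222222222222222222222222222222
EOF
}

# Demo against a throwaway tree that contains only unbound.conf,
# mirroring the situation described in the thread.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/unbound/unbound.conf.d"
: > "$demo_root/etc/unbound/unbound.conf"
echo "missing conffiles in demo tree:"
sample_conffiles | missing_conffiles "$demo_root"
rm -rf "$demo_root"

# On a real Debian system:
#   dpkg-query -W -f='${Conffiles}\n' unbound | missing_conffiles
```

If `root-auto-trust-anchor-file.conf` shows up as missing, Unbound has no trust anchor configured from the package and DNSSEC validation depends entirely on whatever was recreated by hand.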

I could kiss you right now LOL. I even went to Unbound git and they were stumped. You’re a damn life saver, thank you so much.