Pihole + Unbound on NAS


I am using pihole for sometime with my NAS on a docker container.
Today I tried to setup also Unbound from the docker image mvance/unbound with the following steps:

1- Save the root.hints on the shared container folder with:
wget https://www.internic.net/domain/named.root -qO- | sudo tee root.hints

2- create the unbound.conf as per the official doc:

ash-4.3# cat unbound.conf

    # If no logfile is specified, syslog is used
    logfile: "unbound.log"
    verbosity: 1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges
    private-address: fd00::/8
    private-address: fe80::/10

Now if i try to dig:

dig sigfail.verteiltesysteme.net@ -p 5335
dig sigok.verteiltesysteme.net@ -p 5335

Both work which shouldn't happen. Only the second one should work.
I thought then I was missing the root.key since this is a non standard install of unbound and the file isn't auto generated. So I generated it:


ash-4.3# docker exec -it unbound bash
root@unbound:/# cd /opt/unbound/etc/unbound
root@unbound:/opt/unbound/etc/unbound# unbound-anchor -a root.key

With this step from the logs everything seems ok but if I try now the dig:
dig sigfail.verteiltesysteme.net@ -p 5335
The unbound container just crashes.

Has anyone succeeded in making this work on a docker setup?
Also I will need to find a way to auto update the root.key and root.hints inside the unbound docker container after making it work.


What's the exact output of

dig sigfail.verteiltesysteme.net@ -p 5335
dig sigok.verteiltesysteme.net@ -p 5335

What official doc did you follow?

Sorry missed the link this one: https://docs.pi-hole.net/guides/unbound/

Regarding the outputs from dig now I can't do any because as I mentioned after inserting the root.key in the unbound cfg file the container just crashes before having a response

That configuration file from Pi-hole's unbound guide is meant for a bare metal installation where Pi-hole and unbound reside on the same machine.

I'd be careful using it for your Docker based configuration - it'll most likely fail.

You're now running both unbound as well as Pi-hole into their own containers.
By default, Docker would isolate them into their own networks, i.e. in Pi-hole would be specific to its container and inaccessible from unbound's container and vice versa.
This isn't your issue yet, but it would become so if you tried to configure Pi-hole to use unbound as upstream via

Also, as unbound defaults to allowing localhost/ traffic only, you'd have problems passing DNS requests into the container.

Therefore, my guess would be the default unbound.conf as supplied by your Docker image would have contained a less restrictive interface, maybe even to allow all.
Also, there may be additional settings involved, I am not an unbound professional.

By supplying Pi-hole's bare metal configuration, you likely have overwritten the config values that allowed unbound to work from a container.

I'd recommend reverting to the original config as supplied by the Docker image.
You could then check that configuration line-by-line against Pi-hole's bare metal unbound.conf and adopt and adjust it manually as required.

I will try but the default wouldn't be suitable.
Also I am using net host network for the containers.
And the local host shouldn't be the issue because the Server ENV variable already takes that in account so that I can insert my "real" LAN IP of the host 192.x.x.x