Pihole+Unbound prevents one single device from accessing the internet

Expected Behaviour:

Pihole+Unbound allows all devices on my network to access the internet

Actual Behaviour:

Since getting my Pihole+Unbound working again, my doorbell camera refuses to access the internet with Unbound turned on. It does have local network access (I can see it in my Unifi controller) with Unbound enabled. When I go into the Pihole and uncheck 127.0.0.1#5335 disabling Unbound and then check any of the other Upstream services, my camera gets instant internet access.

There doesn't seem to be anything that's obvious blocking this specific device. All other devices on my network (iPhones, iPads, TVs, Laptops, etc) can access the internet with Unbound running and set in the Pihole with the Pihole being the DNS for everything. I have also tried using the Group Management in the Pihole to exclude this specific device, using the IP, from all of the block lists but I don't think that's the issue since nothing changed when I did that.

The only change occurred when I turned off Unbound.

Note: this has worked in the past without issue. I had this exact setup (same Unifi equipment, same Raspberry Pi running the same install of Pihole, same doorbell camera). But for some reason, when I moved this network and the equipment to my new home, this one device is being prevented from accessing the Internet and it seems to be Unbound causing it.

It also seems Unbound is dragging every device down on my network. With it enabled, my devices are sluggish and slow to respond. With it disabled and any other Upstream provider selected, all devices behave normally.

Debug Token:

S9STBbap

Update:

I managed to get the device connected when Unbound was turned off, and then when turning Unbound back on the device stayed connected, but its connection is really slow and laggy. It's a doorbell camera, so the feed isn't instant like when Unbound is turned off.

And like I mentioned in the OP, when Unbound is turned on, all of my wireless devices seem to suffer. I know the 'Experience' in the Unifi console isn't the greatest metric to go by but it does at least indicate when devices aren't connecting at their optimal speeds. And with Unbound off...every device is 99%-100%. With Unbound on...nearly all devices, even when 1-2 feet from the AP, show 60%-80%.

What role does Unbound play in this? It seems to be the only prime mover in what's affecting these devices. Are there any equivalent alternatives to Unbound? It's really messing up my network performance.

Update #2:

I think...we may be good now. I set the DNS cache size on the Pihole to 0, found some config options to add to the /etc/unbound/unbound.conf, and restarted the Unbound service. Since doing this, everything seems to be running as expected.

Could you post the output for the ones below, please?

hostnamectl | grep 'Operating System'

grep nameserver /etc/resolv.conf

resolvconf -l | grep -v 'domain\|search'

sudo systemctl is-enabled unbound-resolvconf.service

sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*

Those are the standard ones to check if any DNS loop or partial loop exists which can cause unbound or the pihole-FTL daemon to respond "sluggish".

hostnamectl | grep 'Operating System'

Operating System: Raspbian GNU/Linux 10 (buster)

grep nameserver /etc/resolv.conf

nameserver 127.0.0.1

resolvconf -l | grep -v 'domain\|search'

resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)

sudo systemctl is-enabled unbound-resolvconf.service

enabled

sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*

/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/use-own-identity.conf:server:
/etc/unbound/unbound.conf.d/use-own-identity.conf:    hide-identity: no
/etc/unbound/unbound.conf.d/use-own-identity.conf:    identity: ""
/etc/unbound/unbound.conf.d/use-own-identity.conf:    hide-version: no
/etc/unbound/unbound.conf.d/use-own-identity.conf:    version: ""
/etc/unbound/unbound.conf.d/use-own-identity.conf:    hide-trustanchor: no
/etc/unbound/unbound.conf.d/use-expired-records.conf:server:
/etc/unbound/unbound.conf.d/use-expired-records.conf:
/etc/unbound/unbound.conf.d/use-expired-records.conf:
/etc/unbound/unbound.conf.d/use-expired-records.conf:    serve-expired: yes
/etc/unbound/unbound.conf.d/use-expired-records.conf:    serve-expired-ttl: 0
/etc/unbound/unbound.conf.d/use-expired-records.conf:    serve-expired-ttl-reset: yes
/etc/unbound/unbound.conf.d/use-multithreaded-udp.conf:server:
/etc/unbound/unbound.conf.d/use-multithreaded-udp.conf:    so-reuseport: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/use-large-buffers.conf:server:
/etc/unbound/unbound.conf.d/use-large-buffers.conf:    so-rcvbuf: 8m
/etc/unbound/unbound.conf.d/use-large-buffers.conf:    so-sndbuf: 8m
/etc/unbound/unbound.conf.d/use-safe-edns-buffer.conf:server:
/etc/unbound/unbound.conf.d/use-safe-edns-buffer.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/unbound.conf:server:
/etc/unbound/unbound.conf.d/unbound.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/unbound.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/unbound.conf:    serve-expired: yes
/etc/unbound/unbound.conf.d/unbound.conf:    msg-cache-size: 16m
/etc/unbound/unbound.conf.d/unbound.conf:    rrset-cache-size: 16m
/etc/unbound/unbound.conf.d/unbound.conf:
/etc/unbound/unbound.conf.d/unbound.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/unbound.conf:    port: 5335
/etc/unbound/unbound.conf.d/unbound.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/unbound.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/unbound.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/unbound.conf:    root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/unbound.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/unbound.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/unbound.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/unbound.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/unbound.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/unbound.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/unbound.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/use-optimized-threads.conf:server:
/etc/unbound/unbound.conf.d/use-optimized-threads.conf:    num-threads: 4
/etc/unbound/unbound.conf.d/use-prefetch.conf:server:
/etc/unbound/unbound.conf.d/use-prefetch.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/use-prefetch.conf:    prefetch-key: yes
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:server:
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    msg-cache-slabs: 4
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    rrset-cache-slabs: 4
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    infra-cache-slabs: 4
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    key-cache-slabs: 4
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    rrset-cache-size: 128m
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    msg-cache-size: 64m
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    key-cache-size: 64m
/etc/unbound/unbound.conf.d/use-optimized-caches.conf:    neg-cache-size: 64m
/etc/unbound/unbound.conf.d/use-unbound-control.conf:remote-control:
/etc/unbound/unbound.conf.d/use-unbound-control.conf:    control-enable: yes
/etc/unbound/unbound.conf.d/use-unbound-control.conf:    server-key-file: /etc/unbound/unbound_server.key
/etc/unbound/unbound.conf.d/use-unbound-control.conf:    server-cert-file: /etc/unbound/unbound_server.pem
/etc/unbound/unbound.conf.d/use-unbound-control.conf:    control-key-file: /etc/unbound/unbound_control.key
/etc/unbound/unbound.conf.d/use-unbound-control.conf:    control-cert-file: /etc/unbound/unbound_control.pem
/etc/unbound/unbound.conf.d/use-extended-statistics.conf:server:
/etc/unbound/unbound.conf.d/use-extended-statistics.conf:    verbosity: 1
/etc/unbound/unbound.conf.d/use-extended-statistics.conf:    statistics-interval: 600
/etc/unbound/unbound.conf.d/use-extended-statistics.conf:    extended-statistics: yes
/etc/unbound/unbound.conf.d/use-extended-statistics.conf:    statistics-cumulative: yes

Try disabling the above with the below:

sudo systemctl disable --now unbound-resolvconf.service

After a reboot, check if the below has now changed to a sensible DNS server instead of the own host 127.0.0.1:

grep nameserver /etc/resolv.conf

I can't help you with that much customisation.
If you could revert back to the defaults from the official guide (except maybe for the remote-control config), I could be of better assistance.
Else, if you suspect Unbound is the culprit, ask on their support channels.

https://docs.pi-hole.net/guides/dns/unbound/

pi@ph5a:~ $ hostnamectl | grep 'Operating System'
  Operating System: Raspbian GNU/Linux 10 (buster)
pi@ph5a:~ $ grep nameserver /etc/resolv.conf
nameserver 10.0.0.1
pi@ph5a:~ $ sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:    control-enable: yes
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10

If I do this, what will it achieve? I realize it means disabling the resolveconf.service but if I disable that, what will change regarding Unbound?

When you say 'sensible DNS server', does that mean using a different upstream other than Unbound?

And honestly, I'm not really trying to customize anything with Pihole or Unbound outside of the defaults that just "work".

The only things I added to the config were from this thread: https://www.reddit.com/r/pihole/comments/d9j1z6/unbound_as_recursive_dns_server_slow_performance/f1jnuq1/

That unit configures resolv.conf to point to the own host 127.0.0.1 for DNS resolution:

pi@ph5a:~ $ systemctl cat unbound-resolvconf.service
# /lib/systemd/system/unbound-resolvconf.service
[Unit]
Description=Unbound DNS server via resolvconf

It expects Unbound to be listening on 127.0.0.1 port 53 by default.
But it's not, because the guide has changed the default port 53 to 5335 instead.
So the whole purpose of that unit is broken if you change the default.

Yes.
It can be your router IP if that doesn't close a DNS loop, your ISP-provided DNS servers, or public DNS providers like Google, Cloudflare, Quad9 etc.
The reason: if you break Unbound or Pi-hole while tweaking/updating etc., you won't break DNS resolution for the processes on the Pi-hole host.
If you break Unbound or Pi-hole, you wouldn't even be able to upload a Pi-hole debug log.

Can't help you with that.

Sorry, two more questions:

1). By doing this, will it no longer use Unbound for DNS resolving and begin using the different upstream provider or will it just use the different upstream provider as a secondary DNS?

Currently, my setup looks like this: Unifi controller is set as DHCP > Pihole is set as DNS > Using Unbound > And then I have conditional forwarding in the Pihole pointing back to my router - the Unifi controller (not sure if that matters in this conversation)

2). In my Pihole, the DNS is set to 127.0.0.1#5335. How can I tell if Unbound is currently listening on port 53 or on port 5335? I followed the latest guide for installing Unbound, so the settings from there are what I have. The "customizations" in the config file I added today based on others saying they helped with the "sluggishness" of Unbound. But honestly, I can't tell if they're doing anything.

If you disable that unbound-resolvconf.service, DNS settings will revert back to those that were configured before installing Unbound (might need a reboot).

pi@ph5b:~ $ sudo ss -nltup "sport = 53 || sport = 5335"
Netid           State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port          Process
udp             UNCONN           0                0                                0.0.0.0:53                            0.0.0.0:*              users:(("pihole-FTL",pid=19678,fd=6))
udp             UNCONN           0                0                              127.0.0.1:5335                          0.0.0.0:*              users:(("unbound",pid=19820,fd=3))
udp             UNCONN           0                0                                      *:53                                  *:*              users:(("pihole-FTL",pid=19678,fd=8))
tcp             LISTEN           0                32                               0.0.0.0:53                            0.0.0.0:*              users:(("pihole-FTL",pid=19678,fd=7))
tcp             LISTEN           0                256                            127.0.0.1:5335                          0.0.0.0:*              users:(("unbound",pid=19820,fd=4))
tcp             LISTEN           0                32                                  [::]:53                               [::]:*              users:(("pihole-FTL",pid=19678,fd=9))

sudo ss -nltup "sport = 53 || sport = 5335"

root@DietPi:/etc# sudo ss -nltup "sport = 53 || sport = 5335"
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=28499,fd=4))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=5))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=3))
udp     UNCONN   0        0                      *:53                  *:*       users:(("pihole-FTL",pid=28499,fd=6))
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=28499,fd=5))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=6))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=28563,fd=4))
tcp     LISTEN   0        32                  [::]:53               [::]:*       users:(("pihole-FTL",pid=28499,fd=7))

Does this look okay?

Looks dandy

Bit awkward though that unbound with PID 28563 is listening twice on the same socket.

Yeah...not sure why that is.

You have duplicates below:

That might explain and might also be the cause of your initial issues :wink:

Hmmm....so which one should be the "master" config?

I realized you have lots of duplicates when checking the rgrep output.
I think you'll have to sort that out first.

I would stick with the guide's recommendations and remove the duplicate ones:

https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound

That's why I asked you to revert to the guide's defaults ... it's a bit messy right now :wink:
From there on you could always expand.

Oh, you have mine to compare:

pi@ph5a:~ $ sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:    control-enable: yes
/etc/unbound/unbound.conf.d/qname-minimisation.conf:server:
/etc/unbound/unbound.conf.d/qname-minimisation.conf:    qname-minimisation: yes
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
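
The duplicates discussed above can be listed mechanically. The following is an added example, not part of the original thread or the Pi-hole guide: a shell function that reads the `file:    option: value` lines printed by the rgrep command and reports options given different values in different places, plus option/value pairs that appear more than once (such as the repeated `interface: 127.0.0.1`). The function names are hypothetical, the sample is a constructed excerpt of the config lines posted earlier in the thread, and treating `interface` and `private-address` as options that may repeat is an assumption of the example.

```shell
#!/bin/sh
# Added example: list Unbound options that are set more than once.

find_repeated_options() {
    awk '
    # Assumption: these options may legitimately repeat with different values.
    BEGIN { list["interface"]; list["private-address"] }
    {
        sep = index($0, ":"); if (!sep) next        # strip the "path:" prefix
        rest = substr($0, sep + 1)
        sep = index(rest, ":"); if (!sep) next      # blank config line
        opt = substr(rest, 1, sep - 1)
        val = substr(rest, sep + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", opt)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (opt == "" || val == "") next            # clause header such as "server:"
        pair = opt SUBSEP val
        if (!(opt in nvals)) opts[++no] = opt       # remember first-seen order
        if (!(pair in count)) {
            pairs[++np] = pair
            nvals[opt]++
            vals[opt] = vals[opt] " " val
        }
        count[pair]++
    }
    END {
        # Same option, different values: the effective value depends on read order.
        for (i = 1; i <= no; i++) {
            o = opts[i]
            if (!(o in list) && nvals[o] > 1) print "CONFLICT " o ":" vals[o]
        }
        # Same option and value repeated, e.g. the same interface listed twice.
        for (i = 1; i <= np; i++) {
            if (count[pairs[i]] > 1) {
                split(pairs[i], p, SUBSEP)
                print "DUPLICATE " p[1] ": " p[2] " x" count[pairs[i]]
            }
        }
    }'
}

# Constructed sample: an excerpt of the rgrep output posted in the thread.
sample_rgrep_output() {
    cat <<'EOF'
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/use-large-buffers.conf:    so-rcvbuf: 8m
/etc/unbound/unbound.conf.d/use-safe-edns-buffer.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/unbound.conf:server:
/etc/unbound/unbound.conf.d/unbound.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/unbound.conf:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/unbound.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/unbound.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/unbound.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/use-optimized-threads.conf:    num-threads: 4
EOF
}

sample_rgrep_output | find_repeated_options
```

On a live system, pipe the output of the thread's `sudo rgrep -v '^ *#\|^$' /etc/unbound/unbound.conf*` into `find_repeated_options` instead of the sample.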

sudo ss -nltup "sport = 53 || sport = 5335"

Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=1868,fd=4))
udp     UNCONN   0        0              127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=2747,fd=3))
udp     UNCONN   0        0                      *:53                  *:*       users:(("pihole-FTL",pid=1868,fd=6))
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=1868,fd=5))
tcp     LISTEN   0        256            127.0.0.1:5335          0.0.0.0:*       users:(("unbound",pid=2747,fd=4))
tcp     LISTEN   0        32                  [::]:53               [::]:*       users:(("pihole-FTL",pid=1868,fd=7))

Yay - looks like yours now.

I deleted the "extra" config file unbound.conf that was in /etc/unbound/unbound.conf.d and now the only config file being read in /etc/unbound/unbound.conf.d is the pi-hole.conf.

The only thing I don't have that you do is the:

/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:    control-enable: yes

You did have before:

It's not part of the official guide though.