You don't need to have a cron job updating the root.hints.
When you install unbound via the APT packaging system, it already comes with root.hints:
pi@ph5:~ $ apt depends unbound
[..]
Depends: dns-root-data
[..]
pi@ph5:~ $ dpkg -L dns-root-data
[..]
/usr/share/dns/root.hints
[..]
root.hints doesn't change that often so you just have to keep your distro updated to also update the root.hints:
sudo apt update && sudo apt upgrade
Also, opening 80/443 to the public is not recommended for security reasons.
While the Pi-hole web GUI is safe to run at home, it isn't hardened against attacks etc. when exposed to the Internet.
Yes, it is required.
Not because of unbound, but because systemd-resolved is also a caching DNS forwarder, same as Pi-hole.
The two would conflict, fighting over ports 53 UDP + TCP, if you don't disable systemd-resolved:
pi@ph5:~ $ sudo netstat -nltup | grep 'Proto\|pihole-FTL '
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2207/pihole-FTL
tcp 0 0 127.0.0.1:4711 0.0.0.0:* LISTEN 2207/pihole-FTL
tcp6 0 0 :::53 :::* LISTEN 2207/pihole-FTL
tcp6 0 0 ::1:4711 :::* LISTEN 2207/pihole-FTL
udp 0 0 0.0.0.0:53 0.0.0.0:* 2207/pihole-FTL
udp6 0 0 :::53 :::* 2207/pihole-FTL
Did you alter /etc/systemd/resolved.conf, and why?
Is the date/time in sync/not too far off?
timedatectl
What do the two commands below, from the official unbound guide, output?
dig +noall +comments @127.0.0.1 -p 5335 sigfail.verteiltesysteme.net
dig +noall +comments +answer @127.0.0.1 -p 5335 sigok.verteiltesysteme.net
To up the verbosity of the logging and display it on screen, you could stop unbound:
sudo service unbound stop
Run it manually with the below:
sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf
Run the two dig commands posted above again and take note of any errors/warnings.
You can stop unbound again by pressing CTRL-C.
And start it up again using systemd:
sudo service unbound start
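
Added example, not part of the post above: a small shell helper that reads the header printed by the two dig commands and says whether unbound is actually validating DNSSEC. The function name dnssec_verdict and its verdict labels are made up for this illustration, and the sample headers are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Interpret `dig +noall +comments` output for the two DNSSEC test names.
# dig output is read on stdin; $1 is "sigfail" or "sigok".
dnssec_verdict() {
    awk -v want="$1" '
        /->>HEADER<<-/ {                  # ... status: SERVFAIL, id: N
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ {                    # ;; flags: qr rd ra ad; QUERY: ...
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            # No header at all: nothing answered on that address/port.
            if (status == "") v = "no-reply"
            # A validating resolver must refuse the deliberately bad signature.
            else if (want == "sigfail") {
                if (status == "SERVFAIL") v = "validating"
                else v = "not-validating"
            }
            # Good signature but an error status: validation itself is failing
            # (a wrong system clock is one cause, hence the timedatectl check).
            else if (status != "NOERROR") v = "broken:" status
            # NOERROR plus the ad flag: the answer was validated.
            else if (ad) v = "validating"
            else v = "resolves-unvalidated"
            print v
        }'
}

# Constructed sample headers (illustrative, not real captures).
SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOVALIDATION=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_SIGFAIL" | dnssec_verdict sigfail
# Live use:
#   dig +noall +comments @127.0.0.1 -p 5335 sigfail.verteiltesysteme.net | dnssec_verdict sigfail
```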