Pihole w/ Unbound 1.12 DNS over HTTPS

Hey guys. I’m having some issues compiling the latest Unbound w/ DOH (1.12) and I was hoping one of the Unbound Gurus can chime in and help me out. I’ve manually compiled Unbound from scratch through several updates without issues, I’m sure I’m missing something on the Debian (Buster) side of things. When trying to compile Unbound with ./configure --with-nghttp2 I get an error during compilation that “nghttp2” cannot be found. On the Debian Buster side of things I tried installing the nghttp2 client/server/reverse proxy using sudo apt-get install nghttp2 and all packages and dependencies are installed, but I still get the error during Unbound compilation. The documentation on nghttp2 in the Unbound and Buster man pages is very limited and I can’t even locate the proper command, if any is needed, to start the nghttp2 service. This may not even be my issue, but I’m assuming the error during compilation of Unbound is because the service itself isn’t running on the client (Raspberry Pi 4). Has anyone attempted to get this going with Pi-hole and DNS over HTTPS in Unbound? I managed to update to Unbound 1.12 with no issues, but without the nghttp2 configuration, therefore I’m not using DOH at the moment, although I would like to. Any help would be greatly appreciated.

This sounds like an unbound exclusive question.

I suspect you'll increase your chances of having an Unbound guru answer your call if you search where those gurus are, i.e. at Unbound support. :wink:

1 Like

I have a better chance here honestly as many PiHole users compile Unbound from scratch and many use raspberry pi. I tried signing up on the Unbound forums and it isn’t an exactly user friendly space. You need to have a degree in computer science to even post in those forums.

I'm in a generous mood:

Did you install libnghttp2-dev to get the development headers for the libraries you'll need? (May need libnghttp2-14, but the development package should pull in all required dependencies.)

2 Likes

Thanks Dan!!!! I’m grateful for your generous mood today. :grin: I haven’t tried those packages, I tried the default Debian packages using “apt-get install nghttp2”. Didn’t try the packages you mentioned above. I’ll give it a shot when I’m out of work. So basically I can substitute the command with this: “sudo apt-get install libnghttp2-dev”?

That would be awesome. But most of the time the Debian package is stripped of some of Unbound’s capabilities/features. For instance if you want to use DNS Tap or other features, maybe even DOH, you need to compile from scratch and configure Unbound with these capabilities while compiling. The Debian version is usually stripped down to the basic configurations.

2 Likes

Agreed on your point @anon94500823, I was lucky enough that a member here shared a step by step approach to compile Unbound, to counter the issue you describe.

1 Like

@ChurchOfNoise Funny thing, I learned how to compile Unbound here as well. The Unbound forums are for wayyyyyyyyy advanced users that actually tweak Unbound and improve upon it. I once asked a general question and didn’t even get a response. :man_shrugging:t2::joy::joy:

1 Like

Yeah I learned that very early on which is why I sought out instruction on how to compile unbound myself. Way more powerful features available when you compile. I kinda figured the Debian version wouldn’t have DoH as it didn’t have DNS Tap capabilities baked in either. Thanks for looking that up. That might help some users in the future if they’re racking their brain on why these features don’t work straight away with the Debian version of Unbound. @msatter

Thanks Dan. That managed to fix the errors during compiling. Couldn’t start Unbound, but at least it compiled. When I removed the 443 port and the tls-service-key and tls-service-pem options from the conf file I was able to get up and running again. I reached out to the Unbound devs on Twitter and I’m awaiting a response there, if I get one.

Have you managed to get DoH working on your install? I managed to compile after adding the proper package/dependencies, but Unbound refuses to start on port 443.

Haven't tried yet, I prefer to keep using the authoritative DNS servers (use Unbound as recursive server), and these can't be approached using DoH if I understood correctly.

Isn't Lighttpd using port 443? Never thought about this, I guess DoH to public providers requires using port 443, hence the webserver cannot use HTTPS anymore the regular way. Another argument for DoT?

1 Like

I’m not sure if it does, and don’t know how to confirm either. But, that’s most likely the issue, some other service is using port 443. I believe in Unbound you can change the default DoH port, looking into that.

lsof -i :443

Why even do this? Why depend on a foreign provider and tell them everything about you by using them exclusively as your DNS (Google and Cloudflare are the worst) when you already have a recursive resolver in position for doing the same job independently and without a massive data harvester in between? If you want to/have to hide from your government, just run the recursive resolver over a VPN. Still better than doing things over DoH.

Let's stick with original topic, the DoH/DoT discussion has been fought on multiple other places on this forum. If someone needs to hide DNS requests from local ISP (while public provider is okay), encryption is required, that's it.

This indeed is an option, though not that easy to set up, via split tunnelling e.g., maybe someone writes a guide on this :wink:. Although, then you need to trust the VPN provider, aside from the costs this usually implies. In the end you always need to trust someone, and if there is a public DNS provider you do, maybe not Google or Cloudflare, but maybe Quad9, then this is a free of cost way to cover DNS requests from local ISP :slightly_smiling_face:.

1 Like

Thank you!!! I ran that command you provided above and it didn’t yield any results. @MichaIng

Okay, then at least nothing is bound to port 443 :thinking:. Another thing is permissions, at least there are no reasons why unbound should run as privileged user or even root, so probably it's running as unbound UNIX user which requires some permission elevation to bind to ports <=999? Let me check which that was.
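The two explanations floated in this thread (port 443 already taken, or the unbound user not being allowed to bind it) fail in ways that look identical from the outside but carry different errnos. The following added example, not from the thread or from Unbound itself, separates them: EADDRINUSE is what `lsof -i :443` would have revealed, EACCES is what an unprivileged user gets on a port below 1024 and shows nothing in `lsof` because nothing is listening. `try_bind` and `explain` are names chosen here; port 0 serves as the always-allowed control case.

```python
"""Classify why a TCP listener cannot be bound on a given port (added example).

Run as the same UNIX user the resolver runs under (e.g. `sudo -u unbound python3 ...`)
to reproduce what the daemon sees when it tries to open its DoH port.
"""
import errno
import os
import socket

# On Linux, binding below this needs root or the CAP_NET_BIND_SERVICE capability.
PRIVILEGED_PORT_LIMIT = 1024


def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Attempt a TCP bind and return 'bound', 'in-use', 'permission-denied' or 'error:<name>'.

    The socket is closed right away, so the port is released again either way.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        return "bound"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"  # another process holds the port: lsof/ss will show it
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "permission-denied"  # nothing is listening, so lsof shows nothing
        return f"error:{errno.errorcode.get(exc.errno, exc.errno)}"
    finally:
        sock.close()


def explain(port: int, result: str) -> str:
    """Map a try_bind() result to the next check a practitioner would run."""
    uid = os.geteuid()
    if result == "bound":
        return f"port {port} is free and bindable by uid {uid}"
    if result == "in-use":
        return f"port {port} is held by another process; identify it with: lsof -i :{port}"
    if result == "permission-denied" and port < PRIVILEGED_PORT_LIMIT:
        return (f"uid {uid} may not bind privileged port {port}; grant the service "
                "CAP_NET_BIND_SERVICE rather than running the resolver as root")
    return f"unexpected bind failure on port {port}: {result}"


if __name__ == "__main__":
    for candidate in (0, 443):
        print(explain(candidate, try_bind(candidate)))
```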

What about https://medium.com/@devinjaystokes/automating-the-deployment-of-your-forever-free-pihole-and-wireguard-server-dce581f71b7

or: https://www.reddit.com/r/pihole/comments/gsxdmn/pihole_pivpn_wireguard_entirely_on_vps_free_tier/

for recursive resolver over a VPN?

1 Like