Where did you get these settings? I wouldn't expect to see qname-minimisation enabled when using TLS - your requests are not going to the authoritative servers in this configuration.
Output of unbound-checkconf
I have followed this article.
https://bartonbytes.com/posts/configure-pi-hole-for-dns-over-tls/
It asks me to create pi-hole.conf
I do not have this file. Output of unbound-checkconf:
I am using apt get update && apt get install unbound -y to install. For Raspbian OS (Debian Jessie) this is the latest version available.
Am I doing something wrong here?
What is your goal in using TLS with unbound as opposed to running Pi-Hole as its own recursive server? Security, privacy, both?
To be honest, this started out as a project to have personal DNS over TLS server that I can configure in Android phones (Android Developers Blog: DNS over TLS support in Android P Developer Preview).
If DNS responses are altered, MiTM can easily occur. Hence I'd like to have a robust DNS system which also supports DNS over TLS, which I can configure on my Android phone. I was hoping to get a certificate from Let's Encrypt once I get the initial secured DNS to work.
Thank you.
Hi, am I going in the right direction here?
I'm implementing your new configuration right now.
Following is the status of the service:
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-04-18 19:36:18 IST; 6s ago
Docs: man:unbound(8)
Process: 20999 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 20994 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Main PID: 21004 (unbound)
CGroup: /system.slice/unbound.service
└─21004 /usr/sbin/unbound -d
Apr 18 19:36:18 DNSS-I-RP systemd[1]: Starting Unbound DNS server...
Apr 18 19:36:18 DNSS-I-RP package-helper[20999]: /var/lib/unbound/root.key has content
Apr 18 19:36:18 DNSS-I-RP package-helper[20999]: success: the anchor is ok
Apr 18 19:36:18 DNSS-I-RP systemd[1]: Started Unbound DNS server.
Apr 18 19:36:18 DNSS-I-RP unbound[21004]: [21004:0] notice: init module 0: validator
Apr 18 19:36:18 DNSS-I-RP unbound[21004]: [21004:0] notice: init module 1: iterator
Apr 18 19:36:18 DNSS-I-RP unbound[21004]: [21004:0] info: start of service (unbound 1.6.0).
and output of unbound -d -vvvv:
[1555596474] unbound[21055:0] notice: Start of unbound 1.6.0.
[1555596474] unbound[21055:0] debug: increased limit(open files) from 1024 to 4140
[1555596474] unbound[21055:0] debug: creating udp4 socket 127.0.0.1 5353
[1555596474] unbound[21055:0] debug: creating tcp4 socket 127.0.0.1 5353
[1555596474] unbound[21055:0] error: can't bind socket: Address already in use for 127.0.0.1 port 5353 (len 16)
[1555596474] unbound[21055:0] fatal error: could not open ports
Even if I change the port (5000), I am getting the same error:
[1555597022] unbound[846:0] notice: Start of unbound 1.6.0.
[1555597022] unbound[846:0] debug: increased limit(open files) from 1024 to 4140
[1555597022] unbound[846:0] debug: creating udp4 socket 127.0.0.1 5000
[1555597022] unbound[846:0] debug: creating tcp4 socket 127.0.0.1 5000
[1555597022] unbound[846:0] error: can't bind socket: Address already in use for 127.0.0.1 port 5000 (len 16)
[1555597022] unbound[846:0] fatal error: could not open ports
What am I doing wrong here?
A quick question: the original configuration has
ssl-upstream: yes
so adding forward-ssl-upstream: yes
-- is that for the local system sending queries it receives from other clients on the network? Just making sure it's not a point of error.
Now I am getting a new error:
[1555601604] unbound[1605:0] notice: Start of unbound 1.6.0.
[1555601604] unbound[1605:0] error: Could not open /etc/unbound/unbound.conf: No such file or directory
[1555601604] unbound[1605:0] warning: Continuing with default config settings
[1555601604] unbound[1605:0] debug: increased limit(open files) from 1024 to 4152
[1555601604] unbound[1605:0] debug: creating udp6 socket ::1 53
[1555601604] unbound[1605:0] error: can't bind socket: Permission denied for ::1 port 53 (len 28)
[1555601604] unbound[1605:0] fatal error: could not open ports
Should I create this directory and put the file there?
Hi, I uninstalled unbound and reinstalled it using sudo apt install unbound -y. Post installation I do see the directory /etc/unbound but there is no default configuration file. There is no .conf file at all.
Here are the contents
.:
total 28
drwxr-xr-x 3 root root 4096 Apr 21 23:38 .
drwxr-xr-x 93 root root 4096 Apr 21 23:38 ..
drwxr-xr-x 2 root root 4096 Apr 21 23:38 unbound.conf.d
-rw------- 1 root root 2455 Apr 21 23:38 unbound_control.key
-rw-r----- 1 root root 1330 Apr 21 23:38 unbound_control.pem
-rw------- 1 root root 2459 Apr 21 23:38 unbound_server.key
-rw-r----- 1 root root 1318 Apr 21 23:38 unbound_server.pem
./unbound.conf.d:
total 8
drwxr-xr-x 2 root root 4096 Apr 21 23:38 .
drwxr-xr-x 3 root root 4096 Apr 21 23:38 ..
Is there any default configuration that I am missing?
Here is the output of netstat
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 712/pihole-FTL
tcp6 0 0 :::53 :::* LISTEN 712/pihole-FTL
udp 0 0 0.0.0.0:53 0.0.0.0:* 712/pihole-FTL
udp 0 0 0.0.0.0:5353 0.0.0.0:* 443/avahi-daemon: r
udp6 0 0 :::53 :::* 712/pihole-FTL
udp6 0 0 :::5353 :::* 443/avahi-daemon: r
As I can see, avahi-daemon is taking up port 5353. I created a configuration file using a different port (port: 6000). Should avahi-daemon be there?
Here is the output of unbound -d -vvvv:
[1555870852] unbound[10399:0] notice: Start of unbound 1.6.0.
[1555870852] unbound[10399:0] error: Could not open /etc/unbound/unbound.conf: No such file or directory
[1555870852] unbound[10399:0] warning: Continuing with default config settings
[1555870852] unbound[10399:0] debug: increased limit(open files) from 1024 to 4152
[1555870852] unbound[10399:0] debug: creating udp6 socket ::1 53
[1555870852] unbound[10399:0] error: can't bind socket: Permission denied for ::1 port 53 (len 28)
[1555870852] unbound[10399:0] fatal error: could not open ports
Should I just re-image the card and start over? I am not sure why this simple configuration is causing unnecessary hurdles.
Thank you for your continued assistance. This is supposed to be an important college project but I am lagging behind due to this.
Have a wonderful week ahead.
No. I would put in the required configuration files.
On my unbound install (per the Pi-Hole guide), unbound.conf is an inclusion file only:
cat unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
In the referenced directory, you should have the following files:
/etc/unbound/unbound.conf.d $ ls -lh
total 12K
-rw-r--r-- 1 root root 2.0K Dec 28 07:52 pi-hole.conf
-rw-r--r-- 1 root root 302 Feb 19 2017 qname-minimisation.conf
-rw-r--r-- 1 root root 190 Feb 19 2017 root-auto-trust-anchor-file.conf
Because unbound can't find its configuration file, it is trying to launch on the default port 53, which is in use by Pi-Hole. Fix the configuration files and you fix this problem.
Can you cat the above 2 files? I will copy-paste them. It's odd that my installation is not creating these files anymore. It does say recommended package - AppArmor -- should I install it?
Where is unbound.conf placed? Is it /etc/unbound/?
Yes.
/etc/unbound/unbound.conf.d $ cat qname-minimisation.conf
server:
# Send minimum amount of information to upstream servers to enhance
# privacy. Only sends minimum required labels of the QNAME and sets
# QTYPE to NS when possible.
# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
# details.
qname-minimisation: yes
The pi-hole.conf file is listed here: https://docs.pi-hole.net/guides/unbound/
For the Raspberry Pi pi-hole.conf, should I use the configuration from https://docs.pi-hole.net/guides/unbound/ or from https://bartonbytes.com/posts/configure-pi-hole-for-dns-over-tls/ ?
I have created the file /etc/unbound/unbound.conf.d/qname-minimisation.conf with the contents you gave me.
And I also created unbound.conf.
Here is the current output of netstat:
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 712/pihole-FTL
tcp6 0 0 :::53 :::* LISTEN 712/pihole-FTL
udp 0 0 0.0.0.0:53 0.0.0.0:* 712/pihole-FTL
udp 0 0 0.0.0.0:5353 0.0.0.0:* 443/avahi-daemon: r
udp6 0 0 :::53 :::* 712/pihole-FTL
udp6 0 0 :::5353 :::* 443/avahi-daemon: r
I need to configure some other port as avahi-daemon is running on port 5353. Should I autoremove it?
This is extremely frustrating, but I changed the port to 6000 and I am still getting:
[1555872969] unbound[14437:0] notice: Start of unbound 1.6.0.
[1555872969] unbound[14437:0] debug: increased limit(open files) from 1024 to 4140
[1555872969] unbound[14437:0] debug: creating udp4 socket 127.0.0.1 6000
[1555872969] unbound[14437:0] debug: creating tcp4 socket 127.0.0.1 6000
[1555872969] unbound[14437:0] error: can't bind socket: Address already in use for 127.0.0.1 port 6000 (len 16)
[1555872969] unbound[14437:0] fatal error: could not open ports
Here is the netstat:
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 14401/unbound
udp 0 0 127.0.0.1:6000 0.0.0.0:* 14401/unbound
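A check for the situation in the post above, where the port a debug `unbound -d` wants is already held (by avahi-daemon on 5353, and on 6000 by the unbound service that is already running), written as an added example that is not from this thread or the Pi-hole project. The netstat lines are constructed to mirror the ones posted, and the `port_owner`, `port_is_free` and `advise` names are my own.

```shell
#!/bin/sh
# Added example: "can't bind socket: Address already in use" only says a listener
# exists on the port, not whose it is. Look that up before starting unbound -d.

# Constructed sample in "netstat -tulpn" layout, mirroring the thread's lines
# (pihole-FTL on 53, avahi-daemon on 5353, a running unbound service on 6000).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 712/pihole-FTL
udp 0 0 0.0.0.0:53 0.0.0.0:* 712/pihole-FTL
udp 0 0 0.0.0.0:5353 0.0.0.0:* 443/avahi-daemon: r
udp6 0 0 :::5353 :::* 443/avahi-daemon: r
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 14401/unbound
udp 0 0 127.0.0.1:6000 0.0.0.0:* 14401/unbound'

# port_owner PORT [NETSTAT_TEXT]: prints "PID/NAME" of the first socket bound to
# PORT, or "free". With one argument it reads the live table (root shows PIDs).
port_owner() {
    _text=${2:-$(netstat -tulpn 2>/dev/null)}
    printf '%s\n' "$_text" | awk -v p="$1" '
        {
            # Field 4 is the local address; the port follows its last colon,
            # which also covers the IPv6 ":::53" form.
            n = split($4, a, ":")
            if (a[n] != p) next
            # The PID/Program field is the first one shaped like "123/name".
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) {
                    sub(/:$/, "", $i)   # netstat truncates "avahi-daemon: r"
                    print $i; found = 1; exit
                }
        }
        END { if (!found) print "free" }'
}

# port_is_free PORT [NETSTAT_TEXT]: exit status 0 when nothing is bound to PORT.
port_is_free() { [ "$(port_owner "$1" "$2")" = free ]; }

# advise PORT [NETSTAT_TEXT]: turn the owner into the action the thread needed.
advise() {
    case "$(port_owner "$1" "$2")" in
        free)      echo "port $1 is free; unbound -d can bind it" ;;
        */unbound) echo "port $1: unbound service already running; stop it first" ;;
        *)         echo "port $1 held by $(port_owner "$1" "$2"); choose another" ;;
    esac
}

advise 6000 "$SAMPLE_NETSTAT"   # the service itself holds the port
advise 5353 "$SAMPLE_NETSTAT"   # avahi-daemon (mDNS) holds the port
advise 5335 "$SAMPLE_NETSTAT"   # a port not present in the sample
```

Against a live system, run `port_owner 6000` as root before `unbound -d`; when the owner is unbound itself, `systemctl stop unbound` clears the port for the debug run.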
It depends on how you want to run your unbound instance. The Pi-Hole guide sets it up as a local recursive resolver. The bartonbytes guide configures it as a forwarder. I would stick to the Pi-Hole guide, get unbound running, then change it to a forwarder later if you choose.
Here is the output of the test:
dig @127.0.0.1 cloud.maniarfamily.com -p 6000
; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.0.0.1 cloud.maniarfamily.com -p 6000
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached