SERVFAIL with unbound


I will look into that. I did notice that the serial number of the domain was invalid, so that could cause the domain to be seen as invalid.

Update: It works here using unbound. What is your config for unbound?



The pasted image of the output shows some settings that are not present in the unbound configuration guide at

From “so-reuseport” down through “so-recbuf” are different or do not appear in the pi-hole setup guide. Why have you used these settings?


Your full configuration is shown in your screen snap.

I see that your settings for so_reuseport, msg-cache-size and rrset-cache-size are the defaults.

Your num-tcp settings are significantly higher than the defaults.



This is a screen shot of the settings recommended by the Pi-Hole guide. These do not match your settings in some respects, as noted above.


Ok, then I will return the TCP amount later, or delete it, but I don’t think it has anything to do with this! Hope so!


We are a Pi-Hole forum and can only offer limited advice on unbound, since the developers don’t write that code. I recommend going into the unbound forums to find out what causes SERVFAILs.


I am a little busy, so I am late to reply to your test results! Thank you for your guidance!


Can the unbound forum address be given to me?


Google is a good resource.


Thank you!!!


The unbound forum has no feedback; communication is only possible by mail.


Which version of Unbound are you using? The current ones for Jessie and Stretch are extremely outdated, and Unbound is now on 1.9.1… yes, already an updated version, and it is going very fast at the moment with patches.

If you want to see the debug output, then use sudo unbound -d -vvvvv to start, and stop with CTRL-C or cleaner, instead of sudo service unbound restart or start.

There is a bugzilla, but I think your problem is not due to the current version of Unbound, because others can resolve the domain despite it not being well formed by Google.

I have the problem that Unbound crashes if there is no connection to the internet, and I am waiting for it to do it again so I can give debug info. This has been going on for several versions. (#4230 is not fixed in 1.91)

Bugzilla for Unbound:

Maybe you are suffering from bug: #4230: clients seem to erroneously receive no answer with DNS-over-TLS and qname-minimisation.

This was solved in 1.9.1, not yet available in SID or Buster (Debian).


Ok, I am trying to upgrade unbound.



root@rockpi:/opt# unbound -h
usage: unbound [options]
start unbound daemon DNS resolver.
-h this help
-c file config file to read instead of /etc/unbound/unbound.conf
file format is described in unbound.conf(5).
-d do not fork into the background.
-v verbose (more times to increase verbosity)
Version 1.6.7
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.0g 2 Nov 2017
linked modules: dns64 python subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.n


That is because unbound is already running. First:

sudo service unbound stop

Here you can find the latest version, and the maintainers are the same as on Debian.

You could have dependencies going on when updating.

But first try stopping Unbound and starting it manually to see if there are any config errors.

Also you can run unbound-checkconf to see if there are config errors.


I did not install dnscryptproxy, just a Pi-hole and unbound.


My mistake, I noticed that you were trying to change directory.

Any luck with starting unbound in the debug mode?