Setting up pihole with unbound

So I'm trying to make my raspberry pi into a DNS Resolver (unbound). I'm following this guide and I have some questions about it:

If you are installing unbound from a package manager, it should install the root.hints file automatically with the dependency dns-root-data. The root hints will then be automatically updated by your package manager.

If I install unbound with apt (I have raspberry pi os lite, so headless), does that mean that I don't need to manually download the root.hints file? Correct me if I'm wrong, but isn't apt considered a package manager?

If the answer to the above question is no, why is manual downloading of the file made "optional"? I mean, without it how can unbound be unbound?

#Use this only when you downloaded the list of primary root servers!
#If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"

I also don't know if I need this or not. I guess it depends on the answer to my question above.

The unbound package can come with a systemd service called unbound-resolvconf.service and default enabled. It instructs resolvconf to write unbound's own DNS service at nameserver 127.0.0.1, but without the 5335 port, into the file /etc/resolv.conf. That /etc/resolv.conf file is used by local services/processes to determine DNS servers configured. If you configured /etc/dhcpcd.conf with a static domain_name_servers= line, these DNS server(s) will be ignored/overruled by this service.

I understand that this service will automatically edit /etc/resolv.conf to nameserver 127.0.0.1, but isn't that what we want, for the local services to still go through the pihole dnsmasq instead of going direct to another upstream DNS server? I'm not using the DHCP service of pihole so I have an upstream DNS server (pfsense) that it uses if you disable this service.

Also, ever since I installed pihole (even before installing unbound), the domain entry in /etc/resolv.conf is gone. My DHCP server advertises the domain name to use to all my other clients. Does this mean that pihole is somehow preventing the domain entry on the resolv.conf file?

That should be all for now. Thanks.

Any help here please?

My advice would be to follow our guide to completion. If unbound works, you are done. If not, then you can look at the root.hints and other features you discussed.

With Raspberry Pi Lite, our guide should work fine. I've installed Pi-hole multiple times on Raspbian/Raspberry Pi OS and didn't change anything from the guide. I didn't use the apt manager root.hints and I didn't need to modify any resolv.conf files either.

Yes, Advanced Package Tool or APT is Debian's main package manager.

The rest of your root hint questions is already answered by the guide.

That's your decision.
Pi-hole's clients are not affected by those settings.

However, having unbound altering resolv.conf may counteract your own DNS configuration for the host. The guide states how to get rid of it if it does.

It's a good idea to (also) provide a public DNS server for your Pi-hole host. That would allow that host machine to still resolve DNS and update or upgrade packages if Pi-hole should be inoperative for any reason.

If you opted for creation of a static IPv4 address during Pi-hole's installation, Pi-hole's installation script would have added some respective lines for your chosen interface to /etc/dhcpcd.conf.

Once a static IPv4 is successfully set on-device, the host will not request a DHCP lease through your DHCP server anymore.

It's not that I don't trust the guide, I do but it's not as simple as following guides blindly. Working in the IT industry, I'm used to understanding everything before implementation. So even though this is just for home use, I still wanted to ask those questions anyway.

Thanks for answering my questions. They completely make sense except for one thing: I did not let Pi-Hole do a static IPv4 config during installation. I've specifically stated to use DHCP because I prefer DHCP reservation for my home servers. So I still don't understand why my resolv.conf file does not have the domain in it. Is there a specific line in dhcpd.conf that I'm looking for to verify? Sorry, I'm a Linux beginner but I learned a lot since I started a couple of years back.

@Bucking_Horn

So the pihole installation definitely assigned a static IP address:

pi@pi:~ $ cat /etc/dhcpcd.conf
# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname

# Use the hardware address of the interface for the Client ID.
clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
#duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Most distributions have NTP support.
#option ntp_servers

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

# Example static IP configuration:
#interface eth0
#static ip_address=192.168.0.10/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
#static routers=192.168.0.1
#static domain_name_servers=192.168.0.1 8.8.8.8 fd51:42f8:caae:d92e::1

# It is possible to fall back to a static IP if DHCP fails:
# define static profile
#profile static_eth0
#static ip_address=192.168.1.23/24
#static routers=192.168.1.1
#static domain_name_servers=192.168.1.1

# fallback to static profile on eth0
#interface eth0
#fallback static_eth0
interface eth0
        static ip_address=192.168.50.50/24
        static routers=192.168.50.1
        static domain_name_servers=192.168.10.1 192.168.10.1

Why does it do that even though I told the pihole installation to use DHCP? Also, I have two other Debian Buster boxes (not Raspberry Pi OS) that do not have /etc/dhcpcd.conf. Was that file somehow installed by pihole or raspbian?

Since I don't have the rpi physically with me now, I'm not able to reinstall everything. However, I watched an install video and it looks like I hit Yes when asked if I wanted to use the current IP config as a static IP profile. So that was my bad.

My question now is, to revert to using DHCP, do I just delete those static IP profile entries in the dhcpcd.conf file?

Likely because you are experiencing the very eventuality that the guide accounts for in Disable resolvconf for unbound (optional).

Roy Marples' dhcpcd5 is the default network configuration tool for Raspberry Pi OS.
Debian uses a mix of tools, e.g. dhclient and NetworkManager.

Pi-hole would install dhcpcd5 as a dependency on OSs where that's not already present.

I cannot know that.
On a machine already running Raspberry Pi OS, the mere presence of those lines wouldn't allow one to cleanly deduce whether those would have been added by Pi-hole or by some other party. You also may indeed have opted to set a static address during installation.

If you'd want to go with a DHCP lease reservation as configured in your router instead, just delete those 4 lines (edit: for interface eth0) from dhcpcd.conf and reboot your RPi.

Before you do that, make sure your router indeed has a DHCP lease reservation for your RPi with an IPv4 address that matches your current Pi-hole's IP, or you will lose DNS resolution as soon as your RPi switches to a new IP.
You may check your current IPv4s on your RPi via

ip -4 address
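
The check described in the reply above, as an added example that is not part of the original posts or of the Pi-hole guide: it reads the active (uncommented) static lines for an interface from a dhcpcd.conf-style file and compares the static IPv4 address with the address reserved on the DHCP server. The function names, the sample file and the reserved address passed in are assumptions made for illustration; the reserved address has to be read from the router by hand.

```shell
#!/bin/sh
# Read-only checks before removing a static stanza from dhcpcd.conf.
# Nothing here modifies the system; the sample file below is constructed.

# Print the active "static" settings of the "interface IFACE" stanza.
active_static() {        # usage: active_static FILE IFACE
    awk -v ifc="$2" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        $1 == "interface" { in_block = ($2 == ifc); next }
        $1 == "profile" || $1 == "ssid" { in_block = 0; next }
        in_block && $1 == "static" { sub(/^[ \t]*static[ \t]+/, ""); print }
    ' "$1"
}

# Static IPv4 address configured for IFACE, prefix length removed.
static_ipv4() {          # usage: static_ipv4 FILE IFACE
    active_static "$1" "$2" | sed -n 's/^ip_address=\([0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds only if the router's reservation equals the current static
# address, so the Pi-hole IP stays the same after switching to DHCP.
reservation_matches() {  # usage: reservation_matches FILE IFACE RESERVED_IP
    cur=$(static_ipv4 "$1" "$2")
    [ -n "$cur" ] && [ "$cur" = "$3" ]
}

# Live address from the kernel (same data as "ip -4 address"); not run here.
live_ipv4() {            # usage: live_ipv4 IFACE
    ip -4 -o address show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#interface eth0
#static ip_address=192.168.0.10/24
interface eth0
        static ip_address=192.168.50.50/24
        static routers=192.168.50.1
        static domain_name_servers=192.168.10.1 192.168.10.1
EOF

active_static "$sample" eth0
if reservation_matches "$sample" eth0 192.168.50.50; then
    echo "reservation matches the static address"
else
    echo "reservation differs: the Pi-hole IP would change"
fi
```

On a real host, pass /etc/dhcpcd.conf instead of the sample file and compare the result with `live_ipv4 eth0`.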

Got it. I did install unbound before posting in this forum but I've reinstalled the Pi OS since then. So now I only have Pihole. I'm installing unbound now using the guide and I think all my questions are answered for now. If I have any hiccups during the installation, I'll definitely post back. Thank you again for the help.