Trying to install unbound on Raspberry pi - Non Pihole issue (do i remove avahi?)

My Pi was acting weird so today I have reset everything: fresh install from Raspberry Pi builder, fresh install of Pi-hole, teleported my settings in, and all is working fine....
Now, I'd never used unbound before but I like the idea of it, so, after seeing how simple it looks to set up, I tried following this guide; not sure if it's OK to post here, if not please feel free to delete
https://docs.pi-hole.net/guides/dns/unbound/

Fresh install of latest Raspberry Pi & Pi-hole - no other apps

When I run the install of unbound I get the errors below.... I'm wondering, as I found something called avahi already listening on 5353, do I even need that with Pi-hole? (I read it comes as default with the Pi install?)


Linux raspberrypi 5.10.82-v7+ #1493 SMP Wed Dec 1 11:35:18 GMT 2021 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec  2 12:11:59 2021 from 192.168.99.108
pi@raspberrypi:~ $ sudo apt install unbound
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  apparmor
The following NEW packages will be installed:
  unbound
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 744 kB of archives.
After this operation, 3,966 kB of additional disk space will be used.
Get:1 http://raspbian.mirror.uk.sargasso.net/raspbian bullseye/main armhf unbound armhf 1.13.1-1 [744 kB]
Fetched 744 kB in 6s (131 kB/s)
Selecting previously unselected package unbound.
(Reading database ... 42275 files and directories currently installed.)
Preparing to unpack .../unbound_1.13.1-1_armhf.deb ...
Unpacking unbound (1.13.1-1) ...
Setting up unbound (1.13.1-1) ...
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
invoke-rc.d: initscript unbound, action "restart" failed.
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2021-12-02 12:57:34 GMT; 77ms ago
       Docs: man:unbound(8)
    Process: 6279 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 6282 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
    Process: 6285 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
    Process: 6286 ExecStopPost=/usr/lib/unbound/package-helper chroot_teardown (code=exited, status=0/SUCCESS)
   Main PID: 6285 (code=exited, status=1/FAILURE)
        CPU: 205ms
Processing triggers for man-db (2.9.4-2) ...
pi@raspberrypi:~ $ netstat -a | less
pi@raspberrypi:~ $ unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
pi@raspberrypi:~ $ udo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
-bash: udo: command not found
pi@raspberrypi:~ $ sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 208.67.222.222
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: 208.67.220.220
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
pi@raspberrypi:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:5335 \|:8953 \|:67 \|:80 \|:471'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      570/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      528/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      570/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      570/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      528/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      570/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           570/pihole-FTL
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           308/avahi-daemon: r
udp6       0      0 :::53                   :::*                                570/pihole-FTL
udp6       0      0 :::5353                 :::*                                308/avahi-daemon: r
pi@raspberrypi:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:5335 \|:8953 \|:67 \|:80 \|:471'


It would seem you just completed the first step of the guide (i.e. sudo apt install unbound).

I'd ignore the error for now and continue with Configure unbound from the guide.

(Also note that avahi (5353) and unbound (5335) would run on different ports if you follow our guide)

Ah great, thank you!! Seems to be working, but when I do a "what's my DNS server" test I get

US OPENDNS - Cisco OpenDNS, LLC 208.69.34.64
US OPENDNS - Cisco OpenDNS, LLC 208.69.34.65

I'm guessing something to do with the Disable resolvconf for unbound (optional) section?

Linux raspberrypi 5.10.82-v7+ #1493 SMP Wed Dec 1 11:35:18 GMT 2021 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec  2 13:20:59 2021 from 192.168.99.108
pi@raspberrypi:~ $ sudo systemctl disable unbound-resolvconf.service
pi@raspberrypi:~ $ sudo systemctl stop unbound-resolvconf.service
pi@raspberrypi:~ $ sudo systemctl restart dhcpcd
pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 208.67.222.222
nameserver 208.67.220.220
pi@raspberrypi:~ $

What's the output of:

sudo grep -nv '#\|^$' -R /etc/unbound/unbound.conf*

thanks i had just gone through and disabled the
I also edited the resolv.conf file, putting a # before the nameservers and saving it, then restarting the service (but I still get OpenDNS when I test)

I have run your command and it shows below

Using username "pi".
pi@192.168.65.252's password:
Linux raspberrypi 5.10.82-v7+ #1493 SMP Wed Dec 1 11:35:18 GMT 2021 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec  2 13:30:52 2021 from 192.168.99.108
pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 208.67.222.222
nameserver 208.67.220.220
pi@raspberrypi:~ $ sudo nano /etc/resolv.conf
pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
#nameserver 208.67.222.222
#nameserver 208.67.220.220
pi@raspberrypi:~ $ sudo service unbound restart
pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
#nameserver 208.67.222.222
#nameserver 208.67.220.220
pi@raspberrypi:~ $ sudo grep -nv '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:10:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:3:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:4:        name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:5:        forward-addr: 208.67.222.222
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:6:        forward-addr: 208.67.220.220
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:1:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:4:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:1:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:4:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:6:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:7:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:8:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:9:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:10:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:13:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:17:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:24:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:27:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:31:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:35:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole.conf:39:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:42:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:45:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:48:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:49:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:50:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:51:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:52:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:53:    private-address: fe80::/10
pi@raspberrypi:~ $

Updated after editing: I # out the 2 nameservers, but now no DNS is working lol

Pi-hole shows as bogus
|2021-12-02 13:42:19|A|www.google.com|192.168.65.23|OK, sent to localhost#5335

BOGUS

pi@raspberrypi:~ $ sudo grep -nv '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:10:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:3:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:4:        name: "."
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:1:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:4:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:1:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:4:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:6:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:7:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:8:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:9:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:10:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:13:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:17:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:24:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:27:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:31:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:35:    edns-buffer-size: 1472
/etc/unbound/unbound.conf.d/pi-hole.conf:39:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:42:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:45:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:48:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:49:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:50:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:51:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:52:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:53:    private-address: fe80::/10
pi@raspberrypi:~ $

See Pihole + Unbound not working as it should - #12 by jfb

Thanks, after I removed those nameservers... DNS doesn't resolve at all and Pi-hole reports "bogus"

I also now get SERVFAIL for both the dig tests (unless I add those 2 OpenDNS nameservers in)

pi@raspberrypi:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34634
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Dec 02 13:47:54 GMT 2021
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.16.22-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56860
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Dec 02 13:47:55 GMT 2021
;; MSG SIZE  rcvd: 55

pi@raspberrypi:~ $

The post I've linked above recommends to alter a file and delete another and then restart unbound - but it does not recommend to remove nameservers individually?

Please read carefully through the linked post again.

Ah, sorry, I totally missed the link below!

I've followed that (commenting out the line and deleting the file, then restarting) and now all seems to be working as expected!

Now when I do a test at https://www.whatsmydnsserver.com/ it shows only my WAN address.

Many thanks for all your help!!
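
An added example, not part of the thread or of the Pi-hole guide: a shell check that classifies an unbound config directory into the three states seen in the posts above, namely a root forward-zone pointing at upstream resolvers (queries go to OpenDNS rather than being resolved recursively), a root forward-zone left with no forward-addr (the state in which the dig tests returned SERVFAIL), and no root forward-zone at all. The function names `audit_root_forward` and `write_sample` are hypothetical, and the sample files are constructed from the grep output shown in the posts.

```shell
#!/bin/sh
# Added example: classify how an unbound conf.d directory treats the root zone.
# Prints "recursive", "forwarding <addr>...", or "broken-forward-zone".
audit_root_forward() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    # Read every *.conf that the include-toplevel glob would load.
    cat "$1"/*.conf 2>/dev/null | awk '
        function close_clause() {   # end current clause, record a root forward-zone
            if (in_fz && is_root) { found = 1; addrs = addrs zone_addrs }
            in_fz = 0; is_root = 0; zone_addrs = ""
        }
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*$/ { next }                      # skip blank lines
        /^[ \t]*[a-z-]+:[ \t]*$/ {               # clause header such as "server:"
            close_clause(); if ($1 == "forward-zone:") in_fz = 1; next
        }
        in_fz && $1 == "name:" { gsub(/"/, "", $2); if ($2 == ".") is_root = 1 }
        in_fz && ($1 == "forward-addr:" || $1 == "forward-host:") {
            zone_addrs = zone_addrs " " $2
        }
        END {
            close_clause()
            if (!found)           print "recursive"
            else if (addrs == "") print "broken-forward-zone"
            else                  print "forwarding" addrs
        }'
}

# Constructed sample: rebuilds one of the three states from the thread.
# $1 = directory, $2 = state (forwarding | emptied | removed)
write_sample() {
    mkdir -p "$1" && rm -f "$1"/*.conf
    printf 'server:\n    interface: 127.0.0.1\n    port: 5335\n' > "$1/pi-hole.conf"
    f="$1/resolvconf_resolvers.conf"
    case $2 in
        forwarding) printf 'forward-zone:\n  name: "."\n  forward-addr: %s\n  forward-addr: %s\n' \
                        208.67.222.222 208.67.220.220 > "$f" ;;
        emptied)    printf 'forward-zone:\n  name: "."\n' > "$f" ;;
    esac
}

# Demo run over the three constructed states in a throwaway directory.
demo_dir=$(mktemp -d)
for state in forwarding emptied removed; do
    write_sample "$demo_dir" "$state"
    printf '%-10s -> %s\n' "$state" "$(audit_root_forward "$demo_dir")"
done
rm -rf "$demo_dir"
```

On a real install the directory to pass is `/etc/unbound/unbound.conf.d`; anything other than `recursive` means unbound on port 5335 is not doing its own recursion.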
