Ubuntu Pi-hole + Unbound

Help Community Help
1

So I'm struggling with the setup of unbound. I followed the guide. I have installed Pi-hole first, then unbound. I've added the /etc/unbound/unbound.conf.d/pi-hole.conf as shown in the guide.

But when I try to start it as stated in the guide, I get this:

sudo systemctl restart unbound
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.

If I check the status:

unbound.service - Unbound DNS server
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-11-13 18:24:58 CET; 3s ago
   Duration: 6min 1.533s
       Docs: man:unbound(8)
    Process: 27549 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 27551 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
    Process: 27554 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
    Process: 27557 ExecStopPost=/usr/libexec/unbound-helper chroot_teardown (code=exited, status=0/SUCCESS)
   Main PID: 27554 (code=exited, status=1/FAILURE)
        CPU: 168ms

Any Idea why this happens? Did I missed something or did something wrong?

Details about my system:

I'm using Ubuntu 24.04.1. It is a fresh install.

2

Did the journal logs reveal anything?

Also, please share the output of

unbound-checkconf

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf.d
3

The config check is clear
unbound-checkconf: no errors in /etc/unbound/unbound.conf

This is what I've got with the other command:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf.d
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/remote-control.conf:remote-control:
/etc/unbound/unbound.conf.d/remote-control.conf:  control-enable: yes
/etc/unbound/unbound.conf.d/remote-control.conf:  control-interface: /run/unbound.ctl

I think it's a problem with port 53 for some reason. I rebooted the system and unbound started before pihole and pihole couldn't start because of port 53. Had to do systemctl stop unbound . Now pihole is running again but unbound is not.

4

unbound is configured for port 5335.
If there is a conflict over port 53, then some other process is claiming it.

Your unbound configuration looks OK.

What did your journal logs reveal?

5

Before I stopped unbound I've used this to look what is using port 53. It shows unbound used it.

sudo ss -tulpn sport = 53
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process                                                                         
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=17))                                             
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=13))                                             
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=9))                                              
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=5))                                              
udp     UNCONN   0        0                   [::]:53               [::]:*       users:(("unbound",pid=3664,fd=3))                                              
udp     UNCONN   0        0                   [::]:53               [::]:*       users:(("unbound",pid=3664,fd=7))                                              
udp     UNCONN   0        0                   [::]:53               [::]:*       users:(("unbound",pid=3664,fd=11))                                             
udp     UNCONN   0        0                   [::]:53               [::]:*       users:(("unbound",pid=3664,fd=15))                                             
tcp     LISTEN   0        256              0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=18))                                             
tcp     LISTEN   0        256              0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=14))                                             
tcp     LISTEN   0        256              0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=10))                                             
tcp     LISTEN   0        256              0.0.0.0:53            0.0.0.0:*       users:(("unbound",pid=3664,fd=6))                                              
tcp     LISTEN   0        256                 [::]:53               [::]:*       users:(("unbound",pid=3664,fd=4))                                              
tcp     LISTEN   0        256                 [::]:53               [::]:*       users:(("unbound",pid=3664,fd=8))                                              
tcp     LISTEN   0        256                 [::]:53               [::]:*       users:(("unbound",pid=3664,fd=12))                                             
tcp     LISTEN   0        256                 [::]:53               [::]:*       users:(("unbound",pid=3664,fd=16))

How can I access them?

6

By the command suggested by systemctl, from your initial post?

That is unexpected, as your configuration files do have port 5335, and your attempts to start unbound failed.

It would indicate that another unbound process is already running on your machine, and that is ignoring the usual configuration files.

What does which unbound return?

How did you install unbound?

7

This:

which unbound
/usr/sbin/unbound

As stated by the guide. sudo apt install unbound

If I just use systemctl it gives me a huge list. But I assume I found what you are looking for.

ā— unbound-resolvconf.service                                                                            loaded failed     failed    Unbound asyncronous resolvconf update helper
ā— unbound.service                                                                                       loaded failed     failed    Unbound DNS server
8

The command you've quoted in your first post would filter for unbound.service, so I'd stick with exactly that.

9

Oh so you meant journalctl -xeu unbound.service?

Nov 14 10:14:13 johnny-K53BY systemd[1]: Starting unbound.service - Unbound DNS server...
ā–‘ā–‘ Subject: A start job for unit unbound.service has begun execution
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has begun execution.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 19449.
Nov 14 10:14:14 johnny-K53BY (unbound)[17146]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Nov 14 10:14:14 johnny-K53BY unbound[17146]: [1731575654] unbound[17146:0] error: can't bind socket: Address already in use for :: port 53
Nov 14 10:14:14 johnny-K53BY unbound[17146]: [1731575654] unbound[17146:0] fatal error: could not open ports
Nov 14 10:14:14 johnny-K53BY systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
ā–‘ā–‘ Subject: Unit process exited
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ An ExecStart= process belonging to unit unbound.service has exited.
ā–‘ā–‘ 
ā–‘ā–‘ The process' exit code is 'exited' and its exit status is 1.
Nov 14 10:14:14 johnny-K53BY systemd[1]: unbound.service: Failed with result 'exit-code'.
ā–‘ā–‘ Subject: Unit failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 14 10:14:14 johnny-K53BY systemd[1]: Failed to start unbound.service - Unbound DNS server.
ā–‘ā–‘ Subject: A start job for unit unbound.service has failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has finished with a failure.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 19449 and the job result is failed.
Nov 14 10:14:14 johnny-K53BY systemd[1]: unbound.service: Scheduled restart job, restart counter is at 1.
ā–‘ā–‘ Subject: Automatic restarting of a unit has been scheduled
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ Automatic restarting of the unit unbound.service has been scheduled, as the result for
ā–‘ā–‘ the configured Restart= setting for the unit.
Nov 14 10:14:14 johnny-K53BY systemd[1]: Starting unbound.service - Unbound DNS server...
ā–‘ā–‘ Subject: A start job for unit unbound.service has begun execution
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has begun execution.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 19632.
Nov 14 10:14:14 johnny-K53BY (unbound)[17178]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Nov 14 10:14:14 johnny-K53BY unbound[17178]: [1731575654] unbound[17178:0] error: can't bind socket: Address already in use for :: port 53
Nov 14 10:14:14 johnny-K53BY unbound[17178]: [1731575654] unbound[17178:0] fatal error: could not open ports
Nov 14 10:14:14 johnny-K53BY systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
ā–‘ā–‘ Subject: Unit process exited
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ An ExecStart= process belonging to unit unbound.service has exited.
ā–‘ā–‘ 
ā–‘ā–‘ The process' exit code is 'exited' and its exit status is 1.
Nov 14 10:14:14 johnny-K53BY systemd[1]: unbound.service: Failed with result 'exit-code'.
ā–‘ā–‘ Subject: Unit failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 14 10:14:14 johnny-K53BY systemd[1]: Failed to start unbound.service - Unbound DNS server.
ā–‘ā–‘ Subject: A start job for unit unbound.service has failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has finished with a failure.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 19632 and the job result is failed.
Nov 14 10:14:14 johnny-K53BY systemd[1]: unbound.service: Scheduled restart job, restart counter is at 2.
ā–‘ā–‘ Subject: Automatic restarting of a unit has been scheduled
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ Automatic restarting of the unit unbound.service has been scheduled, as the result for
ā–‘ā–‘ the configured Restart= setting for the unit.
Nov 14 10:14:14 johnny-K53BY systemd[1]: Starting unbound.service - Unbound DNS server...
ā–‘ā–‘ Subject: A start job for unit unbound.service has begun execution
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has begun execution.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 19816.
Nov 14 10:14:15 johnny-K53BY (unbound)[17202]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Nov 14 10:14:15 johnny-K53BY unbound[17202]: [1731575655] unbound[17202:0] error: can't bind socket: Address already in use for :: port 53
Nov 14 10:14:15 johnny-K53BY unbound[17202]: [1731575655] unbound[17202:0] fatal error: could not open ports
Nov 14 10:14:15 johnny-K53BY systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
ā–‘ā–‘ Subject: Unit process exited
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ An ExecStart= process belonging to unit unbound.service has exited.
ā–‘ā–‘ 
ā–‘ā–‘ The process' exit code is 'exited' and its exit status is 1.
Nov 14 10:14:15 johnny-K53BY systemd[1]: unbound.service: Failed with result 'exit-code'.
ā–‘ā–‘ Subject: Unit failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 14 10:14:15 johnny-K53BY systemd[1]: Failed to start unbound.service - Unbound DNS server.
ā–‘ā–‘ Subject: A start job for unit unbound.service has failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has finished with a failure.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 19816 and the job result is failed.
Nov 14 10:14:15 johnny-K53BY systemd[1]: unbound.service: Scheduled restart job, restart counter is at 3.
ā–‘ā–‘ Subject: Automatic restarting of a unit has been scheduled
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ Automatic restarting of the unit unbound.service has been scheduled, as the result for
ā–‘ā–‘ the configured Restart= setting for the unit.
Nov 14 10:14:15 johnny-K53BY systemd[1]: Starting unbound.service - Unbound DNS server...
ā–‘ā–‘ Subject: A start job for unit unbound.service has begun execution
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has begun execution.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 20000.
Nov 14 10:14:15 johnny-K53BY (unbound)[17227]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Nov 14 10:14:15 johnny-K53BY unbound[17227]: [1731575655] unbound[17227:0] error: can't bind socket: Address already in use for :: port 53
Nov 14 10:14:15 johnny-K53BY unbound[17227]: [1731575655] unbound[17227:0] fatal error: could not open ports
Nov 14 10:14:15 johnny-K53BY systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
ā–‘ā–‘ Subject: Unit process exited
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ An ExecStart= process belonging to unit unbound.service has exited.
ā–‘ā–‘ 
ā–‘ā–‘ The process' exit code is 'exited' and its exit status is 1.
Nov 14 10:14:15 johnny-K53BY systemd[1]: unbound.service: Failed with result 'exit-code'.
ā–‘ā–‘ Subject: Unit failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 14 10:14:15 johnny-K53BY systemd[1]: Failed to start unbound.service - Unbound DNS server.
ā–‘ā–‘ Subject: A start job for unit unbound.service has failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has finished with a failure.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 20000 and the job result is failed.
Nov 14 10:14:15 johnny-K53BY systemd[1]: unbound.service: Scheduled restart job, restart counter is at 4.
ā–‘ā–‘ Subject: Automatic restarting of a unit has been scheduled
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ Automatic restarting of the unit unbound.service has been scheduled, as the result for
ā–‘ā–‘ the configured Restart= setting for the unit.
Nov 14 10:14:15 johnny-K53BY systemd[1]: Starting unbound.service - Unbound DNS server...
ā–‘ā–‘ Subject: A start job for unit unbound.service has begun execution
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has begun execution.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 20184.
Nov 14 10:14:16 johnny-K53BY (unbound)[17253]: unbound.service: Referenced but unset environment variable evaluates to an empty string: DAEMON_OPTS
Nov 14 10:14:16 johnny-K53BY unbound[17253]: [1731575656] unbound[17253:0] error: can't bind socket: Address already in use for :: port 53
Nov 14 10:14:16 johnny-K53BY unbound[17253]: [1731575656] unbound[17253:0] fatal error: could not open ports
Nov 14 10:14:16 johnny-K53BY systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
ā–‘ā–‘ Subject: Unit process exited
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ An ExecStart= process belonging to unit unbound.service has exited.
ā–‘ā–‘ 
ā–‘ā–‘ The process' exit code is 'exited' and its exit status is 1.
Nov 14 10:14:16 johnny-K53BY systemd[1]: unbound.service: Failed with result 'exit-code'.
ā–‘ā–‘ Subject: Unit failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 14 10:14:16 johnny-K53BY systemd[1]: Failed to start unbound.service - Unbound DNS server.
ā–‘ā–‘ Subject: A start job for unit unbound.service has failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has finished with a failure.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 20184 and the job result is failed.
Nov 14 10:14:16 johnny-K53BY systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
ā–‘ā–‘ Subject: Automatic restarting of a unit has been scheduled
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ Automatic restarting of the unit unbound.service has been scheduled, as the result for
ā–‘ā–‘ the configured Restart= setting for the unit.
Nov 14 10:14:16 johnny-K53BY systemd[1]: unbound.service: Start request repeated too quickly.
Nov 14 10:14:16 johnny-K53BY systemd[1]: unbound.service: Failed with result 'exit-code'.
ā–‘ā–‘ Subject: Unit failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 14 10:14:16 johnny-K53BY systemd[1]: Failed to start unbound.service - Unbound DNS server.
ā–‘ā–‘ Subject: A start job for unit unbound.service has failed
ā–‘ā–‘ Defined-By: systemd
ā–‘ā–‘ Support: http://www.ubuntu.com/support
ā–‘ā–‘ 
ā–‘ā–‘ A start job for unit unbound.service has finished with a failure.
ā–‘ā–‘ 
ā–‘ā–‘ The job identifier is 20368 and the job result is failed.
10

It seems that your unbound is not aware of your configuration files when starting, and tries to continue with a default of port 53.

Please share the output of:

cat /etc/systemd/system/unbound.service

ls -lahR /etc/unbound/
11

That's strange.

cat /etc/systemd/system/unbound.service
cat: /etc/systemd/system/unbound.service: No such file or directory

ls -lahR /etc/unbound/
/etc/unbound/:
total 24K
drwxr-xr-x   3 root root 4,0K Nov 13 18:21 .
drwxr-xr-x 147 root root  12K Nov 14 04:02 ..
-rw-r--r--   1 root root  806 Nov 13 18:21 unbound.conf
drwxr-xr-x   2 root root 4,0K Nov 14 04:21 unbound.conf.d

/etc/unbound/unbound.conf.d:
total 20K
drwxr-xr-x 2 root root 4,0K Nov 14 04:21 .
drwxr-xr-x 3 root root 4,0K Nov 13 18:21 ..
-rw-r--r-- 1 root root 3,0K Nov 13 18:13 pi-hole.conf
-rw-r--r-- 1 root root  194 Nov 14 04:21 remote-control.conf
-rw-r--r-- 1 root root  190 Sep  5 09:47 root-auto-trust-anchor-file.conf
12

I'm not that familiar with Ubuntu, the unit files may be in different locations.
You should be able to get a hold of the correct unit file by running:

sudo systemctl show unbound.service | grep Path

Permissions on your unbound conf files look correct.
What's the contents of /etc/unbound/unbound.conf?

13 
server:
    # can be uncommented if you do not need user privilege protection
    # username: ""

    # can be uncommented if you do not need file access protection
    # chroot: ""

    # location of the trust anchor file that enables DNSSEC. note that
    # the location of this file can be elsewhere
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # send minimal amount of information to upstream servers to enhance privacy
    qname-minimisation: yes

    # specify the interface to answer queries from by ip-address.
    interface: 0.0.0.0
    # interface: ::0

    # addresses from the IP range that are allowed to connect to the resolver
    access-control: 192.168.0.0/16 allow
    # access-control: 2001:DB8/64 allow
14 
sudo systemctl show unbound.service | grep Path
FragmentPath=/usr/lib/systemd/system/unbound.service
15

Your unbound.conf is causing this.

You should replace its entire contents by:

# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

After restarting the unbound service, this should include the files in the /etc/unbound/unbound.conf.d/ directory, and thus apply the settings from your pi-hole.conf.

16

Oh wow. It works now. This should be added to the guide. Or at least as a note.

17

I'm not ready to add that on the base of just one report.

What's more, from the looks of it, your unbound.conf seems to have been manually edited, and if so, it would of course be deviating from the package installation defaults.

Adding some arbitrary access-control ranges is unlikely to happen automatically, as IP ranges would be specific to a network. Furthermore, the ranges are inconsistent for IPv4 and IPv6: One is allowing a private IPv4 range, the other tries to allow a public IPv6 one, and that line contains an entirely invalid IPv6 address, which would have prevented parsing if activated.
It would be very unlikely for a package installation script to pick a set of such incoherent values.

In any case, I'm glad it's working for you now. :wink:

18

I downed the deb package file for Ubuntu 24.04.1 (Noble) from below:

$ wget http://security.ubuntu.com/ubuntu/pool/universe/u/unbound/unbound_1.19.2-1ubuntu3.3_amd64.deb
[..]
2024-11-14 19:13:37 (1.83 MB/s) - unbound_1.19.2-1ubuntu3.3_amd64.deb saved [957052/957052]

Extracted it:

$ dpkg-deb -xv unbound_1.19.2-1ubuntu3.3_amd64.deb .
[..]
./etc/unbound/
./etc/unbound/unbound.conf
./etc/unbound/unbound.conf.d/
./etc/unbound/unbound.conf.d/remote-control.conf
./etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

Which seems to confirm your presumption:

$ cat etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"