Unbound 1.9.2 released (June 17)

There is a deb package, but not of the updated version; you would need to compile from source.

If you don't care about security and new features, e.g. the latest version, you can follow this guide from the pihole developers. You will NOT be able to use the more recent features, since the version in the Raspbian (and probably the Debian) distribution isn't the most recent one (read: old...).

The guides I mentioned when opening this topic assume a compiled version; I never tested whether they would work with the version included with Raspbian.

Is unbound 1.6.x (ships with Stretch) insecure?

Look at the number of bug fixes, made to unbound, since the release of 1.6 (hit toggle older versions). I would assume the latest version is the better choice.

Assume? From this you conclude that if you don't run the latest version, you don't care about security?

I was the OP on this post that prompted the detailed instructions on compiling from source.

I care about security. Quite a bit. But I also care about convenience. I don't want to have to uninstall/purge and backup/restore my settings each time there is an update.

What does one need to do to encourage an updated Raspian/Debian package for Unbound?

It seems like this community has a large enough critical mass of Unbound users to encourage one.

Change.org petition anyone? I jest. But only slightly.

I sent the following to the Unbound Debian/Raspbian package maintainers via email:

Hello,

I'm a user of Unbound on Raspbian (in concert with a Pi-hole).

I noticed that Unbound has recently been updated to version 1.9.2, however the stable version available on Raspbian Stretch is still 1.6.0.

Is there any possibility that this package will be updated to a more current version of Unbound sometime soon?

There is a large community of Unbound users on Raspbian due to the Pi-hole. I know many would appreciate an updated package.

Please let me know if this is possible and likely. Thank you.

Best,

JAW


The Raspbian update frequency isn't impressive at all. The release dates, since I started using pihole:

2016-11-25-raspbian-jessie-lite.img
2017-01-11-raspbian-jessie-lite.img
2017-02-16-raspbian-jessie-lite.img
2017-03-02-raspbian-jessie-lite.img
2017-04-10-raspbian-jessie-lite.img
2017-06-21-raspbian-jessie-lite.img
2017-07-05-raspbian-jessie-lite.img
2017-08-16-raspbian-stretch-lite.img
2017-09-07-raspbian-stretch-lite.img
2017-11-29-raspbian-stretch-lite.img
2018-03-13-raspbian-stretch-lite.img
2018-04-18-raspbian-stretch-lite.img
2018-06-27-raspbian-stretch-lite.img
2018-10-09-raspbian-stretch-lite.img
2018-11-13-raspbian-stretch-lite.img
2019-04-08-raspbian-stretch-lite.img

2017: 9 releases
2018: 5 releases
2019: 1 release

Of course you have to run sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get -yq upgrade to keep your OS current, OR implement auto-updating using webmin (see my manual here, chapter 4, section 11), but this will NOT solve the old-versions problem.
Raspbian includes a lot of external software, such as unbound, which is great for testing purposes, but if you're going to run these in a "production" environment, you should use compiled software, whenever possible, that is, if you want current releases.

Thanks for your contributions.

If you don't mind sharing; what would one need to do to (i) preserve their Unbound configuration and (ii) uninstall/purge completely before following the compiling instructions you provided earlier?

I'm afraid I cannot help you there.
Whenever there is a new release of Raspbian, unbound, pihole, knot-resolver, … I setup a new pihole, using another SD card, thus rotating them (3 of them), so I can always fall back on a working SD card, holding the previous working configuration.

In order to do that, I've setup WAMP on one of my windows computers, holding all the configuration files and scripts, needed to make this as easy as possible, transferring them to the new SD card with wget. Currently 31 scripts to execute, total execution time about an hour.

Don't ask, I cannot share the scripts, as they contain passwords and SSH keys, needed to make it all work. You'll have to make your own, but in the end, this will lead to a fast and error free setup, using the latest software.

example of such a script:

#!/bin/bash

# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

# ntp: install it, then point it at the LAN time server instead of the
# debian.pool.ntp.org defaults (the sudo prefixes are redundant under root)
sudo apt-get -yq install ntp
file=/etc/ntp.conf
#sudo sed -i 's/debian.pool.ntp.org/europe.pool.ntp.org/g' $file
# comment out every debian.pool.ntp.org line ...
sudo sed -i 's/.*debian.pool.ntp.org/#&/' $file
# ... and append a local "server" line after the matching comment in the stock config
sudo sed -i '/You do need to talk to an NTP server/aserver 192.168.xxx.yyy' $file

sudo timedatectl set-timezone Europe/Brussels
# stop the daemon, force a one-shot sync (-g allows a large initial offset,
# -q exits after setting the clock), then start the daemon again
sudo /etc/init.d/ntp stop
sudo ntpd -gq
sudo /etc/init.d/ntp start

# fetch the clock-check script and its cron entry from the LAN staging server
# (plain http on the local network; the download is not integrity-checked)
sudo wget http://192.168.xxx.zzz/raspbian/home/pi/ntpcheck.sh -O /home/pi/ntpcheck.sh
sudo chmod +x /home/pi/ntpcheck.sh
sudo wget http://192.168.xxx.zzz/raspbian/etc/cron.d/ntpcheck -O /etc/cron.d/ntpcheck
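The question above (keep the Unbound configuration, then purge the distro package before following the compile-from-source guide) can be scripted. What follows is an added example written for this page; it is not a script from the thread, from Pi-hole or from the Unbound project. It assumes the Debian layout (/etc/unbound with an unbound.conf.d/ directory) and the Stretch package names unbound and unbound-anchor; the config and backup directories are parameters so the backup and restore steps can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example: back up /etc/unbound with a checksum manifest, verify it,
# restore it, and only purge the Raspbian package once a verified backup exists.
set -eu

# Defaults for a real Pi; override them to exercise the functions elsewhere.
UNBOUND_CONF_DIR="${UNBOUND_CONF_DIR:-/etc/unbound}"
BACKUP_DIR="${BACKUP_DIR:-/root/unbound-backup}"   # use an absolute path

# Archive the whole config tree (unbound.conf, unbound.conf.d/*, root.key and
# root.hints if present) and write a SHA-256 manifest next to it.
# Prints the archive path. Assumes file names without spaces.
backup_unbound() {
    conf_dir="$1"; dest_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/unbound-conf-$stamp.tar.gz"
    mkdir -p "$dest_dir"
    # -C so the archive holds paths relative to the parent and restores anywhere
    tar -czf "$archive" -C "$(dirname "$conf_dir")" "$(basename "$conf_dir")"
    (cd "$conf_dir" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$archive.sha256"
    printf '%s\n' "$archive"
}

# Check every file under CONF_DIR against the manifest (absolute path).
# Non-zero if a file is missing or was changed after the backup was taken.
verify_unbound_conf() {
    conf_dir="$1"; manifest="$2"
    (cd "$conf_dir" && sha256sum -c --quiet "$manifest")
}

# Unpack the archive into the parent of CONF_DIR (the directory name inside
# the archive must match CONF_DIR's basename) and verify the result.
restore_unbound() {
    archive="$1"; conf_dir="$2"
    mkdir -p "$(dirname "$conf_dir")"
    tar -xzf "$archive" -C "$(dirname "$conf_dir")"
    verify_unbound_conf "$conf_dir" "$archive.sha256"
}

# Let unbound parse the restored tree before the daemon is pointed at it.
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1/unbound.conf"
    else
        echo "unbound-checkconf not installed; skipping syntax check" >&2
    fi
}

# Remove the Raspbian packages, refusing to run without a verified backup.
# "purge" (unlike "remove") deletes the package's own conffiles under
# /etc/unbound; files you added yourself in unbound.conf.d/ are left behind,
# which is why the backup above archives the whole directory rather than
# picking individual files.
purge_distro_unbound() {
    archive="$1"
    [ -s "$archive" ] && [ -s "$archive.sha256" ] \
        || { echo "no verified backup at $archive; refusing to purge" >&2; return 1; }
    systemctl stop unbound 2>/dev/null || true
    apt-get -y purge unbound unbound-anchor
    apt-get -y autoremove
}

# Typical run as root on the Pi, before following the compile-from-source guide:
#   archive=$(backup_unbound "$UNBOUND_CONF_DIR" "$BACKUP_DIR") && purge_distro_unbound "$archive"
# and after the source build is installed:
#   restore_unbound "$archive" "$UNBOUND_CONF_DIR" && check_unbound_conf "$UNBOUND_CONF_DIR"
```

The manifest matters because the restore happens on a different install (a fresh SD card, or the same card after a purge): a silent partial restore would leave the resolver running with defaults, so the verify step turns that into a hard failure.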

Thanks for the input. I'll sic my 15-year-old on the scripting.

I like your approach and am considering setting up a second Pi-hole for redundancy.

Debian has their own release schedule and there really is nothing that will change that. The reason people choose Debian is for this policy. When running on a server you want packages that are stable, tested, used, tested, and stable. (Redundancy intended.) But that doesn't mean that packages are completely frozen in place once they release. If a security issue is found then Debian will release updates with fixes picked and ported. See https://metadata.ftp-master.debian.org/changelogs//main/u/unbound/unbound_1.6.0-3+deb9u2_changelog for unbound and notice all the upstream security fixes that are backported.

New features are not typically a reason for a package update once the release has frozen.
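The practical way to act on the point above is to read what the maintainers actually backported rather than compare upstream version numbers. The following is an added example written for this page, not a tool from Debian, Pi-hole or Unbound. A Debian version such as 1.6.0-3+deb9u2 is upstream 1.6.0, packaging revision 3, second stable update for Debian 9; the "+deb9uN" part is where stable-security fixes land. The changelog text embedded below is constructed to show the format (using the version strings from this thread) and its CVE ids are placeholders, not real advisories; the live functions use dpkg-query and apt-get changelog, which exist on Raspbian.

```shell
#!/bin/sh
# Added example: read a Debian changelog and list the CVE ids each package
# revision claims to fix, to judge a stable package by its backports.
set -eu

# Upstream part of a Debian version: drop an optional epoch ("1:") and the
# Debian revision after the last hyphen (Debian policy: the revision never
# contains a hyphen, the upstream version may).
deb_upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Debian revision (after the last hyphen); empty for native packages.
deb_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# Read a Debian changelog on stdin and print "version<TAB>CVE-... CVE-..."
# per entry, newest first as in the changelog. Entries start with
# "<source> (<version>) <distribution>; urgency=..."; CVE ids are picked
# out of the free-text lines that follow, de-duplicated per entry.
changelog_cves() {
    awk '
        function flush() {
            if (ver != "") { sub(/ $/, "", cves); printf "%s\t%s\n", ver, cves }
        }
        /^[a-z0-9][a-z0-9.+-]* \([^)]+\) [^;]*; urgency=/ {
            flush()
            ver = $2; gsub(/[()]/, "", ver)
            cves = ""
            next
        }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (index(cves, id " ") == 0) cves = cves id " "
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { flush() }
    '
}

# Live check on the Pi: installed version, its upstream/revision split, and
# the CVE ids mentioned in the installed package's Debian changelog.
installed_unbound_cves() {
    ver=$(dpkg-query -W -f '${Version}' unbound 2>/dev/null) \
        || { echo "unbound package not installed" >&2; return 1; }
    echo "installed: $ver (upstream $(deb_upstream_version "$ver"), revision $(deb_revision "$ver"))"
    apt-get changelog unbound 2>/dev/null | changelog_cves
}

# Constructed sample in Debian changelog format; CVE ids are placeholders.
SAMPLE_CHANGELOG='unbound (1.6.0-3+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Backport upstream fix for CVE-2018-99993 (placeholder id).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000

unbound (1.6.0-3+deb9u1) stretch-security; urgency=high

  * Backport upstream fixes for CVE-2017-99991 and CVE-2017-99992
    (placeholder ids); CVE-2017-99991 patch also adjusts the test suite.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000

unbound (1.6.0-3) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2017 00:00:00 +0000
'

# Offline demonstration on the constructed sample:
#   printf '%s' "$SAMPLE_CHANGELOG" | changelog_cves
# On a Pi:
#   installed_unbound_cves
```

The output answers the "is 1.6.x insecure?" question more precisely than the bare version does: an upstream bug fixed in 1.6.8 may well be fixed in 1.6.0-3+deb9u1 too, and a CVE that does not appear in any "+deb9uN" entry is the one to go and check.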


meaning?
reference?

I can't seem to get qname minimization to work when compiling 1.9.2. Never tested it with earlier versions though. When running "dig txt qnamemintest.internet.nl" it says it's not working, it works with Knot. Any ideas?

Too bad Unbound seems stalled in Debian, now with Buster being released soon as well.

Interesting, you consider 1.9.0 to be dead. Debian -- Details of package unbound in buster


unbound (127.10.10.2 -p 5552):

dig @127.10.10.2 -p 5552 txt qnamemintest.internet.nl

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.10.10.2 -p 5552 txt qnamemintest.internet.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;qnamemintest.internet.nl.      IN      TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 3600  IN      CNAME   a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3600 IN  TXT     "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl. 3600 IN  NS      ns.a.b.qnamemin-test.internet.nl.

;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl. 3600 IN AAAA  2a04:b900::8:0:0:63
ns.a.b.qnamemin-test.internet.nl. 3600 IN A     185.49.140.63

;; Query time: 132 msec
;; SERVER: 127.10.10.2#5552(127.10.10.2)
;; WHEN: Thu Jun 20 16:42:54 CEST 2019
;; MSG SIZE  rcvd: 218

knot-resolver (127.10.10.5 -p 5555):

dig @127.10.10.5 -p 5555 txt qnamemintest.internet.nl

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.10.10.5 -p 5555 txt qnamemintest.internet.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 425
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qnamemintest.internet.nl.      IN      TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 3361  IN      CNAME   a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3361 IN  TXT     "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; Query time: 0 msec
;; SERVER: 127.10.10.5#5555(127.10.10.5)
;; WHEN: Thu Jun 20 16:43:53 CEST 2019
;; MSG SIZE  rcvd: 157

content of /etc/unbound/unbound.conf.d/qname-minimisation.conf:

server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.

    # https://ripe72.ripe.net/presentations/120-unbound_qnamemin_ripe72.pdf
    # test: drill txt qnamemintest.internet.nl
    # result: "HOORAY - QNAME minimisation is enabled on your resolver :)!"

    qname-minimisation: yes
    harden-below-nxdomain: yes

Thanks, I had exactly that config but it was on a Diet-Pi installation. I will try with normal Raspbian light as well.

Got it working now, weird!

Any idea why I get a bunch of these in my logs?

Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.36.148.17 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.33.4.12 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53

NOT in my logs.
What is your verbose setting?

Verbosity is set to 1. If I delete root.zone and start over it looks fine I think, then if I reboot the log messages start to appear.
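A quick way to triage a burst like the one posted above is to tally which auth servers the send errors target and how long the burst lasted. The script below is an added example written for this page, not part of the thread or of Unbound. The IPv4-to-letter table for the root servers is from my own knowledge of root-servers.net as of 2019, not from the thread; the sample input is the ten log lines posted above, copied verbatim. The live helper assumes journalctl is available (Raspbian Stretch runs systemd).

```shell
#!/bin/sh
# Added example: triage unbound "error sending query to auth server" lines.
set -eu

# Root server IPv4 addresses (root-servers.net, as known in 2019; assumption).
root_server_letter() {
    case "$1" in
        198.41.0.4)      echo a ;;
        199.9.14.201)    echo b ;;
        192.33.4.12)     echo c ;;
        199.7.91.13)     echo d ;;
        192.203.230.10)  echo e ;;
        192.5.5.241)     echo f ;;
        192.112.36.4)    echo g ;;
        198.97.190.53)   echo h ;;
        192.36.148.17)   echo i ;;
        192.58.128.30)   echo j ;;
        193.0.14.129)    echo k ;;
        199.7.83.42)     echo l ;;
        202.12.27.33)    echo m ;;
        *)               echo "" ;;
    esac
}

# Read unbound log lines on stdin; print "count<TAB>ip<TAB>label", most
# frequent first, where label is "root:<letter>" or "other". If every
# failing target is a root server, the resolver was priming from the root
# hints and could not reach the internet at all at that moment.
tally_send_errors() {
    grep -o 'error sending query to auth server [0-9.]* port [0-9]*' \
    | awk '{ print $7 }' | sort | uniq -c | sort -rn \
    | while read -r count ip; do
        letter=$(root_server_letter "$ip")
        if [ -n "$letter" ]; then label="root:$letter"; else label="other"; fi
        printf '%s\t%s\t%s\n' "$count" "$ip" "$label"
      done
}

# Seconds between the first and last send error on stdin (assumes the lines
# fall on one day; syslog timestamps carry no year). Prints -1 if none.
# A span of a few seconds right after boot points at unbound starting before
# the network was usable; a span of hours points at a real reachability or
# firewall problem that needs looking at.
send_error_span() {
    grep 'error sending query to auth server' \
    | awk '{ split($3, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
             if (NR == 1) first = s; last = s }
           END { if (NR == 0) print -1; else print last - first }'
}

# On the Pi: restrict the view to the current boot.
boot_send_errors() {
    journalctl -u unbound -b --no-pager 2>/dev/null | tally_send_errors
    echo "span (s): $(journalctl -u unbound -b --no-pager 2>/dev/null | send_error_span)"
}

# The ten lines from the thread, copied verbatim, as sample input.
SAMPLE_LOG='Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.36.148.17 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.33.4.12 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53'

# Offline demonstration:
#   printf '%s\n' "$SAMPLE_LOG" | tally_send_errors
#   printf '%s\n' "$SAMPLE_LOG" | send_error_span
```

For the posted lines every target is a root server (h, k, e, i and c) and all ten errors share one timestamp, which is the signature of a resolver that came up and primed before the network was ready rather than of a blocked or misrouted path. If the live run on the Pi shows the same pattern confined to the first seconds after boot and nothing later, the usual remedy is to order the unbound unit after network-online.target with a systemd drop-in; if the errors keep coming while the network is up, check the firewall and routing for outbound UDP/TCP 53 first.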