Unbound 1.9.6 available

Version 1.9.6 (changelog) contains many fixes after a security audit.

This release won't work with Pihole on Raspbian Stretch though, right?

Can anyone here please tell me how to update Unbound to the latest version, 1.9.6? Following the guide from the Unbound installation, it still sits at 1.9.0.
So is there a simple guide to update or do a fresh installation? I tried doing it manually but didn't succeed.
Any help is highly appreciated. Thanks

@anon55913113, you seem to be expert here. Can you help with @manohar_basavaraju’s question?

What did you try? Before there are any official builds, you should be able to compile directly from the source code.

git clone https://github.com/NLnetLabs/unbound.git
cd unbound
git checkout release-1.9.6
./configure && make && sudo make install

should be all you need following GitHub - NLnetLabs/unbound: Unbound is a validating, recursive, and caching DNS resolver.

Depending on what is already on your system, you may need to install some building dependencies like

sudo apt install build-essential libssl-dev libexpat1-dev

(this is just an assumption, you may need further packages).

Edit

unbound -V

should now show the 1.9.6 release. After confirming this, run

sudo service unbound restart

to replace the old running unbound with the newer one. You may want to uninstall unbound using apt remove now to prevent your locally compiled variant from being overwritten by updates. If this removes the unbound binary, simply run the sudo make install step from above another time.


Hi,

I tried to follow your howto to update unbound on my raspberry.

Installation seems OK, but unbound is unable to start

```
unbound -v -v -v -v -v -v
[1579337495] unbound[1413:0] notice: Start of unbound 1.9.6.
[1579337495] unbound[1413:0] debug: creating udp6 socket ::1 53
[1579337495] unbound[1413:0] debug: creating tcp6 socket ::1 53
[1579337495] unbound[1413:0] error: can't bind socket: Address already in use for ::1 port 53 (len 28)
[1579337495] unbound[1413:0] fatal error: could not open ports
root@raspberrypi:~#
```

What does your configuration look like? The description I gave is only expected to work when unbound already worked before.

Hi,

Unbound used to work perfectly in version 1.9.0.

config: would say standard, port: 5335

setting IPv6 off does not help.

```
GNU nano 3.2   /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 1

    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # Use this only when you downloaded the list of primary root serv$
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is a$
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNS$
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-$
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reass$
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy mach$
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in tr$
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

interface: 0.0.0.0@5335
interface: ::0@5335
```

Where did you get these configuration lines?

Hi,

This was trial and error on my side and recommended in a German forum.

The same error is still here, even if I use the „standard“ config,

```
GNU nano 3.2   /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
```

without interface lines

Are there any other files in /etc/unbound/unbound.conf.d?
Do you have a /etc/unbound/unbound.conf file?

Check them as well.

Here we go...

```
GNU nano 3.2          /etc/unbound/unbound.conf

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
```

```
root@raspberrypi:~# ls /etc/unbound/unbound.conf.d
localroot.conf qname-minimisation.conf
pi-hole.conf root-auto-trust-anchor-file.conf
root@raspberrypi:~#
```

What is in the other config files? Something seems to overwrite your setting somewhere.

```
/etc/unbound/unbound.conf.d/qname-minimisation.conf

server:
    # Send minimum amount of information to upstream servers to enhan$
    # privacy. Only sends minimum required labels of the QNAME and se$
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" f$
    # details.

    qname-minimisation: yes
```


```
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

server:
# The following line will configure unbound to perform cryptograp$
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
```

Do you think setting up the whole Raspberry, Pi-hole and unbound again could solve my issue?

Is any other user able to run unbound 1.9.6 on a Raspberry successfully?

Anything else I can try, before starting all over with a new setup?

Thank you very much for supporting me!

Yes, at least I am able to do this but on another Pi on the other end of the country which I cannot access right now.

How do you try to start unbound? I hope you're using

sudo service unbound restart

and do not try to start it directly as root. This will not work as it doesn't know which config files to read if you start it manually.

Are you sure there is no port: setting hidden somewhere?

sudo grep 'port:' -R /etc/unbound/unbound.conf*


```
Last login: Sat Jan 18 16:01:57 2020 from 192.168.178.25
ben2@raspberrypi:~ $ sudo service unbound restart
[sudo] password for ben2:
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
ben2@raspberrypi:~ $ systemctl status unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendo
   Active: failed (Result: exit-code) since Sat 2020-01-18 16:30:10 GM
     Docs: man:unbound(8)
  Process: 2503 ExecStartPre=/usr/lib/unbound/package-helper chroot_se
  Process: 2513 ExecStartPre=/usr/lib/unbound/package-helper root_trus
  Process: 2517 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exit
 Main PID: 2517 (code=exited, status=1/FAILURE)
ben2@raspberrypi:~ $ sudo grep 'port:' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
ben2@raspberrypi:~ $
```

What does unbound-checkconf show?


```
unbound-checkconf
unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf
ben2@raspberrypi:~ $
```
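
An added example, not part of the thread: the unbound-checkconf run above checked /usr/local/etc/unbound/unbound.conf, while the only `port: 5335` line found by grep lives under /etc/unbound. This POSIX shell sketch resolves which port each config root yields by following `include:` globs; the directory tree is constructed in a temp dir and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (POSIX sh); function names are hypothetical helpers.

# Print "file:port" for every port: option reachable from config file $1,
# following include: globs as the Debian /etc/unbound/unbound.conf does.
port_settings() {
    [ -r "$1" ] || return 0
    # Strip comments, then tag each relevant line as P (port) or I (include).
    sed -e 's/#.*//' "$1" | awk '
        $1 == "port:"    { print "P", $2 }
        $1 == "include:" { gsub(/"/, "", $2); print "I", $2 }
    ' | while read -r kind value; do
        case $kind in
            P) printf '%s:%s\n' "$1" "$value" ;;
            I) for inc in $value; do port_settings "$inc"; done ;;  # unquoted: expand glob
        esac
    done
}

# Port a daemon started with config root $1 would try to bind.
# Assumption: the last port: read wins; with none set, unbound's default is 53.
effective_port() {
    last=$(port_settings "$1" | tail -n 1)
    if [ -n "$last" ]; then echo "${last##*:}"; else echo 53; fi
}

# Constructed sample mirroring the two config roots seen in the thread.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/unbound/unbound.conf.d" "$root/usr/local/etc/unbound"
    printf 'include: "%s/etc/unbound/unbound.conf.d/*.conf"\n' "$root" \
        > "$root/etc/unbound/unbound.conf"
    printf 'server:\n    port: 5335\n    do-ip6: no\n' \
        > "$root/etc/unbound/unbound.conf.d/pi-hole.conf"
    printf 'server:\n    qname-minimisation: yes\n' \
        > "$root/etc/unbound/unbound.conf.d/qname-minimisation.conf"
    printf 'server:\n    # port: 53\n    verbosity: 1\n' \
        > "$root/usr/local/etc/unbound/unbound.conf"
    echo "$root"
}

demo_root=$(make_sample_tree)
echo "/etc/unbound root:           port $(effective_port "$demo_root/etc/unbound/unbound.conf")"
echo "/usr/local/etc/unbound root: port $(effective_port "$demo_root/usr/local/etc/unbound/unbound.conf")"
rm -rf "$demo_root"
```

On a live system, `unbound-checkconf -o port <file>` prints the same value for a given config file, so running it against both paths shows which root carries the 5335 setting.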