Unbound 1.9.6 available

Version 1.9.6 (changelog) contains many fixes after a security audit.

Holy moly that are a lot fixes. Great work by both teams.

This release won’t work with Pihole on Raspbian Stretch though, right?

On what do you base that?

Anyone here pls tell me how to update this Unbound to latest version 1.9.6. According to the guide from Unbound installation it sits still at 1.9.0
So is there a simple guide to update or do a fresh installation ? i tried doing it manually but didnt succeed.
Any help is highly appreciated. Thanks

@msatter, you seem to be expert here. Can you help with @manohar_basavaraju’s question?

What did you try? Before there are any official builds, you should be able to compile directly from the source code.

git clone https://github.com/NLnetLabs/unbound.git
cd unbound
git checkout release-1.9.6
./configure && make && sudo make install

should be all you need following https://github.com/NLnetLabs/unbound#compiling

Depending on what is already on your system, you may need to install some building dependencies like

sudo apt install build-essential libssl-dev libexpat1-dev

(this is just an assumption, you may need further packages).


unbound -V

should now show the 1.9.6 release. After confirming this, run

sudo service unbound restart

to replace the old running unbound by the newer one. You may want to uninstall unbound using apt remove now to avoid your locally compiled variant to be overwritten by updates. If this removes the unbound binary, simply run the sudo make install step from above another time.

1 Like


I tried to follow your howto to update unbound on my raspberry.

Installation seams ok, but unbound is unable to start

unbound -v -v -v -v -v -v
[1579337495] unbound[1413:0] notice: Start of unbound 1.9.6.
[1579337495] unbound[1413:0] debug: creating udp6 socket ::1 53
[1579337495] unbound[1413:0] debug: creating tcp6 socket ::1 53
[1579337495] unbound[1413:0] error: can’t bind socket: Address already in use for ::1 port 53 (len 28)
[1579337495] unbound[1413:0] fatal error: could not open ports

How does your configuration look like? The description I gave is only expected to work when unbound already worked before.


Unbound used to work perfectly in version 1.9.0.

config: would say standard, port: 5335

setting IPv6 off does not help.

 GNU nano 3.2   /etc/unbound/unbound.conf.d/pi-hole.conf             
    # If no logfile is specified, syslog is used                      
    # logfile: "/var/log/unbound/unbound.log"                         
    verbosity: 1                                                      
    do-ip4: yes                                                       
    do-udp: yes                                                       
    do-tcp: yes                                                       
    # May be set to yes if you have IPv6 connectivity                 
    do-ip6: yes                                                       
    # Use this only when you downloaded the list of primary root serv$
    root-hints: "/var/lib/unbound/root.hints"                         
    # Trust glue only if it is within the servers authority           
    harden-glue: yes                                                  
    # Require DNSSEC data for trust-anchored zones, if such data is a$
    harden-dnssec-stripped: yes                                       
    # Don't use Capitalization randomization as it known to cause DNS$
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-$
    use-caps-for-id: no                                               
    # Reduce EDNS reassembly buffer size.                             
    # Suggested by the unbound man page to reduce fragmentation reass$
    edns-buffer-size: 1472                                            
    # TTL bounds for cache                                            
    cache-min-ttl: 3600              
    cache-max-ttl: 86400                                              
    # Perform prefetching of close to expired message cache entries   
    # This only applies to domains that have been frequently queried  
    prefetch: yes                                                     
    # One thread should be sufficient, can be increased on beefy mach$
    num-threads: 1                                                    
    # Ensure kernel buffer is large enough to not lose messages in tr$
    so-rcvbuf: 1m                                                     
    # Ensure privacy of local IP ranges                               
    private-address: fd00::/8
    private-address: fe80::/10

interface: ::0@5335


Where did you get these configuration lines?


this was a try an error from my side and recommended in a german forum.

the same error is still here, even if i use the „standard“ config,

  GNU nano 3.2   /etc/unbound/unbound.conf.d/pi-hole.conf             
    # If no logfile is specified, syslog is used                      
    # logfile: "/var/log/unbound/unbound.log"                         
    verbosity: 0                                                      
    port: 5335                                                        
    do-ip4: yes                                                       
    do-udp: yes                                                       
    do-tcp: yes                                                       
    # May be set to yes if you have IPv6 connectivity                 
    do-ip6: no                                  

without interface lines

Are there any other files in /etc/unbound/unbound.conf.d?
Do you have a /etc/unbound/unbound.conf file?

Check them as well.

Here we go…

  GNU nano 3.2          /etc/unbound/unbound.conf                     
# Unbound configuration file for Debian.                              
# See the unbound.conf(5) man page.                                   
# See /usr/share/doc/unbound/examples/unbound.conf for a commented    
# reference config file.                                              
# The following line includes additional configuration files from the 
# /etc/unbound/unbound.conf.d directory.                              
include: "/etc/unbound/unbound.conf.d/*.conf"          ```

root@raspberrypi:~# ls /etc/unbound/unbound.conf.d
localroot.conf qname-minimisation.conf
pi-hole.conf root-auto-trust-anchor-file.conf

What is in the other config files? Something seems to overwrite your

setting somewhere.

    # Send minimum amount of information to upstream servers to enhan$
    # privacy. Only sends minimum required labels of the QNAME and se$
    # QTYPE to NS when possible.                                      
    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" f$
    # details.                                                        
    qname-minimisation: yes                                            ```


# The following line will configure unbound to perform cryptograp$
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: “/var/lib/unbound/root.key”

do you think setting up the whole raspberry, pihole and unbound could solve my issue?

is any other user able to run unbound 1.9.6 on a raspberry successfully?

anything else i can try, bevor starting allover with new setup?

Thank you very much supporting me!

Yes, at least I am able to do this but on another Pi on the other end of the country which I cannot access right now.

How do you try to start unbound? I hope you’re using

sudo service unbound restart

and do not try to start it directly as root. This will not work as it doesn’t know which config files to read if you start it manually.

Are you sure there is no port: setting hidden somewhere ?

sudo grep 'port:' -R /etc/unbound/unbound.conf*

Last login: Sat Jan 18 16:01:57 2020 from
ben2@raspberrypi:~ $ sudo service unbound restart[sudo] password for ben2: 
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
ben2@raspberrypi:~ $ systemctl status unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendo
   Active: failed (Result: exit-code) since Sat 2020-01-18 16:30:10 GM
     Docs: man:unbound(8)
  Process: 2503 ExecStartPre=/usr/lib/unbound/package-helper chroot_se
  Process: 2513 ExecStartPre=/usr/lib/unbound/package-helper root_trus
  Process: 2517 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exit
 Main PID: 2517 (code=exited, status=1/FAILURE)
ben2@raspberrypi:~ $ sudo grep 'port:' -R /etc/unbound/unbound.conf*/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
ben2@raspberrypi:~ $