The steps below assume you have unbound already installed and tested according to the guide:
https://docs.pi-hole.net/guides/unbound/
sudo apt install build-essential openssl libssl-dev libexpat1-dev bison
cd ~
git clone https://github.com/NLnetLabs/unbound.git
cd unbound
git checkout release-1.9.6
./configure --prefix=/usr --includedir=/usr/include --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc --localstatedir=/var --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --enable-subnet --with-chroot-dir= --libdir=/usr/lib
make
sudo service unbound stop
sudo make install
sudo service unbound start
dehakkelaar@laptop:~$ sudo service unbound status
[..]
Active: active (running) since Mon 2020-01-20 23:32:18 CET; 3min 13s ago
dehakkelaar@laptop:~$ /usr/sbin/unbound -h
[..]
Version 1.9.6
dehakkelaar@laptop:~$ dig +short @127.0.0.1 -p 5353 chaos txt version.bind
"unbound 1.9.6"
dehakkelaar@laptop:~$ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
[..]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19704
dehakkelaar@laptop:~$ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
[..]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8770
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[..]
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
To prevent the package unbound from getting updated/upgraded or reinstalled, pin it:
sudo tee /etc/apt/preferences.d/unbound <<< $'Package: unbound\nPin: release *\nPin-Priority: -1'
sudo apt update
apt policy unbound
EDIT: added pinning of unbound package.
EDIT2: better matching Debian's build configure options.
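The two dig checks in the post (sigfail must return SERVFAIL, sigok must return NOERROR with the ad flag) can be scripted so they are easy to repeat after each rebuild. This is an added example, not part of the original post; the function names and the `live` argument are assumptions, and the sample outputs are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): judge DNSSEC validation from
# the output of the two dig test queries shown in the post.

# Print the rcode from dig's header line, e.g. SERVFAIL or NOERROR.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed only if the flags line carries "ad" (authenticated data).
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = dig output for sigfail.*, $2 = dig output for sigok.*
dnssec_verdict() {
    if [ "$(dig_status "$1")" != "SERVFAIL" ]; then
        echo "FAIL: bad signature was not rejected"; return 1
    fi
    if [ "$(dig_status "$2")" != "NOERROR" ]; then
        echo "FAIL: valid signature did not resolve"; return 1
    fi
    if ! dig_has_ad "$2"; then
        echo "FAIL: answer is not marked authenticated (no ad flag)"; return 1
    fi
    echo "OK: resolver validates DNSSEC"
}

# Constructed samples, modelled on the output in the post.
SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19704'
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8770
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed: what a non-validating resolver would return for sigfail.*
SAMPLE_NOVALIDATE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "live" ]; then
    # Query the local unbound on the port used in the post.
    bad=$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353)
    good=$(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353)
    dnssec_verdict "$bad" "$good"
else
    dnssec_verdict "$SAMPLE_SIGFAIL" "$SAMPLE_SIGOK"
    dnssec_verdict "$SAMPLE_NOVALIDATE" "$SAMPLE_SIGOK" || true
fi
```

Run it with the argument `live` to query the local resolver; without arguments it only evaluates the constructed samples.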