Unbound 1.9.6 available

I followed your steps, but it still shows 1.9.0.
What am i doing wrong ?

pi@raspberrypi:/etc/unbound/unbound $ unbound -V
unbound: invalid option -- 'V'
usage: unbound [options]
start unbound daemon DNS resolver.
-h this help
-c file config file to read instead of /etc/unbound/unbound.conf
file format is described in unbound.conf(5).
-d do not fork into the background.
-p do not create a pidfile.
-v verbose (more times to increase verbosity)
Version 1.9.0
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1d 10 Sep 2019
linked modules: dns64 python subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl

If you installed Unbound via your distributions repository (Debian/Ubuntu/Raspian) then version 1.9.0 is the latest one. See here.

For 1.9.6 you have to compile it yourself.

I need the steps to do it myself pls.
i tried following many guides, but couldnt succeed. i am missing something or there are many changes in file structure. thats why i am not able to do it successfully.

Pls any dev guide me. Thanks in advance

When 1.9.0 is working fine, why should you update now?
Wait a while and 1.9.6 will be in the repository and unbound will be upgraded as if by magic.

Since this is a Pi-Hole forum, and our install guide for Pi-Hole installs the stable version that ships with your OS, we aren't really able to provide compiling support for the various software packages people run with Pi-Hole.

For compiling instructions, I would go to

If you look at reply 6 to this thread, there is compiling information already provided to you by one of the devs.

I 100% agree with your comment; if it ain’t broken, don’t fix it - my slogan 20+ years as IT developer!!

However, the concern is with a few security issues which’ve been addressed by NLnetLabs in their latest version.

Personally, I have given up on Unbound due to a number of issues (Apple related stuff!!) which may or may not be related to my router and or total environment here - therefore I don’t care!

Below is assuming you have unbound already installed and tested according to the guide:


sudo apt install build-essential openssl libssl-dev libexpat1-dev bison

cd ~

git clone https://github.com/NLnetLabs/unbound.git

cd unbound

git checkout release-1.9.6

./configure --prefix=/usr --includedir=/usr/include --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc --localstatedir=/var --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --enable-subnet --with-chroot-dir= --libdir=/usr/lib


sudo service unbound stop

sudo make install

sudo service unbound start

dehakkelaar@laptop:~$ sudo service unbound status
   Active: active (running) since Mon 2020-01-20 23:32:18 CET; 3min 13s ago

dehakkelaar@laptop:~$ /usr/sbin/unbound -h
Version 1.9.6

dehakkelaar@laptop:~$ dig +short @ -p 5353 chaos txt version.bind
"unbound 1.9.6"

dehakkelaar@laptop:~$ dig sigfail.verteiltesysteme.net @ -p 5353
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19704

dehakkelaar@laptop:~$ dig sigok.verteiltesysteme.net @ -p 5353
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8770
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
sigok.verteiltesysteme.net. 60  IN      A

To prevent the package unbound getting updated/upgraded or reinstalled, pin it:

sudo tee /etc/apt/preferences.d/unbound <<< $'Package: unbound\nPin: release *\nPin-Priority: -1'

sudo apt update

apt policy unbound

EDIT: added pinning of unbound package.
EDIT2: better matching Debians build configure options.


Ow ps. I think you got the no such file error because unbound runs parts chrooted ... I learned by trial & error :wink:

It didnt work. Thats why i had to ask once again here.
I tried asking the Devs of Unbound in their website. They also couldnt help me much with Pihole. They just gave a general Instructions on how to compile it from source yourself and try if it works.
i will better wait for Update from a developer who will incorporate the latest version of Unbound to Pihole.

Unbound is not part of Pi-hole, and I guess it will never happen.

i am encountering problem at sudo service unbound start.
it says job for unbound.service failed because a timeout was exceeded.
What should i do now ?

sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf


EDIT: might want to redact some of the key exchanges from above output !!!

here is the Output:

pi@raspberrypi:/ $ sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf
[1579620626] unbound[30592:0] notice: Start of unbound 1.9.6.
[1579620626] unbound[30592:0] warning: unbound is already running as pid 30371.
[1579620626] unbound[30592:0] debug: chdir to /var/lib/unbound
[1579620626] unbound[30592:0] debug: chroot to /var/lib/unbound
[1579620626] unbound[30592:0] debug: chdir to /etc/unbound
[1579620626] unbound[30592:0] debug: drop user privileges, run as unbound
[1579620626] unbound[30592:0] debug: switching log to stderr
[1579620626] unbound[30592:0] debug: module config: "validator iterator"
[1579620626] unbound[30592:0] notice: init module 0: validator
[1579620626] unbound[30592:0] notice: init module 1: iterator
[1579620626] unbound[30592:0] debug: target fetch policy for level 0 is 3
[1579620626] unbound[30592:0] debug: target fetch policy for level 1 is 2
[1579620626] unbound[30592:0] debug: target fetch policy for level 2 is 1
[1579620626] unbound[30592:0] debug: target fetch policy for level 3 is 0
[1579620626] unbound[30592:0] debug: target fetch policy for level 4 is 0
[1579620626] unbound[30592:0] debug: Reading root hints from /root.hints
[1579620626] unbound[30592:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
[1579620626] unbound[30592:0] debug: cache memory msg=33040 rrset=33040 infra=3916 val=33196
[1579620626] unbound[30592:0] info: start of service (unbound 1.9.6).

i think Unbound is running. i checked Sigfail and Sigok. everything is showing the result as it should. but i think i cant edit the Config file or do make changes like in 1.9.0 version.
is there any other way to cross check it that Unbound is working ?

dig +short @ -p 5353 chaos txt version.bind

ps -o user,pid,cmd -C unbound

pi@raspberrypi:/ $ dig +short @ -p 5353 chaos txt version.bind
"unbound 1.9.6"
pi@raspberrypi:/ $ ps -o user,cmd -C unbound
unbound /usr/sbin/unbound -d
pi@raspberrypi:/ $

Well looks like its running and responding to DNS queries.

dig sigfail.verteiltesysteme.net @ -p 5353

dig sigok.verteiltesysteme.net @ -p 5353

OK, thanks. Where can I edit the config file?

In above command, the -c argument stands for load following config file /etc/unbound/unbound.conf.
And conf files in subfolder:


Plus during configure, below directive was passed to make/compile:



1 Like

Sometimes you have to be a bit lucky :wink:
The unbound systemd unit and the package-helper script (coming with the unbound package) didnt bother the compiled unbound binary being another (minor) version:

dehakkelaar@laptop:~$ cat /lib/systemd/system/unbound.service
Description=Unbound DNS server

ExecStartPre=-/usr/lib/unbound/package-helper chroot_setup
ExecStartPre=-/usr/lib/unbound/package-helper root_trust_anchor_update
ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS
ExecReload=/usr/sbin/unbound-control reload


For the configure options, I compared defaults from the package with the source defaults:

dehakkelaar@laptop:~/unbound$ cat doc/README
* Make and install: ./configure; make; make install
  * --with-libevent=/path/to/libevent
        Can be set to either the system install or the build directory.
        --with-libevent=no (default) gives a builtin alternative
        implementation. libevent is useful when having many (thousands)
        of outgoing ports. This improves randomization and spoof
        resistance. For the default of 16 ports the builtin alternative
        works well and is a little faster.
  * --with-libexpat=/path/to/libexpat
        Can be set to the install directory of libexpat.
  * --without-pthreads
        This disables pthreads. Without this option the pthreads library
        is detected automatically. Use this option to disable threading
        altogether, or, on Solaris, also use --with(out)-solaris-threads.
  * --enable-checking
        This enables assertions in the code that guard against a variety of
        programming errors, among which buffer overflows.  The program exits
        with an error if an assertion fails (but the buffer did not overflow).
  * --enable-static-exe
        This enables a debug option to statically link against the
        libevent library.
  * --enable-lock-checks
        This enables a debug option to check lock and unlock calls. It needs
        a recent pthreads library to work.
  * --enable-alloc-checks
        This enables a debug option to check malloc (calloc, realloc, free).
        The server periodically checks if the amount of memory used fits with
        the amount of memory it thinks it should be using, and reports
        memory usage in detail.
  * --with-conf-file=filename
        Set default location of config file,
        the default is /usr/local/etc/unbound/unbound.conf.
  * --with-pidfile=filename
        Set default location of pidfile,
        the default is /usr/local/etc/unbound/unbound.pid.
  * --with-run-dir=path
        Set default working directory,
        the default is /usr/local/etc/unbound.
  * --with-chroot-dir=path
        Set default chroot directory,
        the default is /usr/local/etc/unbound.
  * --with-rootkey-file=path
        Set the default root.key path.  This file is read and written.
        the default is /usr/local/etc/unbound/root.key
  * --with-rootcert-file=path
        Set the default root update certificate path.  A builtin certificate
        is used if this file is empty or does not exist.
        the default is /usr/local/etc/unbound/icannbundle.pem
  * --with-username=user
        Set default user name to change to,
        the default is the "unbound" user.
  * --with-pyunbound
        Create libunbound wrapper usable from python.
        Needs python-devel and swig development tools.
  * --with-pythonmodule
        Compile the python module that processes responses in the server.
  * --disable-sha2
        Disable support for RSASHA256 and RSASHA512 crypto.
  * --disable-gost
        Disable support for GOST crypto, RFC 5933.
  * --enable-subnet
        Enable EDNS client subnet processing.

* 'make test' runs a series of self checks.