When 1.9.0 is working fine, why should you update now?
Wait a while and 1.9.6 will be in the repository and unbound will be upgraded as if by magic.
Since this is a Pi-Hole forum, and our install guide for Pi-Hole installs the stable version that ships with your OS, we aren't really able to provide compiling support for the various software packages people run with Pi-Hole.
For compiling instructions, I would go to
If you look at reply 6 to this thread, there is compiling information already provided to you by one of the devs.
I 100% agree with your comment; if it ain't broken, don't fix it - my slogan 20+ years as IT developer!!
However, the concern is with a few security issues which've been addressed by NLnetLabs in their latest version.
Personally, I have given up on Unbound due to a number of issues (Apple related stuff!!) which may or may not be related to my router and/or total environment here - therefore I don't care!
Below is assuming you have unbound already installed and tested according to the guide:
https://docs.pi-hole.net/guides/unbound/
sudo apt install build-essential openssl libssl-dev libexpat1-dev bison
cd ~
git clone https://github.com/NLnetLabs/unbound.git
cd unbound
git checkout release-1.9.6
./configure --prefix=/usr --includedir=/usr/include --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc --localstatedir=/var --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --enable-subnet --with-chroot-dir= --libdir=/usr/lib
make
sudo service unbound stop
sudo make install
sudo service unbound start
dehakkelaar@laptop:~$ sudo service unbound status
[..]
Active: active (running) since Mon 2020-01-20 23:32:18 CET; 3min 13s ago
dehakkelaar@laptop:~$ /usr/sbin/unbound -h
[..]
Version 1.9.6
dehakkelaar@laptop:~$ dig +short @127.0.0.1 -p 5353 chaos txt version.bind
"unbound 1.9.6"
dehakkelaar@laptop:~$ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
[..]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19704
dehakkelaar@laptop:~$ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
[..]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8770
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
[..]
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 134.91.78.139
To prevent the package unbound getting updated/upgraded or reinstalled, pin it:
sudo tee /etc/apt/preferences.d/unbound <<< $'Package: unbound\nPin: release *\nPin-Priority: -1'
sudo apt update
apt policy unbound
EDIT: added pinning of unbound package.
EDIT2: better matching Debian's build configure options.
Ow ps. I think you got the no such file error because unbound runs parts chrooted ... I learned by trial & error
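The two dig checks shown in the post above can be turned into a pass/fail test, which is handy to rerun after every rebuild from source. This is an added example, not part of the original thread; the function names and the embedded sample outputs are constructed for illustration, and the live mode assumes the resolver listens on 127.0.0.1 port 5353 as in the guide.

```shell
#!/bin/sh
# Added example: confirm DNSSEC validation from dig output (not from the thread).

# Print the status field of the ->>HEADER<<- line read from stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed only if the flags line carries the ad (Authenticated Data) bit.
dig_has_ad() {
    flags=$(sed -n 's/^;; flags:\([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in *" ad "*) return 0 ;; *) return 1 ;; esac
}

# check_dnssec <sigfail output> <sigok output>
# Passes only if the broken signature is rejected AND the good one is validated.
check_dnssec() {
    [ "$(printf '%s\n' "$1" | dig_status)" = "SERVFAIL" ] ||
        { echo "FAIL: broken signature was not rejected"; return 1; }
    [ "$(printf '%s\n' "$2" | dig_status)" = "NOERROR" ] ||
        { echo "FAIL: correctly signed name did not resolve"; return 1; }
    printf '%s\n' "$2" | dig_has_ad ||
        { echo "FAIL: no ad flag, answer was not validated"; return 1; }
    echo "OK: DNSSEC validation is active"
}

# Constructed sample outputs, modelled on the dig output in the post above.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19704
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8770
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed: a resolver that answers but does not validate (no ad flag).
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live check against the local resolver: run the script with --live.
if [ "${1:-}" = "--live" ]; then
    check_dnssec "$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353)" \
                 "$(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353)"
fi
```

A resolver that returns NOERROR for both names, or NOERROR without the ad flag, is resolving but not validating, which the version check alone would not reveal.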
It didn't work. That's why I had to ask once again here.
I tried asking the devs of Unbound on their website. They also couldn't help me much with Pihole. They just gave general instructions on how to compile it from source yourself and try if it works.
I will better wait for an update from a developer who will incorporate the latest version of Unbound into Pihole.
Unbound is not part of Pi-hole, and I guess it will never happen.
I am encountering a problem at sudo service unbound start.
It says job for unbound.service failed because a timeout was exceeded.
What should I do now?
sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf
?
EDIT: might want to redact some of the key exchanges from above output !!!
Here is the output:
pi@raspberrypi:/ $ sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf
[1579620626] unbound[30592:0] notice: Start of unbound 1.9.6.
[1579620626] unbound[30592:0] warning: unbound is already running as pid 30371.
[1579620626] unbound[30592:0] debug: chdir to /var/lib/unbound
[1579620626] unbound[30592:0] debug: chroot to /var/lib/unbound
[1579620626] unbound[30592:0] debug: chdir to /etc/unbound
[1579620626] unbound[30592:0] debug: drop user privileges, run as unbound
[1579620626] unbound[30592:0] debug: switching log to stderr
[1579620626] unbound[30592:0] debug: module config: "validator iterator"
[1579620626] unbound[30592:0] notice: init module 0: validator
[1579620626] unbound[30592:0] notice: init module 1: iterator
[1579620626] unbound[30592:0] debug: target fetch policy for level 0 is 3
[1579620626] unbound[30592:0] debug: target fetch policy for level 1 is 2
[1579620626] unbound[30592:0] debug: target fetch policy for level 2 is 1
[1579620626] unbound[30592:0] debug: target fetch policy for level 3 is 0
[1579620626] unbound[30592:0] debug: target fetch policy for level 4 is 0
[1579620626] unbound[30592:0] debug: Reading root hints from /root.hints
[1579620626] unbound[30592:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
[1579620626] unbound[30592:0] debug: cache memory msg=33040 rrset=33040 infra=3916 val=33196
[1579620626] unbound[30592:0] info: start of service (unbound 1.9.6).
I think Unbound is running. I checked sigfail and sigok. Everything is showing the result as it should. But I think I can't edit the config file or make changes like in the 1.9.0 version.
Is there any other way to cross-check that Unbound is working?
dig +short @127.0.0.1 -p 5353 chaos txt version.bind
ps -o user,pid,cmd -C unbound
pi@raspberrypi:/ $ dig +short @127.0.0.1 -p 5353 chaos txt version.bind
"unbound 1.9.6"
pi@raspberrypi:/ $ ps -o user,cmd -C unbound
USER CMD
unbound /usr/sbin/unbound -d
pi@raspberrypi:/ $
Well, looks like it's running and responding to DNS queries.
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
OK, thanks. Where can I edit the config file?
In above command, the -c argument stands for load following config file /etc/unbound/unbound.conf.
And conf files in subfolder:
/etc/unbound/unbound.conf.d
Plus during configure, below directive was passed to make/compile:
--with-conf-file=/etc/unbound/unbound.conf
Thanks
Sometimes you have to be a bit lucky.
The unbound systemd unit and the package-helper script (coming with the unbound package) didn't bother the compiled unbound binary being another (minor) version:
dehakkelaar@laptop:~$ cat /lib/systemd/system/unbound.service
[Unit]
Description=Unbound DNS server
Documentation=man:unbound(8)
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/unbound
ExecStartPre=-/usr/lib/unbound/package-helper chroot_setup
ExecStartPre=-/usr/lib/unbound/package-helper root_trust_anchor_update
ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS
ExecReload=/usr/sbin/unbound-control reload
[Install]
WantedBy=multi-user.target
For the configure options, I compared defaults from the package with the source defaults:
dehakkelaar@laptop:~/unbound$ cat doc/README
[..]
* Make and install: ./configure; make; make install
* --with-libevent=/path/to/libevent
Can be set to either the system install or the build directory.
--with-libevent=no (default) gives a builtin alternative
implementation. libevent is useful when having many (thousands)
of outgoing ports. This improves randomization and spoof
resistance. For the default of 16 ports the builtin alternative
works well and is a little faster.
* --with-libexpat=/path/to/libexpat
Can be set to the install directory of libexpat.
* --without-pthreads
This disables pthreads. Without this option the pthreads library
is detected automatically. Use this option to disable threading
altogether, or, on Solaris, also use --with(out)-solaris-threads.
* --enable-checking
This enables assertions in the code that guard against a variety of
programming errors, among which buffer overflows. The program exits
with an error if an assertion fails (but the buffer did not overflow).
* --enable-static-exe
This enables a debug option to statically link against the
libevent library.
* --enable-lock-checks
This enables a debug option to check lock and unlock calls. It needs
a recent pthreads library to work.
* --enable-alloc-checks
This enables a debug option to check malloc (calloc, realloc, free).
The server periodically checks if the amount of memory used fits with
the amount of memory it thinks it should be using, and reports
memory usage in detail.
* --with-conf-file=filename
Set default location of config file,
the default is /usr/local/etc/unbound/unbound.conf.
* --with-pidfile=filename
Set default location of pidfile,
the default is /usr/local/etc/unbound/unbound.pid.
* --with-run-dir=path
Set default working directory,
the default is /usr/local/etc/unbound.
* --with-chroot-dir=path
Set default chroot directory,
the default is /usr/local/etc/unbound.
* --with-rootkey-file=path
Set the default root.key path. This file is read and written.
the default is /usr/local/etc/unbound/root.key
* --with-rootcert-file=path
Set the default root update certificate path. A builtin certificate
is used if this file is empty or does not exist.
the default is /usr/local/etc/unbound/icannbundle.pem
* --with-username=user
Set default user name to change to,
the default is the "unbound" user.
* --with-pyunbound
Create libunbound wrapper usable from python.
Needs python-devel and swig development tools.
* --with-pythonmodule
Compile the python module that processes responses in the server.
* --disable-sha2
Disable support for RSASHA256 and RSASHA512 crypto.
* --disable-gost
Disable support for GOST crypto, RFC 5933.
* --enable-subnet
Enable EDNS client subnet processing.
* 'make test' runs a series of self checks.
[..]
Ow I changed configure options a little in my original posting to better match the ones Debian uses.
Yeah easier is better.
Had to remove another configure option because else Raspbian lite wouldn't compile without installing another dependency.
Difficult to find a one size fits all solution
Followed the instructions but I ran into a little problem:
Feb 22 08:49:34 rock64 systemd[1]: Starting Unbound DNS server...
Feb 22 08:49:34 rock64 package-helper[2895]: /var/lib/unbound/root.key has content
Feb 22 08:49:34 rock64 package-helper[2895]: success: the anchor is ok
Feb 22 08:49:34 rock64 unbound[2899]: [1582361374] unbound[2899:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent
Feb 22 08:49:34 rock64 unbound[2899]: [1582361374] unbound[2899:0] warning: continuing with less udp ports: 477
Feb 22 08:49:34 rock64 unbound[2899]: [2899:0] info: start of service (unbound 1.10.1).
How do I get rid of the warnings?
Thanks in advance