Unbound breaking FTLDNS?

I have Pi-hole (FTLDNS) running in an Ubuntu 16.04 Server VM. I wanted to configure it as my own recursive server instead of having upstream servers like Google/Cloudflare.

I followed this tutorial: Pi hole as recursive DNS server · pi-hole/pi-hole Wiki · GitHub but at 'Start your local recursive server and test that it's operational:' it didn't respond like it should.

Expected Behaviour:

Pi-hole (FTLDNS) working together happily with unbound, as I want to be my own recursive DNS.

Actual Behaviour:

At first unbound was not working (could not start, I guess) as the 'dig' command from the wiki gave a timeout. After a reboot it did, but then FTLDNS was broken.

Before reboot:

May 12 13:35:07 pihole-vm systemd[1]: Starting unbound.service...
May 12 13:35:07 pihole-vm unbound[2768]:  * Starting DNS server unbound
May 12 13:35:07 pihole-vm unbound-anchor[2788]: /var/lib/unbound/root.key does not exist, copying from /usr/share/dns/root.key
May 12 13:35:07 pihole-vm unbound-anchor[2788]: /var/lib/unbound/root.key has content
May 12 13:35:07 pihole-vm unbound-anchor[2788]: success: the anchor is ok
May 12 13:35:07 pihole-vm unbound[2768]: [1526124907] unbound[2798:0] error: can't bind socket: Address already in use for ::1
May 12 13:35:07 pihole-vm unbound[2768]: [1526124907] unbound[2798:0] fatal error: could not open ports
May 12 13:35:07 pihole-vm unbound[2768]:    ...fail!
May 12 13:35:07 pihole-vm systemd[1]: Started unbound.service.
May 12 13:35:58 pihole-vm systemd[1]: Started unbound.service.

So unbound cannot start because the socket is already in use. The 'dig' test from the wiki is not working (which makes sense, as unbound is not running).

I did a reboot of the VM and unbound seemed to work, as did the dig test (it now resolved).
However, pihole/FTLDNS seems to be broken. It displayed 'Lost connection to API' and 'FTL offline' in the web interface. Ads are also displayed again. When I run dnsleaktest.com I still see Cloudflare (which was the resolver before messing with Unbound) where it should have shown my ISP, as I am now my own resolver.

I checked the status of FTL and it is not running:

frank@pihole-vm:~$ service pihole-FTL status
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; bad; vendor preset: enabled)
   Active: active (exited) since Sat 2018-05-12 12:19:06 CEST; 1min 40s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3551 ExecStop=/etc/init.d/pihole-FTL stop (code=exited, status=0/SUCCESS)
  Process: 3560 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

May 12 12:19:05 pihole-vm systemd[1]: Starting LSB: pihole-FTL daemon...
May 12 12:19:05 pihole-vm pihole-FTL[3560]: Not running
May 12 12:19:05 pihole-vm pihole-FTL[3560]: chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
May 12 12:19:05 pihole-vm su[3587]: Successful su for pihole by root
May 12 12:19:05 pihole-vm su[3587]: + ??? root:pihole
May 12 12:19:05 pihole-vm su[3587]: pam_unix(su:session): session opened for user pihole by (uid=0)
May 12 12:19:06 pihole-vm pihole-FTL[3560]: dnsmasq: failed to create listening socket for port 53: Address already in use
May 12 12:19:06 pihole-vm systemd[1]: Started LSB: pihole-FTL daemon.
May 12 12:20:35 pihole-vm systemd[1]: Started LSB: pihole-FTL daemon.
frank@pihole-vm:~$

It seems unbound is keeping port 53 or some socket hostage. But I don't understand why, as I copy/pasted the config file from the wiki, where it says that unbound should only listen on 5353. After a reboot I think unbound is being started earlier than FTLDNS, so that is why unbound is working now, but FTLDNS is not?

Debug Token:

jjuqcpf7yp

I've tested both the dnsmasq and the FTLDNS version with unbound, no problems detected. For starters, I used the same wiki you did, but made a few small modifications (among others, there is a log file!), you can read it here. Just follow the unbound section, and of course, only 1 resolver in pihole's server configuration. You'll have to edit the files, this method doesn't work using pihole's web interface (different IP address).
By just adding the log file setting, you may be able to detect what is wrong.

Thanks for responding. But if I understand correctly, your thread is more about gaining extra security/performance. That is something I might have a look at later. I first want the basics to be running, but that is not working when I follow the advised steps.

So something is going wrong, but where? And what do I need to do to have unbound and FTLDNS play together nicely instead of fighting over ports in use, etc.?

Just add the log setting to your existing configuration. There might be a hint in the logs as to what is going wrong.
Add the following line before 'verbosity: 1':

    logfile: /var/log/unbound.log

and then

sudo service unbound restart

There might be an error message regarding the log file, after you added the parameter, not quite sure why this happens. If the logfile error does appear, then enter the following commands:

sudo touch /var/log/unbound.log
sudo chmod 646 /var/log/unbound.log

and (re)start the service again.

Hope this helps...

Thanks. Unfortunately the log isn't telling me very much:

frank@pihole-vm:~$ cat /var/log/unbound.log
[1526140810] unbound[3954:0] notice: init module 0: validator
[1526140810] unbound[3954:0] notice: init module 1: iterator
[1526140810] unbound[3954:0] info: start of service (unbound 1.5.8).
[1526140999] unbound[3954:0] info: service stopped (unbound 1.5.8).
[1526140999] unbound[3954:0] info: server stats for thread 0: 40 queries, 1 answers from cache, 39 recursions, 0 prefetch
[1526140999] unbound[3954:0] info: server stats for thread 0: requestlist max 5 avg 1.64103 exceeded 0 jostled 0
[1526140999] unbound[3954:0] info: average recursion processing time 0.178528 sec
[1526140999] unbound[3954:0] info: histogram of recursion processing times
[1526140999] unbound[3954:0] info: [25%]=0.0319488 median[50%]=0.0867388 [75%]=0.124326
[1526140999] unbound[3954:0] info: lower(secs) upper(secs) recursions
[1526140999] unbound[3954:0] info:    0.008192    0.016384 5
[1526140999] unbound[3954:0] info:    0.016384    0.032768 5
[1526140999] unbound[3954:0] info:    0.032768    0.065536 4
[1526140999] unbound[3954:0] info:    0.065536    0.131072 17
[1526140999] unbound[3954:0] info:    0.131072    0.262144 3
[1526140999] unbound[3954:0] info:    0.262144    0.524288 2
[1526140999] unbound[3954:0] info:    0.524288    1.000000 2
[1526140999] unbound[3954:0] info:    2.000000    4.000000 1
[1526141023] unbound[1482:0] notice: init module 0: validator
[1526141023] unbound[1482:0] notice: init module 1: iterator
[1526141023] unbound[1482:0] info: start of service (unbound 1.5.8).
frank@pihole-vm:~$

Unbound seems to be running OK (as tests indicate that DNSSEC is working) but it is blocking FTLDNS in some way.

frank@pihole-vm:~$ sudo service pihole-FTL status
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; bad; vendor preset: enabled)
   Active: active (exited) since Sat 2018-05-12 18:03:30 CEST; 14min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1241 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0

May 12 18:03:28 pihole-vm systemd[1]: Starting LSB: pihole-FTL daemon...
May 12 18:03:28 pihole-vm pihole-FTL[1241]: Not running
May 12 18:03:28 pihole-vm pihole-FTL[1241]: chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
May 12 18:03:29 pihole-vm su[1458]: Successful su for pihole by root
May 12 18:03:29 pihole-vm su[1458]: + ??? root:pihole
May 12 18:03:29 pihole-vm su[1458]: pam_unix(su:session): session opened for user pihole by (uid=0)
May 12 18:03:30 pihole-vm pihole-FTL[1241]: dnsmasq: failed to create listening socket for port 53: Address already in use
May 12 18:03:30 pihole-vm systemd[1]: Started LSB: pihole-FTL daemon.

I'm not sure where this 'dnsmasq' that is listed is coming from. Not FTLDNS as it indicated it could not start...

frank@pihole-vm:~$ sudo netstat -lpn | grep :53
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      1482/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1114/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      1114/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1114/dnsmasq
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           1482/unbound
udp6       0      0 :::53

When stopping dnsmasq I was able to restart pihole-FTL and everything is fine:

frank@pihole-vm:~$ sudo service dnsmasq stop
frank@pihole-vm:~$ sudo service pihole-FTL restart
frank@pihole-vm:~$ sudo netstat -lpn | grep :53
tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      1482/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2714/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      2714/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2714/pihole-FTL
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           1482/unbound
udp6       0      0 :::53                   :::*                                2714/pihole-FTL
frank@pihole-vm:~$

But of course as soon as I reboot the VM, dnsmasq is running again and pihole-FTL cannot start.
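The netstat output above is the whole diagnosis: two resolvers want port 53 and only the first one to start gets it. As an added example (not from this thread or from the Pi-hole project), the script below turns that manual check into a repeatable one: it parses `netstat -lpn`-style lines from stdin, reports which program owns a given port, and verifies the layout the wiki expects (pihole-FTL on 53, unbound on 5353 on loopback only). The two sample outputs are constructed, modelled on the "before" and "after" listings in the post; the udp6 line that is cut off in the post is completed in the constructed sample.

```shell
#!/bin/sh
# Added example: diagnose a DNS port conflict from `netstat -lpn` output.
# Not part of the thread or of Pi-hole; the function and sample names are my own.

# Constructed sample: the state before stopping dnsmasq (dnsmasq holds 53).
SAMPLE_BEFORE='tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      1482/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1114/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      1114/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1114/dnsmasq
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           1482/unbound
udp6       0      0 :::53                   :::*                                1114/dnsmasq'

# Constructed sample: the state after dnsmasq was stopped and pihole-FTL restarted.
SAMPLE_AFTER='tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      1482/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2714/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      2714/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2714/pihole-FTL
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           1482/unbound
udp6       0      0 :::53                   :::*                                2714/pihole-FTL'

# dns_listeners PORT: read netstat -lpn output on stdin and print
# "<proto> <local-address> <pid/program>" for every socket bound to PORT.
# Column 4 is the local address; the port is whatever follows its last ':',
# which also handles IPv6 forms such as ":::53". Header lines are skipped
# because their first field is not tcp/udp.
dns_listeners() {
    awk -v p="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            if (a[n] != p) next
            print $1, $4, $NF      # $NF is "pid/program", or "-" when not run as root
        }'
}

# port_owner PORT: distinct program names bound to PORT, space-separated.
# Prints "?" for sockets whose owner netstat could not show (run it with sudo).
port_owner() {
    dns_listeners "$1" | awk '{
        prog = (split($3, pp, "/") == 2 && pp[2] != "") ? pp[2] : "?"
        print prog
    }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_dns_layout: read netstat output on stdin and return 0 only when
# pihole-FTL owns port 53 and unbound owns port 5353; otherwise describe the
# conflict and return 1. This is the check to run after a reboot.
check_dns_layout() {
    input=$(cat)
    o53=$(printf '%s\n' "$input" | port_owner 53)
    o5353=$(printf '%s\n' "$input" | port_owner 5353)
    status=0
    if [ "$o53" != "pihole-FTL" ]; then
        echo "port 53 is held by: ${o53:-nothing} (expected pihole-FTL)"
        status=1
    fi
    if [ "$o5353" != "unbound" ]; then
        echo "port 5353 is held by: ${o5353:-nothing} (expected unbound)"
        status=1
    fi
    # unbound must only be reachable from the box itself, never on 0.0.0.0/::
    printf '%s\n' "$input" | dns_listeners 5353 | awk '$2 !~ /^(127\.0\.0\.1|::1):/ {
        print "port 5353 listener on non-loopback address: " $2; exit 1 }' || status=1
    return $status
}

# Demo on the constructed samples; on a live box use:  sudo netstat -lpn | check_dns_layout
if printf '%s\n' "$SAMPLE_BEFORE" | check_dns_layout; then
    echo "before: layout OK"
else
    echo "before: conflict detected"
fi
if printf '%s\n' "$SAMPLE_AFTER" | check_dns_layout; then
    echo "after: layout OK"
else
    echo "after: conflict detected"
fi
```

Pipe a real `sudo netstat -lpn` (or `ss -lpn`, whose local-address column is in the same position) into `check_dns_layout`; a non-zero exit with the name of the squatting program tells you which service to stop or disable, and the loopback check catches a copied unbound config that accidentally exposes the recursive resolver to the LAN.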

So both dnsmasq and FTLDNS try to start. There is a similar (identical) topic here

They solved it by simply removing dnsmasq. On Raspbian, that is 'sudo apt-get remove dnsmasq'. It's safe to do; you can always reinstall it later, if you want to revert to the dnsmasq configuration.

@DL6ER how does the installer actually enable FTLDNS and disable dnsmasq? And vice versa, if you revert to dnsmasq. Thanks.

Forwarding this to @PromoFaux, I'm currently in the Netherlands (without computer)

So in the FTLDNS enabled branches (development/FTLDNS), the installer simply checks for the existence of dnsmasq, and if finds it (and it is active) it will stop and disable the service.

Switching back to master will just enable the service again at the end of the installer, after the non-resolving FTL 3.0 has been installed.

Hope that makes sense!

I think somehow the disabling of the dnsmasq service didn't go well and thus is causing problems.
I have removed dnsmasq from the system and after a reboot everything looks good.

However, I have decided to let my upstream system (pfSense) do the recursing/resolving. So I will go back to FTLDNS without the unbound part :stuck_out_tongue:


Just as a side note: We do not recommend going the unbound way in general. It's only for the privacy concerned having no extra hardware at hand that can do it for them. In fact, using upstream providers will still also be the default in Pi-hole v4.0 as using the large providers has many benefits, especially in terms of speed (asking once for potentially cached domains instead of doing all the recursive walking and DNSSEC verifying on our own).


Will this remove unbound?

sudo service unbound stop
sudo apt-get remove unbound

Or do I need to use purge?

LE: I was also supposed to do:
sudo apt-get autoremove

To uninstall incl. removing configuration files use

sudo apt-get autoremove --purge unbound


remove is totally sufficient to remove a service from a system. It will leave some config files intact in case you want to revisit this package later, so you don't have to start from zero. These config files, however, are obviously useless without the service itself, so they do no harm. purge will delete these in addition to removing the service itself.

