Unbound doesn't work on new Pi-hole installation

Hi all.
I'm doing a fresh install of Pi-hole + Unbound on a RPi Zero, following the documentation. Note that I've done this successfully at least 2-3 times in the past, always by following the docs.

Pi-hole gets installed as it should but Unbound shows the following errors.

After installing unbound:

● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Sat 2022-03-19 17:39:09 EET; 243ms ago
       Docs: man:unbound(8)
    Process: 1613 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 1616 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
    Process: 1619 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
    Process: 1620 ExecStopPost=/usr/lib/unbound/package-helper chroot_teardown (code=exited, status=0/SUCCESS)
   Main PID: 1619 (code=exited, status=1/FAILURE)
        CPU: 297ms

Mar 19 17:39:09 raspberrypi systemd[1]: unbound.service: Scheduled restart job, restart counter is at 3.

Note: the above error didn't appear when I tried installing unbound before Pi-hole, but then I ended up having the same problem (a servfail where I should have a noerror).

Also, here's the output of unbound -d -v:

[1647705854] unbound[1054:0] notice: Start of unbound 1.13.1.
[1647705854] unbound[1054:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
[1647705854] unbound[1054:0] error: cannot open control interface 127.0.0.1 8953
[1647705854] unbound[1054:0] fatal error: could not open ports

This doesn't look good, but I haven't found a way to troubleshoot it.

I've searched the forum and the internet and found many people having a similar issue, but none of the recommendations on those threads helped me (most of them were on this forum).

Among the things I've tried were making sure the Pi is on the correct timezone; I also tried manually installing the root.hints file per the docs, and made sure to uncomment the appropriate line in pi-hole.conf. It didn't make any difference, although I suppose it shouldn't have since I'm installing unbound through apt and this step was optional. unbound-checkconf says there are no errors in the configuration.

I'm at my wit's end. Thanks in advance for any help.

Expected Behaviour:

Hardware: Raspberry Pi Zero W v 1.1
OS: Raspbian (latest)

Unbound should be working upon installation.

Actual Behaviour:

Unbound doesn't seem to be working judging from the outputs of the following 2 commands (both return a SERVFAIL):

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

Debug Token:

https://tricorder.pi-hole.net/FNUqk4sI/

If that happened right after sudo apt install unbound, that would be expected, as unbound would be configured for port 53, conflicting with Pi-hole.
That would be resolved as soon as you'd have created /etc/unbound/unbound.conf.d/pi-hole.conf and restarted unbound as detailed in our guide.

Since you are using Raspberry Pi OS Bullseye, you may be affected by a loop introduced by unbound's package defaults - let's check for that.

Run from your Pi-hole host machine, what's the output of:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*

I created the /etc/unbound/unbound.conf.d/pi-hole.conf file and added the default configuration that is in the guide. Then I restarted the unbound service. Wouldn't that make it run on port 5335 (so not conflict)?

Here's the output:

/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:    auto-trust-anchor-file: "/var/lib/unbound/root.key"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:    verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:    interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:    port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    use-caps-for-id: no
/etc/unbound/unbound.conf.d/pi-hole.conf:    edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:    prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:    num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:    so-rcvbuf: 1m
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:    private-address: fe80::/10
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:forward-zone:
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  name: "."
/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf:  forward-addr: fe80::a26:97ff:fed4:26c0%wlan0

Please try

  1. Edit file /etc/resolvconf.conf and comment out the last line which should read:

unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  2. Delete the unwanted unbound configuration file:

sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

  3. Restart unbound:

sudo service unbound restart

Yep. Now the sigok subdomain returns a NOERROR. Could you please explain to me what happened? Is it something that is reflected in the docs and I failed to follow it?

Raspbian Bullseye installed this configuration by default. Not something you did. You didn't miss anything in the docs.

Thanks for clarifying that, and thank you all for your answers. I've marked the solution.

As mentioned, you were affected by a DNS loop created between your upstream unbound and Pi-hole, introduced by unbound's default configuration rolled out with Bullseye packaging. For a complete background, see WARNING: Raspbian October 2021 release bullseye + unbound
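
Added example (not part of any post in this thread, and not Pi-hole project code): a read-only shell check for the two things the fix above removes, a forward-zone for "." among unbound's config fragments and an active unbound_conf= line in resolvconf.conf. The function names and the sample files are constructed for illustration; on a real host the arguments would be /etc/unbound/unbound.conf.d and /etc/resolvconf.conf.

```shell
#!/bin/sh
# Added example: detect the resolvconf-generated root forwarder for unbound.

# Print each fragment in directory $1 holding a forward-zone named ".".
find_root_forwarders() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk '
            { sub(/#.*/, "") }                       # ignore comments
            /^[ \t]*[a-z-]+:[ \t]*$/ {               # clause header such as "server:"
                in_fwd = ($0 ~ /forward-zone:/); next
            }
            in_fwd && /^[ \t]*name:[ \t]*"?\."?[ \t]*$/ { found = 1 }
            END { exit !found }
        ' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Succeed if resolvconf.conf ($1) has an active unbound_conf= line, which
# would make resolvconf write the forwarder file again.
resolvconf_feeds_unbound() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*unbound_conf=' "$1"
}

# $1 = unbound conf.d directory, $2 = resolvconf.conf; returns 1 on any finding.
audit_unbound() {
    rc=0
    hits=$(find_root_forwarders "$1")
    if [ -n "$hits" ]; then echo "root forward-zone in: $hits"; rc=1; fi
    if resolvconf_feeds_unbound "$2"; then echo "active unbound_conf= in $2"; rc=1; fi
    return $rc
}

# Constructed sample mirroring the files quoted in the thread; $1 = scratch dir.
make_sample() {
    mkdir -p "$1/unbound.conf.d"
    printf 'server:\n    interface: 127.0.0.1\n    port: 5335\n' \
        > "$1/unbound.conf.d/pi-hole.conf"
    printf 'forward-zone:\n  name: "."\n  forward-addr: fe80::a26:97ff:fed4:26c0%%wlan0\n' \
        > "$1/unbound.conf.d/resolvconf_resolvers.conf"
    printf 'unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf\n' \
        > "$1/resolvconf.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_unbound "$tmp/unbound.conf.d" "$tmp/resolvconf.conf" || echo "fix needed"
rm -rf "$tmp"
```

A clean result from audit_unbound only covers these two files; the dig checks against port 5335 quoted earlier in the thread remain the functional test.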

Thanks a lot. I'll make sure to follow this stuff more closely from now on.
