Unbound : unable to issue

I formatted and started over a few times, as I keep getting mixed results.
At this stage unbound doesn't seem to work at all, but when I go back to Cloudflare, Pi-hole is resolving again.

I did follow the instructions on my Raspberry Pi 4 and my conf should look pretty much like this:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: yes

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

PS: I tried setting "prefer-ip6" to no to test, but same result.

Firewall: everything is running fine with my second Pi-hole (DoT this time);
all firewalls are in the same IP group.

(Gateway: UniFi UDM Pro)
Local IN
Allow DNS Servers out > Accept > Source GROUP DNS SERVER > DESTINATION * Groups: Local VLAN, DNS Port

Allow DNS Servers out > Accept > Source GROUP LOCALVLAN > DESTINATION * Groups: DNSSERVER, DNS Port

Drop Block DNS Servers > Accept > Source GROUP DNSPORT

IPV6 Rule
2500 Accept Established Accept All
2501 Drop invalid Drop All

DNSPORT : 5353, 53
LOCALVLAN : 192.168.1.0/24, 192.168.3.0/24,192.168.4.0/24,192.168.7.0/24
DNSSERVER : 1.1.1.1, 1.0.0.1, 192.168.1.59, 192.168.1.149

Pi-hole settings:
With unbound (resolver)
127.0.0.1#5335
::1#5335

without (resolver)
1.1.1.1
1.0.0.1

Listen on all interfaces
Never forward non-FQDNs
Never forward reverse lookups for private IP ranges

Try adding log output to unbound to see what's going on:

Add in /etc/unbound/unbound.conf.d/pi-hole.conf

    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    verbosity: 2

Create the file and change its ownership to the unbound user

touch /var/log/unbound/unbound.log
sudo chown unbound /var/log/unbound/unbound.log 

restart unbound

sudo service unbound restart

And look in the log

cat /var/log/unbound/unbound.log

Independent of your unbound issue, that doesn't look right:

I would try (changes in bold):

Allow DNS Servers out > Accept > Source GROUP DNS SERVER > DESTINATION Groups: DNS Port

Allow DNS to DNS Servers > Accept > Source GROUP LOCALVLAN > DESTINATION Groups: DNSSERVER, DNS Port

Drop all other DNS Servers > Drop > Source GROUP LOCALVLAN > DESTINATION GROUP DNSPORT

DNSPORT : 5353, 53

Thank you, I added the log to the config file,

but I can't do the second step:
No such file or directory

I restarted unbound thinking the config file would create the actual log file, but it doesn't seem to work this way.

Should I just create the file then? (I can't seem to create the file with nano /var/log/unbound/unbound.log either.)

Try

sudo touch /var/log/unbound/unbound.log
pi@raspberrypi:~ $ sudo touch /var/log/unbound/unbound.log
touch: cannot touch '/var/log/unbound/unbound.log': No such file or directory
pi@raspberrypi:~ $
pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# chown unbound /var/log/unbound/unbound.log 
chown: cannot access '/var/log/unbound/unbound.log': No such file or directory
sudo mkdir /var/log/unbound
sudo touch /var/log/unbound/unbound.log
sudo chown unbound /var/log/unbound/unbound.log 


Thanks for your help, I give up. For months I haven't managed to get unbound working; I added the log file to the unbound config but it didn't log anything... Anyway, I'll just keep Cloudflare, I guess it's not that bad.

PS: when deleting / reinstalling unbound, I realise I always get an error

Linux raspberrypi 4.19.118-v7l+ #1311 SMP Mon Apr 27 14:26:42 BST 2020 armv7l
(Reading database ... 41248 files and directories currently installed.)
Removing unbound (1.9.0-2+deb10u2) ...
Processing triggers for man-db (2.8.5-2) ...
pi@raspberrypi:~ $ sudo apt install unbound
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  rpi-eeprom-images
Use 'sudo apt autoremove' to remove it.
Suggested packages:
  apparmor
The following NEW packages will be installed:
  unbound
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 671 kB of archives.
After this operation, 3,637 kB of additional disk space will be used.
Get:1 http://ftp.acc.umu.se/mirror/raspbian/raspbian buster/main armhf unbound armhf 1.9.0-2+deb10u2 [671 kB]
Fetched 671 kB in 1s (776 kB/s)
Selecting previously unselected package unbound.
(Reading database ... 41216 files and directories currently installed.)
Preparing to unpack .../unbound_1.9.0-2+deb10u2_armhf.deb ...
Unpacking unbound (1.9.0-2+deb10u2) ...
Setting up unbound (1.9.0-2+deb10u2) ...
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
invoke-rc.d: initscript unbound, action "restart" failed.
โ— unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sat 2020-07-11 20:18:58 BST; 24ms ago
     Docs: man:unbound(8)
  Process: 1352 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=1/FAILURE)
  Process: 1355 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=1/FAILURE)
  Process: 1358 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 1358 (code=exited, status=1/FAILURE)
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u4+rpi1) ...
pi@raspberrypi:~ $

Not even the start of the unbound service?

What is the output of

sudo unbound-checkconf

and

sudo service unbound status

I have a few errors; it's probably not installed properly in the first place.

pi@raspberrypi:~ $ sudo unbound-checkconf
/etc/unbound/unbound.conf.d/pi-hole.conf:13: error: expected yes or no.
read /etc/unbound/unbound.conf failed: 1 errors in configuration file
pi@raspberrypi:~ $


pi@raspberrypi:~ $ sudo service unbound status
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2020-07-11 20:19:00 BST; 2min 15s ago
     Docs: man:unbound(8)
  Process: 1448 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exite...
  Process: 1451 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update ...
  Process: 1454 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FA...
 Main PID: 1454 (code=exited, status=1/FAILURE)

Jul 11 20:19:00 raspberrypi systemd[1]: unbound.service: Service RestartSec=100ms exp...
Jul 11 20:19:00 raspberrypi systemd[1]: unbound.service: Scheduled restart job, resta...
Jul 11 20:19:00 raspberrypi systemd[1]: Stopped Unbound DNS server.
Jul 11 20:19:00 raspberrypi systemd[1]: unbound.service: Start request repeated too q...
Jul 11 20:19:00 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-cod...
Jul 11 20:19:00 raspberrypi systemd[1]: Failed to start Unbound DNS server.

Unbound doesn't start because of an error at line 13 in /etc/unbound/unbound.conf.d/pi-hole.conf

What's at line 13 in your current config?

Additionally:

Please post the output of:

cat /var/lib/unbound/root.hints

I removed /etc/unbound/unbound.conf.d/pi-hole.conf and wrote a new file (config below):

server:
    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: yes

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

I still get the error in the config:


pi@raspberrypi:~ $ sudo unbound-checkconf
/etc/unbound/unbound.conf.d/pi-hole.conf:17: error: expected yes or no.
read /etc/unbound/unbound.conf failed: 1 errors in configuration file
pi@raspberrypi:~ $ cat /var/lib/unbound/root.hints
cat: /var/lib/unbound/root.hints: No such file or directory
pi@raspberrypi:~ $

prefer-ip6: tes

This file does not exist. Have a look at the guide again for how to download it:
https://docs.pi-hole.net/guides/unbound/#setting-up-pi-hole-as-a-recursive-dns-server-solution
(It's right before "Configure unbound")

This is the problem:

[screenshot: Annotation 2020-07-11 124543]

Edit: And really, you don't need prefer ipv6 at all, it's on the same device as Pi-hole and will be accessed via the localhost interface anyways.

I'm updating it to « no » now, but I do have native IPv6.

Doesn't matter, you use 127.0.0.1:5335 as the address for Pi-hole to connect to unbound.

I changed it to no. Just checking: I can still refer IPv6 to ::1#5335, right? (I added 127.0.0.1#5335.)

Also I did this again, just in case I forgot during the last reformat:

wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/

but I still get this:


pi@raspberrypi:~ $ sudo unbound-checkconf
/var/lib/unbound/root.key: No such file or directory
[1594497037] unbound-checkconf[2260:0] fatal error: auto-trust-anchor-file: "/var/lib/unbound/root.key" does not exist

Shortened (cat /var/lib/unbound/root.hints):

pi@raspberrypi:~ $ cat /var/lib/unbound/root.hints
;       This file holds the information on root name servers needed to 
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers). 
; 
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.cache 
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
; 
;       last update:     June 08, 2020 
;       related version of root zone:     2020060801
; 
; FORMERLY NS.INTERNIC.NET 
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
; 
; FORMERLY NS1.ISI.EDU 
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
; 
; FORMERLY C.PSI.NET 
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
; 
; FORMERLY TERP.UMD.EDU 
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
; 
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
; 
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
; 
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
; 
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
; 
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
; 
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
; 
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
; 
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
; 
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of file
pi@raspberrypi:~ $

For the root.key:

sudo -u unbound unbound-anchor

root.hints looks good now.

Why would you? They are both loopbacks.

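Everything that kept unbound from starting in this thread was visible in the config fragment before the service was touched: a yes/no option with a value that is neither (the `prefer-ip6: tes` typo that unbound-checkconf reported as "expected yes or no"), a `root-hints` path with no file behind it, and a `logfile` inside a directory that did not exist yet. The script below is an added example, not something posted in the thread or taken from the Pi-hole guide; it is a pre-flight lint you can run as an unprivileged user against `/etc/unbound/unbound.conf.d/pi-hole.conf`. The list of yes/no options in `BOOL_OPTS`, the `make_sample` staging tree and the `fix_sample` helper are constructed here to reproduce the situation from the thread; `sudo unbound-checkconf` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole guide: a pre-flight lint for
# an unbound config fragment such as /etc/unbound/unbound.conf.d/pi-hole.conf.
# It reports, with line numbers, the three problems the thread ran into:
#   - a yes/no option with another value (the "prefer-ip6: tes" typo that
#     unbound-checkconf reports as "expected yes or no")
#   - root-hints / auto-trust-anchor-file pointing at a file that does not exist
#   - logfile inside a directory that does not exist (unbound cannot create it)
# BOOL_OPTS and the sample config in make_sample are constructed for this example.

# yes/no options used by the Pi-hole guide's fragment (extend as needed).
BOOL_OPTS='do-ip4 do-ip6 do-udp do-tcp prefer-ip6 harden-glue harden-dnssec-stripped use-caps-for-id prefetch'

# lint_unbound_conf FILE [ROOT]
# Prints "LINE: message" for each problem and returns the problem count (0 = clean).
# ROOT, if given, is prepended to the absolute paths in FILE so the lint can be
# run against a staging tree instead of the live filesystem.
lint_unbound_conf() {
    conf=$1
    root=${2:-}
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # drop comments and surrounding whitespace; skip blank lines and "server:"
        stripped=$(printf '%s\n' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        case $stripped in
            '' | *:) continue ;;
            *:*) ;;
            *) continue ;;
        esac
        key=${stripped%%:*}
        # value: text after the first colon, without leading spaces or quotes
        val=$(printf '%s' "${stripped#*:}" | sed 's/^[[:space:]]*//; s/^"//; s/"$//')
        for opt in $BOOL_OPTS; do
            if [ "$key" = "$opt" ] && [ "$val" != yes ] && [ "$val" != no ]; then
                echo "$lineno: $key: expected yes or no, got '$val'"
                problems=$((problems + 1))
            fi
        done
        case $key in
            root-hints | auto-trust-anchor-file | trust-anchor-file)
                if [ ! -f "$root$val" ]; then
                    echo "$lineno: $key: $val does not exist"
                    problems=$((problems + 1))
                fi ;;
            logfile)
                dir=$(dirname "$val")
                if [ ! -d "$root$dir" ]; then
                    echo "$lineno: logfile: directory $dir does not exist (mkdir it and chown it to unbound)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$conf"
    return "$problems"
}

# make_sample: constructed staging tree reproducing the thread's state (typo on
# the prefer-ip6 line, no root.hints, no /var/log/unbound directory).
# Prints the tree's path; the caller removes it.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/var/lib/unbound"
    cat > "$d/pi-hole.conf" <<'EOF'
server:
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: yes
    prefer-ip6: tes
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    private-address: fd00::/8
EOF
    printf '%s\n' "$d"
}

# fix_sample ROOT: apply the fixes from the thread to the staging tree and write
# ROOT/fixed.conf (create the log directory, put a root.hints in place, fix the typo).
fix_sample() {
    mkdir -p "$1/var/log/unbound"
    : > "$1/var/lib/unbound/root.hints"
    sed 's/prefer-ip6: tes/prefer-ip6: no/' "$1/pi-hole.conf" > "$1/fixed.conf"
}

# With a path argument, lint that file against the live filesystem, e.g.
#   sh lint-unbound.sh /etc/unbound/unbound.conf.d/pi-hole.conf
if [ $# -gt 0 ]; then
    lint_unbound_conf "$1"
fi
```

Run it against the real fragment without a ROOT argument; a non-zero exit status is the number of problems found, and the messages point at the line unbound-checkconf would also stop on. The lint does not know unbound's full grammar (it only checks the options in `BOOL_OPTS` and the three file paths), so a clean run here is a reason to proceed to `sudo unbound-checkconf`, not a replacement for it.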