Unbound will not start

unbound

#1

Trying to get Unbound running as per (https://docs.pi-hole.net/guides/unbound/)
Could not get past starting the service.
Did a complete new install

Expected Behaviour:

Unbound service starts

Actual Behaviour:

Unbound service fails to start

Debug Token:

mu18do1n4l

So far:

pi@raspberrypi:~ $ sudo service unbound start

pi@raspberrypi:~ $ dig pi-hole.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached

pi@raspberrypi:~ $ sudo journalctl -u unbound.service -b
-- Logs begin at Thu 2016-11-03 11:16:42 MDT, end at Thu 2018-11-08 11:41:20 MST. --
Nov 08 11:36:21 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 08 11:36:22 raspberrypi package-helper[9588]: /var/lib/unbound/root.key does not exist, copying from /usr/share/dns/root.key
Nov 08 11:36:22 raspberrypi package-helper[9588]: /var/lib/unbound/root.key has content
Nov 08 11:36:22 raspberrypi package-helper[9588]: success: the anchor is ok
Nov 08 11:36:22 raspberrypi systemd[1]: Started Unbound DNS server.
Nov 08 11:36:22 raspberrypi unbound[9594]: [1541702182] unbound[9594:0] error: can't bind socket: Address already in use for ::1
Nov 08 11:36:22 raspberrypi unbound[9594]: [1541702182] unbound[9594:0] fatal error: could not open ports
Nov 08 11:36:22 raspberrypi systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 11:36:22 raspberrypi systemd[1]: unbound.service: Unit entered failed state.
Nov 08 11:36:22 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 08 11:36:22 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:36:22 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:36:22 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 08 11:36:22 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 08 11:36:23 raspberrypi package-helper[9679]: /var/lib/unbound/root.key has content
Nov 08 11:36:23 raspberrypi package-helper[9679]: success: the anchor is ok
Nov 08 11:36:23 raspberrypi systemd[1]: Started Unbound DNS server.
Nov 08 11:36:23 raspberrypi unbound[9688]: [1541702183] unbound[9688:0] error: can't bind socket: Address already in use for ::1
Nov 08 11:36:23 raspberrypi unbound[9688]: [1541702183] unbound[9688:0] fatal error: could not open ports
Nov 08 11:36:23 raspberrypi systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 11:36:23 raspberrypi systemd[1]: unbound.service: Unit entered failed state.
Nov 08 11:36:23 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 08 11:36:23 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:36:23 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 08 11:36:23 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 08 11:36:24 raspberrypi package-helper[9766]: /var/lib/unbound/root.key has content
Nov 08 11:36:24 raspberrypi package-helper[9766]: success: the anchor is ok
Nov 08 11:36:24 raspberrypi systemd[1]: Started Unbound DNS server.
Nov 08 11:36:24 raspberrypi unbound[9773]: [1541702184] unbound[9773:0] error: can't bind socket: Address already in use for ::1
Nov 08 11:36:24 raspberrypi unbound[9773]: [1541702184] unbound[9773:0] fatal error: could not open ports
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Unit entered failed state.
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:36:24 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 08 11:36:24 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 08 11:36:24 raspberrypi package-helper[9832]: /var/lib/unbound/root.key has content
Nov 08 11:36:24 raspberrypi package-helper[9832]: success: the anchor is ok
Nov 08 11:36:24 raspberrypi systemd[1]: Started Unbound DNS server.
Nov 08 11:36:24 raspberrypi unbound[9838]: [1541702184] unbound[9838:0] error: can't bind socket: Address already in use for ::1
Nov 08 11:36:24 raspberrypi unbound[9838]: [1541702184] unbound[9838:0] fatal error: could not open ports
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Unit entered failed state.
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 08 11:36:24 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:36:25 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 08 11:36:25 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 08 11:36:25 raspberrypi package-helper[9894]: /var/lib/unbound/root.key has content
Nov 08 11:36:25 raspberrypi package-helper[9894]: success: the anchor is ok
Nov 08 11:36:25 raspberrypi systemd[1]: Started Unbound DNS server.
Nov 08 11:36:25 raspberrypi unbound[9899]: [1541702185] unbound[9899:0] error: can't bind socket: Address already in use for ::1
Nov 08 11:36:25 raspberrypi unbound[9899]: [1541702185] unbound[9899:0] fatal error: could not open ports
Nov 08 11:36:25 raspberrypi systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 11:36:25 raspberrypi systemd[1]: unbound.service: Unit entered failed state.
Nov 08 11:36:25 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 08 11:36:25 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:36:25 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 08 11:36:25 raspberrypi systemd[1]: Starting Unbound DNS server...
Nov 08 11:36:25 raspberrypi package-helper[9955]: /var/lib/unbound/root.key has content
Nov 08 11:36:25 raspberrypi package-helper[9955]: success: the anchor is ok
Nov 08 11:36:25 raspberrypi systemd[1]: Started Unbound DNS server.

#2

What are the outputs of these two commands:

sudo service unbound status

cat /etc/unbound/unbound.conf.d/pi-hole.conf


#3
pi@raspberrypi:~ $ sudo service unbound status
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-11-08 11:38:59 MST; 1h 3min ago
     Docs: man:unbound(8)
  Process: 10375 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
  Process: 10368 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 10364 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
 Main PID: 10375 (code=exited, status=1/FAILURE)

Nov 08 11:38:59 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 08 11:38:59 raspberrypi systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 08 11:38:59 raspberrypi systemd[1]: Stopped Unbound DNS server.
Nov 08 11:38:59 raspberrypi systemd[1]: unbound.service: Start request repeated too quickly.
Nov 08 11:38:59 raspberrypi systemd[1]: Failed to start Unbound DNS server.
Nov 08 11:38:59 raspberrypi systemd[1]: unbound.service: Unit entered failed state.
Nov 08 11:38:59 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.

pi@raspberrypi:~ $ cat /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not loose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

#4

pi@raspberrypi:~ $ cat /var/lib/unbound/root.hints
cat: /var/lib/unbound/root.hints: No such file or directory


#5

It looks like Unbound is using a different config file than you expect.

In the shown config file, IPv6 is disabled but the log shows that it can’t bind to ::1.


#6

This file should not be empty. This is the directory of the root name servers.

Double check your command syntax cat /var/lib/unbound/root.hints and if still empty, then run this command and paste in the code below, exit, save and restart unbound.

sudo nano /var/lib/unbound/root.hints

;       This file holds the information on root name servers needed to 
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers). 
; 
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.cache 
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
; 
;       last update:     October 24, 2018 
;       related version of root zone:     2018102401
; 
; FORMERLY NS.INTERNIC.NET 
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
; 
; FORMERLY NS1.ISI.EDU 
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
; 
; FORMERLY C.PSI.NET 
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
; 
; FORMERLY TERP.UMD.EDU 
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
; 
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
; 
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
; 
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
; 
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
; 
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
; 
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
; 
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
; 
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
; 
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of file
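
The two checks made in posts #5 and #6 (an IPv6 bind failure in the log although the config sets `do-ip6: no`, and a `root-hints` path that does not exist) can be scripted. This is an added example, not part of the original posts or the Pi-hole guide; the function names and the sample config and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check an Unbound config against its journal output.

# Print the value of "KEY: value" from a config file (last occurrence wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# List files the config references that do not exist on disk.
missing_files() {
    for key in root-hints auto-trust-anchor-file; do
        path=$(conf_value "$1" "$key")
        if [ -n "$path" ] && [ ! -e "$path" ]; then echo "$key: $path"; fi
    done
}

# List the addresses Unbound failed to bind, de-duplicated.
bind_failures() {
    sed -n "s/.*can't bind socket: Address already in use for //p" "$1" | sort -u
}

# Succeeds when the log shows an IPv6 bind failure although the config sets
# do-ip6: no, i.e. the daemon is not running with the settings under review.
config_not_in_effect() {
    [ "$(conf_value "$1" do-ip6)" = "no" ] && bind_failures "$2" | grep -q ':'
}

# Constructed sample input, modelled on the thread's config and journal lines.
tmp=$(mktemp -d)
CONF="$tmp/pi-hole.conf"; LOG="$tmp/journal.txt"
cat > "$CONF" <<EOF
server:
    port: 5353
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    root-hints: "$tmp/root.hints"
EOF
cat > "$LOG" <<'EOF'
Nov 08 11:36:22 raspberrypi unbound[9594]: [1541702182] unbound[9594:0] error: can't bind socket: Address already in use for ::1
Nov 08 11:36:22 raspberrypi unbound[9594]: [1541702182] unbound[9594:0] fatal error: could not open ports
Nov 08 11:36:23 raspberrypi unbound[9688]: [1541702183] unbound[9688:0] error: can't bind socket: Address already in use for ::1
EOF

missing_files "$CONF"
bind_failures "$LOG"
config_not_in_effect "$CONF" "$LOG" && echo "config not in effect"
```

The sample files live under a temporary directory; on a real host, pass `/etc/unbound/unbound.conf.d/pi-hole.conf` and a saved copy of the `journalctl -u unbound.service -b` output instead.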

#7

Problem solved. I did not do that step in the documentation because it said it was optional and only needed to be done every six months.
Thanks for your time jfb


#8

We’ll have to take a look at that part of the documentation and see if it can be improved. Glad you’re up and running now.


#9

This is off topic but I don’t want to create a new topic for this.

If you are already using Unbound 1.8.0 then there is a 1.8.1 version available in Debian except for the i386. If you are using a RaspberryPI then it is available in the SID (unstable) distribution.

I was already using 1.8.1 for several weeks but it was not bound into Systemd and I had to manually start it after a reboot. Now it will start by default during a reboot.

First check the dependencies: https://packages.debian.org/sid/unbound
Download if you want to install it manually: http://ftp.us.debian.org/debian/pool/main/u/unbound/ and scroll down to unbound_1.8.1-1_armhf.deb (RaspberryPI).


#10

Thanks for this, I’m a newb with the linux console but have a second pi to play with. What about backing up the created cache? I have no idea where it even is.

Regards,

Brian


#11

If you mean the cache from Unbound, that will be cleared after each restart.
If you mean the cache of APT, then that will be rebuilt on apt update.

Which version of Debian are you running?


#12

I mean the cache from Unbound that will be cleared after each restart

Stretch-lite

Brian


#13

All entries in the cache are limited by the TTL (time to live) and all life comes sooner or later to an end. The cache rebuilds with entries requested by Pi-hole.

Look at the dependencies and install those up front.

You will gain then about two years of fixes and features.

https://www.nlnetlabs.nl/svn/unbound/tags/release-1.8.1/doc/Changelog