Installing ubound on a Raspberry Pi


Edit the /etc/hosts file to add a IP to receive queries to ubound by running sudo nano /etc/hosts and adding host e.g. for ubound localhost DietPi
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters ubound

Download and install required files:

sudo apt install unbound

# Updated every 6 months (Jan & July)
wget -O root.hints
sudo mv root.hints /var/lib/unbound/

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Now paste the following text:

    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: fd00::/8
    private-address: fe80::/10

Now create the ubound.conf file to /etc/unbound/unbound.conf. Create the file by:

sudo nano /etc/unbound/unbound.conf

Then paste the following lines:

# Unbound configuration file for Debian.
# See the unbound.conf(5) man page.
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

Start unbound server and test:

sudo service unbound start
dig @ -p 5353

If you have enabled DNSSEC you can check by:

# FAIL test
dig @ -p 5353
# OK test
dig @ -p 5353

Now set the PI hole custom DNS to and hit ==Save== on the DNS settings page of Pihole.

Updating to 1.9.6

Found from pihole discourse.

sudo apt install build-essential openssl libssl-dev libexpat1-dev bison

git clone
cd unbound
git checkout release-1.9.6

./configure --prefix=/usr --includedir=/usr/include --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc --localstatedir=/var --disable-rpath --with-pidfile=/run/ --with-rootkey-file=/var/lib/unbound/root.key --enable-subnet --with-chroot-dir= --libdir=/usr/lib


./unbound -v # To check if it compiled correctly

sudo service unbound stop
sudo make install
sudo service unbound start
# If the above command doesn't work check

sudo /usr/sbin/unbound -ddd -vvv -c /etc/unbound/unbound.conf

# Check if Unbound is working or not
dig @ -p 5353

# Check unbound version
unbound -v

dig +short @ -p 5353 chaos txt version.bind

sudo reboot
#check again if unbound works or not

Now disable auto-update or overwrting by default debian releases.

sudo tee /etc/apt/preferences.d/unbound <<< $'Package: unbound\nPin: release *\nPin-Priority: -1'

sudo apt update

apt policy unbound