MatthewVance / unbound-docker

Unbound DNS Server Docker Image
MIT License

Unbound does not start when passing custom unbound.conf mvance/ubound-rpi #21

Closed nlt6444 closed 5 years ago

nlt6444 commented 5 years ago

Hello I receive the below error when attempting to load a custom unbound.conf file:

[1561868398] unbound[1:0] error: can't bind socket: Cannot assign requested address for ::1 port 53

Not sure what could be causing this, my file appears to be valid when tested with a local installation of unbound. Any suggestion would be great. I am using the mvance/ubound-rpi image for docker.

Contents of unbound.conf

```
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "*.conf"

server:
# If no logfile is specified, syslog is used
logfile:
# "/var/log/unbound/unbound.log"
verbosity: 0
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# Use this only when you downloaded the list of primary root servers!
root-hints: "root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent,
# the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC
# issues sometimes see
# https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
# for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size. Suggested by the unbound man page
# to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries This
# only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines.
# In reality for most users running on small networks or on a single
# machine it should be unnecessary to seek performance enhancement by
# increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic
# spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
#private-address: fd00::/8
#private-address: fe80::/10
```

MatthewVance commented 5 years ago

Hi,

Typically "can't bind socket: Cannot assign requested address for ::1 port 53" means something is already using the IP and port the container needs. You could try stopping all other Unbound containers and also the local Unbound instance. It's possible one of those is still using the port, preventing this container from being able to allocate it.

While the above is the typical issue and fix, I'm guessing the issue has to do with your config using IPv6. IPv6 within a Docker container requires Docker itself to be configured to support it. Try running your custom config with just IPv4, leaving all else equal. If that works and you need IPv6, you'll need to work on your Docker host config.

https://docs.docker.com/v17.09/engine/userguide/networking/default_network/ipv6/

nlt6444 commented 5 years ago

Thanks for pointing me in the right direction, I can finally load custom unbound.conf.

I received the following errors when attempting to start unbound:

```
rpiDev-unbound | [1562032823] unbound[1:0] warning: unbound is already running as pid 1.
rpiDev-unbound | [1562032823] unbound[1:0] error: Could not open logfile /home/pi/Documents/docker/configs/unbound/unbound.log: No such file or directory
rpiDev-unbound | [1562032824] unbound[1:0] error: could not read root hints /home/pi/Documents/docker/configs/unbound/root.hints: No such file or directory
rpiDev-unbound | [1562032824] unbound[1:0] error: Could not set root or stub hints
rpiDev-unbound | [1562032824] unbound[1:0] fatal error: Could not initialize main thread
rpiDev-unbound | [1562032827] unbound[1:0] warning: so-rcvbuf 1048576 was not granted. Got 327680. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
```

I've tried starting the docker container with sudo and it still errors out. I'm thinking it's looking for the files in the container rather than on the local host. No clue as to why it did not see the files referenced.

MatthewVance commented 5 years ago

I'm glad you are making progress. What command are you using to run the container? What does your current config look like? Does everything still work without a custom config?

nlt6444 commented 5 years ago

I am using docker-compose to start the container with the following settings:

```
unbound:
  container_name: rpiDev-unbound
  image: mvance/unbound-rpi:latest
  hostname: rpiDev-unbound.jabba.lan
  mac_address: d0:ca:ab:cd:ef:02
  ports:
```

My current unbound config:

```
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "*.conf"
```

Conf files it should load based off unbound.conf:

```
server:
# If no logfile is specified, syslog is used
logfile: /home/pi/Documents/docker/configs/unbound/unbound.log
verbosity: 0

port: 5354
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# Use this only when you downloaded the list of primary root servers!
root-hints: "/root.hints"

# Trust glue only if it is within the servers authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
```

Everything works fine without passing the option to load my unbound.conf file.

Thank you

MatthewVance commented 5 years ago

I believe the issue is due to you setting root-hints: "/root.hints" and not providing a root.hints file. To confirm that's where the problem is, comment out that line and try running again.

Perhaps it should, but the unbound image itself does not provide a root.hints file. With the default config, this image is designed to forward queries to an external resolving DNS server over TLS rather than act as a recursive DNS server. The image can work as a recursive DNS server, but may require you to provide certain files like root.hints when using certain config options.

MatthewVance commented 5 years ago

If it helps, the unbound.conf file I use on my Pi currently is:

server:
    verbosity: 1
    num-threads: 3
    interface: 0.0.0.0@53
    so-reuseport: yes
    edns-buffer-size: 1472
    delay-close: 10000
    cache-min-ttl: 60
    cache-max-ttl: 86400
    do-daemonize: no
    username: "_unbound"
    log-queries: no
    hide-version: yes
    hide-identity: yes
    identity: "DNS"
    harden-algo-downgrade: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: no
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
    qname-minimisation: yes
    aggressive-nsec: yes
    ratelimit: 1000
    rrset-roundrobin: yes
    minimal-responses: yes
    chroot: "/opt/unbound/etc/unbound"
    directory: "/opt/unbound/etc/unbound"
    auto-trust-anchor-file: "var/root.key"
    num-queries-per-thread: 4096
    outgoing-range: 8192
    msg-cache-size: 260991658
    rrset-cache-size: 260991658
    neg-cache-size: 4M
    serve-expired: yes
    unwanted-reply-threshold: 10000
    use-caps-for-id: yes
    val-clean-additional: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.1.1/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    include: /opt/unbound/etc/unbound/a-records.conf
    forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-tls-upstream: yes
    remote-control:
        control-enable: no

nlt6444 commented 5 years ago

I do provide a root.hints file in the same directory as unbound.conf. I will try redownloading root.hints perhaps it's corrupted. Do you think it could be the directory location I keep it in? I have it set as: /home/pi/Documents/docker/configs/unbound/

MatthewVance commented 5 years ago

If that is the case, you need to adjust the path in the config option to match where it will be when mounted into the container. Right now, it is pointing to /. Try this instead:

root-hints: /opt/unbound/etc/unbound/root.hints

nlt6444 commented 5 years ago

Can you clarify that last request a bit? After updating unbound.conf with the above where would I place the root.hints file on my local system?

My assumption is:

/etc/unbound/

MatthewVance commented 5 years ago

In the same place as the custom config file. The issue, I think, is the config file tells Unbound to look for the hints file in a specific place within the container's file system, but the file isn't in that directory because it actually gets placed elsewhere within the container (the same place as the config file). As such, the solution is to update the config file to tell Unbound to look at the right folder where the hints file gets loaded.

You should not need to move the file or change how you mount the volume, rather just update the config to match what you're doing.

Hopefully this helps and is more clear.

MatthewVance commented 5 years ago

Where on your local file system doesn't really matter as long as your compose file gives the right path to find it. The point is all files get mounted to /opt/unbound/etc/unbound by default.

The 'Use a customized Unbound configuration' section of the readme explains the concept.

You could use multiple volumes and or sub-folders, but I recommend keeping it simple.

nlt6444 commented 5 years ago

Thank you that seemed to clear up all the errors. Unbound starts correctly now. Name resolution isn't happening but that's something I will just have to work through. Appreciate the support.

MatthewVance commented 5 years ago

Glad it helped some. Good luck and let me know if you stay stuck and need more help.

nlt6444 commented 5 years ago

Finally have name resolution working, I had to add some additional parameters to my unbound.conf file. Accomplished my goal to get pihole configured according to the documentation located at:

https://docs.pi-hole.net/guides/unbound/

I figured the config may be useful to other users so I included it below.

My unbound.conf:

```
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.

server:
# If no logfile is specified, syslog is used
logfile: /opt/unbound/etc/unbound/unbound.log
verbosity: 1

port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# Use this only when you downloaded the list of primary root servers!
root-hints: "/opt/unbound/etc/unbound/root.hints"

# Trust glue only if it is within the servers authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

interface: 0.0.0.0
access-control: 192.168.0.0/16 allow_snoop
```

My docker compose yaml:

```
version: "2"

services:
  pihole:
    container_name: rpiDev-pihole
    image: pihole/pihole:latest
    hostname: rpiDev-pihole.jabba.lan
    mac_address: d0:ca:ab:cd:ef:01
    links:

networks:
  home:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
```

nlt6444 commented 5 years ago

The only outstanding issue I have is related to the "so-rcvbuf" option in the unbound.conf file. I receive this error:

rpiDev-unbound | [1562032827] unbound[1:0] warning: so-rcvbuf 1048576 was not granted. Got 327680. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

It appears to be related to the unbound image itself. I have tried running with my local account and root account.

MatthewVance commented 5 years ago

You should remove so-rcvbuf: 1m from your config to use the default (the default inherits the underlying system value). Your config should no longer cause a conflict because it will match whatever value used by the base OS image (i.e., the FROM debian:stretch in the Dockerfile).

so-rcvbuf is for performance, not Pi-hole functionality (see Unbound documentation included below for reference). I doubt your Raspberry Pi will experience enough load to worry about such optimizations (if extra Unbound optimization is needed beyond the defaults, you probably shouldn't be running on a Pi).

While you could spend the time to optimize the image to support a higher value, it wouldn't be worth the trouble. If you want some increased performance custom tuned to your Pi, look at how the shell script that builds the default conf file dynamically calculates values based on OS support.

Also keep in mind that Docker is a container, not a full VM. One way this difference comes into play is with permissions. While the Docker service may be run as a root user and a container often runs as root user by default, the root user in a running container does not have full rights to change the underlying Docker host. By default, Docker uses the Linux capabilities support to limit the rights of the "root" user within the container. See https://docs.docker.com/engine/security/security/#linux-kernel-capabilities.

It's also worth noting this particular Unbound image runs Unbound within the container as the user _unbound, not as the "root" user by default. However, your config doesn't appear to set username: "_unbound", meaning you're missing out on the improved security from dropping user privileges.

From Howto Optimise:

Set so-rcvbuf to a larger value (4m or 8m) for a busy server. This sets 
the kernel buffer larger so that no messages are lost in spikes in the 
traffic...The OS caps it at a maximum, on linux unbound needs root 
permission to bypass the limit, or the admin can use 
sysctl net.core.rmem_max.
...
    # Larger socket buffer.  OS may need config.
    so-rcvbuf: 4m

From Unbound documentation:

so-rcvbuf: <number>
              If not 0, then set the SO_RCVBUF socket option to get more  buf-
              fer space on UDP port 53 incoming queries.  So that short spikes
              on busy servers do not drop  packets  (see  counter  in  netstat
              -su).   Default  is 0 (use system value).  Otherwise, the number
              of bytes to ask for, try "4m" on a busy server.  The OS caps  it
              at  a  maximum, on linux unbound needs root permission to bypass
              the limit, or the admin can use  sysctl  net.core.rmem_max.   On
              BSD  change kern.ipc.maxsockbuf in /etc/sysctl.conf.  On OpenBSD
              change header and recompile kernel. On Solaris ndd -set /dev/udp
              udp_max_buf 8388608.
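
A small pre-flight linter for a custom unbound.conf headed for this container, added here as an example (not the project's own tooling). It encodes the points made above about the mount and chroot path (path options are opened after Unbound chroots into the mounted directory), so-rcvbuf (cannot be raised from inside an unprivileged container) and username: "_unbound" (what actually drops root). It assumes the mount and chroot path /opt/unbound/etc/unbound from this thread; both sample configs are constructed.

```python
import re
from dataclasses import dataclass

# Assumed from this thread: the custom config directory is mounted here and
# Unbound chroots into it, so in-container paths must start with this prefix.
MOUNT_DIR = "/opt/unbound/etc/unbound"
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "remote-control", "view"}
# Options Unbound opens after "chroot to ..." (the debug log in this thread shows
# the prefix being stripped: "Reading root hints from /root.hints").
CHROOTED_PATHS = {"root-hints", "logfile", "auto-trust-anchor-file", "trust-anchor-file"}
# A '#' starts a comment only at line start or after whitespace, so the
# auth-name suffix in "1.1.1.1@853#cloudflare-dns.com" survives parsing.
COMMENT = re.compile(r"(^|\s)#.*$")


@dataclass
class Finding:
    level: str    # "error": Unbound will not start; "warn": behaviour or hardening note
    option: str
    message: str


def parse_unbound_conf(text):
    """Return (clause, option, value) triples with comments and quotes stripped."""
    triples, clause = [], None
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # not an option line
        key, value = key.strip(), value.strip().strip('"')
        if key in CLAUSES and value == "":
            clause = key                  # e.g. "server:" opens a new clause
            continue
        triples.append((clause, key, value))
    return triples


def lint(text):
    """Apply the container-specific checks from this thread; findings in file order."""
    findings, server = [], {}
    for clause, key, value in parse_unbound_conf(text):
        if clause != "server":
            continue
        server.setdefault(key, []).append(value)
        if key in CHROOTED_PATHS and value.startswith("/"):
            if not value.startswith(MOUNT_DIR + "/"):
                findings.append(Finding("error", key,
                    f"{value} lies outside {MOUNT_DIR}; only the mounted directory "
                    "is visible after chroot, so Unbound cannot open this file"))
            elif key == "logfile":
                findings.append(Finding("warn", key,
                    f"{value} must be writable by _unbound: the log is switched "
                    "only after privileges are dropped"))
    if any(v not in ("", "0") for v in server.get("so-rcvbuf", [])):
        findings.append(Finding("warn", "so-rcvbuf",
            "cannot be raised above the host's net.core.rmem_max from inside the "
            "container; leave it unset so the system default is used"))
    ipv6_iface = any(v.count(":") >= 2 for v in server.get("interface", []))
    if "yes" in server.get("do-ip6", []) or ipv6_iface:
        findings.append(Finding("warn", "do-ip6",
            "IPv6 listeners need IPv6 enabled in the Docker daemon, otherwise "
            "binding ::1 fails with 'Cannot assign requested address'"))
    if "username" not in server:
        findings.append(Finding("warn", "username",
            'add username: "_unbound" so Unbound drops root once port 53 is bound'))
    return findings


# Constructed sample mirroring the first failing config in this thread
# (host paths on the Pi, so-rcvbuf set, no username).
BROKEN_CONF = """\
server:
    # If no logfile is specified, syslog is used
    logfile: /home/pi/Documents/docker/configs/unbound/unbound.log
    root-hints: "/root.hints"
    so-rcvbuf: 1m
    do-ip6: no
    private-address: 192.168.0.0/16
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
"""

# Constructed sample with the paths rewritten to the in-container mount.
FIXED_CONF = """\
server:
    logfile: "/opt/unbound/etc/unbound/unbound.log"
    root-hints: "/opt/unbound/etc/unbound/root.hints"
    username: "_unbound"
    do-ip6: no
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for f in lint(conf):
            print(f"{f.level}: {f.option}: {f.message}")
```
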
MatthewVance commented 5 years ago

You should also consider adding more of the config options I provided in the example config file. While the Unbound guide on the Pi-hole site applies a few security and privacy tricks, I took quite a bit of care to take advantage of several more such features.

The main ones Unbound supports that are not currently taken advantage of are related to running Unbound as a recursive server. Those are things like the root.hints you added and some TLS server related settings (see https://github.com/MatthewVance/unbound-docker/issues/13 and https://github.com/MatthewVance/unbound-docker/issues/14).

nlt6444 commented 5 years ago

Thank you I added the additional options from your script.

MatthewVance commented 5 years ago

Excellent. Everything else working now?

nlt6444 commented 5 years ago

Sure is, everything is running smoothly.

plsnotracking commented 4 years ago

I was going through the pihole + unbound setup on my raspberrypi. I have both set up and they seem to be running (albeit the unbound-rpi reports unhealthy).

I went through the exact setup: https://docs.pi-hole.net/guides/unbound/ (my pihole has been working fine)

server:
    # If no logfile is specified, syslog is used
    logfile: "/opt/unbound/etc/unbound/unbound.log"
    verbosity: 9

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/opt/unbound/etc/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    # so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

root.hints

❯ cat storage/unbound/root.hints
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     August 12, 2020
;       related version of root zone:     2020081201
;
; FORMERLY NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
.
.
.
.
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35

But it listens to stuff at port 53 (which makes sense since my router will hit my pi ip - 192.168.0.100:53)

❯ sudo lsof -i -P | grep 53
pihole-FT 10680       root    4u  IPv4  756820      0t0  UDP *:53
pihole-FT 10680       root    5u  IPv4  756821      0t0  TCP *:53 (LISTEN)
pihole-FT 10680       root    6u  IPv6  756822      0t0  UDP *:53
pihole-FT 10680       root    7u  IPv6  756823      0t0  TCP *:53 (LISTEN)

So I started running the docker image like this, at port 5335:

```
docker run --name=unbound-rpi --volume=/home/flipswitch/storage/unbound:/opt/unbound/etc/unbound/ --publish=5335:5335/tcp --publish=5335:5335/udp --restart=unless-stopped --detach=true mvance/unbound-rpi:latest
```

Logs

❯ docker logs 72c7f04a3568
[1597711793] unbound[1:0] debug: creating udp4 socket 0.0.0.0 5335
[1597711793] unbound[1:0] debug: creating tcp4 socket 0.0.0.0 5335
[1597711793] unbound[1:0] debug: chdir to /opt/unbound/etc/unbound
[1597711793] unbound[1:0] debug: chroot to /opt/unbound/etc/unbound
[1597711793] unbound[1:0] debug: drop user privileges, run as _unbound
[1597711793] unbound[1:0] debug: switching log to /opt/unbound/etc/unbound/unbound.log
[1597711793] unbound[1:0] error: Could not open logfile /unbound.log: Permission denied
[1597711793] unbound[1:0] debug: module config: "validator iterator"
[1597711793] unbound[1:0] notice: init module 0: validator
[1597711793] unbound[1:0] debug: validator nsec3cfg keysz 1024 mxiter 150
[1597711793] unbound[1:0] debug: validator nsec3cfg keysz 2048 mxiter 500
[1597711793] unbound[1:0] debug: validator nsec3cfg keysz 4096 mxiter 2500
[1597711793] unbound[1:0] notice: init module 1: iterator
[1597711793] unbound[1:0] debug: target fetch policy for level 0 is 3
[1597711793] unbound[1:0] debug: target fetch policy for level 1 is 2
[1597711793] unbound[1:0] debug: target fetch policy for level 2 is 1
[1597711793] unbound[1:0] debug: target fetch policy for level 3 is 0
[1597711793] unbound[1:0] debug: target fetch policy for level 4 is 0
[1597711793] unbound[1:0] debug: donotq: 127.0.0.0/8
[1597711793] unbound[1:0] debug: total of 59466 outgoing ports available
[1597711793] unbound[1:0] debug: start threads
[1597711793] unbound[1:0] debug: libevent 2.1.8-stable uses epoll method.
[1597711793] unbound[1:0] debug: Reading root hints from /root.hints
[1597711793] unbound[1:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
[1597711793] unbound[1:0] info:   M.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   L.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   K.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   J.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   I.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   H.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   G.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   F.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   E.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   D.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   C.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   B.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] info:   A.ROOT-SERVERS.NET. * A AAAA
[1597711793] unbound[1:0] debug:    ip6 2001:dc3::35 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 202.12.27.33 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:9f::42 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 199.7.83.42 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:7fd::1 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 193.0.14.129 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:503:c27::2:30 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 192.58.128.30 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:7fe::53 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 192.36.148.17 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:1::53 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 198.97.190.53 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:12::d0d port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 192.112.36.4 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:2f::f port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 192.5.5.241 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:a8::e port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 192.203.230.10 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:2d::d port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 199.7.91.13 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:2::c port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 192.33.4.12 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:500:200::b port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 199.9.14.201 port 53 (len 16)
[1597711793] unbound[1:0] debug:    ip6 2001:503:ba3e::2:30 port 53 (len 28)
[1597711793] unbound[1:0] debug:    ip4 198.41.0.4 port 53 (len 16)
[1597711793] unbound[1:0] debug: cache memory msg=33040 rrset=33040 infra=3916 val=33196
[1597711793] unbound[1:0] info: start of service (unbound 1.11.0).
[1597711819] unbound[1:0] debug: refused query from ip4 172.17.0.1 port 58679 (len 16)
[1597711819] unbound[1:0] debug: refuse[52:0] 4D3D012000010000000000010770692D686F6C65036E65740000010001000029100000000000000C000A0008B8A9B54588DDD065
[1597711830] unbound[1:0] debug: refused query from ip4 172.17.0.1 port 44235 (len 16)
[1597711830] unbound[1:0] debug: refuse[52:0] F752012000010000000000010770692D686F6C65036E65740000010001000029100000000000000C000A00089BBC78AD646527A3
[1597711840] unbound[1:0] debug: refused query from ip4 172.17.0.1 port 38580 (len 16)
[1597711840] unbound[1:0] debug: refuse[69:0] 634901200001000000000001077369676661696C107665727465696C746573797374656D65036E65740000010001000029100000000000000C000A00086C73580FC6D2AADE
[1597711840] unbound[1:0] debug: refused query from ip4 172.17.0.1 port 42371 (len 16)
[1597711840] unbound[1:0] debug: refuse[67:0] 7FB101200001000000000001057369676F6B107665727465696C746573797374656D65036E65740000010001000029100000000000000C000A000826C6411BC69B1B02
[1597711914] unbound[1:0] debug: refused query from ip4 192.168.0.100 port 57439 (len 16)
[1597711914] unbound[1:0] debug: refuse[51:0] 51AE0120000100000000000106676F6F676C6503636F6D0000010001000029100000000000000C000A000825FF10AEDF1AC962

How I generated this error:

> dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 25417
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Aug 18 01:50:40 BST 2020
;; MSG SIZE  rcvd: 12

Error: WARNING: recursion requested but not available

Wondering if any of y'all ran into this issue or am I missing something?

Thank you.

EDIT: When I run it as the network host, it seems to be doing okay

    docker run --net=host --name=unbound-rpi --volume=/home/flipswitch/storage/unbound:/opt/unbound/etc/unbound/ --publish=5335:5335/tcp --publish=5335:5335/udp --restart=unless-stopped --detach=true mvance/unbound-rpi:latest

But it obviously doesn't honour any publish tags in the docker command.

❯ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55460
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN  A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN  A   134.91.78.139

;; Query time: 381 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Aug 18 02:41:22 BST 2020
;; MSG SIZE  rcvd: 71

Not sure if this is the solution, but I feel like it is a dirty hack rather than a clean solution like the ones y'all have above.
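The `refuse[...]` debug lines in the log above carry the refused query in hex, so the log alone tells you what was asked and from which source address before any config change is made. The following decoder is an added example, not code from this repository or from Unbound; it pairs each "refused query from" line with the hex line that follows it, parses the DNS header, question and EDNS OPT record, and counts refusals per source address. The sample log is taken from the post above; the function and field names are my own.

```python
import re
import struct

# Unbound (verbosity 4+) logs a "refused query from <family> <addr> port <p>"
# line followed by "refuse[<len>:0] <hex>" carrying the raw query.
REFUSED_RE = re.compile(r"refused query from (ip[46]) (\S+) port (\d+)")
REFUSE_HEX_RE = re.compile(r"refuse\[(\d+):\d+\] ([0-9A-Fa-f]+)")

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 41: "OPT"}

# Three refusals copied from the docker logs in the post above (sample input).
SAMPLE_LOG = """\
[1597711819] unbound[1:0] debug: refused query from ip4 172.17.0.1 port 58679 (len 16)
[1597711819] unbound[1:0] debug: refuse[52:0] 4D3D012000010000000000010770692D686F6C65036E65740000010001000029100000000000000C000A0008B8A9B54588DDD065
[1597711840] unbound[1:0] debug: refused query from ip4 172.17.0.1 port 38580 (len 16)
[1597711840] unbound[1:0] debug: refuse[69:0] 634901200001000000000001077369676661696C107665727465696C746573797374656D65036E65740000010001000029100000000000000C000A00086C73580FC6D2AADE
[1597711914] unbound[1:0] debug: refused query from ip4 192.168.0.100 port 57439 (len 16)
[1597711914] unbound[1:0] debug: refuse[51:0] 51AE0120000100000000000106676F6F676C6503636F6D0000010001000029100000000000000C000A000825FF10AEDF1AC962
"""


def read_name(msg, off):
    """Decode a DNS name at offset `off`; follows one compression pointer (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) or ".", off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def decode_query(hex_msg):
    """Parse header, first question and the EDNS OPT record of a query message."""
    msg = bytes.fromhex(hex_msg)
    qid, flags, qdcount, _an, _ns, arcount = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns_udp, has_cookie = None, False
    for _ in range(arcount):  # additional section: look for OPT (type 41)
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 41:
            edns_udp = rclass  # OPT CLASS field carries the requestor's UDP payload size
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                has_cookie |= code == 10  # EDNS option 10 = DNS COOKIE (RFC 7873)
                o += 4 + olen
    return {
        "id": qid,
        "rd": bool(flags & 0x0100),
        "ad": bool(flags & 0x0020),
        "questions": qdcount,
        "qname": qname,
        "qtype": QTYPES.get(qtype, str(qtype)),
        "edns_udp": edns_udp,
        "cookie": has_cookie,
    }


def parse_refusals(log_text):
    """Pair each 'refused query from' line with its hex line and decode it."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            pending = {"family": m.group(1), "src": m.group(2), "sport": int(m.group(3))}
            continue
        m = REFUSE_HEX_RE.search(line)
        if m and pending is not None:
            entry = dict(pending, wire_len=int(m.group(1)))
            entry.update(decode_query(m.group(2)))
            results.append(entry)
            pending = None
    return results


def refusals_per_source(refusals):
    """Addresses listed here are the ones an access-control rule must cover."""
    counts = {}
    for r in refusals:
        counts[r["src"]] = counts.get(r["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in parse_refusals(SAMPLE_LOG):
        print(f'{r["src"]}:{r["sport"]} asked {r["qtype"]} {r["qname"]} (id {r["id"]:#06x}, rd={r["rd"]})')
    print(refusals_per_source(parse_refusals(SAMPLE_LOG)))
```

Running it on the sample shows the two addresses Unbound was refusing: 172.17.0.1, the Docker bridge gateway that the host's `dig @127.0.0.1` arrives from once the port is published, and 192.168.0.100, the Pi itself on the LAN. Neither is 127.0.0.1 from the container's point of view, which is why the default localhost-only access list answered REFUSED.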

MatthewVance commented 4 years ago

I'm not a fan of running as --net=host. It can be a security risk in some situations. There should be a more elegant solution.

I think the issue may be with having the interface set to 127.0.0.1. With Docker networking, that's probably not doing what you think/want. Try this instead:

    # The  port  number,  default  53, on which the server responds to queries.
    port: 5335
    # Listen to for queries from clients and answer from this network interface
    # and port.
    interface: 0.0.0.0@5335

Is there a reason you need it to be on port 5335? I know you want to avoid a conflict with Pi-hole, but you should be able to change the public port and keep the container port on 53 if you like (i.e., publish=5335:53/tcp --publish=5335:53/udp). It may be worth trying since the issue seems somewhat port related. If you do, just swap out 5335 with 53 in the port and interface settings.

You may also want to add the following to your config (by default only localhost is allowed and the rest are refused):

    access-control: 127.0.0.1/32 allow
    access-control: 192.168.1.1/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow

One other issue I see appears to be related to the log file location. The specified path (/opt/unbound/etc/unbound/unbound.log) does not exist by default within the container which is likely why it's giving a permission denied error (that and it's in the default chroot location and root privileges are dropped after the port is bound). I don't think that's causing your problem, but may still be worth resolving.

I don't currently run Pi-hole with Unbound so the others on here may be of more help than me. If you haven't already, you might also look over https://github.com/MatthewVance/unbound-docker/issues/35.

Please report future issues related to the unbound-rpi image at https://github.com/MatthewVance/unbound-docker-rpi.
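The three points raised in the comment above (interface address, container-side port, access-control) can be checked against a config before the container is restarted. The checker below is an added example written for this thread, not code from the unbound-docker project or from Unbound itself; it reads the `server:` options from an unbound.conf, works out which sockets would be bound, models Unbound's access-control lookup as most-specific netblock wins with the documented default of allowing only localhost, and compares the listen port with the container side of a `--publish host:container` spec. Both sample configs are constructed for this example: the "before" one has the loopback-only interface the comment describes, the "after" one follows the suggested settings with the 192.168 rule adjusted to the 192.168.0.0/24 network that actually appears in the log above.

```python
import ipaddress
import re

# Constructed "before" config: loopback-only interface, no access-control.
CONF_BEFORE = """\
server:
    verbosity: 0
    port: 5335
    interface: 127.0.0.1
    do-ip4: yes
    do-ip6: no
"""

# Constructed "after" config following the advice in the comment above.
# The 192.168 netblock is the LAN seen in the log (192.168.0.100), not 192.168.1.x.
CONF_AFTER = """\
server:
    verbosity: 0
    port: 5335
    interface: 0.0.0.0@5335
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/24 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
"""

OPTION_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")


def parse_server_options(conf_text):
    """Collect the options of the server: clause as {name: [values]}; comments are stripped."""
    opts, in_server = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = OPTION_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value == "":  # a bare "name:" line opens a clause such as server: or forward-zone:
            in_server = name == "server"
            continue
        if in_server:
            opts.setdefault(name, []).append(value.strip('"'))
    return opts


def listen_sockets(opts):
    """(address, port) pairs Unbound would bind: interface@port overrides the global port."""
    default_port = int(opts.get("port", ["53"])[0])
    sockets = []
    for iface in opts.get("interface", ["0.0.0.0"]):
        addr, _, port = iface.partition("@")
        sockets.append((addr, int(port) if port else default_port))
    return sockets


def acl_action(opts, client_ip):
    """Most specific matching access-control netblock wins; with no match only
    localhost is allowed (simplified model of Unbound's default)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for rule in opts.get("access-control", []):
        net_s, action = rule.split()[:2]
        net = ipaddress.ip_network(net_s, strict=False)  # tolerate host bits such as 192.168.1.1/24
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if ip.is_loopback else "refuse"


def check_container_conf(conf_text, publish, client_ip):
    """Return a list of findings for running this config behind `-p publish` (host:container[/proto])."""
    opts = parse_server_options(conf_text)
    findings = []
    container_port = int(publish.partition(":")[2].split("/")[0])
    sockets = listen_sockets(opts)
    ports = sorted({p for _, p in sockets})
    if all(ipaddress.ip_address(a).is_loopback for a, _ in sockets):
        findings.append("listens on loopback only: traffic published from the host never reaches it")
    if container_port not in ports:
        findings.append(f"container port {container_port} in --publish does not match listen port(s) {ports}")
    if acl_action(opts, client_ip) != "allow":
        findings.append(f"access-control refuses {client_ip}; add an allow rule for its netblock")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, check_container_conf(conf, "5335:5335", "172.17.0.1") or ["ok"])
```

The check for the bridge gateway 172.17.0.1 matters because, with the userland proxy, queries sent to the published port from the host itself arrive from that address; the second argument accepts the same `host:container` form as `--publish`, so `5335:53` with an unchanged `port: 5335` is reported as a mismatch.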

plsnotracking commented 4 years ago

Thank you, that worked, didn't realise the nuance between 127.0.0.1 and 0.0.0.0 in the docker world!

In addition to the access-control. Thank you so much.

On a side note, I was wondering what has stopped you from using pihole + unbound?

I'll add my config in the rpi repo for someone who hits the same problem.

MatthewVance commented 4 years ago

Thanks for confirming it worked and sharing your config.

Nothing really stopped me from using Pi-hole with Unbound...I've never been much of a user. It's one of those things I should try. Unbound or Unbound+Stubby has met most of my needs.

I have been thinking about picking up DNSCrypt again because it's advanced some since I last played with it. Ideally, I'd run it on a cloud server.

Pi-hole is nice, it just fits a different niche.
