NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Unbound fails on startup, attempt to install with pihole on Centos7 #416

Open brianread108 opened 3 years ago

brianread108 commented 3 years ago

```
Feb 02 18:19:17 pihole systemd[1]: Starting Unbound recursive Domain Name Server...
Feb 02 18:19:17 pihole unbound-checkconf[377]: unbound-checkconf: no errors in /etc/unbound/unbound.conf
Feb 02 18:19:17 pihole systemd[1]: Started Unbound recursive Domain Name Server.
Feb 02 18:19:17 pihole unbound[379]: Feb 02 18:19:17 unbound[379:0] error: can't bind socket: Address already in use for ::1
Feb 02 18:19:17 pihole unbound[379]: Feb 02 18:19:17 unbound[379:0] fatal error: could not open ports
Feb 02 18:19:17 pihole systemd[1]: unbound.service: main process exited, code=exited, status=1/FAILURE
Feb 02 18:19:17 pihole systemd[1]: Unit unbound.service entered failed state.
Feb 02 18:19:17 pihole systemd[1]: unbound.service failed.
```

Using this link

https://docs.pi-hole.net/guides/dns/unbound/

brianread108 commented 3 years ago

With extra verbosity:

```
Feb 02 18:24:11 pihole systemd[1]: Started Unbound recursive Domain Name Server.
Feb 02 18:24:11 pihole unbound[449]: [1612290251] unbound[449:0] notice: Start of unbound 1.6.6.
Feb 02 18:24:11 pihole unbound[449]: Feb 02 18:24:11 unbound[449:0] debug: increased limit(open files) from 1024 to 16566
Feb 02 18:24:11 pihole unbound[449]: Feb 02 18:24:11 unbound[449:0] debug: creating udp6 socket ::1 53
Feb 02 18:24:11 pihole unbound[449]: Feb 02 18:24:11 unbound[449:0] debug: creating tcp6 socket ::1 53
Feb 02 18:24:11 pihole unbound[449]: Feb 02 18:24:11 unbound[449:0] error: can't bind socket: Address already in use for ::1 port 53 (len 28)
Feb 02 18:24:11 pihole unbound[449]: Feb 02 18:24:11 unbound[449:0] fatal error: could not open ports
Feb 02 18:24:11 pihole systemd[1]: unbound.service: main process exited, code=exited, status=1/FAILURE
Feb 02 18:24:11 pihole systemd[1]: Unit unbound.service entered failed state.
Feb 02 18:24:11 pihole systemd[1]: unbound.service failed.
```

Port 53 is definitely in use by pihole.

```
server:

# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0

interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
root-hints: "/var/lib/unbound/root.hints"

# Trust glue only if it is within the server's authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
```

brianread108 commented 3 years ago

So I guess the real question is how do I stop unbound using port 53? And what is it used for? I tried disabling the remote feature and it stopped failing, but would not respond to a dig.

wcawijngaards commented 3 years ago

So you have IPv6 disabled and are using a port other than port 53, but the log says it is trying to open :: port 53. Unbound must not be using the config file that you are editing. Is this because you have several config files, e.g. the alternatives framework on debian/ubuntu may be confusing and put the real config file somewhere else? Checkconf reports config file /etc/unbound/unbound.conf but is that also what the unbound daemon is started with and the file you are editing?

As an alternative it is also possible to override the options with later options in the config file, for that you need like an include statement at the end and then another file with different options after it.

brianread108 commented 3 years ago

Thanks for your reply. Strange. This is the start line in the service file: `ExecStart=/usr/sbin/unbound -d -vvvv $UNBOUND_OPTIONS`. Not sure where the `$UNBOUND_OPTIONS` comes from. Incidentally this is a Centos7 install, not Ubuntu.

brianread108 commented 3 years ago

This is the conf file it is meant to use:

```
[root@pihole unbound.conf.d]# ls -l /etc/unbound/unbound.conf.d/pi-hole.conf
-rw-r--r-- 1 root root 2053 Feb 2 18:18 /etc/unbound/unbound.conf.d/pi-hole.conf
```

brianread108 commented 3 years ago

ok, found the problem: the pi-hole.conf should be in /etc/unbound/conf.d/pi-hole.conf, not /etc/unbound/unbound.conf.d/pi-hole.conf. I'll submit a bug for the pihole docs.
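The two findings above (a later option overriding an earlier one via an `include:` at the end, and a drop-in file that the main config's include glob never matches) can be checked without starting the daemon. The following is an added Python example, not unbound's own code: it follows `include:` globs the way unbound.conf(5) describes, applies `port:` as last-wins and `interface:` as cumulative, and rebuilds the issue's directory layout in a temp dir. It models only the options discussed in this thread (`include:`, `interface:`, `port:`, `do-ip6:`) and assumes unbound's documented default of listening on localhost port 53 when no interface is configured.

```python
import glob
import os
import re
import tempfile

_OPT = re.compile(r'^([a-z0-9-]+):\s*(\S.*)$')  # "key: value"; a bare "server:" does not match

def collect_options(path):
    """(file, key, value) tuples in the order unbound reads them, following include: globs."""
    options = []
    with open(path) as fh:
        for raw in fh:
            m = _OPT.match(raw.split('#', 1)[0].strip())  # drop comments and whitespace
            if not m:
                continue
            key, val = m.group(1), m.group(2).strip().strip('"')
            if key == 'include':
                for inc in sorted(glob.glob(val)):  # no match: the file is silently not read
                    options += collect_options(inc)
            else:
                options.append((path, key, val))
    return options

def listen_sockets(options):
    """port: is last-wins, interface: accumulates; with no interface at all
    unbound binds localhost on both address families (the ::1 53 in the log)."""
    port, ifaces, ip6 = 53, [], True
    for _, key, val in options:
        if key == 'port':
            port = int(val)
        elif key == 'interface':
            ifaces.append(val)
        elif key == 'do-ip6':
            ip6 = (val == 'yes')
    return [(i, port) for i in (ifaces or ['127.0.0.1', '::1'])
            if ip6 or ':' not in i]  # an IPv6 literal is skipped when do-ip6: no

def reproduce(misplaced):
    """Constructed copy of the issue's layout: the main file includes unbound.conf.d/*.conf,
    pi-hole.conf lands in conf.d (misplaced, as reported) or unbound.conf.d (correct)."""
    root = tempfile.mkdtemp()
    for d in ('unbound.conf.d', 'conf.d'):
        os.mkdir(os.path.join(root, d))
    main = os.path.join(root, 'unbound.conf')
    with open(main, 'w') as fh:
        fh.write('include: "%s/unbound.conf.d/*.conf"\n' % root)
    where = 'conf.d' if misplaced else 'unbound.conf.d'
    with open(os.path.join(root, where, 'pi-hole.conf'), 'w') as fh:
        fh.write('server:\n  interface: 127.0.0.1\n  port: 5335\n  do-ip6: no\n')
    return listen_sockets(collect_options(main))
```

Running `reproduce(True)` yields the localhost port 53 sockets from the log, including ::1, while `reproduce(False)` yields only 127.0.0.1 on 5335.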

DL6ER commented 3 years ago

The Pi-hole documentation was right at the time it was written, according to:

```
cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
```

(I did not modify this file).

Did unbound change this file or is it even distro-provided?

brianread108 commented 3 years ago

reopen

brianread108 commented 3 years ago

Looks like I am using an older version of unbound - 1.6.6, whereas @DL6ER seems to be on a later one. So the question is - has this changed (and does it matter?).

wcawijngaards commented 3 years ago

Unbound has a default config file, you can see which one with `unbound -h` that prints the file location. This is set by the ./configure script at compile time. It has not changed, but the packager could have changed compile parameters. The config file can also be set with `-c <file>` when unbound is started. This could be in the start script.