How to set up pi-hole with Unbound #68

Closed
prog-amateur2 opened this issue Sep 22, 2021 · 6 comments

@prog-amateur2

Describe the bug

Hello, I have installed pi-hole from the YunoHost app store. I would like to use it with unbound to set up pi-hole as my own recursive DNS server. The official guide explains how to install unbound on Debian and how to set it up with pi-hole.

The problem I have is that I cannot enter the port 5335 in my custom DNS server like in this picture:

When I add a #, it is automatically deleted. Trying with : is the same. And at the end, I have no graphics, and the pi-hole service is considered as exited (like in issue #43).

On the official guide, there is an optional paragraph to check if pi-hole comes with a systemd service called unbound-resolvconf.service, but I don't know how to deal with it.

Could you please help me? Thank you very much for your kind help.

Context

  • Hardware: Old laptop or computer
  • YunoHost version: 4.2.8
  • I have access to my server: Through SSH | through the webadmin
  • Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
    • If yes, please explain: I have installed unbound and have modified /etc/unbound/unbound.conf.d/pi-hole.conf as follows:
  server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

  • Using, or trying to install package version/branch: 5.4~ynh1
  • If upgrading, current package version: *N/A

Steps to reproduce

Go to pi-hole UI > Settings > DNS > try to set up DNS 127.0.0.1#5335 in the custom DNS field without success

Expected behavior

I could use unbound as my own recursive DNS server.

Logs

journalctl :

sept. 22 23:23:47 pihole-FTL[18293]: Stopped
sept. 22 23:23:47 systemd[1]: pihole-FTL.service: Succeeded.
sept. 22 23:23:47 systemd[1]: Stopped LSB: pihole-FTL daemon.
sept. 22 23:25:38 systemd[1]: Starting LSB: pihole-FTL daemon...
sept. 22 23:25:38 pihole-FTL[20540]: Not running
sept. 22 23:25:38 pihole-FTL[20540]: rm: impossible de supprimer '/var/run/pihole/FTL.sock': Aucun fichier ou dossier de ce type
sept. 22 23:25:38 su[20554]: (to pihole) root on none
sept. 22 23:25:38 su[20554]: pam_unix(su:session): session opened for user pihole by (uid=0)
sept. 22 23:25:38 pihole-FTL[20540]: FTL started!
sept. 22 23:25:38 su[20554]: pam_unix(su:session): session closed for user pihole
sept. 22 23:25:38 systemd[1]: Started LSB: pihole-FTL daemon

/var/log/pihole-FTL.log :


[2021-09-22 00:00:02.047] FATAL: Trying to free NULL pointer in pihole_log_flushed() (flush.c:72)
[2021-09-22 00:00:02.129] Gravity list entries: 104404
[2021-09-22 00:00:02.129] No blacklist present
[2021-09-22 00:00:02.129] No wildcard blocking list present
[2021-09-22 00:00:02.129] Imported 0 queries from the long-term database
[2021-09-22 00:00:02.130] Reading from /var/log/pihole.log (rw-r--r--)
[2021-09-22 23:23:47.514] FATAL: FTL received SIGTERM from PID/UID 18293/0, exiting gracefully
[2021-09-22 23:23:47.514] Shutting down...
[2021-09-22 23:23:47.549] Finished final database update
[2021-09-22 23:23:47.549] ########## FTL terminated after 34.8 ms! ##########
[2021-09-22 23:25:38.846] ########## FTL started! ##########
[2021-09-22 23:25:38.846] FTL branch: 
[2021-09-22 23:25:38.846] FTL version: 
[2021-09-22 23:25:38.846] FTL commit: 
[2021-09-22 23:25:38.846] FTL date: 
[2021-09-22 23:25:38.846] FTL user: pihole
[2021-09-22 23:25:38.846] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2021-09-22 23:25:38.846]    SOCKET_LISTENING: only local
[2021-09-22 23:25:38.846]    QUERY_DISPLAY: Show queries
[2021-09-22 23:25:38.846]    AAAA_QUERY_ANALYSIS: Show AAAA queries
[2021-09-22 23:25:38.847]    MAXDBDAYS: max age for stored queries is 365 days
[2021-09-22 23:25:38.847]    RESOLVE_IPV6: Resolve IPv6 addresses
[2021-09-22 23:25:38.847]    RESOLVE_IPV4: Resolve IPv4 addresses
[2021-09-22 23:25:38.847]    DBINTERVAL: saving to DB file every minute
[2021-09-22 23:25:38.847]    DBFILE: Using /etc/pihole/pihole-FTL.db
[2021-09-22 23:25:38.847]    MAXLOGAGE: Importing up to 24.0 hours of log data
[2021-09-22 23:25:38.847] Finished config file parsing
[2021-09-22 23:25:38.855] Found no other running pihole-FTL process
[2021-09-22 23:25:38.857] PID of FTL process: 20571
[2021-09-22 23:25:38.897] Gravity list entries: 104404
[2021-09-22 23:25:38.897] No blacklist present
[2021-09-22 23:25:38.897] No wildcard blocking list present
[2021-09-22 23:25:38.898] Database initialized
[2021-09-22 23:25:38.898] Imported 0 queries from the long-term database
[2021-09-22 23:25:38.898] Starting initial log file parsing
[2021-09-22 23:25:38.898] Reading from /var/log/pihole.log (rw-r--r--)
[2021-09-22 23:25:38.899] Finished initial log file parsing
[2021-09-22 23:25:38.900]  -> Total DNS queries: 0
[2021-09-22 23:25:38.900]  -> Cached DNS queries: 0
[2021-09-22 23:25:38.900]  -> Forwarded DNS queries: 0
[2021-09-22 23:25:38.900]  -> Exactly blocked DNS queries: 0
[2021-09-22 23:25:38.900]  -> Wildcard blocked DNS queries: 0
[2021-09-22 23:25:38.900]  -> Unknown DNS queries: 0
[2021-09-22 23:25:38.900]  -> Unique domains: 0
[2021-09-22 23:25:38.900]  -> Unique clients: 0
[2021-09-22 23:25:38.900]  -> Known forward destinations: 0
[2021-09-22 23:25:38.900] Successfully accessed setupVars.conf
[2021-09-22 23:25:38.900] Listening on port 4711 for incoming IPv4 telnet connections
[2021-09-22 23:25:38.900] Listening on port 4711 for incoming IPv6 telnet connections
[2021-09-22 23:25:38.901] Listening on Unix socket
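
Added example, not part of the original issue or of the YunoHost package: a check that the Unbound settings quoted in the report keep the resolver on loopback and agree with the `127.0.0.1#5335` upstream entered in Pi-hole's custom DNS field. The function names (`parse_unbound`, `parse_upstream`, `audit`) and the rule that the hardening options must be set explicitly are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample: security-relevant lines from the pi-hole.conf quoted above.
SAMPLE_CONF = """\
server:
    # full-line comments are skipped
    interface: 127.0.0.1
    port: 5335
    harden-glue: yes
    harden-dnssec-stripped: yes
    private-address: 192.168.0.0/16
    private-address: fd00::/8
"""

def parse_unbound(text):
    """Collect 'key: value' options; repeated keys such as private-address accumulate."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        key, _, value = line.partition(":")
        if line.startswith("#") or not value.strip():
            continue  # comment, blank line, or clause header such as 'server:'
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def parse_upstream(entry):
    """Split Pi-hole's 'address#port' upstream notation; the port defaults to 53."""
    host, _, port = entry.partition("#")
    return ipaddress.ip_address(host), int(port) if port else 53

def audit(conf_text, pihole_upstream):
    """Return findings as strings; an empty list means the pairing is consistent."""
    opts = parse_unbound(conf_text)
    addr, port = parse_upstream(pihole_upstream)
    # Assumption: interfaces are IP literals, optionally written as ip@port.
    listen = [ipaddress.ip_address(i.split("@")[0]) for i in opts.get("interface", ["127.0.0.1"])]
    findings = []
    if any(not ip.is_loopback for ip in listen):
        findings.append("unbound listens on a non-loopback address")
    if addr not in listen and not any(ip.is_unspecified for ip in listen):
        findings.append(f"upstream address {addr} is not an unbound interface")
    if int(opts.get("port", ["53"])[-1]) != port:
        findings.append(f"upstream port {port} does not match unbound's port")
    for key in ("harden-glue", "harden-dnssec-stripped"):  # policy of this example: set explicitly
        if opts.get(key, [""])[-1] != "yes":
            findings.append(f"{key} is not set to yes")
    if not opts.get("private-address"):
        findings.append("no private-address ranges configured")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "127.0.0.1#5335"))
```

To run it against a live host, pass the contents of `/etc/unbound/unbound.conf.d/pi-hole.conf` as `conf_text`.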
@kay0u
Member

kay0u commented Sep 23, 2021

Hello,

Thank you for your report!

During the install, did you install the Last 3.x or the Last available version? Maybe this feature is only available in the latest version?

@prog-amateur2
Author

Hello, thank you for your quick reply. I originally installed 3.4 (where the issue was present), then yesterday I updated to 5.4~ynh1 and I still have the same issue.

@kay0u
Member

kay0u commented Sep 24, 2021

If you have just upgraded, you are probably still in 3.x because version 5.x may conflict with YunoHost (dnsmasq) and we don't have enough feedback yet to impose it on users.

@prog-amateur2
Author

Hello, as pi-hole seems to not work at all, I am ready to install the 5.x version, but do you know how to do it?
Is just uninstalling 3.x, then installing again with "lastest" as an option, the correct way?
Thank you

@prog-amateur2
Author

So! I come back with good news. Thank you @kay0u, your suggestion was the right one: I had to uninstall pi-Hole 3.x (upgraded to 5.x with the old version of dnsmasq), and re-install it by selecting the latest version (which is the 5.x with the FTLDNS version of dnsmasq).

Now, I can use both pi-Hole and unbound (I can add the port in the custom DNS field). Therefore, I can close this issue! Thank you again!!!

@kay0u
Member

kay0u commented Sep 25, 2021

Thanks for the feedback!
I plan to remove the old 3.x version in the future to avoid this confusion if 5.x works well.
I may also think about integrating unbound as an option if it's worth it, but I'm not very familiar with pihole and unbound.
