Unbound Pi-hole Setup | Learn how to Increase your Privacy!

Today we are going to take a look at how to set up Unbound on a Raspberry Pi so that Pi-hole can use it as its upstream recursive DNS resolver.

The first question that needs to be answered is why you might want to set up Unbound on Pi-hole. Ultimately, the answer is somewhat simple, and it’s mostly privacy related. When you use Pi-hole, you generally configure an upstream DNS provider. The first thing you need to realize is that every query Pi-hole cannot answer from its cache is sent to that provider from your external IP address, so depending on who you’re sending the data to, you’re trusting them with your DNS traffic and, with it, a record of the sites your network visits.

The other issue is that periodically, these services will go down. In that case, it might appear as if your internet “stopped” working, when the reality is that it simply cannot resolve DNS names. While this is infrequent, it does happen.

When you install Unbound, you become your own DNS provider: Unbound resolves names recursively instead of forwarding your queries to a third party. This keeps your DNS queries on your own network, and you will no longer be impacted by outages at an upstream provider.

1. Instructions - Unbound Pi-hole Setup

The instructions that we will be following were taken straight from the Pi-hole website, which shows how to configure Unbound. The goal here is to strip out most of the explanation (though I highly suggest that you read the official documentation if you can) and simply list the commands and settings that need to be applied, in order, below.

1. Ensure that Pi-hole is installed on your Raspberry Pi. I have a tutorial here that you can quickly follow to get it up and running.

2. Connect to your Raspberry Pi, either via SSH or by plugging it into a monitor with a keyboard and mouse.

3. Run the commands below to install Unbound and download the root.hints file it needs.

sudo apt install unbound
wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints

4. Create a file that will force Unbound to only listen for queries from Pi-hole. There are a few other benefits that can be found on the official Unbound page.

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

5. Paste the contents below into the file we just created and save.

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this set to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

6. Restart Unbound and run the dig command below to test DNS resolution. You should see the status “NOERROR” along with an IP address for pi-hole.net in the ANSWER SECTION.

sudo service unbound restart
dig pi-hole.net @127.0.0.1 -p 5335


7. The final test is to ensure that DNSSEC is working properly. First, if you’re interested in learning what DNSSEC is, this is a great explanation. There are two commands that you can run to ensure that DNSSEC is working properly.

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

This command should return SERVFAIL with NO IP address.

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

This command should return NOERROR WITH an IP address. If both results match, DNSSEC validation is working properly.
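To avoid eyeballing three dig outputs every time the Pi is rebuilt, here is an added example (not from the tutorial or the Pi-hole project) that runs the same three dig commands and checks the results the way steps 6 and 7 describe; it also checks the `ad` (authenticated data) flag in dig's header for the sigok query, since that flag is what shows Unbound validated the signatures rather than merely resolved the name. The sample dig outputs embedded below are constructed and abridged, and the IP address in them is a placeholder.

```python
import re
import shutil
import subprocess

RESOLVER = "127.0.0.1"
PORT = 5335

# Constructed, abridged sample of dig output from a validating Unbound (placeholder IP).
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net.\t60\tIN\tA\t192.0.2.10
"""

# Constructed sample of what a validating resolver returns for a badly signed name.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(output: str) -> dict:
    """Pull the status, header flags and answer count out of dig's header lines."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"flags: ([\w ]*);", output)
    answers = re.search(r"ANSWER: (\d+)", output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answers": int(answers.group(1)) if answers else 0,
    }

def evaluate(output: str, expect_status: str, require_ad: bool = False) -> bool:
    """True when the dig output matches the tutorial's expectation for that query."""
    r = parse_dig(output)
    if r["status"] != expect_status:
        return False
    if expect_status == "SERVFAIL":
        return r["answers"] == 0          # sigfail: rejected, no IP address at all
    # NOERROR: at least one answer, plus the 'ad' flag when validation is the point
    return r["answers"] > 0 and (not require_ad or "ad" in r["flags"])

def dig(name: str) -> str:
    """Run the tutorial's dig command against the local Unbound (needs dig and network)."""
    cmd = ["dig", name, f"@{RESOLVER}", "-p", str(PORT)]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout

if __name__ == "__main__":
    if shutil.which("dig") is None:
        raise SystemExit("dig not found; install the dnsutils package")
    checks = [("pi-hole.net", "NOERROR", False),
              ("sigok.verteiltesysteme.net", "NOERROR", True),
              ("sigfail.verteiltesysteme.net", "SERVFAIL", False)]
    for name, status, ad in checks:
        print(f"{name}: {'ok' if evaluate(dig(name), status, ad) else 'UNEXPECTED'}")
```

Run it on the Pi after step 6; all three lines should read ok, and an UNEXPECTED line tells you which of the two DNSSEC checks failed.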

8. The final step is to configure Pi-hole to use our recursive DNS server. Open the Pi-hole admin page and select Settings, then DNS. Uncheck all of the Upstream DNS Servers, check Custom 1 (IPv4), and enter 127.0.0.1#5335 in the textbox. Save the settings.


9. Test to ensure that everything is working as expected and you are fully set up!

2. Conclusion - Unbound Pi-hole Setup

Privacy is something that everyone values differently. Some people don’t care about it at all, and some want to ensure that their data is protected and not being sent to larger corporations. If you don’t care about privacy, you probably won’t benefit from this Unbound Pi-hole setup process. However, if you do, this is a very easy way to run your own recursive DNS server!

Thanks for checking out the tutorial. If you have any questions, please leave them in the comments!

This Post Has 7 Comments

  1. THANK YOU!

  2. This went through without a hitch for me (thus far…) which for some reason was not the case when I initially attempted to set up Unbound a couple months back from the Pi-Hole website instructions… Question I have: I’m running Pi-Hole and Unbound on an RPi4 but I also have a PiZero running AdGuard. Do I need to install Unbound on that Pi as well and change some AdGuard settings for the same type of functionality or does Unbound only play nice with Pi-Hole? Would you be willing to do a video on that as well?

    1. Yes, you will, unfortunately. The setup might be slightly different, but any device that’s serving DNS will need to implement Unbound (or an alternative).

  3. Thank you! Very good tutorial.
    Do you know how I can make an SSL certificate for Pi-hole? I want to access it on my local network, not over the Internet.

    1. When you say an SSL certificate for pi-hole, do you mean the admin interface? If so, it’s pretty confusing (and for something that you won’t have that huge of a benefit from if you’re only running it locally), but if you google “https pi-hole web interface” you should find a bunch of tutorials!

  4. I followed your directions and everything seems to work perfectly with one exception. In the PiHole admin GUI under TOOLS > Update Gravity, there is an option to update the block list. In the initial configuration of PiHole, using OPENDNS or GOOGLE, it worked within a few seconds of clicking update. In the Unbound configuration it runs for about 40 seconds and comes back with

    [✗] DNS resolution is currently unavailable
    [✗] DNS resolution is not available

    If I go back and turn on Google or OpenDNS, leaving the custom link to the Unbound server enabled, it functions normally again. I went digging in the logs to see if I could find anything, but nothing pointed to a configuration issue, and everything else on my network seems to resolve without a problem. I’m going to increase the logging level of Unbound to see if I can at least see what it’s looking for. Anyone else see this?

    1. Can you generate a debug log and see if there’s anything out of the ordinary there?
