Adguard + Unbuond Configuration ISSUE

ok i try to disable firewall and still not work

i dont have a wifi module but i have a PiZero2W with DietPi v8.11.2

i try this command

root@DietPi:~# unbound
[1671111324] unbound[1536:0] warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1671111324] unbound[1536:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1671111324] unbound[1536:0] error: can't bind socket: Address already in use for port 8953
[1671111324] unbound[1536:0] error: cannot open control interface 8953
[1671111324] unbound[1536:0] fatal error: could not open ports

unbound is already started as service. You can’t start it twice :wink:

What I’m still not sure about are these messages :thinking:

theoretically you could try to install unbound while connected to your local network and check how it is going. No need to install AGH. Issue is with unbound directly.

Ah yes of course, sorry for the stupid thing, in the end I created a virtual machine and connected to the hostpot and it doesn’t work

strange thing, I could not replicate the issue at all. Unbound is working, doesn’t matter what SOC or VM I’m using,

@trendy any ideas?

As you pointed out @Joulinar the SERVFAIL is a sign of DNSSEC failure.
Reading this thread from the beginning, I’ll share a crazy idea which I faced recently.
Could the original DNS packet to the root dns server be hijacked?
Could you try over another connection? LTE, VPN…

Yes, then I tried again and actually changing the network works… is there anything I can do to solve the problem? change any router settings?

does it mean, using a different network, hotspot, was resolving the issue? Not sure if there are settings on your router that could be changed. We are not familiar with your hardware. Probably you could ask technical support of your ISP?

Sorry if I didn’t specify better, I took the RPi 2w and connected it to the hostpot of the mobile phone (this time I did everything with the monitor and not blindly), what should I tell the ISP customer service? “why are DNS/DNSSEC calls being hijacked?” can i be more specific?

I share with you some settings maybe you can help me

hiii @pietromezza ,

I don’t know if it can help you but there’s this one that’s a bit old, but it’s related to a vodafone router and unbound, also with the error SERVEUR FAIL
Pi-Hole + Unbound => Unbound anchor not ok // always SERVFAIL : pihole (

yeah looks like similar issue bit sadly no solution.

@pietromezza on DNS settings, what happen if you switch from Secure DNS to manually?? What are the options after you changed to option.

can you save settings on manually. Does this change something for unbound?

Ok after some testing I found how to make it work then: it should be configured as follows

Before definitively closing the issue, when my ISP hijacks, what do I encounter? do they see all my searches?

Well by default DNS is not encrypted and someone who like, could theoretically see what request has been sent. Unbound by default is not encrypting DNS reuest. However, it’s giving some kind of privacy as DNS request are send to the root DNS server directly and not to your ISP or some other global upstream DNS provider. If you like encrypted DNS, you will need to look into DNS over TLS (DoT). We describe a configuration example on our online docs. DNS Servers Options - Docs

Ok thx,

Is corret this configuration on “server” side?

dietpi@DietPi:~$ cat /etc/resolv.conf

and client side is corret this one?

Yes, best practice is to have server using a global upstream DNS server. And clients should point to your AdBlock server. However you should try to distribute DNS server settings via DHCP. Manual configuration might be working on a Windows or Mac client. But on mobile devices or other small network devices, it might become impossible.

Tonight a few things happened that I don’t understand, I received requests like this:


Why did I get so many requests from external IPs to the local network?

If some devices continue to use the router’s DNS or what happens?

Maybe all this happened because I had the firewall turned off?

It looks to me that you created an open resolver.
Didn’t you turn the firewall back on?

1 Like

at least 172.17.* ; 10.6.* and 192.168.* are private network addresses Private network - Wikipedia

Did you open any port to public internet (port forwarding)?

Oh yes I was saying the other two, however yes I have an open port 5xxx on TCP/UDP