Issues fresh Unbound install

I installed unbound but got some problems with it.

 unbound -dd
[1639130659] unbound[2017:0] error: can't bind socket: Address already in use for port 8953
[1639130659] unbound[2017:0] error: cannot open control interface 8953
[1639130659] unbound[2017:0] fatal error: could not open ports

netstat -anp tcp | grep
tcp        0      0*               LISTEN      2003/unbound
tcp        0      0*               LISTEN      2003/unbound
udp        0      0*                           2003/unbound

Why is Unbound using port 8953?
I think this is the reason why Unbound won’t work.

How did you installed unbound? As well it seems unbound is already running on that port. Can you reboot and check status of service

systemctl status unbound

Through Dietpi-software list

systemctl status unbound
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/unbound.service.d
     Active: active (running) since Fri 2021-12-10 11:07:51 CET; 1min 25s ago
       Docs: man:unbound(8)
    Process: 366 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 374 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 377 (unbound)
      Tasks: 1 (limit: 470)
        CPU: 413ms
     CGroup: /system.slice/unbound.service
             └─377 /usr/sbin/unbound -d -p

Dec 10 11:07:51 DietPi systemd[1]: Starting Unbound DNS server...
Dec 10 11:07:51 DietPi systemd[1]: Started Unbound DNS server.
Dec 10 11:07:51 DietPi unbound[377]: [377:0] info: start of service (unbound 1.13.1).

When I test with dig commands:

root@DietPi:~# dig @ -p 5335

; <<>> DiG 9.16.22-Debian <<>> @ -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;                   IN      A

;; Query time: 1136 msec
;; WHEN: Fri Dec 10 11:11:02 CET 2021
;; MSG SIZE  rcvd: 40

Every reply is ‘SERVFAIL’

Unbound is already running as service. Therefore you are not able to start it manually.

Do you use Unbound standalone or in combination with Pihole or AGH?

I want to use it with AGH.

before changing anything, can you share your config file

cat /etc/unbound/unbound.conf.d/dietpi.conf

to change port do following

G_CONFIG_INJECT 'port:[[:blank:]]' ' port: 5335' /etc/unbound/unbound.conf.d/dietpi.conf
systemctl restart unbound
root@DietPi:~# cat /etc/unbound/unbound.conf.d/dietpi.conf
        # Do not daemonize, to allow proper systemd service control and status estimation.
        do-daemonize: no

        # A single thread is pretty sufficient for home or small office instances.
        num-threads: 1

        # Logging: For the sake of privacy and performance, keep logging at a minimum!
        # - Verbosity 2 and up practically contains query and reply logs.
        verbosity: 0
        log-queries: no
        log-replies: no
        # - If required, uncomment to log to a file, else logs are available via "journalctl -u unbound".
        #logfile: "/var/log/unbound.log"

        # Set interface to "" to make Unbound listen on all network interfaces.
        # Set it to "" to listen on requests from the same machine only, useful in combination with Pi-hole.
        # Default DNS port is "53". When used with Pi-hole, set this to e.g. "5335", since "5353" is used by mDNS already.
        port: 5335

        # Control IP ranges which should be able to use this Unbound instance.
        # The DietPi defaults permit access from official local network IP ranges only, hence requests from www are denied.
        access-control: refuse
        access-control: allow
        access-control: allow
        access-control: allow
        access-control: allow
        access-control: ::/0 refuse
        access-control: ::1/128 allow
        access-control: fd00::/8 allow
        access-control: fe80::/10 allow

        # Private IP ranges, which shall never be returned or forwarded as public DNS response.
        # NB: is sometimes used by adblock lists, hence DietPi by default allows those as response.
        private-address: fd00::/8
        private-address: fe80::/10

        # Define protocols for connections to and from Unbound.
        # NB: Disabling IPv6 does not disable IPv6 IP resolving, which depends on the clients request.
        do-udp: yes
        do-tcp: yes
        do-ip4: yes
        do-ip6: no
        prefer-ip6: no

        # DNS root server information file. Updated monthly via cron job: /etc/cron.monthly/dietpi-unbound
        root-hints: "/var/lib/unbound/root.hints"

        # Maximum number of queries per second
        ratelimit: 1000

        # Defend against and print warning when reaching unwanted reply limit.
        unwanted-reply-threshold: 10000

        # Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
        edns-buffer-size: 1232

        # Increase incoming and outgoing query buffer size to cover traffic peaks.
        so-rcvbuf: 4m
        so-sndbuf: 4m

        # Hardening
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-algo-downgrade: yes
        harden-large-queries: yes
        harden-short-bufsize: yes

        # Privacy
        use-caps-for-id: yes # Spoof protection by randomising capitalisation
        rrset-roundrobin: yes
        qname-minimisation: yes
        minimal-responses: yes
        hide-identity: yes
        identity: "Server" # Purposefully a dummy identity name
        hide-version: yes

        # Caching
        cache-min-ttl: 300
        cache-max-ttl: 86400
        serve-expired: yes
        neg-cache-size: 4M
        prefetch: yes
        prefetch-key: yes
        msg-cache-size: 50m
        rrset-cache-size: 100m

is that information from before or after the change because port is correctly set

port: 5335

But I guess there is no issue. All seems to be working fine. According your information Unbound is listen to correct port already

what you could do is to install tcpdump and to capture network DNS traffic while running dig. Best would be to stop AGH before to avoid some influence from other clients

tcpdump -i any -c500 -nn port 53 or port 5335

Before any change.
I did now the change, but still got SERVFAIL.
It’s weird that port 8953 is used… :confused:

Netstat output is same like the opening post.

you are hunting a ghost with that port 8953. It’s an internal port of unbound. Same on my system.

root@DietPiProd:~# ss -tulpn | grep unbound
udp   UNCONN 0      0*    users:(("unbound",pid=461,fd=3))
udp   UNCONN 0      0              [::1]:5335             *:*    users:(("unbound",pid=461,fd=5))
tcp   LISTEN 0      256*    users:(("unbound",pid=461,fd=4))
tcp   LISTEN 0      256*    users:(("unbound",pid=461,fd=8))
tcp   LISTEN 0      256            [::1]:5335          [::]:*    users:(("unbound",pid=461,fd=6))
tcp   LISTEN 0      256            [::1]:8953          [::]:*    users:(("unbound",pid=461,fd=7))

pls see above my updated comment for tcpdump

I found the issue:

On my Asus router, DNSfilter was enabled.
When I disabled DNSfilter setting, the dig commands just work en give the right response.

Thanks for the help!
Lessons learned :slight_smile: