Unbound log empty

Hi

After upgrading to dietpi 6.34 I installed Unbound.
I also had pihole installed. It seems to be working as DNS are resolved.

I changed the configuration file /etc/unbound/unbound.conf.d/pi-hole.conf to include this (it was empty) as per https://docs.pi-hole.net/guides/unbound/:

server:
    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 3

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

I enabled the logging and changed verbosity to 3. Restarted service but the log stays empty…

Also, how do I get this graph (or some other stats on what unbound did/is doing):

Thx in advance

Hi,

Many thanks for your message. Basically there are already quite some enhancements planned for Unbound in the next release 6.35. This includes its own config file.

PR: https://github.com/MichaIng/DietPi/pull/4022
Config file: https://github.com/MichaIng/DietPi/commit/a23d799a9c61c4b9c8df1a09a9b6a51a0e31e7c4

Hi

OK but this doesn’t resolve my question or I misunderstand.

Does the config file I edited work (or is it taken into account)? If yes, why is the log empty?

When 6.35 comes out should I uninstall unbound and then reinstall after the update or will the update take care of the existing installation and modify it accordingly?
I’m confused…

I’m not sure where the graph is taking the logs from, probably it needs a log file? By default we ship with zero logging for privacy reasons. Aside from verbosity, have a look at these settings in /etc/unbound/unbound.conf.d/dietpi.conf.

log-queries: no
log-replies: no
logfile: ''

Btw, many settings do not override each other, so adding another settings file will lead to multiple IP bindings etc. This is also why we’re currently reworking the implementation to use a single config file only: https://github.com/MichaIng/DietPi/pull/4022

I suggest the following:

rm -vf /etc/unbound/unbound.conf.d/{dietpi-pihole,pi-hole}.conf
G_CONFIG_INJECT 'port:[[:blank:]]' '	port: 5335' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'interface:[[:blank:]]' '	interface: 127.0.0.1' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'verbosity:[[:blank:]]' '	verbosity: 3' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'log-queries:[[:blank:]]' '	log-queries: yes' /etc/unbound/unbound.conf.d/dietpi.conf

G_CONFIG_INJECT 'log-replies:[[:blank:]]' '	log-replies: yes' /etc/unbound/unbound.conf.d/dietpi.conf

So there is a single config file only with query and reply logs enabled, log level 3 and a single IP binding at 127.0.0.1#5335, which is then your upstream. Logs will be going to syslog: journalctl -u unbound

I’m also running some tests and going through all the settings, adding a comment to each of them on what it does and why we set it.
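
The point in the post above, that settings in several files do not override each other, can be checked before restarting the service. This is an added example, not part of the original post or of DietPi; the function name `dup_directives` is hypothetical, and it only flags directives for review without deciding which value Unbound ends up using.

```shell
#!/bin/sh
# Added example, not DietPi or Unbound code.
# List directives that are set in more than one *.conf file of a directory.
# Usage: dup_directives /etc/unbound/unbound.conf.d
dup_directives() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 2         { next }            # skip clause headers such as "server:"
        /^[ \t]*[a-z0-9-]+:/ {
            key = $1; sub(/:.*/, "", key)
            if (!((key, FILENAME) in seen)) {
                seen[key, FILENAME] = 1    # count each file once per directive
                count[key]++
                where[key] = where[key] " " FILENAME
            }
        }
        END { for (k in count) if (count[k] > 1) print k where[k] }
    ' "$1"/*.conf | sort
}
```

Each output line names a directive followed by the files that set it, for example `logfile` appearing in both dietpi.conf and pi-hole.conf.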

OK. I cleared the config file /etc/unbound/unbound.conf.d/pi-hole.conf again as it was.

As I’m no linux expert am I supposed to paste this into the cmd line?

rm -vf /etc/unbound/unbound.conf.d/{dietpi-pihole,pi-hole}.conf
G_CONFIG_INJECT 'port:[[:blank:]]' '	port: 5335' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'interface:[[:blank:]]' '	interface: 127.0.0.1' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'verbosity:[[:blank:]]' '	verbosity: 3' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'log-queries:[[:blank:]]' '	log-queries: yes' /etc/unbound/unbound.conf.d/dietpi.conf

Yes exactly, you can paste the commands into the terminal to execute them.

Not wanting to be a pita and just double checking, this is what I paste into cmd, right?

rm -vf /etc/unbound/unbound.conf.d/{dietpi-pihole,pi-hole}.conf
G_CONFIG_INJECT 'port:[[:blank:]]' '	port: 5335' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'interface:[[:blank:]]' '	interface: 127.0.0.1' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'verbosity:[[:blank:]]' '	verbosity: 3' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'log-queries:[[:blank:]]' '	log-queries: yes' /etc/unbound/unbound.conf.d/dietpi.conf
G_CONFIG_INJECT 'log-replies:[[:blank:]]' '	log-replies: yes' /etc/unbound/unbound.conf.d/dietpi.conf

yes, line by line

All working. Thx!

Happy New Year

manilx
Happy new year :slight_smile:.

Just to be sure, you didn’t setup a monitoring/graph page yet, right? The image you posted looks like Cacti as shown in Unbound docs here (bottom of page): https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/
This requires the cacti package to be installed: https://packages.debian.org/buster/cacti
That again requires a webserver stack with MariaDB. Since there are many other possibilities to do this and it is not something natively baked into Unbound, it’s a bit out of scope for now. But we definitely need to add some more documentation/comments to the config file, also grouping all logs-related things together so that not parts at the top and parts at the bottom of the file need to be edited to configure it :wink:.

No, I did not install this, didn’t know how. Just followed your instructions. But configured logging to a separate file.

Did install this though: https://www.cyberciti.biz/faq/dnstop-monitor-bind-dns-server-dns-network-traffic-from-a-shell-prompt/

It’s all very basic now…

Okay, I see we have that monitor screenshot in our logs. Probably not the best idea to show something there that requires a lot of additional setup. But we’ll anyway tune those logs based on experience/feedback. I meanwhile updated our default config file to sort things and give some more information: https://github.com/MichaIng/DietPi/blob/unbound/.conf/dps_182/unbound.conf

True… :wink:

I will use the new config file and put my changes in there.

Thank You!

PS: I edited the dietpi.conf file in /etc/unbound/unbound.conf.d

There is an unbound.conf in /etc/unbound. It then refers to the other one…


Which file should I now use? Thinking about a future dietpi update…

Ah, this file is installed as /etc/unbound/unbound.conf.d/dietpi.conf. I just gave it the name unbound.conf so that the filename alone in the repository shows what it is for. /etc/unbound/unbound.conf should be kept as it is so that all files from the sub directory are loaded.

After uncommenting the log file option in your new conf: logfile: "/var/log/unbound.log" and restarting the service the log file is not created…

I had to

touch /var/log/unbound.log

and

chown unbound /var/log/unbound.log

for it to start working.

Yes, this is the natural downside of the usual service setup: Log files and/or directories mostly need to be pre-created so that the service user can access them.
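
The empty-log symptom in this thread comes down to where `logfile:` points and whether the service user can write there. The following is an added example, not code from the thread or from DietPi: the function names are hypothetical, the service user `unbound` is taken from the `chown` above, and mode 640 is an assumption chosen because query logs are the privacy-sensitive data mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not DietPi or Unbound code.

# Print the last "logfile:" value found in config file $1, quotes stripped.
unbound_logfile() {
    sed -n 's/^[ \t]*logfile:[ \t]*//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Diagnose the log target of config file $1 for service user $2.
# Prints one of: syslog | missing | wrong-owner | world-readable | ok
check_unbound_log() {
    log=$(unbound_logfile "$1")
    user=${2:-unbound}
    # Empty value means syslog: read it with "journalctl -u unbound".
    if [ -z "$log" ]; then echo syslog; return 0; fi
    # The file has to exist before the service can write to it.
    if [ ! -f "$log" ]; then echo missing; return 1; fi
    if [ -z "$(find "$log" -user "$user" 2>/dev/null)" ]; then
        echo wrong-owner; return 1
    fi
    # Query logs show who resolved what, so other users should not read them.
    if [ -n "$(find "$log" -perm -004)" ]; then
        echo world-readable; return 1
    fi
    echo ok
}

# Pre-create log file $1 for service user $2, readable by owner and group only.
prepare_unbound_log() {
    log=$1
    user=${2:-unbound}
    touch "$log" && chown "$user" "$log" && chmod 640 "$log"
}

# Typical use as root:
#   check_unbound_log /etc/unbound/unbound.conf.d/dietpi.conf
#   prepare_unbound_log /var/log/unbound.log
```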