unbound install error?

Joulinar
Posts: 3135
Joined: Sat Nov 16, 2019 12:49 am

Re: unbound install error?

Post by Joulinar »

@neo-2020
Within DietPi 6.34 we have some challenges around unbound. But we will introduce quite some improvements with DietPi 6.35

This is the related pull request on GitHub. https://github.com/MichaIng/DietPi/pull/4022
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
neo-2020
Posts: 5
Joined: Sun Jan 10, 2021 5:49 pm

Re: unbound install error?

Post by neo-2020 »

Joulinar wrote: Thu Jan 14, 2021 11:30 am @neo-2020
Within DietPi 6.34 we have some challenges around unbound. But we will introduce quite some improvements with DietPi 6.35

This is the related pull request on GitHub. https://github.com/MichaIng/DietPi/pull/4022
Then I will wait for the official update.
Can someone please answer my questions?
My questions:
1: Must I comment out # DNSSEC = allow-downgrade in /etc/systemd/resolved.conf and replace allow-downgrade with off?
2: Does the /etc/resolv.conf nameserver have to be changed to 127.0.0.1?
3: systemctl status dhcpcd.service is inactive (dead), is that correct?
4: systemctl status unbound-resolvconf.service is inactive (dead), is that correct?
5: How to update /var/lib/unbound/root.hints? Once in six months? Via a cron job? Or is that already automated by DietPi?
6: Which other settings have to be set in order to use Unbound correctly?

Many Thanks!
Joulinar
Posts: 3135
Joined: Sat Nov 16, 2019 12:49 am

Re: unbound install error?

Post by Joulinar »

Usually DietPi will take care of all settings needed to have unbound working correctly, as well as in combination with PiHole.
MichaIng
Site Admin
Posts: 2488
Joined: Sat Nov 18, 2017 6:21 pm

Re: unbound install error?

Post by MichaIng »

TL;DR nothing to do aside from:

Code:

echo -e '#!/bin/dash\ncurl -sSfL https://www.internic.net/domain/named.root -o /var/lib/unbound/root.hints' > /etc/cron.monthly/dietpi-unbound
chmod +x /etc/cron.monthly/dietpi-unbound

Details:
  1. /etc/systemd/resolved.conf is relevant for systemd-resolved only, which is not used by default on DietPi to manage /etc/resolv.conf. If you actively use it (manually enabled it for a specific purpose), and you use Unbound to resolve hostnames for the DietPi server itself, then you can indeed either leave DNSSEC in for resolved commented (default) or set it to "no" actively.
  2. /etc/resolv.conf defines the DNS nameservers for the DietPi server itself. I usually do not recommend using a server's own services by the server itself for such a critical service. E.g. when you do some remote maintenance, update or such and for some reason Unbound crashes or does not start up, the DietPi server itself cannot resolve hostnames anymore, which may break further steps to repair/debug the situation and may even lock you out in some circumstances (I just remember two cases where with Pi-hole this was an issue). For this reason, also Pi-hole does not enforce itself as local resolver anymore on install. Since you don't use the server for browsing the web, usually, there is usually not much reason to use no regular upstream DNS server, but it depends on the individual use case of course.
  3. Yes this is correct, we do not use a DHCP client to disable DHCP (what Pi-hole does, as on Raspbian by default dhcpcd is used for network setup in general), but use the Debian default method which sets up network interfaces via /etc/network/interfaces. dhcpcd can conflict with this and is unnecessary then, so we disable it. Luckily Pi-hole is about to remove the forced dhcpcd install, so the package and service won't be present then anymore: https://github.com/pi-hole/pi-hole/pull/3715
  4. This service adds and removes 127.0.0.1 to /etc/resolv.conf dynamically with Unbound service start and stop, if "resolvconf" is installed (AFAIK it is as a dependency for Pi-hole). That would actually make sense when you use Unbound directly as local resolver and relativises my argument above at least for maintenance tasks when the service is gracefully stopped. The problem in combination with Pi-hole is that unbound-resolvconf.service manages 127.0.0.1 without port (hence port 53) hardcoded, instead of using the IP + port that it is actually configured to listen on, which is 127.0.0.1:5335 (or 5353), while Pi-hole listens on port 53. Hence it adds and removes Pi-hole as local nameserver entry when the Unbound service is started/stopped, which might not be exactly what you want, e.g. if Pi-hole has a fallback upstream DNS or you actually use Unbound directly with port 5335 or 5353, which would make sense when you want to hide DNS queries from upstream providers but do not need to have ads blocked on the server, where you do not browse websites from ;).
  5. Good point and idea, that one is missing in our docs. Probably we can add a monthly cron job :?. Do:

    Code:

    curl -sSfL https://www.internic.net/domain/named.root > /var/lib/unbound/root.hints
  6. None that I am aware of, otherwise we would set it during install already ;).
Joulinar
Posts: 3135
Joined: Sat Nov 16, 2019 12:49 am

Re: unbound install error?

Post by Joulinar »

Well, we could place a small script into /etc/cron.monthly to refresh root.hints??
MichaIng
Site Admin
Posts: 2488
Joined: Sat Nov 18, 2017 6:21 pm

Re: unbound install error?

Post by MichaIng »

See the two commands I posted above. We could add them as is to dietpi-software. I just verified, if any error occurs with the connection, -o /var/lib/unbound/root.hints won't override the target file, compared to simple redirect > /var/lib/unbound/root.hints.
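
Added example, not part of the original posts and not DietPi's own code: a variant of the monthly root.hints refresh discussed above that downloads to a temporary file, checks that the content looks like a complete root hints file, and only then replaces /var/lib/unbound/root.hints with an atomic rename. The function names, the `--refresh` argument and the "13 NS plus 13 A records" sanity rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate-then-replace refresh of Unbound's root hints.
HINTS_URL='https://www.internic.net/domain/named.root'  # URL from the thread
HINTS_FILE='/var/lib/unbound/root.hints'                 # path from the thread

# count_rr FILE REGEX: number of lines in FILE matching REGEX (0 if unreadable).
count_rr() {
    n=$(grep -Eic "$2" "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# valid_hints FILE: assumed sanity rule, not an official format check.
# Requires at least 13 root NS records and 13 IPv4 glue (A) records, which
# rejects empty files, HTML error pages and truncated downloads.
valid_hints() {
    [ -s "$1" ] || return 1
    ns=$(count_rr "$1" '^\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?NS[[:space:]]+[A-Z]\.ROOT-SERVERS\.NET\.')
    a=$(count_rr "$1" '^[A-Z]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?A[[:space:]]+[0-9]+(\.[0-9]+){3}[[:space:]]*$')
    [ "$ns" -ge 13 ] && [ "$a" -ge 13 ]
}

# install_hints SRC DEST: replace DEST with SRC only if SRC validates.
# The temp file lives next to DEST so the final mv is an atomic rename.
install_hints() {
    src=$1 dest=$2
    valid_hints "$src" || return 1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # mktemp creates mode 600; the unbound user must be able to read the file.
    cat "$src" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" && return 0
    rm -f "$tmp"
    return 1
}

# refresh_hints: download over HTTPS only, then validate and install.
refresh_hints() {
    dl=$(mktemp) || return 1
    if curl -sSfL --proto '=https' "$HINTS_URL" -o "$dl" &&
       install_hints "$dl" "$HINTS_FILE"; then
        rm -f "$dl"; return 0
    fi
    rm -f "$dl"; return 1
}

# Only touch the network and the live file when asked to (assumed argument).
if [ "${1:-}" = "--refresh" ]; then refresh_hints; fi
```

A non-zero exit status means the existing hints file was left untouched, so a cron mail or log entry on failure is the signal to look at the download.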
Joulinar
Posts: 3135
Joined: Sat Nov 16, 2019 12:49 am

Re: unbound install error?

Post by Joulinar »

Ah I should read with more care :D
Overlooked the first comment
MichaIng
Site Admin
Posts: 2488
Joined: Sat Nov 18, 2017 6:21 pm

Re: unbound install error?

Post by MichaIng »

Likely because I edited it inside after you read ;).
neo-2020
Posts: 5
Joined: Sun Jan 10, 2021 5:49 pm

Re: unbound install error?

Post by neo-2020 »

@MichaIng
MichaIng wrote: Fri Jan 15, 2021 1:45 pm
  1. None that I am aware of, otherwise we would set it during install already ;).
First of all, many thanks for the detailed explanation!
As far as I understand everything, I hope that my settings are correct! I'm very happy.
Next question about the setting in router:
Where is it correct or better to enter the pi-hole ip in the router (fritzbox)?
1: Internet > Zugangsdaten > DNS-Server > Bevorzugter DNSv4-Server
or
2: Heimnetz > Netzwerk > Netzwerkeinstellungen > IPv4-Konfiguration > Lokaler DNS-Server
Where's the difference? I never got it right :(

And what about the guest access, are the guests also directed via Pi-hole? The guest access uses a different IPv4 address / IP address range 192.168.179.1!
Guest network
The FRITZ!Box guest network has its own IP address range from which the FRITZ!Box assigns the IP addresses to the guest devices. The address range is determined by the FRITZ!Box and cannot be changed.
Joulinar
Posts: 3135
Joined: Sat Nov 16, 2019 12:49 am

Re: unbound install error?

Post by Joulinar »

Setting 1 is the DNS setting for your FritzBox. This is the DNS server your FritzBox is using to answer DNS queries. If nothing else is set, all clients will use the FritzBox as DNS server and inside PiHole you will see just the FritzBox as client.

Setting 2 is the DNS server that will be published to your clients. Now your clients will use PiHole as DNS server and DNS queries will go directly to PiHole. Inside PiHole you will see all clients separately now, allowing you to configure and manage them individually as you like. Maybe your kids need a stronger setting than you.

Both settings are not conflicting and can be set together.

Personally I'm using a 3rd option. I deactivated DHCP on my FritzBox and I'm using PiHole as DHCP server.