Installation of unbound from scratch not working

[jjpd19]

Thank you everybody in advance and greetigns too. By the way, Merry Christmas.
I do not even have a problem because unbound never worked.
I have just imaged an SD with Raspberry pi OS bookworm.
After that I only have configured locale and installed unbound.
Well, it did not work, I have checked with netstat -tulpn to check if it is listening, and it does.
But raspi (unbound) is not resolving anything. I only obtain SERVFAIL.

Commands I have run:

sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      515/unbound
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      516/sshd: /usr/sbin
tcp6       0      0 :::22                   :::*                    LISTEN      516/sshd: /usr/sbin
udp        0      0 127.0.0.1:5335          0.0.0.0:*                           515/unbound
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           370/avahi-daemon: r
udp        0      0 0.0.0.0:58730           0.0.0.0:*                           370/avahi-daemon: r
udp6       0      0 :::41610                :::*                                370/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                370/avahi-daemon: r

sudo systemctl status unbound
● unbound.service - Unbound DNS server
    Loaded: loaded (/lib/systemd/system/unbound.service; enabled; preset: enabled)
    Active: active (running) since Mon 2024-12-16 20:22:14 CET; 7min ago
      Docs: man:unbound(8)
   Process: 490 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
   Process: 513 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Main PID: 515 (unbound)
     Tasks: 1 (limit: 762)
       CPU: 284ms
    CGroup: /system.slice/unbound.service
            └─515 /usr/sbin/unbound -d -p

dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; Query time: 500 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Dec 16 20:30:56 CET 2024
;; MSG SIZE  rcvd: 40

The unique configuration file I have, adding the installation ones, is this:

`server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0

interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"

# Trust glue only if it is within the server's authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10`

Would anybody help me?

[Aura67]

I think you want to install Unbound from this guide here: https://docs.pi-hole.net/guides/dns/unbound/

Just follow the steps that the Pihole developers write because I assume that you have pihole installed and want to combine unbound with it.

[jjpd19]

I think you want to install Unbound from this guide here: https://docs.pi-hole.net/guides/dns/unbound/

Just follow the steps that the Pihole developers write because I assume that you have pihole installed and want to combine unbound with it.

Thank You for your answer. In fact all started there but, as I was unable to make it work fine following those steps, I tried to do it in a clear installation, without pi-hole or anything else, a this was the result. I tried to do it in a VMware machine with Debian and it did not work properly either.

[Aura67]

I tried the setup myself as the Pihole developers wrote it and it works. Unbound answered my DNS requests with this setup. You have to install pihole first and then unbound. So it is not a problem what you opened.