Unbound Shout Out to all the Developers and Maintainers of Unbound_Manager

[JGrana]

I just want to do a shout out to all the developers (and users contributing) of unbound_manager.

I recently tried to install a fresh RaspberryPi OS on a spare Pi 4 I had. I haven't been running Unbound on my router or any other device for some time.
I am planning on migrating a bunch of local scripts and cron job off my router (AX88U Pro) and onto the Pi4.
Before I started I decided - why not install Unbound as well. After going through at least 5 site that go through the process (and for some reason, everyone insists on Pi-Hole as well...) all I ever get is SERVFAIL. Some debugging shows all the root servers responding with THROWAWAY.

Tried an older version of Pi OS (Bullseye instead of Bookworm). Marginally better but still wont do a lookup.

So, went back to installing unbound_mananger on my router. Up, running and serving within minutes.

If this script was available for Debian Linux you guys would be heros.

 

[bennor]

No issues running Unbound on two Raspberry Pi's (loaded with Bullseye) along side Pi-Hole. Followed this guide: https://docs.pi-hole.net/guides/dns/unbound/
Left the /etc/unbound/unbound.conf.d/pi-hole.conf file at default values.

 

[Tech9]

Similar to @bennor experience. I was using Ubuntu Server last time when playing with Unbound + AdGuard Home. Ubuntu is Debian based OS. I had to reinstall the entire system once because of failed USB drive it was running on. It was working properly just following the installation instructions. Nothing had to be tweaked of fixed additionally.

 

[dave14305]

After not using Unbound for many years, I had a chance to play with it again this past week while running an OpenBSD 7.7 router on x86 (which is a beautifully simple solution). One aspect of Unbound I didn't really appreciate is the use of RPZ for adblocking. No special scripts or addons needed. You can give the URL of an RPZ-formatted blocklist and Unbound will auto-refresh it based on the refresh interval in the file. And whitelisting is as simple as adding a local RPZ zone in the unbound.conf before the remote blocklist. The first one to match the query wins.

unbound.conf:

server:
    module-config: "respip validator iterator"
    
rpz:
    name: local-rpz
    zonefile: zonefiles/local.rpz

rpz:
    name: hagezi-light-rpz
    zonefile: zonefiles/hagezi-light.rpz
    url: https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/rpz/light.txt

local.rpz (for whitelisting or blacklisting extra domains):

$TTL 300
@ SOA localhost. root.localhost. 1754697180 43200 3600 86400 300
  NS  localhost.
;
browser-intake-datadoghq.com CNAME rpz-passthru.
*.browser-intake-datadoghq.com CNAME rpz-passthru.

Hagezi's header info from the blocklist (the 43200 informs unbound to refresh every 12 hours):

$TTL 300
@ SOA localhost. root.localhost. 1755127740 43200 3600 86400 300
  NS  localhost.
;
; Title: HaGeZi's Light DNS Blocklist
; Description: Hand brush - Cleans the Internet and protects your privacy! Blocks Ads, Tracking, Metrics and some Badware.
; Homepage: https://github.com/hagezi/dns-blocklists
; License: https://github.com/hagezi/dns-blocklists/blob/main/LICENSE
; Issues: https://github.com/hagezi/dns-blocklists/issues
; Expires: 1 day
; Last modified: 13 Aug 2025 23:29 UTC
; Version: 2025.0813.2329.09
; Syntax: RPZ
; Number of entries: 119618
;