Installing Unbound for Pi-Hole on the Raspberry Pi?

Configuring Pi-Hole with Unbound offers many security and privacy benefits over using third-party DNS resolvers. This guide will walk you through the process of installing Unbound for use with Pi-Hole on a Raspberry Pi, as well as optimizing the setup for performance and reliability. We’ll cover the reasons for running your own DNS resolver, detail the installation process step-by-step, provide post-install configuration recommendations, and troubleshoot common issues that may arise.

Installing Unbound for Pi-Hole on the Raspberry Pi?

Benefits of Running Unbound with Pi-Hole

Here are some of the main advantages of running your own DNS resolver through Unbound instead of relying on third party options:

  • Improved Security and Privacy – Your DNS queries are handled locally instead of being sent out to a third party’s servers. This avoids potential spying or logging of your internet activity. It also mitigates the risk of man-in-the-middle attacks that try to intercept your traffic.
  • Better Reliability – By running the DNS resolver on your local network, you reduce dependence on Internet connectivity for DNS lookups. Unbound implements cache management so that popular DNS queries are saved temporarily for better performance.
  • Flexibility of Configuration – Unbound gives you granular control over DNS settings like cache size, number of query threads, port configuration, and more. This allows DNS functionality to be tailored to your specific needs.
  • Support for Latest DNS Protocols – Unbound stays updated with modern DNS protocol features out-of-the-box. This includes support for DNS over TLS, authentication of DNSSEC results, and more security focused improvements.

Now let’s move on to installing and setting up Unbound.

Step-by-Step Installation Guide

Here are the detailed steps to install Unbound and integrate it with Pi-Hole:

1. Install Unbound

Connect to your Raspberry Pi and execute the following command to install Unbound:

sudo apt install -y unbound

2. Configure Unbound

We need to configure Unbound to act as a recursive resolver and communicate with Pi-Hole properly.

Create a new configuration file with your preferred editor:

sudo nano /etc/unbound/unbound.conf.d/pi-Holicong

Paste in the following configuration:


   If no logfile is specified, syslog is used

   logfile: “/var/log/unbound/unbound.log”

    verbosity: 0


    port: 5335

    do-ip4: yes

    do-udp: yes

    do-tcp: yes

    May be set to yes if you have IPv6 connectivity

    do-ip6: no

     You want to leave this to no unless you really know what you are doing

    do-daemonize: no

     Use this only when you downloaded the list of primary root servers!

    root-hints: “/var/lib/unbound/root. Hints”

     Trust glue only if it is within the server’s authority

    harden-glue: yes

     Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS

    harden-dnssec-stripped: yes

     Don’t use Capitalization randomization as it known to cause DNSSEC issues sometimes

     see for further details

    use-caps-for-id: no

     Reduce EDNS reassembly buffer size.

     Suggested by the unbound man page to reduce fragmentation reassembly problems

    edns-buffer-size: 1472

    Perform prefetching of close to expired message cache entries

    This only applies to domains that have been frequently queried

    prefetch: yes

     One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.

    num-threads: 1

     Ensure kernel buffer is large enough

    so-rcvbuf: 1m

   Ensure privacy of local IP ranges





    private-address: fd00::/8

    private-address: fe80::/10

The key settings are:

  • Set verbosity to 0 to reduce logging and improve performance
  • Listen only on localhost interface
  • Set DNS port to 5335 for Pi-Hole integration
  • Enable DNSSEC, harden settings for security
  • Adjust thread count, cache settings, and timeouts for performance/reliability

Save and exit the file when done editing.

3. Configure Pi-Hole

We need to point Pi-Hole to use Unbound as the local DNS resolver rather than a third party option.

In the Pi-Hole admin interface, go to Settings > DNS and choose the Custom option. Enter for the upstream DNS server.

  • Set Custom DNS (IPv4) to
  • Set Custom DNS (IPv6) to ::1#5335

Click Save to apply the Unbound configuration.

4. Restart Services

Run the following commands to restart services and enable Unbound on startup:

sudo service unbound restart

sudo service pihole-FTL restart

sudo systemctl enable unbound

That completes the installation! Unbound should now be running in integration with Pi-Hole.

Post-Install Configuration Tips

Here are some additional configuration tweaks worth considering for your Unbound + Pi-Hole setup:

  • Adjust thread count by setting num-threads – Consider setting to equal number of cores on your Pi
  • Increase cache size from default – Set msg-cache-size to improve caching performance
  • Enable prefetching – Set prefetch to Yes get additional caching benefits
  • Change DNS port configuration – Adjust port if needed to resolve conflicts
  • Add additional blocking lists – Block ad/malware domains via Pi-Hole admin dashboard
  • Set up backup DNS resolver – Add public DNS server as fallback upstream option
  • Monitor query logging – Check pihole -t often for insights on DNS usage

Make adjustments gradually and check that Unbound/Pi-Hole remain working reliably.

Troubleshooting Common Issues

Here are some common issues and fixes to consider if your Unbound/Pi-Hole setup has problems:

  • Cannot Access Network After Enabling – Flush DNS and reset networking with sudo /etc/init.d/dnsmasq restart & sudo ip addr flush dev eth0
  • Slow DNS Lookups – Check Pi CPU usage, increase cache size, add upstream DNS fallback
  • DNS Lookups Eventually Fail -flush logs and cache with sudo service unbound restart and enable prefetch
  • Pi-Hole Stats Show No Blocks – Ensure you have added blacklists & restarted Unbound/FTL
  • Specific Domains Won’t Resolve – Manually whitelist mis-blocked domains
  • DHCP Issues After Install – Adjust DHCP server configs in /etc/dnsmasq.d/01-pihole.conf
  • Web Admin Broken After Changes – Reconfigure DNS settings or flush caches

Note that many DNS issues can appear unrelated until root cause is found! Start troubleshooting by double checking configs, cache utilization, log searches and monitoring network traffic flows.

Key Takeaways

Some of the major points to remember from this Unbound with Pi-Hole guide include:

  • Unbound offers important security and privacy advantages over third party DNS when running your own recursive resolver.
  • Integrating Unbound with Pi-Hole blocks ads while providing a self-hosted DNS solution.
  • There are multiple performance optimization tweaks available for Unbound involving adjusting cache size, thread count, prefetching and more.
  • Pay close attention to DNS-related network traffic when troubleshooting Pi-Hole and Unbound issues.
  • Proper configuration avoids DNS leaks, ensures reliable connections, and provides insightful metrics into overall DNS usage.

Running your own recursive resolver with Pi-Hole integration leads to a very capable network-wide ad blocking setup.


Installing Unbound for Pi-Hole on a Raspberry Pi greatly enhances privacy, security and control over your DNS functionality while maintaining the ad and malware blocking benefits of Pi-Hole. Although it involves some initial setup, the long-term advantages are worth the effort for most users. Be sure to apply the post-install performance tweaks and optimize configurations based on your specific network. Reference the troubleshooting advice to quickly diagnose and restore DNS functionality when issues occur. With a properly configured system, you can reap the benefits of your own DNS resolver while blocking ads and threats using Pi-Hole with Unbound.

Frequently Asked Questions

  1. Do I need a Raspberry Pi to run Unbound and Pi-Hole?
    No, this setup can work on any Linux machine like Ubuntu, not just Raspberry Pi OS. But the Pi works very well as a low-cost, low-power DNS server.

  2. What are the ideal hardware specs for good performance?
    A Raspberry Pi 2 or newer quad-core model is recommended. For best performance, use a Pi 4 with 2GB+ RAM.

  3. Is it secure to allow Unbound internet access?
    Yes, Unbound is run locally with no ports exposed to the internet. The only inbound connection allowed is from the Pi-Hole resolver.

  4. How much bandwidth and storage does Unbound need?
    Storage needs are minimal, but additional RAM improves cache performance. In most homes 100-200MB RAM cache is sufficient for good Unbound speeds.

  5. Does DNS over HTTPS cause problems with this setup?
    No, you can enable DNS over HTTPS in Pi-Hole without issues. Traffic will pass encrypted to/from Unbound.

  6. What specific privacy benefits does running Unbound provide?
    Mainly your DNS queries stay on your LAN instead of going to your ISP or public resolvers like Google which could log/sell data.

  7. Is it difficult to backup and restore this type of configuration?
    No, you can easily backup the Pi-Hole and Unbound config files to restore settings. Data stored in cache will be lost and need to rebuild over time automatically.

  8. How do I monitor and check logs for this setup?
    Check pihole -t and sudo unbound-control stats often. Also grep through Unbound logs for issues. Pi-Hole admin provides excellent visual DNS query summaries.

  9. Will running Unbound slow down my internet speeds?
    Slightly higher latency may be observed but caching means overall DNS speeds should improve in most setups. Faster Pis and more Unbound memory prevent any perceivable slowdowns.

  10. How does this improve Network Ad Blocking over regular Pi-Hole?
    Unbound adds an additional layer to prevent DNS leaks of blocked domains, improves caching performance, and gives more config control.

  11. What are the main advantages of Unbound over OpenDNS?
    Mainly improved privacy, no reliance on 3rd party resolvers, ability to fine-tune configurations and caching to your network, better visibility into all DNS queries.

  12. Does configuration differ across Pi-Hole and Docker installs?
    Core Unbound config principles are the same. Ports, volumes and networking paramters differ for Docker. Most install steps are identical though.

  13. Do I need to manually update Root Hints with this config?
    No, default root hints data auto-updates. But you can optionally override and manage root hints manually if desired.

  14. Is DNSSEC supported and enabled by default here?
    Yes, DNSSEC is enabled in the default config provided for improved security. Validation ensures chains of trust back to the root zone.

  15. How many total domains can Unbound cache with typical configs?
    Cache hits depend on memory, TTLs and prefetch settings. But around 150,000 cached domains is reasonable for low-end hardware with no tuning.

  16. What is a reasonable query rate I can expect Unbound to handle?
    Default config can handle 150+ queries per second easily for a typical home connection on a Pi. Quad core Pis can handle 500+ QPS rates without issue.

  17. How much memory overhead does Unbound DNS caching utilize?
    Baseline Unbound memory utilization is low, around 30-50MB. Cache sizes determine most memory needs, typically 100-500MB for most users.

  18. Can I improve DNS speed by binding Unbound to specific CPU cores?
    Yes, use num-threads equal to cores and cpu-affinity to bind process threads if supported. Helps avoid thread migration delays.

  19. Is Boost compatible if I want to leverage other privacy services?
    Yes! Unbound plays nicely with Pi-Hole’s conditional forwarding feature that connects to boost family services.

  20. Can Unbound act as an upstream resolver for other devices like cell phones?
    Absolutely, just point upstream DNS on devices to Pi-IP and port 5335. Custom firmware often required to override ISP locks.

Leave a Comment