Pi-hole alongside Unbound on Raspberry Pi


To deploy Pi-hole alongside Unbound as a recursive DNS resolver on your Raspberry Pi, you need to install Pi-hole, configure Unbound to listen on a custom port, and link the two together. This guide assumes you have already flashed Raspberry Pi OS Lite and successfully connected to your Pi via SSH.


1. Update the OS & Install Unbound

Ensure all system packages are fully updated. Install the Unbound package via your system package manager.

sudo apt update && sudo apt upgrade -y && sudo apt install unbound dns-root-data -y

2. Install Pi-hole

Run the automated installation script provided by Pi-hole [1].

curl -sSL https://install.pi-hole.net | bash

  • Step-by-step choices: Follow the on-screen installer prompts.
  • IP Address: Acknowledge the static IP warning.
  • Upstream DNS: Temporarily select a public provider like Google or Cloudflare [2] (we will change this to Unbound shortly).
  • Completion: At the end of the installation, note down the Admin Web Interface Password displayed on your terminal screen.

3. Configure Unbound

Create a custom configuration file dedicated to your Pi-hole integration.

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Paste the official configuration optimized by Pi-hole [3] into the file:

server:
    verbosity: 1
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    # May be set to yes if you have IPv6 capability
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    ratelimit: 1000
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no

    # Use this only when you downloaded the list of primary root servers!
    # If for some reason root.hints cannot be fetched defaults to built-in.
    root-hints: "/var/lib/unbound/root.hints"

    # Trust anchor file, used for DNSSEC
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Buffer size management
    so-rcvbuf: 4m
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1

    # Ensure privacy of local networks
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

Press CTRL+O, then Enter to save, and CTRL+X to exit the nano editor.

4. Download Root Hints (optional)

Download the list of primary root servers so Unbound can perform true recursive lookups independently, if this has not already been done in step 1.

sudo wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root

5. Adjust Package Conflicts (Debian/Ubuntu specific)

Recent versions of Debian/Raspberry Pi OS include a package called resolvconf that can disrupt Unbound’s startup binding. Disable the conflicting service unit:

sudo systemctl disable --now unbound-resolvconf.service

6. Restart and Verify Unbound

Restart the Unbound service to initialize your custom configuration.

sudo systemctl restart unbound && systemctl status unbound

Test if Unbound successfully resolves queries locally on its assigned port (5335):

dig @127.0.0.1 -p 5335 unblog.ch

If you see a status: NOERROR message along with an actual IP address in the response output, Unbound is working correctly.
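
The check in this step can also be scripted. The following is an added example, not part of the original post or of the Pi-hole or Unbound projects: it reads dig output and reports the status, whether an address record came back, and whether the ad flag shows that the resolver validated the answer with DNSSEC. The helper names classify_dig and sample_dig_output and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify_dig and sample_dig_output are hypothetical helper
# names, not part of Pi-hole, Unbound or dig.

# Reads dig output on stdin and prints one verdict:
#   ok-validated    NOERROR, A/AAAA record present, "ad" (DNSSEC-validated) flag set
#   ok-unvalidated  NOERROR, A/AAAA record present, no "ad" flag
#   no-answer       NOERROR but no A/AAAA record in the answer section
#   fail:<RCODE>    any other status, e.g. SERVFAIL or NXDOMAIN
#   no-response     no reply header (timeout, nothing listening on the port)
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
        }
        /^;; flags:/ {
            split($0, parts, ";")          # parts[3] is " flags: qr rd ra ad"
            n = split(parts[3], fl, " ")
            for (i = 2; i <= n; i++) if (fl[i] == "ad") ad = 1
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/ { in_answer = 0 }
        in_answer && ($4 == "A" || $4 == "AAAA") { addrs++ }
        END {
            if (rcode == "")             print "no-response"
            else if (rcode != "NOERROR") print "fail:" rcode
            else if (addrs == 0)         print "no-answer"
            else if (ad)                 print "ok-validated"
            else                         print "ok-unvalidated"
        }'
}

# Constructed sample of a healthy reply (example.org / 192.0.2.10 are placeholders).
sample_dig_output() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.    3600    IN    A    192.0.2.10
EOF
}

if [ "${1:-}" = "--live" ]; then       # query the local Unbound from step 6
    dig @127.0.0.1 -p 5335 "${2:-unblog.ch}" | classify_dig
else
    sample_dig_output | classify_dig   # prints: ok-validated
fi
```

Run it with --live and an optional domain name to query the local resolver on port 5335. An unsigned zone never yields the ad flag, so ok-unvalidated only points to a problem for a name you know is DNSSEC-signed.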

7. Link Pi-hole to Unbound

  1. Open your web browser and go to your Pi-hole web panel dashboard: http://YOUR_PI_IP/admin.
  2. Log in using the password generated in Step 2.
  3. Navigate to Settings in the left sidebar menu, and select the DNS tab at the top.
  4. Under the Upstream DNS Servers columns, uncheck every active public provider.
  5. On the right side under Custom 1 (IPv4), type:
    127.0.0.1#5335
  6. Scroll down to the bottom of the page and click Save.

Hint: If a Pi-hole has been running for some time, an update can be performed.

sudo pihole -up

Hide the Unbound warning about the missing option.

echo "DAEMON_OPTS=" | sudo tee /etc/default/unbound

✅ Deployment Complete

Your self-contained local network privacy shield is now ready. To begin filtering your entire environment, log into your home internet router’s admin settings page and change your local network’s DHCP Primary DNS Server IP directly to the static IP address belonging to your Raspberry Pi running Pi-hole.

