After backup restore Unbound will not start on boot

I had an SSD failure so I needed to buy a new one for IPFire and restore from an old backup (talking ~two years ago) on to the latest version of IPFire. My understanding, after some research, is that Unbound had since changed in some significant way, thus causing my issue.

After backup restore Unbound will not start on boot. If I go into the console and type “unbound-control start” it starts up just fine.

How can I get it to start up on boot so I do not have to keep manually running that command after every reboot? I reboot so infrequently I am sure I will just forget the command each time.

Here are some relevant logs (sorry for the image, the forums will not let me post the text due to me being a new user and since it contains more than two links):

Here is the image since it will not show up on the forum.

EDIT2: moderator added image.

@nickwebha Welcome to ipfire !

[root@ipfire ~]# /etc/rc.d/init.d/unbound
Usage: /etc/rc.d/init.d/unbound {start|stop|restart|reload|status|resolve|update-forwarders}

From this page: Start or stop an IPFire service

Sorry but I can’t see your image, just a text line so I can’t look at the logs.

If your backup was from before May 2021 then the backup included unbound.conf which would then replace any new config additions. This was raised as a bug and fixed in May 2021 so that unbound.conf is not backed up.

Can you show your unbound.conf contents.

There have also been changes made over time to the initscripts. I can’t remember if these are backed up or not. I don’t think so. However it would be good to just check your initscript.

If unbound starts ok from a console command then likely the initscript won’t be the problem stopping it although it might not have all the updates you should have.
Your startup links could be a problem.
What do you get if you run
ls -hal /etc/rc.d/rc3.d/S11unbound
mine shows

lrwxrwxrwx 1 root root 17 Nov 14 2020 /etc/rc.d/rc3.d/S11unbound -> ../init.d/unbound

If the link is not present then that would be a problem.

Under rc0.d and rc6.d the link should be

lrwxrwxrwx 1 root root 17 Nov 14 2020 K86unbound -> ../init.d/unbound

for stopping unbound. Those should also be present otherwise unbound won’t be properly stopped when shutting down.


/etc/unbound/unbound.conf says:

# Unbound configuration file for IPFire

# The full documentation is available at:

# NLnet Labs Documentation - Unbound

# Common Server Options
chroot: ""
directory: "/etc/unbound"
username: "nobody"
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
so-reuseport: yes
do-not-query-localhost: yes

# System Tuning
include: "/etc/unbound/tuning.conf"

# Logging Options
verbosity: 1
use-syslog: yes
log-time-ascii: yes
log-queries: no

# Unbound Statistics
statistics-interval: 86400
statistics-cumulative: yes
extended-statistics: yes

# Prefetching
prefetch: yes
prefetch-key: yes

# Randomise any cached responses
rrset-roundrobin: yes

# Privacy Options
hide-identity: yes
hide-version: yes
qname-minimisation: yes
minimal-responses: yes

auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-permissive-mode: no
val-clean-additional: yes
val-log-level: 1

# Hardening Options
harden-glue: yes
harden-short-bufsize: no
harden-large-queries: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
harden-algo-downgrade: no
use-caps-for-id: yes
aggressive-nsec: yes

# Harden against DNS cache poisoning
unwanted-reply-threshold: 1000000

# Listen on all interfaces
interface-automatic: yes

# Allow access from everywhere
access-control: allow

# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"

# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"

# Include any forward zones
include: "/etc/unbound/forward.conf"

# Include safe search settings
include: "/etc/unbound/safe-search.conf"

control-enable: yes
control-use-cert: no

# Import any local configurations

include: "/etc/unbound/local.d/*.conf"

/etc/rc.d/init.d/unbound says:

# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire

# Author : Marcel Lorenz

. /etc/sysconfig/rc
. ${rc_functions}

# Cache any local zones for 60 seconds


# Load configuration

eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

ip_address_revptr() {
local addr=${1}

local a1 a2 a3 a4
IFS=. read -r a1 a2 a3 a4 <<< ${addr}

echo "${a4}.${a3}.${a2}.${a1}"


read_name_servers() {
# Read name servers from ISP
if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
local i
for i in 1 2; do
echo "$(</var/run/dns${i})"
done 2>/dev/null

# Read configured name servers
local id address tls_hostname enabled remark
while IFS="," read -r id address tls_hostname enabled remark; do
	[ "${enabled}" != "enabled" ] && continue

	if [ "${PROTO}" = "TLS" ]; then
		if [ -n "${tls_hostname}" ]; then
			echo "${address}@853#${tls_hostname}"
		echo "${address}"
done < /var/ipfire/dns/servers


config_header() {
echo "# This file is automatically generated and any changes"
echo "# will be overwritten. DO NOT EDIT!"

write_hosts_conf() {

	# Make own hostname resolveable
	# is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "" ]; then
		echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""

	local address
		[ -n "${address}" ] || continue
		[ "${address}" = "" ] && continue

		address=$(ip_address_revptr ${address})
		echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""

	local enabled address hostname domainname generateptr

	# Find all unique domain names
	while IFS="," read -r enabled address hostname domainname generateptr; do
		[ "${enabled}" = "on" ] || continue

		# Skip empty domainnames
		[ "${domainname}" = "" ] && continue

		echo "local-zone: ${domainname} transparent"
	done < /var/ipfire/main/hosts | sort -u

	# Add all hosts
	while IFS="," read -r enabled address hostname domainname generateptr; do
		[ "${enabled}" = "on" ] || continue

		# Build FQDN
		local fqdn="${hostname}.${domainname}"
		echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""

		# Skip reverse resolution if the address equals the GREEN address
		[ "${address}" = "${GREEN_ADDRESS}" ] && continue

		# Skip reverse resolution if user requested not to do so
		[ "${generateptr}" = "off" ] && continue

		# Add RDNS
		address=$(ip_address_revptr ${address})
		echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
	done < /var/ipfire/main/hosts
) > /etc/unbound/hosts.conf


write_forward_conf() {

	# Enable strict QNAME minimisation
	if [ "${QNAME_MIN}" = "strict" ]; then
		echo "server:"
		echo "	qname-minimisation-strict: yes"

	# Force using TCP for upstream servers only
	if [ "${PROTO}" = "TCP" ]; then
		echo "# Force using TCP for upstream servers only"
		echo "server:"
		echo "	tcp-upstream: yes"

	local insecure_zones=""

	local enabled zone server servers remark disable_dnssec rest
	while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
		# Line must be enabled.
		[ "${enabled}" = "on" ] || continue

		# Zones that end with .local are commonly used for internal
		# zones and therefore not signed
		case "${zone}" in
				insecure_zones="${insecure_zones} ${zone}"
				if [ "${disable_dnssec}" = "on" ]; then
					insecure_zones="${insecure_zones} ${zone}"

		echo "stub-zone:"
		echo "	name: ${zone}"
		for server in ${servers//|/ }; do
			if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
				echo "	stub-addr: ${server}"
				echo "	stub-host: ${server}"

		# Make all reverse lookup zones transparent
		case "${zone}" in
				echo "server:"
				echo "	local-zone: \"${zone}\" transparent"
	done < /var/ipfire/dnsforward/config

	if [ -n "${insecure_zones}" ]; then
		echo "server:"

		for zone in ${insecure_zones}; do
			echo "	domain-insecure: ${zone}"

	# Read name servers.

	# Only write forward zones if any nameservers are configured.
	# Otherwise fall-back into recursor mode.
	if [ -n "${nameservers}" ]; then

		echo "forward-zone:"
		echo "	name: \".\""

		# Force using TLS only
		if [ "${PROTO}" = "TLS" ]; then
			echo "	forward-tls-upstream: yes"

		# Add upstream name servers
		local ns
		for ns in ${nameservers}; do
			echo "	forward-addr: ${ns}"

) > /etc/unbound/forward.conf


write_tuning_conf() {
# NLnet Labs Documentation - Unbound

# Determine amount of system memory
local mem=$(get_memory_amount)

# In the worst case scenario, unbound can use double the
# amount of memory allocated to a cache due to malloc overhead

# Even larger systems with more than 8GB of RAM
if [ ${mem} -ge 8192 ]; then

# Extra large systems with more than 4GB of RAM
elif [ ${mem} -ge 4096 ]; then

# Large systems with more than 2GB of RAM
elif [ ${mem} -ge 2048 ]; then

# Medium systems with more than 1GB of RAM
elif [ ${mem} -ge 1024 ]; then

# Small systems with less than 256MB of RAM
elif [ ${mem} -le 256 ]; then

# Everything else


	# Slice up the cache
	echo "rrset-cache-size: $(( ${mem} / 2 ))m"
	echo "msg-cache-size: $(( ${mem} / 4 ))m"
	echo "key-cache-size: $(( ${mem} / 4 ))m"

	# Increase parallel queries
	echo "outgoing-range: 8192"
	echo "num-queries-per-thread: 4096"

	# Use larger send/receive buffers
	echo "so-sndbuf: 4m"
	echo "so-rcvbuf: 4m"
) > /etc/unbound/tuning.conf


get_memory_amount() {
local key val unit

while read -r key val unit; do
	case "${key}" in
			# Convert to MB
			echo "$(( ${val} / 1024 ))"
done < /proc/meminfo


fix_time_if_dns_fails() {
# If DNS is working, everything is fine
if resolve "" &>/dev/null; then
return 0

# Try to sync time with a known time server
boot_mesg "DNS not functioning... Trying to sync time with ("
loadproc /usr/local/bin/settime


resolve() {
local hostname="${1}"
local found=1

local answer
for answer in $(dig +short A "${hostname}"); do
	# Filter out non-IP addresses
	if [[ ! "${answer}" =~ \.$ ]]; then
		echo "${answer}"

return ${found}


# Sets up Safe Search for various search engines

update_safe_search() {
local google_tlds=(

# Cleanup previous settings
unbound-control local_zone_remove "" >/dev/null
unbound-control local_zone_remove "" >/dev/null
unbound-control local_zone_remove "" >/dev/null
unbound-control local_zone_remove "" >/dev/null
unbound-control local_zone_remove "" >/dev/null

local domain
for domain in ${google_tlds[@]}; do
	unbound-control local_zone_remove "${domain}"
done >/dev/null

if [ "${ENABLE_SAFE_SEARCH}" = "on" ]; then
	# Bing
	unbound-control transparent >/dev/null
	for address in $(resolve ""); do
		unbound-control local_data " ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# DuckDuckGo
	unbound-control local_zone typetransparent >/dev/null
	for address in $(resolve ""); do
		unbound-control local_data " ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# Google
	local addresses="$(resolve "")"
	for domain in ${google_tlds[@]}; do
		unbound-control local_zone "${domain}" transparent >/dev/null
		for address in ${addresses}; do
			unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null

	# Yandex
	for domain in; do
		unbound-control local_zone "${domain}" typetransparent >/dev/null
		for address in $(resolve "familysearch.${domain}"); do
			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null

	# YouTube
	if [ "${ENABLE_SAFE_SEARCH_YOUTUBE}" = "on" ]; then
		unbound-control local_zone transparent >/dev/null
		for address in $(resolve ""); do
			unbound-control local_data " ${LOCAL_TTL} IN A ${address}"
		done >/dev/null

return 0


case "$1" in
# Print a nicer message when unbound is already running
if pidofproc -s unbound; then
statusproc /usr/sbin/unbound
exit 0

	# Update configuration files

	boot_mesg "Starting Unbound DNS Proxy..."
	loadproc /usr/sbin/unbound || exit $?

	# Install Safe Search rules when the system is already online
	if [ -e "/var/ipfire/red/active" ]; then

	boot_mesg "Stopping Unbound DNS Proxy..."
	killproc /usr/sbin/unbound

	$0 stop
	sleep 1
	$0 start
	# Update configuration files

	# Call unbound-control and perform the reload
	/usr/sbin/unbound-control -q reload

	# Dummy Resolve to wait for unbound
	resolve "" &>/dev/null

	if [ "$1" = "update-forwarders" ]; then
		# Make sure DNS works at this point

	# Update Safe Search rules if the system is online.
	if [ -e "/var/ipfire/red/active" ]; then

	statusproc /usr/sbin/unbound

	resolve "${2}" || exit $?

	echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders}"
	exit 1


# End $rc_base/init.d/unbound

(Sorry, it got formatted strangely. I think you can still make it out.)

ls -hal /etc/rc.d/rc3.d/S11unbound
looks the same as your example except the date says:
lwxrwxrwxr 1 root root 17 Feb 7 06:47 /etc/rc.d/rc3.d/S11unbound -> ../init.d/unbound

So it is there.

There are no rc0.d or rc6.d folders in /etc/. Just an /etc/rc.d/ folder (out of the
folders starting in “rc”).

I created the rc0.d and rc6.d folders in /etc/ and then symlinked them to
../init.d/unbound but upon reboot nothing has changed. DNS Servers Status is still listed
as “broken”. Both symlinks have the permissions of lrwxrwxrwx.

Thank you for the help.

[root@ipfire ~]# cd /etc/rc.d/
[root@ipfire rc.d]# ls -l
total 32
drwxr-xr-x  8 root root 4096 Feb  7 07:53 .
drwxr-xr-x 50 root root 4096 Mar  6 01:53 ..
drwxr-xr-x  2 root root 4096 Nov 17 03:31 helper
drwxr-xr-x  3 root root 4096 Feb 27 08:01 init.d
drwxr-xr-x  2 root root 4096 Mar  4 15:25 rc0.d
drwxr-xr-x  2 root root 4096 Mar  4 15:25 rc3.d
drwxr-xr-x  2 root root 4096 Mar  4 15:25 rc6.d
drwxr-xr-x  2 root root 4096 Jun 19  2020 rcsysinit.d
[root@ipfire rc.d]#

If you don’t have this dir structure, your installation is not ok.


Hi @nickwebha

So I was able to look at your pdf file with the updated link. It is preferred that you actually paste the content you put into the pdf as text into the forum page. That way the content is easily visible to everyone as those links often stop working after some time.

Looking at your unbound.conf it is definitely different from what I have on my CU163 system. It is missing the Include Hosts line which means that your backup was definitely from a CU that was released before May 2021. However I didn’t find anything obvious that would stop it loading, just that you are missing newer additions.

Looking through the initscript, that looks to be correct. Also checked the backups and confirmed that they do not restore initscripts. So your initscript is not a problem.

In your pdf you wrote the following:-

ls -hal /etc/rc.d/rc3.d/S11unbound
looks the same as your example except the date says:
lwxrwxrwxr 1 root root 17 Feb 7 06:47 /etc/rc.d/rc3.d/S11unbound -> ../init.d/unbound
So it is there.
There are no rc0.d or rc6.d folders in /etc/. Just an /etc/rc.d/ folder (out of the
folders starting in “rc”).
I created the rc0.d and rc6.d folders in /etc/ and then symlinked them to
../init.d/unbound but upon reboot nothing has changed. DNS Servers Status is still listed
as “broken”. Both symlinks have the permissions of lrwxrwxrwx.

The rc0.d and rc6.d directories should be under /etc/rc.d/ the same as for the rc2.d directory that you said you found not under /etc/

Those additional symlinks you added should be removed.

I would agree with @pavlos that if your /etc/rc.d/ directory does not look like he has displayed then your installation is not okay and you should redo the installation.
If it does look like Paul has shown then what is in the unbound logs after you have done a reboot.

If you do redo the installation then before doing a restore of the backup confirm that unbound starts after a reboot. Then you can do a restore and check again. Before doing the restore I would make a backup copy of /etc/unbound/unbound.conf so that you can replace it after doing the old version restore.

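The two checks raised in the replies above (the S11unbound and K86unbound links under /etc/rc.d/, and the hosts include that a restored pre-May-2021 unbound.conf lacks), as an added example that is not part of the thread or of IPFire's own scripts. The function names are hypothetical, and the /etc/unbound/hosts.conf path is assumed from the init script posted earlier in the thread.

```shell
#!/bin/sh
# Added example: audit the boot links and the unbound.conf include discussed
# in this thread. Both functions take a path so they can be run on a copy.

# check_unbound_links [RC_BASE]
# Verifies the start link (rc3.d) and stop links (rc0.d, rc6.d) for unbound.
# Prints one line per link and returns the number of problems found.
check_unbound_links() {
    rc_base="${1:-/etc/rc.d}"
    problems=0
    for link in rc3.d/S11unbound rc0.d/K86unbound rc6.d/K86unbound; do
        path="${rc_base}/${link}"
        if [ ! -L "${path}" ]; then
            echo "MISSING  ${path}"
            problems=$((problems + 1))
            continue
        fi
        target="$(readlink "${path}")"
        if [ "${target}" != "../init.d/unbound" ]; then
            echo "WRONG    ${path} -> ${target}"
            problems=$((problems + 1))
        elif [ ! -e "${path}" ]; then
            # Link text is right but the initscript itself is absent
            echo "DANGLING ${path} -> ${target}"
            problems=$((problems + 1))
        else
            echo "OK       ${path} -> ${target}"
        fi
    done
    return "${problems}"
}

# list_includes CONF
# Prints the path of every active (uncommented) include: directive.
list_includes() {
    sed -n 's/^[[:space:]]*include:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$1"
}

# has_hosts_include CONF
# Succeeds if CONF pulls in hosts.conf (assumed path, see lead-in).
has_hosts_include() {
    list_includes "$1" | grep -Fxq "/etc/unbound/hosts.conf"
}

# Only touch the live system when explicitly asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    check_unbound_links /etc/rc.d
    has_hosts_include /etc/unbound/unbound.conf ||
        echo "unbound.conf has no hosts.conf include (restored from an old backup?)"
fi
```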

Thank you for the advice. I thought of that and totally agree with you. I just had no choice at the time. I will edit the second post to include what the PDF includes.

I do have that directory structure but only after I added the rc0.d and rc6.d directories. So I guess a reinstall is in order.

Oddly enough I can not enter the BIOS to set the boot order nor is there an option to specify a temporary boot device. Neither Esc nor Del works (as it says on the startup screen) to enter the BIOS. The keyboard works fine after this point (selecting GRUB menus, IPFire login, etc). That is strange.

I am going to have to figure that out and get back to you guys. Until then…


Maybe your firmware is a UEFI system with the BIOS compatibility mode disabled and fast boot enabled. If that’s the case, by removing all the boot drives you should be able to enter to set up and remove the fast boot mode.


I removed the SSD and USB stick and booted up. It goes to an EFI Shell since it can not find a boot media. If I type exit I get into the BIOS setup. However then the (still lit up) keyboard stops working except for the Ctrl-Alt-Del key combination. I tried all the USB ports before rebooting (regular and Super Speed) but I get the same results each time. There is no PS/2 port, only four USB (one Super Speed), a VGA port, and four network ports.

Ugh. I know this is not a support forum for my BIOS so I will figure it out and get back to you guys.

Thanks for sticking with me so far.


Well nuts to this.

The only thing that does not work is unbound until I run unbound-control start after boot. The machine is on a UPS so it rarely goes down (manually restarting every now and then for updates).

I am just going to live with it because all my searching is turning up bupkis and I have other problems to solve in my life. I could try another keyboard but I would need to buy that so it does not seem worth it right now.

Sincerely, thank you all for yourself.

There is one more thing you could still try. Reset the CMOS by removing the battery (and wait several minutes before putting it back). This should put everything back to factory default.

Or, as you said, time is the most scarce thing in the universe and we have to choose our battles wisely. In any case, best of luck.


I was going to try this but it is one of those really, really compact tiny machines and the battery is not visible. I checked it out and it looks like the motherboard is not meant to be taken out (rivets holding it in). It would just be easier to buy another machine at this point as I doubt a new keyboard would work (this one lights up fine in the BIOS and Ctrl-Alt-Del still works).

Again, thank you.

[I am reposting within this thread because I feel in my gut that the following might be related to restoring from such an old backup (see above). If anyone feels that I am wrong and should create a new thread I can do that.]

I will just blurt it out: Now I can not log into the web interface.

I was able to since my last reinstall (see above) until just now (at least I am noticing it just now, last known good web interface login was March 7th in order to create a new backup after restoring from the ~two year-old backup).

Chrome gives me an ERR_SSL_PROTOCOL_ERROR error and Firefox gives an equivalent error. I can log into SSH fine, which I had enabled when I was still able to get into the web interface. I have tried rebooting the device (cleanly via SSH) but it does not fix (either) issue. I can still type in unbound-control start to fix the original issue (again, see above).

Should I just give up, reinstall from scratch, and manually recreate my configuration including the tons of firewall rules/port forwardings? It is going to be a huge headache but so is this current state. If a reinstall plus reconfiguration from scratch is suggested is there a place, via SSH, I can at least get a copy of my firewall rules/port forwardings? Engrampa (the Ubuntu MATE archive manager) can not open the .ipf file it thinks are tars so there is no getting a copy from old backups.


you can create a fresh backup without having access to the web interface. Please refer to this blog post for how to do so.

Skimming through the entire thread, I get the feeling that there is either a severe file system error (which apparently was not spotted and properly fixed by fsck), or the hard disk is damaged.

Either way, I think the least inconvenient way to solve this would be creating a backup of that machine, then booting from a Linux live CD and run smartctl and badblocks over the HDD (to ensure there are no fundamental errors with it), check for the BIOS to have the correct time set, and install IPFire again.

Please let us know how things go - especially if some of these errors persist.

Thanks, and best regards,
Peter Müller


[I have a different problem now. Not sure if this is the appropriate place to post this or what not. If the mods would like me to remove this reply and start a new thread I can do that.]

Good morning!

you can create a fresh backup without having access to the web interface. Please refer to this blog post for how to do so.

First off, thank you for that link. It might prove useful in the future.

So I decided to do a fresh reinstall given all the issues and who knows whatever else I have yet to discover: I have been using a KANSUNG Fanless Mini PC (four gigabit ethernet ports, four USB ports, one USB port being Super Speed, just barely big enough to hold all the ports) for IPFire. As implied before, everything had been going great for many years. I finally, after all that time, had an SSD S.M.A.R.T. failure and had to replace the SSD.

Currently there is a “broken” version of IPFire installed from restoring a pretty old backup (see above but the short of it is that I installed a years-old backup after a fresh, modern IPFire install and it did not like that). So now I got the ISO onto a USB stick (verified it on another machine) and I am trying to do a reinstall but pressing ESC or DEL (as specified on the BIOS splash screen) are not being recognized so it just, after a few seconds, goes to GRUB. I also tried F1, F2, F10, F11, and F12 a few times (been an ~hour) but no go. The lights on my keyboard illuminate during this BIOS splash screen, the keyboard works in GRUB, but I am unable to get into the BIOS no matter what key(s) I press. I now assume, almost two months ago when I first started this thread, that this problem existed then as well; I just did not notice it because the SSD was empty so the machine automatically booted the USB drive instead.

The question is how can I get back into the BIOS or a temporary boot screen to boot from the USB device so I can do a fresh install of IPFire?

There is no access to the BIOS battery. The machine is so compact that the battery must be on the under side of the motherboard because I can not find it after opening the case and the motherboard is riveted into place.

Thanks for any help anyone can offer. Really not sure what to do here besides buy a new mini PC.


um, I assume you consulted the manual of this device or its mainboard (if any is available) and it did not contain any helpful information.

If that machine boots from a USB stick and is capable of EFI, try booting a different Linux distribution from it. Many of them feature a GRUB entry “firmware settings” or something similar, which gets you into the BIOS via an EFI option. (I do not know by heart if IPFire does so as well when booted via EFI.)

Should this not work, I would recommend to get in touch with the vendor’s support department.

Thanks, and best regards,
Peter Müller



I took a shot in the dark and bought a new, cheap keyboard to test out. It worked.

Let this be a lesson about some BIOS having finicky connectivity while booting.