
Unbound is a modern, validating, recursive, and caching DNS resolver that can be easily set up and configured on various platforms, including Linux and macOS.
First, you'll need to install Unbound on your system. On Ubuntu-based systems, you can do this by running the command `sudo apt-get install unbound` in the terminal.
Unbound comes with a default configuration file that you can use as a starting point for your own setup. This file is typically located at `/etc/unbound/unbound.conf`.
The configuration file includes various settings, such as the interface to bind to and the cache size, that you can adjust to suit your needs.
What is Unbound
Unbound is a free and open-source DNS resolver that's designed to be a drop-in replacement for your existing DNS server.
Unbound uses a recursive resolver architecture, which means it can handle complex DNS queries on its own.
It's highly customizable, allowing users to tweak various settings to suit their needs.
Unbound is also known for its speed and efficiency, making it a great choice for users who want fast and reliable DNS resolution.
One of the key features of Unbound is its ability to handle DNSSEC validation, which helps protect against DNS spoofing attacks.
Configuring Unbound
Configuring Unbound is a straightforward process that requires some basic knowledge of DNS and network settings. You can manually set listening and outbound interfaces in the General settings section, but it's recommended to keep these settings default unless you're sure what you're doing.
To configure Unbound, you can use a configuration file with a .conf extension, which can be placed in the /usr/local/etc/unbound.opnsense.d directory. This file will be automatically included by the UI-generated configuration. You can also use the template system to automatically generate these files.
To get started with configuring Unbound, you'll need to create a configuration file in the /usr/local/etc/unbound.opnsense.d directory. You can use the following format for the file name: +TARGETS file in /usr/local/opnsense/service/templates/sampleuser/Unbound:sampleuser_additional_options.conf:/usr/local/etc/unbound.opnsense.d/sampleuser_additional_options.conf. The file should contain the necessary configuration settings, such as the server clause and private-domain settings.
Here are some key settings to consider when configuring Unbound:
Remember to check the complete configuration via the configctl unbound check command to ensure that it's valid and error-free.
Configure
To configure Unbound, you can start by editing the configuration file in the /etc/unbound/unbound.conf.d/pi-hole.conf directory. This file allows you to configure Unbound to listen only for queries from the local Pi-hole installation, verify DNSSEC signatures, and apply security and privacy tricks.
You can also use individual configuration files with a .conf extension in the /usr/local/etc/unbound.opnsense.d directory. These files will be automatically included by the UI-generated configuration. However, you must prefix the configuration with the required clause, as it cannot be predicted in which clause the configuration currently takes place.
To ensure the configuration is valid, you can check the complete configuration via the command configctl unbound check. This will report errors that prevent Unbound from starting and also list warnings that may give hints as to why a particular configuration is not working or how it could be improved.
Here are some general settings you can manually set in the Unbound configuration:
Note that the recommended setting for both Listen Port and Network Interfaces is "All" for good reasons. Unless you absolutely know what you are doing, it's best to keep these settings default as misuse often causes startup issues.
You can also configure Unbound to use a different network interface for outgoing queries by setting the Outgoing Network Interfaces option. By default, all interfaces are used, but you can specify explicit outgoing interfaces only when they are statically configured.
In addition, you can use the Query Forwarding section to enter arbitrary nameservers to forward queries to. You can specify nameservers to forward to for specific domains, catch-all domains, and specify non-default ports. However, be careful enabling "DNS Query Forwarding" in combination with DNSSEC, as no DNSSEC validation will be performed for forwards with a specific domain.
Readers also liked: What Is a Dns Query
Predefined Sources
When configuring Unbound, you have the option to use predefined sources to block ads and malware. These sources are publicly available lists that you can add to your Unbound configuration to improve your online security.
The Abuse.ch ThreatFox IOC database is a great resource to include in your Unbound configuration. You can find it at https://threatfox.abuse.ch/.
You can also use AdAway List, which is available at https://adaway.org/hosts.txt. This list is a popular choice among Unbound users.
Another option is the AdGuard List, found at https://v.firebog.net/hosts/AdguardDNS.txt. This list is known for its effectiveness in blocking ads and malware.
If you're looking for more options, you can consider the OISD lists. These wildcard lists will block all subdomains of the listed domains, making them a powerful tool in your online security arsenal. The OISD lists are available at https://small.oisd.nl/domainswild, https://big.oisd.nl/domainswild, and https://nsfw.oisd.nl/domainswild.
Here are some other predefined sources you can consider:
Keep in mind that the OISD lists are wildcard lists, which means they'll block all subdomains of the listed domains. This makes them a bit larger than regular lists, but they're also more effective.
Advanced Settings
Advanced settings in Unbound can be accessed through individual configuration files with a .conf extension placed in the /usr/local/etc/unbound.opnsense.d directory. These files will be automatically included by the UI generated configuration.
Multiple configuration files can be placed in this directory, but it's essential to note that the order in which the files are included is in ascending ASCII order, based on glob(7) wildcard include processing.
To avoid name collisions with plugin code, use a unique filename for your configuration file. For example, if you want to add an option in the server clause, prefix the configuration with the required clause, as seen in the sample configuration file.
Here are some key things to keep in mind when working with advanced configurations:
- Prefix the configuration with the required clause.
- Use a unique filename to avoid collisions.
- Check the complete configuration via `configctl unbound check` to ensure it's valid.
Advanced Technology
The latest advancements in technology have enabled us to control our devices with voice commands, thanks to the integration of virtual assistants.
With the rise of artificial intelligence, our devices can now learn our preferences and adapt to our habits.
The Internet of Things (IoT) has made it possible to control our smart home devices remotely, making our lives more convenient and efficient.
Artificial intelligence algorithms can analyze our behavior and provide personalized recommendations, making our experiences more enjoyable and relevant.
Smart speakers can now understand complex commands and respond accordingly, making our interactions with technology more seamless and intuitive.
Additional reading: Nordvpn Smartdns
Access Lists

Access lists are a powerful tool for controlling which clients can query our dns resolver. They define which clients are allowed to access our dns resolver.
Records for the assigned interfaces will be automatically created and are shown in the overview. This makes it easy to see which interfaces are already configured.
You can also define custom policies, which apply an action to predefined networks. This allows you to granularly control access to specific networks.
The action can be as defined in the list below, which includes options such as allow or deny. The most specific netblock match is used, so the order of the access-control statements doesn't matter.
See what others are reading: How to Access an Ftp Server
Blocklists
Blocklists are a powerful tool for filtering out unwanted content on your network. You can enable integrated DNS blacklisting using predefined sources or custom locations.
To get started, you'll want to enable blacklists and consider forcing SafeSearch on popular search engines like Google, DuckDuckGo, and Bing. This can be done by checking the "Enable SafeSearch" box.
You can choose from predefined external sources or specify a custom URL to download blacklists from. Just make sure the file is in plain text and contains a list of fully qualified domain names (FQDNs) or wildcard domains.
If you have specific domains you want to exclude from the blacklist results, you can add them to the Whitelist Domains list. This is particularly useful for excluding certain top-level domains, like .nl.
On the other hand, if you want to explicitly block certain domains, you can add them to the Blocklist Domains list. This is where you can also find domains that have been blocked using the Reporting: Unbound DNS page.
Wildcard domains can also be blocked by adding them to the Wildcard Domains list. However, keep in mind that blocking first-level domains, like "com", is not supported.
If you want to redirect users to a separate web server when DNS records are blocked, you can specify an IP address in the Destination Address field. Just be aware that this will be skipped if "Return NXDOMAIN" is checked.
Finally, if you're using devices that can't cope with the 0.0.0.0 destination address, you can return the NXDOMAIN code instead. This is particularly useful for certain Apple devices.
Additional reading: Wildcard DNS Record
Here's a summary of the blocklist settings:
Advanced Configurations
Advanced Configurations can be a bit tricky, but don't worry, we've got you covered. Some installations require configuration settings that aren't accessible in the UI, so you can place individual configuration files with a .conf extension in the /usr/local/etc/unbound.opnsense.d directory.
These files will be automatically included by the UI-generated configuration, but there are a few things to keep in mind. You must prefix the configuration with the required clause, which is explained in the unbound.conf(5) documentation.
The order in which the files are included is based on glob(7), so make sure to use a unique filename to avoid name collisions with plugin code. You can check the complete configuration via the configctlunboundcheck command to report errors and warnings.
To make things easier, you can use the template system to automatically generate these files. This method replaces the Customoptions settings in the General page of the Unbound configuration, which was removed in version 21.7.
Explore further: Dns Settings Hostinger

Here's a step-by-step guide to using the template system:
- Create a +TARGETS file in /usr/local/opnsense/service/templates/sampleuser/Unbound:sampleuser_additional_options.conf:/usr/local/etc/unbound.opnsense.d/sampleuser_additional_options.conf
- Place the template file as sampleuser_additional_options.conf in the same directory:server:private-domain:xip.io
- Test the template generation by issuing the following command:# generate templateconfigctltemplatereloadsampleuser/Unbound
- Check the output in the target directory:# show generated filecat/usr/local/etc/unbound.opnsense.d/sampleuser_additional_options.conf# check if configuration is validconfigctlunboundcheck
Remember, it's your responsibility as the administrator to ensure that the configuration is valid.
Resolution No Longer Affected by External Factors
Having a local DNS server like Unbound allows you to control DNS resolution without relying on external nameservers.
You can set up custom DNS entries for devices or services on your network, making it easier to access them using friendly names instead of IP addresses.
This is particularly useful for devices like printers, IP cameras, and Home Assistant-attached devices, which can be accessed using custom domains and subdomains.
With a local DNS server, you can still access your home media server or other self-hosted apps even if the internet connection goes down, keeping your family entertained.
You can also set up subdomains and other records for services behind a reverse proxy or load balancer, without having to go into the domain registrar accounts and wait for record changes to propagate.
Troubleshooting and Maintenance
If you're experiencing issues with Unbound, the first step is to check the system log for error messages.
Unbound's system log can be found in the config directory, and it's a good idea to check it regularly to catch any potential issues early on.
If you're experiencing DNS resolution issues, try restarting the Unbound service to see if that resolves the problem.
According to the Unbound documentation, the service can be restarted using the command "sudo service unbound restart".
Regular maintenance tasks, such as updating the root hints and updating the IP addresses of upstream DNS servers, can also help prevent issues with DNS resolution.
A unique perspective: DNS Hosting Service
Add Logging
Adding logging to Unbound can be a lifesaver when troubleshooting issues. You can specify the log file, human-readable timestamps, and the verbosity level in the server part of /etc/unbound/unbound.conf.d/pi-hole.conf.
There are five levels of verbosity to choose from, ranging from no verbosity at all to very detailed information. Here are the levels in brief:
- Level 0: only errors
- Level 1: operational information
- Level 2: detailed operational information
- Level 3: query level information
- Level 4: algorithm level information
- Level 5: client identification for cache misses
To set up logging, you'll need to create a log dir and file, and set the right permissions. This will ensure that Unbound can write to the log file.
On modern Debian/Ubuntu-based Linux systems, you'll also need to add an AppArmor exception for the new file. This involves creating or editing the file /etc/apparmor.d/local/usr.sbin.unbound and appending the path to the log file to the end. Make sure the value matches the one you specified earlier.
Common Issues & Troubleshooting
If you're experiencing issues with your equipment, it's essential to identify the root cause before attempting any repairs. In many cases, this involves checking the power supply, as a faulty power source can cause a range of problems.
A common issue with equipment is overheating, which can be caused by a clogged air filter. This can be easily fixed by cleaning or replacing the filter.
Proper maintenance is key to preventing equipment failure. Regularly checking and cleaning the equipment can help prevent dust and debris from building up and causing problems.
Equipment that is not used for an extended period of time may require special care to prevent damage. This can include storing it in a dry, cool place or using a desiccant to keep the air dry.
In some cases, equipment failure can be caused by a software issue. This can often be resolved by updating the software or reinstalling it.
If you're experiencing issues with your equipment, it's a good idea to consult the user manual for troubleshooting tips.
A different take: Comparison of DNS Server Software
Fix So-Rcvbuf Warning
If you're seeing a so-rcvbuf warning in your unbound logs, don't worry, it's an easy fix.
The warning is caused by setting the socket receive buffer size for incoming DNS queries to a higher-than-default value in the configuration file /etc/unbound/unbound.conf.d/pi-hole.conf.
To check the current limit, run the command `sudosysctl net.core.rmem_max` - this will show you the current value, something like `425984`.
You can temporarily increase the limit to match unbound's request by running `sudosysctl -w net.core.rmem_max=1048576`.
To make this change permanent, edit the file `/etc/sysctl.conf` and add or edit the line `net.core.rmem_max=1048576`.
Finally, save and apply the changes by running `sudosysctl -p`, and then restart unbound with the command `sudoservice unbound restart`.
Uninstall
Uninstalling a program can be a straightforward process, and it's often a good idea to remove any unwanted software to free up space and resources on your system.
To remove unbound from your system, run the command specified in the instructions.
You'll want to make sure you're following the correct steps to avoid any potential issues with your system.
To remove unbound from your system, run the command specified in the instructions.
A fresh viewpoint: MH Message Handling System
Performance and Security
Using Unbound as your DNS server can make your network significantly faster. It can handle a large number of queries and respond quickly, reducing latency and improving overall performance.
Unbound is also a more secure option compared to external DNS resolvers. By running a local DNS server, you have more control over the security of your network and can block malicious requests.
Unbound is particularly useful for controlling your home network, keeping local services running even if your internet connection goes out.
A fresh viewpoint: Azure Virtual Network Dns Servers
Over Tls
Over TLS, we can encrypt our DNS traffic to protect it from interception and eavesdropping. This is especially important when using public Wi-Fi networks.
To set up DNS over TLS, we need to enable it for our domain. This involves specifying the domain, server IP, port, and verification certificate name. The port is typically 853, unless we have a good reason to use a different port.
A catch-all entry in both Query Forwarding and DNS over TLS will be considered a duplicate zone, so we need to be careful with our configuration. In our case, DNS over TLS will be preferred.
Here are some public resolvers we can use for DNS over TLS:
To ensure a validated environment, we should block all outbound DNS traffic on port 53 using a firewall rule. This will prevent clients from querying other nameservers directly and force requests over TLS.
Improves Network Speed, Security, and Flexibility

Self-hosting a DNS server makes your searches faster and more secure. Unbound DNS achieves this by maintaining a local DNS cache for frequently visited sites, reducing the time it takes to load websites and minimizing the impact of external factors.
Waiting for DNS resolution and the next browser page to load can be frustrating, especially with a fast internet connection. The author of the article shares this sentiment, recalling the days of dial-up internet when a single webpage could take minutes to load.
Using Unbound DNS resolves this issue, providing a faster browsing experience. The local DNS cache enables browsers to query Unbound directly, eliminating the need for external servers and resulting in snappier browsing.
By self-hosting a DNS server, you can also improve the security of your network. Unbound DNS is safer and more private than using an external DNS resolver, protecting your data from potential threats.
Custom DNS entries for devices or services on your network can also be set up using Unbound DNS. This allows you to use friendly names instead of IP addresses when accessing devices, making it easier to manage your network.
Having this level of control over your network can be especially useful in situations where the internet connection is down. With Unbound DNS, you can still access internal domains and subdomains, keeping your family entertained even when connectivity to the outside internet is lost.
For more insights, see: Spectrum Internet Dns Server Not Responding
Protected from spoofing and cache poisoning by validation
You might be wondering how Unbound keeps your DNS requests safe from tampering. Thanks to DNSSEC validation, you're protected from DNS spoofing and cache poisoning. This is especially important when using a public DNS resolver, as attackers can try to intercept your DNS requests and redirect you to a malicious site.
Public resolvers like Cloudflare, Google, and Quad9 offer DNS over TLS, which encrypts your DNS traffic. However, even with encryption, your DNS requests can still be vulnerable to spoofing and cache poisoning. This is where DNSSEC validation comes in, ensuring that your DNS responses are from the authoritative nameserver you want.
To give you an idea of the security benefits, here are some public resolvers that support DNS over TLS and DNSSEC validation:
By using Unbound with DNS over TLS and DNSSEC validation, you can trust that your DNS requests are being routed securely and accurately.
Limit Corporate Tracking
Limiting corporate tracking is a great way to protect your online identity.
Unbound is a recursive DNS resolver that talks directly to the root nameservers, reducing the number of points your browsing habits are shared with. This means that Google, Cloudflare, or your ISP don't get to build a complete picture of you or your family.
Using Unbound reduces the risk of data being used for advertising purposes or worse.
Query name minimization is another privacy-focused feature of Unbound that only sends the necessary part of domain names to each level of the DNS server hierarchy. This makes it harder for anyone to piece together a view of your browsing habits.
Even if one nameserver is compromised, an attacker would need access to every part of the chain, which is almost impossible to achieve.
Setup and Testing
To set up Unbound, you'll need a machine that's always online and accessible to your network. This can be as small as a Raspberry Pi or any other Linux/Unix machine with Internet connectivity via your router.
You can install Unbound on Ubuntu 22.04 LTS by running `sudo apt-get install unbound` in your terminal. This will give you a complete and running version of Unbound as a caching recursive DNS resolver.
Before you start, it's a good idea to test Unbound on the machine it's installed on (locally) and from any other machine on your network (remotely). To do this, you can use the `dig` tool to look up the IP address for a domain, such as example.com, and ask for the information from the resolver running at the IP address 127.0.0.1, which is where Unbound is running by default.
To test Unbound locally, you can use the following command: `dig example.com @127.0.0.1`. This will verify that Unbound has indeed answered your query instead of the default resolver that's present on Ubuntu by default.
If you want to test Unbound remotely, you can use the same command from any other machine on your network. To do this, you'll need to expose Unbound to the network, which we'll cover in the next section.
Here's a summary of the steps to test Unbound locally:
- Install Unbound on your machine
- Test Unbound locally using the `dig` tool
- Verify that Unbound has answered your query instead of the default resolver
Setting Up

Setting up Unbound on your home network can be a straightforward process. You'll need a dedicated machine with Internet connectivity, such as a Raspberry Pi or a small Linux/Unix machine.
To get started, you can download the Unbound code from GitHub or use the `apt-get` command to install it on your system. This will give you a complete and running version of Unbound, which behaves as a caching recursive DNS resolver out of the box.
The version of Unbound you have installed can be checked using the `unbound-V` command. If you're running an older version, you can download the latest release tarball from the Unbound website and build it yourself.
By default, Unbound will only be queriable from the local host, meaning you'll need to configure it to allow queries from other machines on your network. This can be done by setting up an ACL (Access Control List) in the Unbound DNS settings.
Curious to learn more? Check out: Cisco Network Registrar
Here's a quick rundown of the options you'll need to configure:
Once you've configured these options, you can restart the Unbound service to apply the changes. After that, you can test your Unbound setup by querying it from another machine on your network.
Testing Locally
Testing locally is a great way to verify that your server works correctly before exposing it to the network. You can test it on the machine where you installed Unbound.
The command to test locally on the Unbound machine is a dig query that looks up the IP address for example.com and asks for this information from the resolver running at 127.0.0.1, the default IP address for Unbound.
To verify that Unbound has answered your query instead of the default resolver, look for the ANSWERSECTION in the output of every dig command. This section gives the response to the query.
The SERVER entry in the output will tell you which server has answered the query. For Unbound, it will look like 127.0.0.1#53.
Explore further: Dns Query Logging
To get a baseline for the default Ubuntu resolver, you can use a dig query without specifying an IP address. This will cause dig to use the machine's default DNS resolver.
The response should be the same, but the SERVER entry will look different. For the default resolver, it will look like 127.0.0.53.
Suggestion: 'use Server' Nextjs
Benefits and Features
Unbound offers a range of features that make it a powerful DNS server solution.
Its caching resolver with prefetching of popular items before they expire helps reduce the time it takes to load frequently visited sites. This is especially noticeable on fast connections like my fiber gigabit connection, where every little slowdown can be frustrating.
Unbound's local caching mechanism also means that your browsing experience will be faster and more secure, as it maintains a local DNS cache for everything you browse. This cache can be queried by your browser instead of relying on external servers, reducing the time it takes to load web pages.
Here are some of the key features of Unbound:
- Caching resolver with prefetching of popular items before they expire
- DNS over TLS forwarding and server, with domain-validation
- DNS over HTTPS
- DNS over QUIC
- Query Name Minimization
- Aggressive Use of DNSSEC-Validated Cache
- Authority zones, for a local copy of the root zone
- DNS64
- DNSCrypt
- DNSSEC validating
- EDNS Client Subnet
Like local name resolution without external nameservers
Local name resolution without relying on external nameservers can be a game-changer for your home network. It allows you to use friendly names instead of IP addresses when accessing devices or services on your network.
You can set up custom DNS entries for devices or services on your network, making it easy to access them by their friendly names. This is especially useful for devices like printers, IP cameras, and Home Assistant-attached devices.
Having a nameserver on your router means you can still access your home media server or other self-hosted apps even if the internet connection goes down. This keeps your family entertained when connectivity to the outside internet is lost.
With local name resolution, you can set up subdomains and other records for services behind a reverse proxy, or load balancers, without having to go into the domain registrar accounts you hold. Changes are reflected instantly, without waiting for propagation across the nameservers on the internet.
This setup also helps the health of the internet as a whole, by reducing the strain on main DNS resolvers.
Related reading: Root Name Server
Features
Unbound offers a range of features that make it a powerful and secure DNS resolver.
One of its key features is caching, which allows it to prefetch popular items before they expire. This helps to improve performance and reduce the load on external DNS servers.
Unbound also supports DNS over TLS forwarding and server, with domain-validation, providing an extra layer of security.
Additionally, it supports DNS over HTTPS and DNS over QUIC, which are newer, more secure protocols for DNS resolution.
Unbound also implements Query Name Minimization, which reduces the amount of data sent over the network, and Aggressive Use of DNSSEC-Validated Cache, which prioritizes validated responses.
It also includes Authority zones, which allows for a local copy of the root zone, and DNS64, which helps with IPv4-IPv6 transition.
Unbound also supports DNSCrypt, which adds an extra layer of encryption to DNS queries, and DNSSEC validating, which ensures the authenticity of DNS responses.
Lastly, it includes EDNS Client Subnet, which allows for more accurate geolocation of clients.
Reception and Community
Unbound has gained widespread acceptance as a reliable and secure DNS server solution.
It's now the default name server in both FreeBSD and OpenBSD, replacing the older Berkeley Internet Name Daemon (BIND).
This shift is largely due to Unbound's smaller size and more modern architecture, making it a better fit for most applications.
Many developers and system administrators appreciate its improved security features, which help protect against common DNS-related threats.
As a result, Unbound has become a go-to choice for those seeking a reliable and secure DNS server solution.
Curious to learn more? Check out: Name Server
Featured Images: pexels.com


