Introduction
Unbound is an open-source, validating, recursive, and caching DNS resolver developed by NLnet Labs. Designed with security as a priority, it implements DNSSEC validation out of the box and supports modern encrypted DNS protocols including DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), making it a popular choice for privacy-conscious networks and infrastructure.
What Unbound Does
- Performs recursive DNS resolution with aggressive DNSSEC validation by default
- Caches DNS responses to reduce latency and upstream query load
- Supports DNS-over-TLS and DNS-over-HTTPS for encrypted DNS transport
- Provides local data zones for internal DNS overrides and split-horizon configurations
- Offers response policy zones (RPZ) for DNS-based content filtering and security
Architecture Overview
Unbound is written in C with a modular architecture. The core resolver handles recursive queries using iterative resolution against authoritative nameservers. A validator module performs DNSSEC chain-of-trust verification. The cache module stores responses with TTL-based expiration and serves stale data during upstream failures when configured. Worker threads handle queries concurrently, with each thread maintaining its own cache partition for lock-free operation.
Self-Hosting & Configuration
- Install via system package manager or compile from source with OpenSSL
- Main configuration file is
/etc/unbound/unbound.confwith YAML-like syntax - Enable DNSSEC with
auto-trust-anchor-filepointing to the root trust anchor - Configure DoT forwarding with
forward-zoneandforward-tls-upstream: yes - Use
unbound-controlfor runtime statistics, cache management, and zone reloads
Key Features
- DNSSEC validation enabled by default with automatic trust anchor management
- Prefetching refreshes popular cache entries before they expire, reducing latency
- Aggressive NSEC/NSEC3 caching synthesizes negative answers without upstream queries
- Access control lists restrict which clients can query the resolver
- EDNS Client Subnet support for CDN-aware resolution when needed
Comparison with Similar Tools
- BIND 9 — Full authoritative and recursive DNS server; Unbound focuses purely on recursive resolution with a smaller attack surface
- CoreDNS — Cloud-native DNS written in Go with plugin architecture; Unbound is a traditional Unix daemon optimized for recursive resolution
- Pi-hole — DNS sinkhole for ad blocking that often uses Unbound as its upstream recursive resolver
- Knot Resolver — Similar recursive resolver with Lua scripting; Unbound has broader adoption and more conservative design
FAQ
Q: Can Unbound be used as an authoritative DNS server? A: Unbound can serve local zones for internal use, but it is not designed as a full authoritative server. Use NSD, BIND, or PowerDNS for that role.
Q: How does Unbound compare to using a public DNS like 8.8.8.8? A: Unbound resolves queries directly against authoritative servers, removing the need to trust a third-party resolver. It also validates DNSSEC signatures locally.
Q: Does Unbound support DNS-over-HTTPS? A: Yes, Unbound supports both DoT (port 853) and DoH (HTTPS) as a server and can forward to DoT/DoH upstream resolvers.
Q: How much memory does Unbound use?
A: Default cache size is modest. Configure msg-cache-size and rrset-cache-size based on your query volume; typical home setups need under 100 MB.