Configs2026年7月15日·1 分钟阅读

Unbound — Validating Recursive DNS Resolver

A high-performance, security-focused recursive DNS resolver with built-in DNSSEC validation, DNS-over-TLS, and DNS-over-HTTPS support.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
Unbound
直接安装命令
npx -y tokrepo@latest install eb385776-7fe4-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

Unbound is an open-source, validating, recursive, and caching DNS resolver developed by NLnet Labs. Designed with security as a priority, it implements DNSSEC validation out of the box and supports modern encrypted DNS protocols including DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), making it a popular choice for privacy-conscious networks and infrastructure.

What Unbound Does

  • Performs recursive DNS resolution with aggressive DNSSEC validation by default
  • Caches DNS responses to reduce latency and upstream query load
  • Supports DNS-over-TLS and DNS-over-HTTPS for encrypted DNS transport
  • Provides local data zones for internal DNS overrides and split-horizon configurations
  • Offers response policy zones (RPZ) for DNS-based content filtering and security

Architecture Overview

Unbound is written in C with a modular architecture. The core resolver handles recursive queries using iterative resolution against authoritative nameservers. A validator module performs DNSSEC chain-of-trust verification. The cache module stores responses with TTL-based expiration and serves stale data during upstream failures when configured. Worker threads handle queries concurrently, with each thread maintaining its own cache partition for lock-free operation.

Self-Hosting & Configuration

  • Install via system package manager or compile from source with OpenSSL
  • Main configuration file is /etc/unbound/unbound.conf with YAML-like syntax
  • Enable DNSSEC with auto-trust-anchor-file pointing to the root trust anchor
  • Configure DoT forwarding with forward-zone and forward-tls-upstream: yes
  • Use unbound-control for runtime statistics, cache management, and zone reloads

Key Features

  • DNSSEC validation enabled by default with automatic trust anchor management
  • Prefetching refreshes popular cache entries before they expire, reducing latency
  • Aggressive NSEC/NSEC3 caching synthesizes negative answers without upstream queries
  • Access control lists restrict which clients can query the resolver
  • EDNS Client Subnet support for CDN-aware resolution when needed

Comparison with Similar Tools

  • BIND 9 — Full authoritative and recursive DNS server; Unbound focuses purely on recursive resolution with a smaller attack surface
  • CoreDNS — Cloud-native DNS written in Go with plugin architecture; Unbound is a traditional Unix daemon optimized for recursive resolution
  • Pi-hole — DNS sinkhole for ad blocking that often uses Unbound as its upstream recursive resolver
  • Knot Resolver — Similar recursive resolver with Lua scripting; Unbound has broader adoption and more conservative design

FAQ

Q: Can Unbound be used as an authoritative DNS server? A: Unbound can serve local zones for internal use, but it is not designed as a full authoritative server. Use NSD, BIND, or PowerDNS for that role.

Q: How does Unbound compare to using a public DNS like 8.8.8.8? A: Unbound resolves queries directly against authoritative servers, removing the need to trust a third-party resolver. It also validates DNSSEC signatures locally.

Q: Does Unbound support DNS-over-HTTPS? A: Yes, Unbound supports both DoT (port 853) and DoH (HTTPS) as a server and can forward to DoT/DoH upstream resolvers.

Q: How much memory does Unbound use? A: Default cache size is modest. Configure msg-cache-size and rrset-cache-size based on your query volume; typical home setups need under 100 MB.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产