Unbound is a high-performance, validating, recursive DNS resolver. Running a local DNS resolver on your server reduces DNS query latency, improves privacy, and adds DNSSEC validation.
Installation
# Debian/Ubuntu package. The trust-anchor and root-hints paths used in the
# configuration below follow this package's layout — verify them on other distributions.
sudo apt install unbound
sudo systemctl enable unbound
Basic Configuration
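# /etc/unbound/unbound.conf
# Local-only, validating, recursive resolver. Unbound refuses clients that match
# no access-control line; the explicit refuse entry below only makes that policy
# visible in the file.
server:
    # Listen on loopback only, so nothing off-host can reach the resolver.
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # No IPv6 for listening or for upstream queries (enable if the host has v6).
    do-ip6: no

    # Performance
    num-threads: 2
    msg-cache-size: 64m
    # Keep the rrset cache roughly twice the message cache.
    rrset-cache-size: 128m
    # cache-min-ttl overrides the TTL set by the authoritative server: records
    # that change quickly (failover, load balancing, a revoked host) are served
    # stale for up to an hour. Lower it, or set 0, if you resolve such names.
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    # Refresh popular records shortly before they expire instead of after.
    prefetch: yes

    # Privacy
    hide-identity: yes
    hide-version: yes
    # Send each upstream only as much of the query name as it needs.
    qname-minimisation: yes

    # Hardening (spoofing / cache-poisoning resistance)
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    # Strip upstream answers that point into private address space (DNS rebinding
    # protection). Leave commented if an external zone legitimately resolves to
    # private addresses.
    # private-address: 10.0.0.0/8

    # DNSSEC validation. Unbound maintains this file itself (RFC 5011 rollover),
    # so the unbound user needs write access to its directory.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Root hints for recursive resolution
    root-hints: "/usr/share/dns/root.hints"

# Drop-in directory; the local-zone file later in this guide is placed here.
# On Debian/Ubuntu the packaged remote-control settings that unbound-control
# relies on are also loaded from here — confirm that on your distribution.
include: "/etc/unbound/unbound.conf.d/*.conf"

# Forward to upstream (optional, for non-recursive mode). Plain forwarding sends
# every query to the forwarder in cleartext; add forward-tls-upstream (and a
# tls-cert-bundle in the server clause) for DNS-over-TLS. Validation still
# happens locally as long as the forwarder returns DNSSEC records.
# forward-zone:
# name: "."
# forward-addr: 1.1.1.1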
# forward-addr: 8.8.8.8
Configure System to Use Unbound
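# Point resolv.conf at the local resolver.
# On hosts running systemd-resolved, /etc/resolv.conf is a symlink to a file that
# resolved manages, so writing through it first is pointless: stop resolved and
# replace the symlink with a plain file before writing the nameserver line.
# (NetworkManager or a DHCP client may also rewrite this file — check if one is in use.)
if systemctl is-active --quiet systemd-resolved; then
    sudo systemctl disable --now systemd-resolved
fi
# Remove the symlink (or stale file); the next step recreates it as a plain file.
sudo rm -f /etc/resolv.conf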
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Testing
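# Basic resolution through the local resolver
dig @127.0.0.1 example.com
# Positive DNSSEC check: a signed zone must come back with the "ad" flag set
dig @127.0.0.1 +dnssec example.com | grep flags
# Negative DNSSEC check: a deliberately broken zone must be refused
dig @127.0.0.1 dnssec-failed.org
# Expected status: SERVFAIL. Re-run with +cd (checking disabled) to confirm the
# failure is validation and not connectivity: with +cd an answer is returned.
dig @127.0.0.1 +cd dnssec-failed.org
# Check cache statistics (unbound-control needs remote-control enabled in the config)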
sudo unbound-control stats_noreset | grep total
Local DNS Overrides
# Add local DNS entries.
# /etc/unbound/unbound.conf.d/local.conf
# Only loaded if the main unbound.conf includes this directory — check that it does.
server:
    # "static": answer only from the local-data below; every other name under
    # this zone gets NXDOMAIN and nothing is ever sent upstream for it.
    local-zone: "internal.myorg.com." static
    local-data: "db.internal.myorg.com. IN A 10.0.0.5"
    local-data: "cache.internal.myorg.com. IN A 10.0.0.6"
    local-data: "app.internal.myorg.com. IN A 10.0.0.7"
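# Validate the configuration first so a typo cannot take the resolver down.
# Note: reload flushes the cache.
sudo unbound-checkconf && sudo unbound-control reload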