
Unbound

A high-performance validating, recursive, and caching DNS resolver by NLnet Labs — the preferred choice for secure, DNSSEC-validating resolver deployments.

Overview

Validating, Recursive, Caching Resolver

Unbound is purpose-built as a recursive resolver — it does not serve authoritative zones. This singular focus makes it lean, fast, and secure. It is the default resolver on OpenBSD, ships with many Linux distributions, and is the recommended resolver to pair with NSD (authoritative) in a split-architecture deployment.

Unbound validates DNSSEC whenever a trust anchor is configured (distribution packages ship the root anchor and keep it current with RFC 5011 key tracking), and provides fine-grained access control, per-client rate limiting, Response Policy Zones, DNS-over-TLS, and a module system for extending functionality. The unbound-control tool provides runtime management similar to BIND's rndc.

  • DNSSEC validation with the root trust anchor bootstrapped by unbound-anchor and tracked via auto-trust-anchor-file (RFC 5011)
  • DNS-over-TLS (DoT) for upstream queries and client connections
  • Response Policy Zones (RPZ) for DNS firewall / category blocking
  • Per-client rate limiting with ip-ratelimit
  • Local data (local-zone / local-data) for internal split-DNS without a separate authoritative server
  • Cache prefetching and aggressive NSEC (RFC 8198), which synthesizes NXDOMAIN answers from cached signed denials instead of re-querying
  • Python and dynlib module support for custom logic
When to Choose Unbound
  • You need a secure, validating recursive resolver
  • You want DNSSEC validation without authoritative complexity
  • You are building a privacy-focused or ISP resolver
  • You want to pair with NSD for a clean auth/recursive split
First released: 2006
Maintained by: NLnet Labs
Configuration

Key Configuration Examples

Core unbound.conf

# /etc/unbound/unbound.conf
server:
    # Listen interfaces
    interface: 0.0.0.0
    interface: ::0
    port: 53

    # Allow only internal clients. Unbound refuses everything except
    # localhost by default; the explicit refuse lines for both address
    # families make the policy visible and cover the IPv6 listener too.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation (file must be writable by the unbound user so
    # RFC 5011 key rollovers can be recorded)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Performance
    num-threads: 4
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
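Beyond the listen, ACL and trust-anchor basics above, a production resolver normally gets a separate hardening drop-in. The script below is an added example written for this page; it is not part of Unbound or of the page's original configuration. It writes the drop-in and, when Unbound is installed, runs unbound-checkconf on it. The drop-in path, the private ranges and the rate-limit numbers are assumptions to adapt; every directive is a documented unbound.conf server option.

```shell
#!/bin/sh
# Added example: generate a hardening drop-in for Unbound.
# Destination path, address ranges and thresholds are assumptions.
set -eu

# Emit the drop-in to stdout.
hardening_conf() {
    cat <<'EOF'
server:
    # Do not answer CHAOS-class version.bind / id.server probes
    hide-identity: yes
    hide-version: yes

    # Send only the minimum QNAME to each upstream (RFC 9156)
    qname-minimisation: yes

    # Ignore out-of-bailiwick glue, refuse answers with DNSSEC records
    # stripped, and block algorithm downgrade tricks
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes

    # DNS-rebinding defence: public answers that point into these ranges
    # are scrubbed. Internal domains that legitimately resolve to such
    # addresses through a forwarder must be allowed with private-domain.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Per-client rate limit (queries per second); a fraction of
    # over-limit queries is still answered so bursty clients keep working
    ip-ratelimit: 1000
    ip-ratelimit-factor: 10

    # Flush the cache when this many unsolicited replies arrive
    # (cache-poisoning indicator; default 0 disables the check)
    unwanted-reply-threshold: 10000000
EOF
}

# Write the drop-in to $1. Assumed to live in a directory that
# unbound.conf includes (e.g. unbound.conf.d on Debian/Ubuntu).
install_hardening() {
    hardening_conf > "$1"
}

# Count the hardening directives present in a written file so a
# deployment script can assert the drop-in landed intact.
count_directives() {
    grep -cE '^[[:space:]]*(hide-identity|hide-version|qname-minimisation|harden-[a-z-]+|private-address|ip-ratelimit[a-z-]*|unwanted-reply-threshold):' "$1"
}

if [ "${1:-}" != "" ]; then
    install_hardening "$1"
    echo "installed $1 with $(count_directives "$1") hardening directives"
    # Syntax-check the fragment when Unbound is present
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    fi
fi
```

Run it as `sh harden.sh /etc/unbound/unbound.conf.d/hardening.conf`, then `unbound-control reload`. Check the effect of private-address before rolling it out widely: any internal zone resolved through a forwarder (not via local-data) that returns RFC 1918 addresses needs a matching private-domain line or its answers will be scrubbed.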

DNS-over-TLS upstream

# Forward all queries over TLS to
# Cloudflare and Quad9 resolvers
server:
    # CA bundle used to verify the upstream certificate against the
    # name after '#'. Without it (or tls-system-cert / tls-win-cert)
    # the session is encrypted but the upstream is NOT authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

# Note: forwarding disables full recursion; Unbound still validates
# DNSSEC on the answers it receives from the forwarders.
# Remove the forward-zone for full recursive mode.

Local split-DNS zones

# Internal overrides: no separate
# authoritative server needed
server:
    # Block a domain entirely (REFUSED; use always_nxdomain
    # if clients should see NXDOMAIN instead)
    local-zone: "badsite.com" refuse

    # Override a single name with an internal IP
    # (creates an implicit transparent local-zone for that name)
    local-data: "internal.example.com A 10.0.0.5"

    # Serve an internal zone; static means names not listed
    # here get NXDOMAIN rather than being looked up upstream
    local-zone: "corp.internal." static
    local-data: "web.corp.internal. A 10.0.0.10"
    local-data: "db.corp.internal. A 10.0.0.11"

unbound-control commands

# Setup control socket (first time): generates the server and client
# certificates; also needs control-enable: yes in the remote-control:
# section of unbound.conf
unbound-control-setup

# Check status
unbound-control status

# Flush cache for a domain (flush removes the exact name only;
# flush_zone removes the whole subtree)
unbound-control flush example.com
unbound-control flush_type example.com A

# Reload configuration (also empties the cache)
unbound-control reload

# View statistics (stats_noreset keeps counters; plain stats
# resets them, which breaks other monitoring)
unbound-control stats_noreset | grep queries

# Add a local record at runtime (lost on restart unless also
# written to the config)
unbound-control local_data "test.example.com A 10.0.0.99"
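The stats_noreset output is the usual feed for resolver monitoring. The script below is an added example, not part of the page or of Unbound, that turns the raw counters into a cache-hit percentage, a bogus-answer rate and a short alarm list. The counter names are the ones Unbound prints; the alarm thresholds and the embedded sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: health metrics from `unbound-control stats_noreset`.
# Thresholds and the sample counters below are assumptions.
set -eu

# Constructed sample of stats_noreset output (real output has many
# more lines; only the counters read below matter).
SAMPLE_STATS='thread0.num.queries=12000
thread0.num.cachehits=9000
thread0.num.cachemiss=3000
total.num.queries=12000
total.num.cachehits=9000
total.num.cachemiss=3000
total.num.recursivereplies=3000
num.answer.secure=2400
num.answer.bogus=30
num.query.ratelimited=15
unwanted.queries=0
unwanted.replies=2'

# get_stat TEXT NAME -> value of counter NAME, or 0 when absent
get_stat() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v + 0 }'
}

# cache_hit_pct TEXT -> integer percent of queries answered from cache
cache_hit_pct() {
    hits=$(get_stat "$1" total.num.cachehits)
    total=$(get_stat "$1" total.num.queries)
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( hits * 100 / total ))
}

# bogus_bps TEXT -> bogus answers per 10,000 validated answers
bogus_bps() {
    secure=$(get_stat "$1" num.answer.secure)
    bogus=$(get_stat "$1" num.answer.bogus)
    validated=$(( secure + bogus ))
    [ "$validated" -gt 0 ] || { echo 0; return; }
    echo $(( bogus * 10000 / validated ))
}

# health TEXT -> "ok" or a space-separated alarm list.
# A rising bogus rate usually means a broken signer or an attack on
# the path; unwanted replies climbing means someone is spraying
# spoofed answers at the resolver.
health() {
    alarms=""
    [ "$(cache_hit_pct "$1")" -ge 50 ] || alarms="$alarms low-cache-hit-rate"
    [ "$(bogus_bps "$1")" -le 100 ] || alarms="$alarms high-bogus-rate"
    [ "$(get_stat "$1" unwanted.replies)" -lt 1000 ] || alarms="$alarms possible-cache-poisoning"
    [ "$(get_stat "$1" num.query.ratelimited)" -eq 0 ] || alarms="$alarms clients-ratelimited"
    if [ -z "$alarms" ]; then echo ok; else echo "${alarms# }"; fi
}

if [ "${1:-}" = "--live" ]; then
    stats=$(unbound-control stats_noreset)
    health "$stats"
else
    echo "sample: $(health "$SAMPLE_STATS")"
fi
```

Run `sh unbound-health.sh --live` from cron or a monitoring agent on the resolver host; the user running it needs read access to the unbound-control client certificate.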
Installation

Getting Started

Install on Debian/Ubuntu

apt update && apt install -y unbound

# Initialize root trust anchor for DNSSEC. unbound-anchor exits 1 when
# it had to write or update the file, so do not treat that as failure.
# The file must stay writable by the unbound user for RFC 5011 updates.
unbound-anchor -a /var/lib/unbound/root.key || true
chown unbound:unbound /var/lib/unbound/root.key

# Enable and start
systemctl enable --now unbound

# Test DNSSEC validation. unbound-host resolves on its own via
# libunbound using the trust anchor from the config, so this checks
# the anchor and config rather than the running daemon.
unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
# Should print the address followed by (secure)

Verify operation

# Basic resolution
dig @127.0.0.1 example.com A +short

# Test DNSSEC validation
dig @127.0.0.1 dnssec-failed.org A
# Should return SERVFAIL (invalid DNSSEC)
dig @127.0.0.1 dnssec-failed.org A +cd
# With checking disabled the answer comes back, proving the
# SERVFAIL above was a validation failure, not an outage

dig @127.0.0.1 cloudflare.com A
# Should return NOERROR + ad flag (authentic data)

# Check statistics
unbound-control stats_noreset | grep -E "num\.queries|cachehits|cachemiss"
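The two-query test above (plain, then +cd) is what distinguishes a bogus name from a resolver that simply cannot reach the authority. The script below is an added example, not part of the page, that automates that classification by parsing dig's header and flags lines; the embedded dig outputs are constructed so the logic can be exercised offline, and check_name is the live wrapper against the local Unbound.

```shell
#!/bin/sh
# Added example: classify DNSSEC status of a name from two dig runs.
# The dig output snippets below are constructed samples.
set -eu

# Only the header and flags lines are parsed.
OUT_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
OUT_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
OUT_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
OUT_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# rcode TEXT -> status word from the ";; ->>HEADER<<-" line
rcode() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# has_flag TEXT FLAG -> succeeds if FLAG is set in the ";; flags:" line
has_flag() {
    printf '%s\n' "$1" | grep -E "^;; flags:[^;]*[[:space:]:]$2[[:space:];]" >/dev/null
}

# classify NORMAL_OUTPUT CD_OUTPUT -> secure | insecure | bogus | unreachable
#   secure      validated chain, ad flag set
#   insecure    resolved, but the zone is unsigned (no ad flag)
#   bogus       SERVFAIL normally, answer with +cd: validation failed
#   unreachable SERVFAIL both ways: the name cannot be resolved at all
classify() {
    case "$(rcode "$1")" in
        NOERROR|NXDOMAIN)
            if has_flag "$1" ad; then echo secure; else echo insecure; fi ;;
        SERVFAIL)
            if [ "$(rcode "$2")" = NOERROR ]; then echo bogus; else echo unreachable; fi ;;
        *)
            echo unreachable ;;
    esac
}

# check_name NAME [SERVER] -> classification via the local Unbound
check_name() {
    server="${2:-127.0.0.1}"
    classify "$(dig @"$server" "$1" A)" "$(dig @"$server" "$1" A +cd)"
}

if [ $# -gt 0 ]; then
    for name in "$@"; do
        printf '%s %s\n' "$name" "$(check_name "$name")"
    done
fi
```

Usage: `sh dnssec-check.sh cloudflare.com dnssec-failed.org example.internal`. An "insecure" result for a name you expected to be signed is worth a second look: it is what a resolver returns when a trust anchor is missing or when an upstream forwarder silently strips DNSSEC records and harden-dnssec-stripped is off.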