Unbound DNS — A Validating, Recursive DNS Resolver
Unbound is a recursive DNS resolver developed by NLnet Labs. It is designed to be secure, privacy-focused, and high-performance. Unlike a forwarding DNS server that sends queries to an upstream provider, Unbound resolves queries from scratch by starting at the DNS root zone and following the chain of delegations.
Recursive resolution means Unbound does not rely on any external DNS provider. It queries the root nameservers directly, then the TLD nameservers, then the authoritative nameservers for the domain, all while validating DNSSEC signatures at each step. This makes it completely self-contained and privacy-preserving.
How Unbound Works
When Unbound receives a DNS query, it starts at the root. It has a list of the 13 root nameserver addresses built in. It queries a root server for the TLD nameservers. It gets the TLD nameservers for .com, .org, etc. Then it queries the TLD nameserver for the domain's authoritative nameservers. Finally, it queries the authoritative nameserver for the actual DNS record.
At each step, Unbound validates DNSSEC signatures if the zone is signed. It checks that the response includes valid RRSIG records, that the signatures chain up to a trusted anchor, and that no records have been tampered with. If validation fails, Unbound discards the response and returns SERVFAIL.
Unbound caches every response it receives. Subsequent queries for the same domain are answered from cache instantly. The cache respects TTL values from the authoritative servers. Unbound also includes a negative cache for domains that do not exist, preventing repeated lookups for nonexistent domains.
Installing and Configuring Unbound
Install Unbound from your distribution's package manager. On Debian and Ubuntu: sudo apt install unbound. On Fedora: sudo dnf install unbound. On Arch: sudo pacman -S unbound. The installation creates a default configuration file at /etc/unbound/unbound.conf.
The default configuration works as a basic recursive resolver. Unbound starts and immediately begins resolving queries from the root. No upstream DNS provider configuration is needed because Unbound does not use one. It is the most self-sufficient DNS server you can run.
For better performance, configure the cache size and enable prefetching. Add these to your configuration: cache-size: 100m (100MB cache), prefetch: yes (refresh popular records before they expire), and prefetch-key: yes (refresh DNSSEC keys before expiry).
After configuration, start Unbound: sudo systemctl start unbound. Enable it to start on boot: sudo systemctl enable unbound. Test that it resolves queries: dig @127.0.0.1 example.com.
Unbound with Pi-hole
Combining Unbound with Pi-hole is the ultimate DIY DNS setup for privacy-conscious users. Pi-hole handles ad blocking and provides the statistics dashboard. Unbound handles recursive DNS resolution with full DNSSEC validation. No third-party DNS provider sees any of your queries.
Configure Pi-hole to use 127.0.0.1#53 as its upstream DNS server, where Unbound is listening. Pi-hole receives queries from your network, checks its blocklists, and forwards allowed queries to Unbound. Unbound resolves them recursively from the root. The queries never leave your network unencrypted.
This setup gives you complete privacy. Your ISP cannot see your DNS queries because you are not using their DNS servers. No public DNS provider sees your queries because Unbound resolves them directly. The only entities that see your queries are the authoritative nameservers for the domains you visit.
Security Features
Unbound has built-in DNSSEC validation with automatic key updates. It includes the root zone's trust anchor and can update it automatically when the root signing key changes. This ensures DNSSEC validation continues working without manual intervention.
Access control features let you restrict which clients can use Unbound. By default, Unbound only responds to queries from localhost. Configure access-control: 192.168.0.0/16 allow to allow queries from your local network.
Unbound supports DNS over TLS for both incoming and outgoing queries. You can configure it to forward queries to other DoT servers for specific domains, or accept DoT queries from clients. This adds encryption on top of the recursive resolution.
For blocking malicious domains, Unbound can be configured with local zone files or RPZ (Response Policy Zones). These are similar to the blocklists used by Pi-hole. You can subscribe to threat intelligence feeds and block known malicious domains at the DNS level.
Performance Tuning
Unbound is fast out of the box, but you can tune it for better performance. Increase the cache size if you have available RAM. A larger cache means more queries are answered from memory. The default is 4MB. Set it to 64MB or 128MB for a busy home network.
Enable the prefetch feature. Unbound proactively refreshes cached records before they expire. This means popular domains are always in cache and queries are answered instantly. The overhead is minimal because Unbound only prefetches records that are being actively queried.
Use the num-threads setting to match your CPU core count. Unbound is multi-threaded and can handle multiple queries concurrently. Set num-threads to the number of CPU cores on your server. Do not exceed this, as more threads than cores causes context switching overhead.
For more on setting up Unbound as part of a complete DNS server, see our DNS server setup guide.