Networking, Security, Linux



Rohan Molloy

server:

Listening port

port: 53

Run in a chroot

chroot: "/etc/unbound"

Run as unbound user

username: unbound

Address/interface to listen on

Use the wildcard address to listen on all interfaces

# interface:

Egress interface

We also have the option of specifying the outgoing interface (the outgoing-interface option).
This is applicable if you have multiple links to the internet
and wish to restrict VPN traffic to a particular one.


Protocols to use

do-ip6: no
do-ip4: yes
do-udp: yes
do-tcp: yes

Access control

Specify the CIDR blocks to allow or deny; the most specific matching netblock wins.
On an internet-reachable host, use iptables too: access-control decides who gets answers, but it is not a substitute for a host firewall.

access-control: allow
access-control: allow
access-control: allow
access-control: allow
access-control: refuse

Root hints

Next, we manually download the root hints:

wget -qO root.hints

root-hints: "/etc/unbound/root.hints"

Trust anchors:

File containing trust anchors. A trust anchor specifies the key used to sign the DNS root and forms the foundation for chains of trust

auto-trust-anchor-file: "/etc/unbound/root.key"

Do not provide version.bind and hostname.bind (the CHAOS-class queries that reveal the software version and host name)

hide-identity: yes
hide-version: yes

Glue hardening (the harden-glue option): glue is trusted only if it is within the server's authority.

Suppose I want to set as the NS for,
then I need to set record 'ns' as a glue record


When sending a query to the authority NS, use a mix of uppercase and lowercase in the query name (the use-caps-for-id option, also known as 0x20 encoding), which makes forged replies harder to match.
Best to leave this set to "no" (default) as it can cause unreliability with some authoritative servers.


Performance and computational options

If you don't have a multicore/hyperthreaded machine (e.g. running on an embedded router), set num-threads to 1 (disable multithreading).

The slabs must take a value approximately double the number of threads;
this value must be a power of 2.

num-threads: 4
msg-cache-slabs: 2
rrset-cache-slabs: 2
key-cache-slabs: 2
infra-cache-slabs: 2

RRset cache size (rrset-cache-size)
The RRset cache holds record values like A and NS.
These values are appropriate for a desktop or server;
on a small embedded device like a router, use values like 2m.

Message cache size (msg-cache-size)
The msg cache contains metadata, things like the AD bit etc.
This should be 1/2 the size of the rrset-cache.


Prefetch the message cache
When popular entries are about to expire, we

prefetch: yes

Override records with short TTL (time to live) (the cache-min-ttl option)

We do not update records below this time.
Don't make it longer than ~300s, or you may get stale records.

Override records with long TTL (the cache-max-ttl option)
Don't keep cached records for longer than 30h (10800)


Custom records

Forward zone

Suppose you have a special DNS provider for accessing US Netflix.
You can set a forward zone here so that queries for Netflix names are selectively forwarded to that server.

    name:           ""

Stub zones

There is also a type of zone known as a stub zone.
In contrast to a forward zone, a stub zone does not perform recursion,
and so the stub server must be authoritative

    name: ""
    stub-addr: ""

Internal records

local-data:      "gateway IN A"
local-data:      "foo-pc  IN A"
local-data:      "bar-pc  IN A"
local-data-ptr:  "gateway IN A"

We can split our config into multiple files.

Let's add a file containing local records to block ad domains

include: /etc/unbound/ads.conf
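Generating that ads.conf by hand is tedious and a typo can leave a hole, so here is an added example (my own code, not from the post) that turns a plain blocklist into local-zone lines for the include file. It accepts bare names and hosts-file style "0.0.0.0 name" lines, validates each hostname, lower-cases and deduplicates them, and drops any name whose parent domain is already listed, since a local-zone already covers everything beneath it. The blocklist embedded in it is constructed; the file name ads.conf is the one the include: line above uses, and the local-zone type defaults to static.

```python
"""Build the contents of an ads.conf include for unbound from a plain blocklist.
Added example, not from the post; the blocklist below is constructed."""
import re

# Hostname per RFC 1123 (lower-cased, no trailing dot): labels of 1-63 chars, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed blocklist: bare names, hosts-file style lines, comments and junk.
RAW_BLOCKLIST = """\
# constructed sample list, not a real blocklist
ads.example.com
tracker.example.net
sub.ads.example.com     # redundant: covered by ads.example.com
0.0.0.0 telemetry.example.org
127.0.0.1 Tracker.Example.Net
not a hostname!
"""


def normalise(line):
    """Return a validated lower-case hostname from one blocklist line, or None."""
    line = line.split("#", 1)[0].strip().lower()
    parts = line.split()
    if not parts:
        return None
    if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
        parts = parts[1:]                       # hosts-file syntax
    if len(parts) != 1:
        return None
    name = parts[0].rstrip(".")
    return name if HOSTNAME_RE.match(name) else None


def collapse(names):
    """Drop names whose parent domain is already listed: a local-zone covers every
    name beneath it, so the child entry would only be noise."""
    kept = set()
    for name in sorted(names, key=lambda n: n.count(".")):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            kept.add(name)
    return sorted(kept)


def build_ads_conf(raw, zone_type="static"):
    """Return the config lines for the include file. With 'static', unbound answers
    NXDOMAIN for any name under the zone that has no local-data."""
    names = {n for n in map(normalise, raw.splitlines()) if n}
    return [f'local-zone: "{name}." {zone_type}' for name in collapse(names)]


if __name__ == "__main__":
    print("\n".join(build_ads_conf(RAW_BLOCKLIST)))
```

Write the output to /etc/unbound/ads.conf and run unbound-checkconf before reloading; on the constructed list the script emits three local-zone lines, because the mixed-case duplicate collapses into tracker.example.net and sub.ads.example.com is already covered by its parent.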

Forward to an external resolver

Delegate roo

        name:          "."