Unbound
Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei. It is installed as part of the base system in FreeBSD starting with version 10.0, and in NetBSD with version 8.0. A version is also available in OpenBSD version 5.6 and beyond. (Previous versions of FreeBSD shipped with BIND.) The default config file is /usr/local/etc/unbound/unbound.conf
in FreeBSD and /etc/unbound/unbound.conf
in Linux. Port 53 needs to be open in your router and in the local firewall.
DNS Resolving Cache
This can be used as a DNS cache to serve local or external DNS queries. It can also be used to block advertisements.
Custom DNS domains can be set within Unbound as well. This is a basic A record:
local-data: "xboxone.local IN A 192.168.1.139"
A PTR record can also be set for external queries. Please note that your ISP may block these.
local-data-ptr: "68.225.35.119 server.domain.com"
A root hints file is required as well. You can wget
this here
In order to block most advertisements, include:
is needed. Here is the TBP blackhole.zone file for download. Be sure to include it in the /usr/local/etc/unbound/unbound.conf
file. Here's a complete config setup:
## Unbound config file server: # Zone file include: /usr/local/etc/unbound/blackhole.zone # List of valid clients port: 53 include: /usr/local/etc/unbound/users.conf # Enable IPv4, "yes" or "no". do-ip4: yes # Enable IPv6, "yes" or "no". do-ip6: yes # Enable UDP, "yes" or "no". do-udp: yes do-tcp: yes harden-dnssec-stripped: yes rrset-cache-size: 2048m msg-cache-size: 1024m so-rcvbuf: 1m val-permissive-mode: yes # Verbosity to zero - we don't log verbosity: 0 use-syslog: no # Specify interfaces interface: 0.0.0.0 interface: ::0 # Our root hints file root-hints: /usr/local/etc/unbound/root.hints auto-trust-anchor-file: "root.key" # Hide/block identity and version hide-identity: yes hide-version: yes # Trust glue only if it is within the servers authority. harden-glue: yes # Require DNSSEC data for trust-anchored zones harden-dnssec-stripped: yes # Use 0x20-encoded random bits in the query to help prevent spoofs use-caps-for-id: yes # Specify caching TTLs cache-min-ttl: 360 cache-max-ttl: 8640 # Perform prefetching of close to expired message cache entries. prefetch: yes minimal-responses: yes qname-minimisation: yes rrset-roundrobin: yes num-threads: 8 # Do not allow localhost to use the forwarder do-not-query-localhost: yes ssl-upstream: yes # Specify servers for forwarding to forward-zone: name:"." forward-addr: 1.1.1.1@853 #Cloudflare DNS over TLS forward-addr: 1.0.0.1@853 #Cloudflare DNS over TLS forward-addr: 9.9.9.9@853 #IBM IPv6 Quad9 over TLS forward-addr: 149.112.112.112@853 #IBM IPv6 Quad9 over TLS forward-addr: 2606:4700:4700::1111@853 #IPv6 Cloudflare DNS over TLS forward-addr: 2606:4700:4700::1001@853 #IPv6 Cloudflare DNS over TLS # forward-addr: 68.1.16.108 # forward-addr: 68.1.16.107 # forward-addr: 208.67.222.222 # forward-addr: 208.67.220.220 # forward-addr: 172.98.193.42 # forward-addr: 192.99.85.244 # forward-addr: 1.1.1.1 # Cloudflare # forward-addr: 1.0.0.1 # Cloudflare # forward-addr: 8.8.4.4 # Google # forward-addr: 8.8.8.8 # Google # forward-addr: 37.235.1.174 # FreeDNS # forward-addr: 37.235.1.177 # FreeDNS # forward-addr: 64.6.64.6 # Verisign # forward-addr: 64.6.65.6 # Verisign # forward-addr: 74.82.42.42 # Hurricane Electric # forward-addr: 84.200.69.80 # DNS Watch # forward-addr: 84.200.70.40 # DNS Watch # forward-addr: 91.239.100.100 # censurfridns.dk # forward-addr: 109.69.8.51 # puntCAT # forward-addr: 208.67.222.220 # OpenDNS # forward-addr: 208.67.222.222 # OpenDNS # forward-addr: 216.146.35.35 # Dyn Public # forward-addr: 216.146.36.36 # Dyn Public remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. control-enable: yes # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. control-interface: 127.0.0.1 # port number for remote control operations. control-port: 8953 # unbound server key file. server-key-file: "/usr/local/etc/unbound/unbound_server.key" # unbound server certificate file. server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" # unbound-control key file. control-key-file: "/usr/local/etc/unbound/unbound_control.key" # unbound-control certificate file. control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"